National Cybersecurity Strategy of Bhutan (2024–2029)
October 2024
Strategies and Action Plans
Author: Bhutan – Computer Incident Response Team (BtCIRT)
The National Cybersecurity Strategy (NCS) of Bhutan (2024–2029) lays out a comprehensive plan to secure the nation’s cyberspace by addressing cyber threats and vulnerabilities in alignment with its digital transformation goals. The strategy is structured around four core goals, each with specific objectives and actionable steps, ensuring a robust framework for national cybersecurity:
1. Cybersecurity governance and coordination
- Establishes a centralised cybersecurity institutional framework to streamline governance and coordination across governmental and private sectors.
- Defines clear roles and responsibilities at all levels (strategic, operational, and tactical), with the GovTech Commission providing oversight and guidance.
- Facilitates collaboration among stakeholders for cohesive cybersecurity policymaking, resource allocation, and execution.
2. Strengthening cybersecurity legislation
- Builds on existing laws, such as the Information, Communication, and Media Act (ICMA) 2018, by identifying legal gaps and recommending enhancements.
- Proposes the development or amendment of legislation to tackle emerging threats, with a focus on child protection, data privacy, and incident investigation.
- Introduces regulatory frameworks for Critical Information Infrastructure Protection (CIIP), data privacy, and coordinated vulnerability disclosure to address immediate legal gaps.
3. Critical information infrastructure protection
- Focuses on identifying and safeguarding Bhutan’s essential ICT and infrastructure assets to ensure resilience against cyberattacks.
- Develops CIIP governance frameworks, guidelines, and compliance mechanisms to secure infrastructure in sectors like energy, healthcare, and finance.
- Enhances the capacity of infrastructure operators through training and simulations, such as tabletop exercises and cyber drills.
4. Enhanced incident response and collaboration
- Establishes Security Operations Centers (SOC) at various levels, including governmental (GSOC), educational (EduSOC), and sector-specific SOCs.
- Promotes information sharing among Computer Incident Response Teams (CIRTs) and SOCs for proactive threat detection and mitigation.
- Develops a national cyber threat landscape report to assess and prioritise risks, creating a unified response to threats.
- Strengthens incident handling through skill-building initiatives like forensics, red/blue teaming, and advanced cybersecurity training for responders.
Implementation and monitoring
- A detailed action plan outlines ownership, timelines, and budgets for each initiative, monitored under the NCS governance framework.
- Progress is assessed through half-yearly reviews, aligned with national development plans, ensuring adaptability to evolving threats.
The strategy envisions a safe, secure, and resilient cyberspace for Bhutan by integrating international best practices, fostering collaboration, and building capacity across sectors. It invites all stakeholders to work together toward achieving these goals within the five-year timeframe, laying the groundwork for a more mature cybersecurity landscape.