There is no one-size-fits-all approach for governments to manage cybersecurity. But asking some key questions can help leaders get started.
Government leaders are increasingly aware that promoting prosperity and protecting national security includes providing cybersecurity. That means demonstrating that a nation, state, region, or city is a safe place to live and do business online. And it includes deterring cyberattacks, preventing cyber-related crime, and protecting critical national infrastructure while also maintaining an environment that makes technological progress easy, according to McKinsey.
It is a tall order. National security and criminality are different—and multifaceted—in the digital arena. Tools developed by governments to provide security are seized, weaponized, and proliferated by criminals as soon as they are released. Malware-development utilities are available on the dark web, enabling criminal activity even by those with only basic digital skills. Cyberthreats cross national boundaries, with victims in one jurisdiction and perpetrators in another—often among nations that don’t agree on a common philosophy of governing the internet. And complicating it all, criminal offences vary, legal assistance arrangements are too slow, and operating models for day-to-day policing are optimized for crimes committed by local offenders.(1) Even relatively low-level threats can have impact on a vast scale.
Each country is addressing the challenge in its own way, just as companies tackle the issue individually. Approaches vary even among leading countries identified by the Global Cybersecurity Index, an initiative of the United Nations International Telecommunications Union. Differences typically reflect political and legal philosophy, federal or national government structures, and how far government powers are devolved to state or local authorities. They also reflect public awareness and how broadly countries define national security—as well as technical capabilities among policy makers. Despite such differences, our work with public- and private-sector organizations suggests a series of questions government leaders can ask to assess how prepared they are.
Who is accountable?
An effective national cybersecurity ecosystem crosses traditional institutional boundaries and includes a wide range of departments, agencies, and functions, both military and civilian. Many countries have yet to clarify who is accountable across all dimensions of cybersecurity or to impose a single governance structure. That lack of clarity can result in a confused response to crises and inefficient use of limited resources.
In our experience, a single organization should have overall responsibility for cybersecurity, bringing operational activity and policy together with clear governance arrangements and a single stream of funding. Particularly when responding to a cyberattack, clarity of leadership and decision making is vital to ensure the correct balance among helping victims recover quickly, taking measures to protect others (by increasing resilience and attacking the source of the attack), and performing a criminal investigation of those responsible. While some national and state governments have consolidated accountabilities into a clear structure, such as Estonia’s Cyber Security Council, or have well-established and tested crisis-response mechanisms that they have adapted for use in cyberevents, as in Sweden, many others do not.
Key skills are often in short supply. Knowledge of the threat, resources, and authority to make decisions may all sit in different places across government. This reduces operational effectiveness and can also result in weak legislation, bad policy, and lack of investment. Some countries are starting to address these challenges. Germany, for example, has strengthened its Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) to lead its national cybersecurity strategy and establish shared cybersecurity services for government.
The United Kingdom’s National Cyber Security Centre (NCSC) is also widely cited as a model for government-level cybersecurity. It brings together analysis, assessment, and crisis response to provide advice to critical national infrastructure organizations, businesses more broadly, and the public (exhibit). Its operating model involves both access to highly sensitive intelligence and dissemination of public information. And it brings together cybersecurity experts from government and the private sector in a single body.
Questions governments can ask include the following:
Are lines of accountability and remits clear—both for policy and for crisis response?
Is it clear how government priorities are decided and communicated?
Is there a coherent, cross-government strategy? Is it reviewed and refreshed regularly?
What performance metrics does the government have for the strategy? How are they monitored?
What information does the government publish about progress on cybersecurity?
Do the responsible parts of government come together regularly to agree on plans and review progress?
How centralized should you be?
Some countries have consolidated their audit and regulation functions in a centralized agency. Japan, for example, has its Cyber Security Strategic Headquarters, and Romania has its Association for Information Security Assurance. Others, such as India, have dispersed audit functions across multiple bodies. Both models can work, but as India’s National Information Security Policy and Guidelines illustrates, a decentralized model—in this case, ministries are tasked to self-audit and bring in external auditors—requires clear national guidelines and standards. Israel’s benchmarking and accreditation arrangements have also been key to raising standards across all sectors.
At the very least, governments can insist on reporting of cyberevents by victims and on sharing of vulnerabilities by suppliers into a single reporting, analysis, assessment, and response hub. In Germany, for example, federal legislators have sought to amend the law to require companies to register any cyberincidents in which they are a victim. Australia introduced a notifiable-data-breaches scheme in 2017, making it a legal requirement to notify affected individuals and the Office of the Australian Information Commissioner of serious data breaches.(2) Ideally, governments will also make it easy for citizens and businesses to report such breaches through an automated platform to facilitate responses, advice, and feedback. Such platforms will also increase transparency around threats and steps to mitigate them.
More information here.