The International Telecommunication Union (ITU) says the adoption of a national cybersecurity strategy is a “crucial first step” for governments seeking to support continued growth in technological sophistication.
If that sounds a little like stating the obvious, the organization’s 2017 Global Cybersecurity Index suggests that – for some countries at least – it will come as news. While 38% of countries have a published cybersecurity strategy, only 11% have a dedicated, standalone strategy.
It’s not all doom and gloom: 12% of countries are developing a strategy and 61% have an emergency response team (i.e. CIRT, CSIRT, CERT) in place. On the downside, only 21% have a national responsibility to publish incident metrics, making it difficult to objectively assess programme performance.
The need to heed
The ITU says the scale of global cybercrime makes plugging the gaps a vital component of any government policy; the interconnectivity of critical infrastructure, business and everyday technologies means vulnerabilities can have far-reaching impacts – from keeping the lights on to business and consumer confidence levels.
The ITU says malicious mails are the “weapon of choice” for a wide range of attacks, used by everyone from ransomware gangs to state-sponsored actors. One in 131 mails sent last year was malicious – the highest rate in five years.
In this environment, “the gap in the level of cybersecurity engagement between different environments is still present and visible,” according to the report. “While commitment in Europe remains very high… there is still an evident gap between countries in terms of awareness, understanding, knowledge and finally capacity to deploy proper strategies, capabilities and programmes to ensure a safe and appropriate use of ICTs as enablers for economic development.”
So who’s getting things right?
This survey involving 134 ITU members (and validated by all 193 of them) shows that Estonia, France and Norway are the top European performers in terms of cybersecurity commitment.
Although targeted by a nation-state-sponsored attack in 2007, Estonia’s response was singled out for praise: not only does it have a rapid-response organizational structure in place to handle any new incidents, it also has legislation requiring critical service providers to maintain a minimal operational level if they lose connectivity. Estonia hosts NATO’s Cooperative Cyber Defence Centre of Excellence.
Second-placed France scored a perfect 100 for capacity building – the country’s commitment to training is reflected in dozens of universities offering accredited cybersecurity degree programmes. The list is published by the country’s National Agency for Information System Security (ANSSI).
While the report refers to Ireland’s potential to exploit its large IT and telecoms sector to promote the growth of a cybersecurity industry, performance-wise the country is in the ‘maturing’ category, alongside Germany, Belgium and Denmark. Ranking 26th globally, Ireland’s best performance areas included cybersecurity legislation, National CERT/CIRT/CSIRT, standards for professionals and organizations and international participation. Weakest areas included cybersecurity training, metrics and R&D programmes.
The full report is available here.