How Can You Improve a Nation’s Cyber Security Capacity?

Stacey McGowen, Resarch Impact Officer for the University of Oxford's Social Sciences Division, looks at the work of the Global Cyber Security Capacity Centre (GCSCC) at the Oxford Martin School. Launched in 2013, GCSCC is a leading international centre for research on efficient and effective cyber security capacity-building, promoting an increase in the scale, pace, quality and impact of cyber security capacity-building initiatives across the world.

During her remarks to the recent Global Cyber Security Capacity Centre Conference, Ms Sandra Sargent, Senior Operations Officer at the World Bank, explained why the World Bank, which has invested heavily in ICT in developing countries around the world in recent years, had decided to partner with the Global Cyber Security Capacity Centre (GCSCC). She likened cybersecurity to a string of Christmas lights – when one bulb goes out, so does the entire string, and when that one string is connected to many other strings, it leads to a blackout. Given the predicted increase in cyber users over the next decade and the associated risks, the work of the Global Cyber Security Capacity Centre is vital to keeping the lights on for us all.

In 2013, the UK Government launched the Global Cyber Security Capacity Centre at the Oxford Martin School, which brings together academics and experts from across the University of Oxford and around the world under the direction of Professor Sadie Creese. The initial aim of this new Centre was to develop a framework to understand what does and doesn’t work in regard to cyber security capacity and why, and they have achieved this. This framework, called the Cyber Security Capability Maturity Model (CMM), helps nations to look at their cyber security capacity in five areas or dimensions: policy and defence, culture and society, education and knowledge, legal and regulatory, and technology and security.

Using knowledge gained from their research, they have since developed a unique method of evaluating and measuring the maturity of a nation’s cyber security capacity across these five dimensions, and in 2015, they began applying their work in the real world.

In January 2015, in partnership with the Organization of American States (OAS), using the CMM, the GCSCC undertook pilot country assessments in Jamaica and Colombia, before the approach was rolled out across the Latin America and the Caribbean region by the OAS in partnership with the Inter-American Development Bank (IDB). Over the course of the rest of 2015, the CMM assessment process was piloted in other countries around the world from Bhutan to Montenegro to Armenia.

Four of these assessments were conducted with the World Bank, and the first of these to be published was conducted in Kosovo. In February 2015, researchers from GCSCC travelled to Pristina to interview government officials and other individuals, and in June they produced and published a Cyber Security Maturity Model assessment report for Kosovo along with a series of recommendations to improve cyber security capacity. Mr Agim Kukaj of the Department of the Ministry of Economic Development of Kosovo and lead government counterpart for the assessment said: "The assessment showed a realistic view of cyber security capacity strengths and weaknesses of different categories of Kosovo stakeholders, and in the process generated a considerable amount of interest, especially on the level of interagency cooperation in the public sector. It would thus be a lost opportunity for the government not to build on this assessment further by bridging various interests and leveraging synergies ".

Recently, the GCSCC in conjunction with Oxford’s Saïd Business School set up the Cyber Security Capacity Portal, an online resource for those interested in learning more about cyber security capacity and keeping up with developments of the GCSCC. This year saw a new partnership with the Global Forum for Cyber Expertise based in the Netherlands, to produce a comprehensive interactive map on the portal. This highlights key cybersecurity initiatives taking place around the world to improve cooperation and avoid duplication. The Centre is also developing a new Harm Model to complement the CMM. The first draft will be completed by April 2016.

In addition to the research taking place in Oxford, the GCSCC is seeking strategic collaborations and collaborators around the world to act as, in the words of Prof Creese, “centres of gravity” for this kind of work, who can assist with the country reviews and act as “custodians of the knowledge”, but also provide information back to the GCSCC in Oxford so that they can continue their research and adapt their methods as necessary. As well as collaborations with the World Bank, the Organization of American States and the Commonwealth Telecommunications Organisation (CTO), in December 2015, the GCSCC made its first regional partnership with the State Government of Victoria, which is establishing a new cyber security facility, the Oceania Cyber Security Centre (OCSC) in Melbourne. It is hoped that this will be the first of many such regional centres to help spread the important work of the GCSCC around the world.

The GCSCC is currently funded by the UK Foreign and Commonwealth Office (FCO) and the Governments of Norway and the Netherlands.

This article was originally published on the University of Oxford Social Sciences website.

This opinion piece reflects the views of the author, and does not necessarily reflect the position of the Oxford Martin School or the University of Oxford. Any errors or omissions are those of the author.