The Constellation of Regional Research Centres
We welcomed a new partner in our constellation of regional cybersecurity research centres: the Cybersecurity Capacity Centre for Southern Africa (C3SA) at the University of Cape Town (UCT) is a consortium between the GCSCC, UCT’s Department of Information Systems, Research ICT Africa (RIA), and the Norwegian Institute of International Affairs (NUPI). C3SA aims to drive regionally informed cybersecurity capacity research and lead the deployment of the Cybersecurity Capacity Maturity Model for Nations (CMM) in the region. In June, researchers of C3SA conducted the first online CMM review in Uganda which was also the first re-assessment on the African continent. A second online CMM review in Somalia is planned in December.
The CMM Around the World
By December 2020 the GCSCC and its regional and strategic partners conducted 120 CMM reviews in 85 countries around the world, including 36 reassessments. The Organization of American States (OAS) and the Inter-American Development Bank (IDB) launched its second cybersecurity study of the Latin American and Caribbean Region “Cybersecurity Risks, Progress, and the way forward in Latin America and the Caribbean”.
This year we have also been updating the CMM to respond to changes in the operational environment, emerging risks and the changing cybersecurity control landscape. In a broad consultation with our constellation and strategic partners, our Expert Advisory Panel, and stakeholders from around the world we collected input and evidence for achieving Cyber Security Capacity Maturity. The Model now incorporates risk controls currently practiced and available to the community. The new version of the CMM will be published in the upcoming months.
Our research team has continued the cross-national comparative research using CMM data. The findings have shown that:
- More capacity building will enhance the experience of end-users and thereby have positive implications for the Internet and society. A paper has been submitted to an academic journal and it is currently under peer review based on systematic empirical evidence collected from the field research of 73 CMMs.
- Regions are widely perceived to be a factor shaping approaches to cybersecurity capacity building and its consequences, especially where social and cultural issues are concerned. Through a focused study of Dimension 2 of the CMM, our analysis has indicated that the major influencing factors are: a) the scale of Internet use and the population of a nation; and b) aspects of development, such as wealth, the centrality of the Internet (percent of users in the nation), the absence of corruption, and the quality of regulation. When controlling for scale and development, region has no systematic relationship to the maturity of the social and cultural dimensions of cybersecurity capacity building. This does not undermine the value of regional networks for sharing information around cybersecurity, but could shift more emphasis to development goals, independent of region.
- Follow-on work will refine the findings above and extend the analyses to other dimensions of capacity building. We have already launched more comparative research on the factors shaping advances in education and awareness raising (Dimension 3 of the CMM).
Our researchers continued to look at the issue of why cybersecurity awareness campaigns often fail in raising user understanding of protecting themselves and their information within the cyber space. A qualitative analysis of eight national CMM reports suggests campaigns are often led by different ‘owners’ without coordination, and thereby creating fragmentation of the national awareness programme. The paper discusses the different levels of success of the reviewed national awareness programmes, highlighting the main challenges and offering guidelines for their development. This paper has been accepted to be published at the International Journal of Information Security and Cybercrime.
The GCSCC and the World Economic Forum (WEF) published its report “Future Series: Cybersecurity, emerging technology and systematic risk”, funded by Axis Capital. The report highlights the growing threat from hidden and systemic risks inherent in the emerging technology environment, which will require significant change to the international and security communities’ response to cybersecurity.
Our researchers were also involved in the Lloyds Register Foundation funded foresight review into cybersecurity for the industrial Internet of Things. Following workshops held around the world the report was published and concluded that there are areas of operational cybersecurity that will not immediately translate into this future environment, and that action is needed to develop the capacity to securely and safely embrace this new technology-enabled future. We thank our partners at the OAS for funding the translation of the report into the Spanish language, and you can obtain copies in the English and Spanish language here.
Over the last year, the GCSCC successfully established the new global Cyber Capacity Knowledge Portal “Cybil” in partnership with the GFFE, the Australian Strategic Policy Institute, (ASPI), DiploFoundation, FIRST, and the Norwegian Institute of International Affairs (NUPI). Since its launch at the GFCE Annual Meeting 2019 in Addis Ababa, Cybil has become a neutral, open and inclusive platform, hosting over 1,400 projects, publications and tools, offering good practice, information, and practical knowledge for governments, funders, implementers and researchers.
This year, our Annual Conference moved Down Under: hosted by the GCSCC’s regional partner, the Oceania Cyber Security Centre (OCSC), in Melbourne/Australia. This key event for the global cybersecurity capacity building community provided an opportunity to show what cybersecurity capacity really means and why it matters for nations.
In the autumn we started a webinar series where we share our latest research findings and upcoming issues with our community. Visit our website and follow it on social media to stay updated. Topics covered to-date are: Cybersecurity Awareness (October) and Cybersecurity Capacity Building for the 4th Industrial Revolution (November)
Save the Date for the next webinar – The sub-Saharan African cybersecurity ‘parabellum’ – 16 February 2021, 10.00-12.00 SAST. To show interest, send email to: firstname.lastname@example.org
The Centre and its work has continued to been presented by members of the Centre and the constellation partners at various online and offline events throughout the year, such as the Chatham House “Cybersecurity in the Commonwealth” Meeting in London, the Chevening Fellows visit India meetings in Oxford, CyFy 2020, EU Cyber Direct "Closing the Gap" Conference, GFCE Annual and V Meetings, the GFCE Pacific Regional Meeting, GigaNet Annual Symposium, ITU Regional Cyber Drills, OSCE Cyber-ICT Security Day as well as at regional events in the Pacific and Africa.
Our work was referenced in
· ENISA National Capabilities Assessment Framework
· UK Commonwealth Chair-in-Office report 2018 to 2020: delivery of Commonwealth Summit commitments
· UK National Cyber Security Strategy 2016 to 2021 progress report
· UK Prosperity Fund annual report 2019 to 2020
What is Ahead
In parallel with the efforts to establish the constellation and working with our strategic partners, we have been broadening our research portfolio in cybersecurity capacity-building – reinforcing the GCSCC as a Centre of Excellence in this domain ― while maintaining a continued leadership position in the CMM-user community and upholding sustained widespread adoption.
The GCSCC is positioned to sustain and build on its research base to develop three new areas of impact: 1) the effectiveness of capacity-building; 2) the understanding and mitigation of cyber-harms; and 3) the anticipation of emerging risks and threats to business, critical infrastructures, and an open and global Internet. We aim to identify the most challenging dilemmas that the world faces in terms of cybersecurity, an inherently interdisciplinary problem, and approach them through high-quality interdisciplinary research. The outputs of our work will not only inform the evolution of the CMM in response to changing environments, but will also have consequences for policy-makers determining both how they should prioritise funds for research aimed at solving future cybersecurity challenges and how to prioritise financial capacity-building support to the international community. This will better enable countries to consider future risks as they build their capacity, crucial to developing resilience, and will help those organisations that seek to support countries in developing capacity (whether as sources of loans, or as providers of education and training, or as specialist cybersecurity technology and service providers).
Our partners and our community are crucial for our work and its impact, so in 2021 we will reach out for your input and feedback. We will continue to share our research findings at events around the world and disseminate them through our website and social media channels.
Visit our website: https://gcscc.web.ox.ac.uk/
Visit our profile page on the Cybil Portal: https://cybilportal.org/actors/global-cyber-security-capacity-centre/
Follow us on Social Media: