BTOB: Cybersecurity Capacity Building, EUISS

I attended the above-mentioned meeting hosted by the EU Institute for Security Studies, based in Paris. This was the 2nd meeting on the topic organized by EUISS. The initial meeting took place back in March this year. The main takeaways of this session are here.

EUISS prepared a concept note for the meeting, building on the notion of scenarios. My initial reaction to this was not that positive as the scenarios seem to ignore: a) The global nature of the issue; and b) The unevenness of Internet penetration around the globe. It also seems to take a particular approach to capacity building which is more akin to technical cooperation.

Below are my detailed comments.

1. Cybersecurity is yet another example of a classical global public good which transcends nation-states and demands global coordination and interaction to be effectively addressed. As with global warming and climate change, any weak link in the global chain will prevent addressing the issue. By definition the Internet is the network of networks which also transcends nation-states. There are thus millions of millions of networks in this setup, a fact that complicates the issue not only because of the sheer numbers but also because it is constantly expanding.

2. Unlike climate change or sustainable development, which took over 30 years to become a real issue (thanks in part to the resistance from some developed countries and especially the private sector), cybersecurity is spearheaded by developed countries AND the private sector, with most developing countries sitting on the fence for the time being.

3. For many developing countries, especially the poorer ones, cybersecurity seems to be low on their agendas as Internet penetration is still incipient while other development issues are pervasive. There is however a strong push to get this group of countries to prioritize this issue for the sake of the global public good conundrum.

4. Cybersecurity is also perceived by many as a technological issue which demands a technological solution. This approach is risky, especially for developing countries where policies and regulatory environments are not as mature as those in developed countries. The risk here is multi-dimensional in terms of the impact on citizens of any given country.

5. In this context and from a development perspective, it is important to factor into the overall approach two critical issues: 1. Link cybersecurity to national development policies instead of presenting it as yet another separate and independent priority in an already crowded policy agenda; 2. Increase awareness of the importance of cybersecurity as a policy issue which can be seen as a means to an end to ensure free (as in liberty), secure and stable access to the Internet and all the services and information it can provide to people.

6. In regard to the latter, it is also essential to link cybersecurity to key democratic governance issues such as privacy, confidentiality, trust and surveillance. This in turn demands that we take a human-rights-based approach to the issue and thus promote policies that address all this in a systematic fashion, a far cry from technical approaches to the issue which seem so pervasive nowadays.

7. In this light, the scenarios presented at the meeting are not very useful for addressing these macro issues. As mentioned in point one above, this is a global public issue and can only be properly solved if all nodes and networks are acting in sync while at the same time ensuring that new nodes and networks fall into the purview and do not misbehave.

8. In terms of capacity building, it is necessary to refine this concept a bit more. First of all, we should distinguish between capacity building and capacity development. The former is more associated with technical assistance and technical cooperation which usually does not achieve capacity development. The latter is essentially the process by which people in a given socio-economic, political and cultural context acquire, strengthen and sustain their capabilities to establish and achieve their own development goals and aspirations.

9. Capacity development is thus larger than capacity building, training and skills development, issues that at the meeting in Paris were being addressed as synonyms. What all these have in common is their focus on personal and individual enhancements.

10. Capacity development has three levels: policy (enabling environment), institutions (organizational components), and individuals (skills, knowledge, etc.). Any capacity assessment must address these three levels to be effective and sustainable in the long run.

11. It is also essential to distinguish between functional and technical capacities. The former refer to “how to do things” and are cross-sectoral and cross-cutting, usually referring to management capacities. Technical capacities are in turn sectoral and refer to having expertise and skills on a given set of tasks specific to a particular sector (computer programming for example).

12. With this approach in mind, one way to move the ISS agenda forward will be to undertake cybersecurity capacity assessments in a couple of countries to bring some real evidence into the policy discussions. Evidence-based policy making is much more effective than any other, while such assessments can also be used to increase awareness of traditional policy makers who somehow remain oblivious to this question.

13. Cybersecurity capacity assessments can be implemented in five related steps: 1. Identify and engage stakeholders; 2. Assess capacity assets and needs; 3. Design a capacity development response; 4. Implement the response; and 5. Evaluate capacity development to then return to 1.

14. Another area that you might want to start exploring is the design and development of a cybersecurity global index. There are already a couple of them out there but they seem to ignore most of the issues we have mentioned above.

Cheers, Raúl