When there is trust in our online environment, businesses and governments can operate safely, and individuals can exercise their rights and enjoy the freedom that digital technology affords. This growing interconnectedness between society, technology, and the economy has caused governments to
consider how to protect their citizens and critical infrastructure from threats in the digital environment. As such, the existence of a free, open, and secure cyberspace is intrinsically linked to social and economic development.
The prevalence, diversity, complexity, and severity of existing and emerging cyber threats require a shift from reactive ad-hoc responses to a more structured, cohesive, and strategic approach to addressing cyber threats in a manner that respects human rights. As a result, governments are increasingly turning
to the development of National Cybersecurity Strategies (NCS) to address a broad range of issues at the policy level, providing a strategic pathway and framework to doing so in a sustainable way. It is important at this juncture to acknowledge that while the NCS cannot address a government’s digital agenda in its
entirety (for example the considerations around government digital migration and national connectivity programs), it stands as a good interlocutory for those initiatives and considers security by design.
From our experience working in the Americas, it has become evident that developing a strategic approach to addressing cyber threats is no easy task. NCSs in the region are beginning to be seen as key instruments to address cyber threats and build resilience. In this effort, countries have grappled with finding the right approach to developing and implementing an NCS.
The authors of this paper aim to address this challenge by offering information on the possible approaches to policymakers working on the development, implementation, and review of NCSs in the Americas. We include descriptions of different possible approaches and considerations, illustrated through examples from some OAS member states and other globally relevant resources, for developing an NCS and addressing cybersecurity threats. Developing and implementing an NCS is a mammoth task, but assessment tools and guides are available to support a holistic and sustainable effort.
While policymakers responsible for the development, implementation, and review of NCSs in the Americas are the primary audience of this resource, we hope that this document will also be a helpful resource for any stakeholder working in the field of cybersecurity capacity-building. By providing
practical examples of good practice, the document can inform the design and delivery of projects focused on NCS and can otherwise be used at any point in the NCS development, implementation, or review process. In addition to this, the authors hope that the document will be a useful resource to inform international peace and security discussions, where NCSs are seen as key instruments to advance cybersecurity capacity building and contribute to the implementation of agreed norms and confidence building measures for responsible State behavior in cyberspace.
Approach and document structure
This document is structured in five parts that address the key considerations relevant for the process of NCS development, implementation, and review. Part One makes a case for prioritizing the development of an NCS as it describes some of the challenges in cybersecurity today, both at the national and international levels. It also considers the role an NCS plays in supporting societal and economic developmental goals.
Part Two focuses on the need to follow a multistakeholder approach to developing an NCS. Multistakeholder efforts provide value by bringing in multiple viewpoints and easing the road to general buy-in and support with the implementation of the NCS.
Part Three offers descriptions in a neutral, agnostic (i.e.,“tool-nostic” and “guide-nostic”) way for several existing assessment tools and guides, including information on applicable regional and global programs. While none of these should be used straight “out of the box”, they may serve as an excellent starting point to help determine where a nation is in its cyber capacity and how it might best move forward.
Part Four moves from the general considerations of tools and guides into practical approaches around implementing an NCS, including bringing together multistakeholder committees, prioritizing the goals and objectives, and considering the monitoring and evaluation process that is so critical to the success of an NCS.
Part Five provides several case studies comparing NCS development and implementation in several countries and regions in the Americas. Included in this section is a sectoral case study focusing on how cybersecurity in the maritime sector aligns with the needs and processes of an NCS.
The development of the document is built on desk-based research by the authors and contributing authors as well as interviews with OAS member states; it encapsulates the experiences of the work of the OAS and GPD in the region on this topic.