How do you work out a country’s level of cybersecurity?
When we talk about the cyber security of a nation state, we have to refer to many different aspects, such as the nation's capacity to respond to large-scale security incidents, its legislation in this area, the protection of critical infrastructure, its capacity to work with other countries, and even the security culture that might exist among the population.
This is a complicated task, since we're talking about initiatives that are large in scale but absolutely necessary in the present day, due to the increasing number, frequency and impact of IT threats and attacks. The complexity lies in working out which actions to track and establishing a point of reference for countries seeking to increase and improve their level of cyber security. In this context, where do we begin?
The Global Cybersecurity Index
One of the initiatives launched by the International Telecommunication Union (ITU) is the Global Cyber security Agenda (GCA), a framework for international cooperation aimed at enhancing confidence and security in the information society.
The GCA is built upon five strategic pillars, also known as work areas: legal measures, technical and procedural measures, organisational structures, capacity building, and international cooperation. Arising from these is the Global Cybersecurity Index (GCI), which aims to measure and assess the commitment of countries to this issue.
Initially developed in 2013, the GCI is engaged in a perpetual update process to determine the relevant aspects of the security of ITU member states. The purpose of the index is to measure the following elements:
- Type, level, and development of commitment to cybersecurity in countries over the course of time
- Progress in the commitment to cybersecurity of all countries from a global perspective
- Progress in the commitment to cybersecurity from a regional perspective
- Level of participation of countries in cybersecurity initiatives
The scope of the GCI's mission is wide: it aims to act as a point of reference so that countries can identify areas of opportunity in the field of cybersecurity, and, at the same time, it can work as a kind of incentive for nation states to try and improve their Global Cybersecurity Index rating or assessment. This has the knock-on effect of increasing the country's level of cybersecurity.
How is the cybersecurity level determined?
The index works on the basis of a questionnaire which considers 24 indicators. The document is divided into five sections; the first considers legislation and regulations on cybersecurity in the country in the question – for example, whether it has laws on unauthorized access, the misuse of information systems, and the interception of data.
The second group of questions looks at the availability of technical measures, which among other things includes the existence of a Computer Security Incident Response Team (CIRT, CSIRT or CERT) with a focus on different sectors within the country. The third point includes aspects relating to organisational measures, such as having a national cybersecurity strategy, the existence of a national body or agency responsible for the issue, or the existence of metrics by which developments can be measured.
The fourth element evaluates capacity-building activities, primarily in respect of standardisation. In other words, the adoption of cybersecurity standards and good practices, as well as investment in security-related R-D programs, and also awareness campaigns aimed at the general public.
The final element looks at the provision of measures for cooperation with other countries, such as bilateral, multinational, and international agreements. This factor is a crucial one when investigating crimes that go beyond borders and are committed using new technologies.
The benefits of having an index that enables us to evaluate cybersecurity
Through the information gathered, the Global Cybersecurity Index seeks to learn how countries start to implement cybersecurity. In turn, showing the practices that have been applied in some countries enables them to be used as a point of reference or a starting point in other countries.
With this information available, other countries can adopt, adapt, and apply certain aspects depending on their national context, with the aim of promoting better practices and making them more widespread. All of this doesn't stop at national level, but can be extended to a global level through exchange and cooperation.
Without a doubt, this initiative contributes directly to understanding the security situation of the countries involved, as well as encouraging a culture of cybersecurity, in the aim of increasing and improving the protection of information and other assets internationally.