Beruflich Dokumente
Kultur Dokumente
Editorial
Regions
Europe
4 What’s in a project name? - Cyber Resilience
for Development (Cyber4Dev)
8 Cyber Security – a joint responsibility
calls for extensive cooperation
America
17 The current process of OAS confidence-building
measures in cyberspace
21 The OAS and CISCO launch “Cybersecurity
Innovation Councils”
Africa
24 Cybersecurity a Flagship project of the African
Union Agenda 2063
27 An interview with Dr. Amani Abou-Zeid on
cybersecurity and the AUC’s priorities
Global developments
Editorial
On behalf of the Editorial Board, welcome to the sixth edition of the Global
Cyber Expertise Magazine! We are proud to present this edition at the Global Forum
on Cyber Expertise Annual Meeting 2019 in Addis Ababa.
The Global Cyber Expertise Magazine is a joint initiative by the African Union, the
European Union, the Organization of American States and the Global Forum on Cyber
Expertise, that aims to provide cyber policymakers and stakeholders an overview of
cyber capacity building projects, policies, and developments around the world.
In this edition, we see practical cyber capacity building (CCB) activities carried
out in all regions especially with a focus on international cooperation. This reflects
an improvement in the coordination of CCB resources, knowledge-sharing and
expertise around the world. Our cover story on Africa discusses the African Union
Commission’s role in ensuring member states are equipped to face cybersecurity
challenges posed by the digital transformation of the region. An interview with Dr.
Amani Abou-Zeid, African Union Commissioner for Infrastructure and Energy,
similarly gives insight to the priorities of the AUC and promoting cybersecurity.
From Europe, Norway shares their lessons learnt in drafting and implementing
a cybersecurity strategy after publishing their fourth strategy this year (hint: it
involves international cooperation and building on best practices). International
cooperation is highlighted again in an article on European Union’s Cyber Resilience
for Development (Cyber4Dev) project which promotes a multi-layered approach to
security and provides assistance to partners in developing countries.
From Asia & Pacific, we have an article on cybercrime capacity building and
training with the formation of an Asia-Pacific “hub”, a collaboration between the
Korea Supreme Prosecutors’ Office (KSPO), World Bank and the GFCE. Also, read
more about India’s new training program, the “Cyber Surakshit Bharat”, for senior
government officials to address and mitigate cybersecurity challenges and create
awareness.
From the Americas, a key takeaway from both articles is that cybersecurity
challenges requires collaboration, public and private. In one article, the Organization
of American States (OAS) and CISCO describe the launch of their Cybersecurity
Innovation Council and how this will enhance cybersecurity in the Americas.
In a second article, the OAS delves into their confidence-building measures in
cyberspace and the importance of cyber diplomacy.
From Global developments, the UNODA shares their new online training
course on cyber diplomacy that was developed in partnership with Singapore’s Cyber
Security Agency. In another article, the GFCE Secretariat reflects on the GFCE’s
progress since its launch in 2015 and how we may continue to accelerate forward.
We thank our guest writers for their valuable contributions to the sixth
edition of the Magazine and we hope you enjoy reading the Global Cyber Expertise
Magazine!
On behalf of the Editorial Board,
Why cyber capacity spiralling cost of physical infrastruc- Tackling cybersecurity threats
ture improvements. is something which has to happen at
building matters But becoming more active in, multiple levels, and across the globe.
and reliant on, virtual space brings The European Union has recognised
new risks. These new concerns are that strong international cooperation
The challenges facing minis- amplified by the often central and cri- is an essential element of building
ters in developing and middle income tical position of the services concer- effective capacity in cybersecurity.
countries are many faceted, complex, ned, and by the open nature of access The Cyber Resilience for Development
and cross-cutting. Strategic approa- to the internet itself. (Cyber4Dev) project funded under the
ches to national development plan- So we can see that the connec- Instrument Contributing to Stability
ning are increasingly reliant on digital tion between a national commitment and Peace, implemented by the EU’s
solutions both to ensure the effective to creating a safe and secure cybers- International Development and Coo-
and efficient delivery of public servi- pace and crafting a climate for wider peration Directorate (DG DEVCO), is
ces, and to mitigate the drag created progress in economic and social de- but one part of the EU’s response.
by the slow implementation and often velopment is a pretty obvious one. It is clear to researchers, policy-
Europe | What’s in a project name? - Cyber Resilience for Development (Cyber4Dev) 5
“Tackling
cybersecurity
threats is
something which
has to happen at
multiple levels, and
across the globe.”
Figure 1. Cyber4Dev Project Leader Maurice Campbell and Project Manager Belinda
Conlan attending the EU Cyber Forum in Brussels in April 2019.
Under component two, a num- importance of pre-planned respon- because of the scarce combination of
ber of training courses have been held ses, tailored to the local environment. technical and international develop-
for staff working in national CERTS, Under component three, the ment skills required, and because of
each of which has been through a Se- project has been able to facilitate and the fast pace of change in the field.
curity Incident Management (SIM3) fund the engagement of government Significant challenges faced
maturity model assessment, the ou- officials from our core countries in include those arising from capacity
tput of which has informed develop- regional and global discourse on de- building absorption capability, and in
ment plans. A number of cyber resi- veloping trends in cyber-security, at the related areas of stakeholder en-
lience exercises, both technical and events organised by bodies such as gagement. Often technical and policy
table-top, have been supported and AfricaCERT, The One Conference, teams are under-resourced, and te-
more are planned. Such exercises FIRST, Meridian, the GFCE and the chnical teams find themselves under
create very valuable opportunities for UK’s NCSC. pressure to deliver in areas which are
important learning, demonstrating to not core to their mission, an example
participants, on occasion including being computer forensic analysis in
ministers, the risks faced and the Overcoming challenges support of criminal proceedings which
through EU cooperation can divert already stretched resour-
ces. Effective stakeholder engage-
ment also requires sustained contact,
Cyber capacity building is not and disillusionment within especially
an easy environment to work in, both private sector stakeholder communi-
Europe | What’s in a project name? - Cyber Resilience for Development (Cyber4Dev) 7
ties can result from perceived slow- each of those countries, and is now
ness of governmental response. also about to commence delivery in
Another issue can be a perceived Rwanda. Recognising the global na- “Prioritising the
lack of candour in the private sectors,
especially in banking and finance,
ture of the challenges faced, scoping
missions are planned shortly in South development of
which arises from a risk of disclosure
affecting the standing of institutions
East Asia, and South America.
We have also benefited from the
cyber resilience
which rely very heavily on trust in buil- excellent support of DEVCO to ensure is not only good
ding their relationships with clients. full coordination between this project
We have benefited greatly from and others, including especially our practice technically,
the counterpart working model we sister project GLACY+, also EU funded
use to overcome such challenges. but delivered by a highly experienced but an essential
The delivery of the project is being
managed by NI-CO (Northern Ireland
Council of Europe team, who comple-
ment our focus on cyber security with underpinning
Cooperation Overseas) in partnership
with the Estonian Information System
strong and effective support on tac-
kling cyber-crime.
of progress in
Authority (RIA), the United Kingdom’s many areas of
Foreign and Commonwealth Office
(FCO) and the Kingdom of the Nether- Towards global wider national
lands Ministry of Foreign Affairs. This cyber resilience
allows us to access to a wide range of economic and social
EU expertise and to draw upon, and
learn from, significant experience. So a minister at his desk in any development plans.”
At both the national and regional of our partner countries now knows
levels we have been well supported that prioritising the development of
by the EU’s EEAS Delegations as well cyber resilience is not only good prac- rity benefits not only the states direct-
as by diplomatic representations of tice technically, but an essential un- ly assisted, but neighbouring and dis-
our delivery partners. Such help was derpinning of progress in many areas tant states as well. But it is also at the
critical in establishing the right con- of wider national economic and social level of all individual citizens that we
tacts from the very beginning, and in development plans. His staff have seek to have a real impact, bringing a
helping to ensure that host gover- strong expertise to hand to assist in stability that encourages investment,
nments understood the nature and creating and reviewing national cyber spreading knowledge of not only risk
benefits of the project at the highest security strategies, and the imple- but also of opportunity, engaged not
level. The effectiveness of this work mentation plans that activate them. only with people in capital cities, but
was demonstrated at launch events World leading technical assistan- also bringing knowledge to adults and
attended in each case by cabinet level ce is provided in the development of children, girls and boys, women and
ministers. effective Computer Incident Respon- men alike, in all communities.
Following an inception phase se Teams, and high quality training Just as the global security of
during which sensitization and as- is available for staff. The new skills aviation relies on effective controls at
sessment missions were conducted in learnt are exercised and tested, and all airports, a more secure and resi-
three countries, Sri Lanka, Mauritius learning captured facilitated. lient cyber space in one place, creates
and Botswana, the project deployed In this inter-connected world, a safer global cyber space too.
coordination and technical experts to such a focus on enhanced cyber secu-
8 Cyber Security – a joint responsibility calls for extensive cooperation | Europe
Earlier this year Norway released its fourth National Cyber Security Strategy. An
important part of preparing the strategy was building on experiences with previous
strategies and looking internationally to build on best practices. To succeed in
meeting the challenges that arise from moving towards a fully digitalized society,
and at the same time take full advantage of the benefits, it was essential to align all
stakeholders to pull them in the same direction. Cyber security is a joint responsibility
and concerns everyone. This should be reflected in both creating and implementing
a national strategy.
Written by: Robin Bakke, Specialist Director Cyber Security, Norwegian Ministry of
Justice and Public Security
Strategy drafting as an only for the public sector. An open and early stage, and to include everyone
open and inclusive process inclusive process where everyone that was interested in contributing.
could contribute with ideas and input, The event was thus open to everyone
was considered as one of the main who wanted to attend and the invol-
The strategy drafting process was success factors to increase the likeli- vement of over 300 delegates, written
perceived to be as important as the hood for the strategy being perceived input and high participation in a ran-
Cyber Security Strategy itself. By ha- as relevant for the different stakehol- ge of workshops clearly indicated that
ving an open and inclusive strategy der groups. there is great interest in identifying
process, Norway sought to create ow- The strategy drafting process shared solutions. Subsequent works-
nership of the strategy for a large was launched with a strategy confe- hops with participation from both the
group of stakeholders. An ambition rence that was opened by the Prime public and private sector were also
early on was to truly make it a national Minister. It was important to get the used to follow up on various target
strategy for society as a whole, not target group’s attention from a very groups and prioritized areas. Drafts
Europe | Cyber Security – a joint responsibility calls for extensive cooperation 9
and the conference was livestreamed detailed report with around 60 recom-
to gain as much attention as possible, mendations at the end of 2015. This
“There is no resulting in over 1000 people following
the launch of the strategy.
assessment was followed by Norway’s
first white paper on Cyber Security in
use in having a 2017. Together, this paved the way and
lay the foundations for the new stra-
good strategy The Strategy tegy. Furthermore, for the first time,
Norway fully incorporated a civil-mi-
that nobody litary and an international dimension
knows about.” When it came to the strategy it-
self, it was a goal to communicate in
in the strategy, and combined it with
an “all-hazards” approach, making it
short, easy and precise language to a truly holistic strategy. A corner sto-
of the strategy were shared openly in be able to address people with in-dep- ne of the strategy is to reinforce pu-
these workshops for further input and th knowledge and rookies alike. The blic-private, civil- military and inter-
discussions in order to include stake- strategy contains a pull-out poster national cooperation.
holders throughout the different sta- that sums up the most important as- A separate list of measures
ges of the strategy process. pects of the strategy so that the stra- was released as part of the strategy
tegy is visible for the end user in their to support its implementation. It is
daily work life. In this way, it increases important to underline that this only
Generating attention the likelihood of the strategy being contains a selection of measures, and
to the strategy read, remembered and used. that all ministries are responsible for
From the publishing of the following up in their own sectors, as
first strategy in 2003 to now, and as well as to establish whether measu-
There is no use in having a good Norway became the first country to res initiated in their own sector su-
strategy that nobody knows about. release a fourth National Cyber Se- fficiently contribute to achieving the
Therefore, as an integrated part of curity Strategy, it has been important goals of the strategy.
the strategy process was to develop for Norway to establish a systematic A new approach was to not only
a media plan to get attention around approach and build on previous ex- have large national actions for the go-
the process. The media plan was de- periences to make the best possible vernment to follow up on, but to also
veloped in cooperation between se- strategy. An independent committee include ten basic points of advice for
lected ministries and agencies. This focused on identifying and assessing all companies in Norway to follow.
was seen as crucial in order to make Norway’s digital vulnerabilities was The main purpose of this advice is to
sure the strategy got attention and formed in 2014 and they delivered a raise the cyber security level across
was successfully implemented in the
wider community.
A separate strategy launch con-
ference was organized to increase
attention for the release of the stra-
tegy. The Prime Minister of Norway,
Minister of Public Security, Minister
of Justice and Immigration, Minister
of Defence and Minister of Research
and Higher Education played a vital
part in the conference and presented
different parts of the strategy. This
showed that the challenges we face
are cross-sectorial and a key priority
for the whole government. This open
event was fully booked within a day,
10 Cyber Security – a joint responsibility calls for extensive cooperation | Europe
Combatting Cybercrime:
Enhancing Collaboration
to Build Capacity in the
Asia Pacific Region
The Korea Supreme Prosecutors’ Office (KSPO), the World Bank and the GFCE are
collaborating in the creation of a “hub” to combat cybercrime in the Asia-Pacific
region through awareness raising, capacity building and training of key stakeholders,
including policy-makers, legislators, investigators, law enforcement, NGOs, civil
society and the private sector.
Cooperation needed port on a flagship initiative to address How the “Hub” was born
this issue.
to combat cybercrime
The three parties mentioned are
effectively collaborating to establish a center for The call for enhanced coordina-
training and capacity building focused tion and collaboration was raised at
on the Asia-Pacific region. The “Hub” the GFCE Annual Meeting in Singapo-
It has become clear that awa- will facilitate coordination of delivery re in 2018. At the meeting, under the
reness raising, capacity building and of training and capacity building initia- leadership of its chair, Zahid Jamil,
training of key stakeholders, in addi- tives by various organizations (mostly the members of the Working Group
tion to working with countries on ela- members of GFCE Working Group on on Cybercrime agreed on a number
borating enabling policies and laws, Cybercrime) as well as working as a of initiatives. Key among these initia-
are necessary tools to effectively com- regional clearinghouse to ensure en- tives was to focus on collaboration of
bat cybercrime. The Korea Supreme hanced coordination on delivery of its members and coordination of their
Prosecutors’ Office (KSPO), the World these activities by Working Group C various initiatives to deliver cybercri-
Bank and the GFCE are pleased to re- members. me awareness and capacity building.
12 Combatting Cybercrime: Enhancing Collaboration to Build Capacity | Asia & Pacific
Written by: Dhawal Gupta, Shri Dipak Singh, and Shri Rakesh Maheshwari, Cyber
Law & e-Security Division, Ministry of Electronics & Information Technology
Figure 1. The launch of the Cyber Surakshit Bharat programme by Honourable Minister of State (Electronics & IT) with industry leaders.
is becoming critical. A cyber breach E&Y, Samsung and Amazon Web Ser-
The “Cyber Surakshit
can cause severe financial damage vices. The knowledge partners from
and bring the functioning of govern- Bharat” programme the government include the National
ment and government organisations Information Centre (NIC) - an arm of
to a standstill. It is therefore impera- the Ministry of Electronics and Infor-
tive, that every organisation involved The “Cyber Surakshit Bharat” mation Technology (MeitY), Computer
in the use of Information Technology programme was launched on 19th Emergency Response Team of India
in the discharge of its functions must January 2018 to educate and enable (CERT-In), Standardization Testing
identify and document its Information the CISO’s and broader IT communi- and Quality Certification (STQC) Di-
Security (IS) requirements. ty within Government to address and rectorate - an attached office of Mei-
To strengthen cyber securi- mitigate the emerging challenges and tY, and Centre for Development of
ty in government departments, the create awareness. This includes a se- Advanced Computing (C-DAC) an au-
appointment of a Chief Information ries of regional workshops, deep-dive tonomous organization under MeitY.
Security Officers (CISO) was advised trainings for designated CISOs and The training is conducted at 6 cities in
to State governments, government or- the officers responsible for cyber se- the country namely New Delhi, Mum-
ganizations, public sector units (PSU), curity in their respective government bai, Kolkata, Bengaluru, Chennai and
etc. The CISOs shall be responsible for organization. Hyderabad.
maintaining and updating the threat The deep-dive training of CISOs Cyber Security is a vast domain
landscape of the organisation on a and other frontline IT government that ranges across policy, process, le-
regular basis, including staying up to officials is supported by a consortium gal and regulatory framework, chan-
date on the latest security threat envi- of industry partners and it is unique ge management and core technology.
ronment and related technology deve- example of Public Private Partners- As such, the target audience for the
lopments and take corrective actions. hip. The industry partners are Micro- deep-dive training have different bac-
soft, IBM, Intel, PaloAlto Networks, kgrounds as well, some with a highly
Asia & Pacific | Indian Initiative of Capacity Building for Senior Government Officials 15
technical background while some Feedback on the As a part of the structured feed-
with no prior technical experience. training sessions back collected, participants also pro-
The basic CISO deep-dive training is vided suggestions on improvement
therefore designed for a heteroge- or enhancement of future programs.
neous audience group to accommo- By and large, the post-training One major suggestion is to have fur-
date all participants and encourage feedback and validation suggests that ther training to address sector speci-
cross-learning built through intensive the training has been immensely use- fic training needs, for example in the
class group work and individual as- ful for participants in better unders- power and finance sector.
signments. tanding their roles and responsibili-
The programme has a target of ties as a CISO, while enhancing their
training 1200 CISOs and officials res- knowledge about cyber security. It has The way ahead
ponsible to observe cyber security in also broadened their understanding
their respective organizations. Since of the technical and legal aspects
the training started in June 2018, 486 involved in drafting policies for safe- This training initiative has crea-
officials, representing various Central guarding their organizations against ted an army of Cyber Security enthu-
and State Ministries and PSUs have cyber threats. The participants also siasts in State and Central govern-
been trained so far through 12 bat- felt that program provided a forum for ment organizations, including critical
ches of training. interaction and enabled learning from sectors like IT services, defence &
peers in similar roles. defence production, energy, telecom,
16 Indian Initiative of Capacity Building for Senior Government Officials | Asia & Pacific
“There is an
opportunity to
institutionalize
and scale up the
capacity building
drive, which is
currently limited
to basic training
of a targeted set
of officers in the Figure 3. The cumulative qualitative feedback collected based on a scale from 1-5, with
5 being best.
Government.”
election bodies and public service sily. Besides continuing with the ba- and its impact on organizational
examinations, finance, public sector sic programme to achieve the initial effectiveness.
banks and insurance companies. target training of 1200 CISOs, the way • Vertical Deep-Dive training pro-
It is important to not only keep forward is to develop a: grammes: There are regular re-
this motivation aligned but also build quests and feedback reiterating
an enabling ecosystem to further en- • Community of CISOs for ongoing the need for specific training
sure transfer of learning and tangible cross-learning and knowledge programmes that dives vertically
outcomes of the developed capacities exchange. into each module with a focus on
within the Government. Furthermore, • Reward and Recognition of CI- technology and hands-on expe-
there is an opportunity to institutio- SOs: This will not only help in rience.
nalize and scale up the capacity buil- encouraging documentation and • Assessment and Certification of
ding drive, which is currently limited adoption of better practices, but basic skills and competency to
to basic training of a targeted set of in the long run, will be critical in assume responsibility as a CISO.
officers in the Government. institutionalizing CISOs as an im-
Most of the CISO training parti- portant function in government
cipants have also underlined a need organizations.
for a platform where they can regu- • Impact Assessment of CISOs
larly interact with other participants Training and ongoing Training
to share their problems and issues, Need Analysis: To evaluate chan-
and to consult peers and experts ea- ges in the job behaviour that
resulted from the programme
America | The current process of OAS confidence-building measures in cyberspace 17
Written by: Mila Francisco Ferrada, Alternate Representative from Chile to OAS
Pablo Castro Hermosilla, Analyst, Ministry of Foreign Affairs Chile
International law this new domain will be governed, The consequences of such sce-
and cyberspace many countries have been investing narios can be serious. For this reason,
in offensive and defensive cybernetic the international community has enga-
capabilities of a military nature, whi- ged in global and regional processes
The debate on the stability and le others do not refer to international that seek to determine how interna-
governance of cyberspace has beco- law when using cyberspace. These tional law applies to cyberspace, to the
me one of the most relevant issues factors increase the risk of escalation development of norms that regulate
in the field of international security. and conflict and will continue to do so the behavior of States in this area and
Until States and relevant stakeholders as Internet-based platforms and in- underpinning a renewed agenda of
reach an agreement on exactly how frastructure continue to grow. confidence-building measures (CBMs).
18 The current process of OAS confidence-building measures in cyberspace | America
Creating a culture
of cybersecurity in
the Americas
The second meeting of the Wor- in cyber diplomacy. se engagement among MFAs in our
king Group was held in Santiago, 3. To foster the inclusion of cyber- region in the development of cyber-
Chile on April 23 and 24, 2019. Du- security and cyberspace subjects security and cyberspace policies. Per-
ring the meeting, Chile assumed the into training courses for diplo- ception of these subjects as technical
presidency for the period of one year, mats and officials of the MFAs and not necessarily political challen-
and Member States agreed to the and other government agencies. ges tend to diminish the importan-
following additional voluntary cyber 4. To foster cooperation and ex- ce the MFA plays in their definition.
CBMs to promote and strengthen the change of best practices on cyber However, MFAs are essential when
engagement of MFAs and diplomacy diplomacy, cybersecurity and cy- building cooperation between States.
on cybersecurity, and cyberspace po- berspace through, for example, MFAs usually coordinate national po-
licies in the region: the establishment of working licies and decisions on cyberspace
groups, other dialogue mecha- and cybersecurity in the international
1. To designate points of contact, in nisms, and the signing of agree- scene.
the event that none exist, within ments among states.
the MFAs, with the purpose of fa-
cilitating the work on internatio- Also, considering the impor- Strengthening cyber
nal cooperation and dialogue in tance of implementing the measures diplomacy and cooperation
cybersecurity and cyberspace. adopted, the Working Group agreed
2. To develop and strengthen capa- on recommendations to make effecti-
city-building through activities ve use of the national contact points MFAs and diplomacy are power-
such as seminars, conferences, (CBM 2 from 2018). ful and important tools when it comes
workshops, among others, for The adoption of these four mea- to building not just “cooperation brid-
public and private sector officials sures responds to the need to increa-
20 The current process of OAS confidence-building measures in cyberspace | America
“It is important
to build an open,
stable, secure,
transparent
and governable
cyberspace in the
region, in accordance
with international
law and with clear
Figure 4. Second meeting of the Working Group on Confidence Building Measures in
rules of responsible Cyberspace held in Santiago, Chile on April 23 and 24, 2019.
behavior.”
ges”, but also in the discussion, work Consequently, at the Regional
and negotiations on international nor- level, the establishment of CBMs in
ms and CBMs. Cyber diplomacy, then, cyberspace should encourage coope-
is a crucial dimension for the interna- ration, joint work, the development of
tional discussion of cybersecurity and national capacities and cyber diplo-
cyberspace. Considering that the cu- macy, amongst others. This region,
rrent process of discussion, negotia- as demonstrated in the past, has the
tion and adoption of CBMs within the capacity to agree on principles and
framework of the OAS is a good exam- practices, between States with a si-
ple of this, it seems logical that States milar vision, which can become stan-
adopt measures that allow and help to dards that others tend to accept. It is
strengthen cyber diplomacy. important to build an open, stable,
Cyber diplomacy is also rele- secure, transparent and governable
vant considering that the Americas cyberspace in the region, in accor-
presents unique characteristics that dance with international law and with
could generate a renewed approach to clear rules of responsible behavior. A
CBMs in cyberspace, which goes be- long term challenge will be to esta-
yond the aim of de-escalating possible blish effective mechanisms for imple-
conventional conflicts alone. Here, the mentation, and in this regard, it will
possibility of states using cyberspa- be essential to be able to help coun-
ce to conduct attacks on other states tries within the region develop their
may be remote, given the increasing national cyber capacities.
occurrences of conflicts and inter-sta-
te tensions.
America | OAS and CISCO launch the “Cybersecurity Innovation Council” 21
The General Secretariat of the Organization of American States (GS/OAS) through its
Cybersecurity Program and CISCO launched the Cybersecurity Innovation Councils
(CICs) in Latin America. This initiative aims to drive innovation, raise awareness,
and expand best practices in cybersecurity across the region.
The CICs will be comprised of representatives of the GS/OAS and CISCO, and
prestigious professionals from the public and private sector, industry associations
and academia. The multi-stakeholder design seeks to solve cybersecurity challenges
by incorporating varied perspectives with the understanding that no single actor
can effectively solve today’s cyber challenges. Collaborative innovation is required
between these key players for the purpose of developing better approaches and
effective solutions for today’s cyber issues.
The partnership cy-level cybersecurity capacity. The tatives from the private sector be
initiatives and activities carried out by involved in the protection of citizens’
the Program aim at ensuring an open, rights in cyberspace.
With over 12 years of experience, secure and resilient cyberspace CISCO has been an important partner
GS/OAS Cybersecurity Program has throughout the Western Hemisphere. in promoting education and technolo-
become a regional leader in assisting To promote cybersecurity in the Wes- gy that help improve cybersecurity by
countries in Latin America and the tern Hemisphere, the GS/OAS recog- contributing to capabilities needed for
Caribbean to build technical and poli- nizes that it is essential that represen- a safer cyberspace globally. CISCO, as
22 OAS and CISCO launch the “Cybersecurity Innovation Council” | America
“Members of the
CICs will discuss
the best way to
promote innovation,
raise awareness
among citizens
and disseminate
best practices in
cybersecurity.”
levant stakeholders in each country to training and exploration of best chnology for improving cybersecurity
share the findings of the Council and practices for incident response for citizens, companies and countries.
promote local discussions of cyberse- process across national entities. The contributions of the Councils of
curity. c. Certification or training: GS/ each country will ensure that the lo-
An additional regional event will OAS Cybersecurity Program and cal context is captured at the same
be held during 2020 after the first CISCO offer significant training time that the regional approach will
round of CICs have taken place. This of many types regarding cyber- enable international sharing to enrich
event will bring together again the security, technical training and all of the participants and the public
first representatives, OAS and Cisco ongoing certifications. Cyberse- discourse around cybersecurity in the
to share once again the best practi- curity, IoT, and core network se- Americas.
ces and lessons learned from the first curity are all key components of
year of activity. the certifications offered around
A key output of the CICs and this the region.
alliance will be the joint dissemination d. Hackathons: creation of cyberse-
of content generated by the Council curity focused hackathons which
such as white papers, blogs or other result in hands-on experience fo-
publications for use in various chan- llowed by guidance and support
nels such as social media, press re- to cybersecurity technicians from
leases or online presence. across the region.
e. Simulations: using, for example,
“Capture the Flag” or “Red Team
Funding innovative projects Green Team” techniques to offer
experience in threat hunting, cy-
bersecurity incident response, cy-
In the spirit of collaboration ber defense or other simulations
and innovation, a key final area of the of real attacks and defenses.
alliance and the councils will be to
design new projects that respond to
the issues raised regarding national Enhancing Cybersecurity
cybersecurity concerns. By definition, in the Americas
the final scope of these innovation
projects will be agreed at a future date
with the input from the CICs taking In conclusion, the OAS and CIS-
into context the specific challenges of CO will convene national Councils with
each country. Some possible exam- the overall objective of advancing cy-
ples include: bersecurity solutions, best practices
and education in an innovative fashion.
a. Youth projects: education-focused The Council approach will by design
campaign or event to raise aware- bring together different perspectives
ness of cybersecurity threats and from multiple distinguished partici-
good habits among the youth po- pants with expertise in the various fa-
pulation of the country. cets of cybersecurity. The Council and
b. SME’s: Design a project for co- its objective are directly aligned with
llaboration between national the OAS’ focus on hemispheric secu-
Computer Security Incident Res- rity, as well as with CISCO’s focus on
ponse Teams, including technical a broad approach to education and te-
24 Cybersecurity a Flagship project of the African Union Agenda 2063 | Africa
Cybersecurity a Flagship
project of the African
Union Agenda 2063
Cybersecurity is a major risk for the digital revolution in Africa. Decision makers
and business leaders in Africa always cite the proliferation of cyber incidents as the
culprit for the slow adoption of ICTs on the continent. The African Union Commission
has been playing a leading role in ensuring its member states are well equipped to
face this challenge and to mainstream cyber culture across Africa.
Digital transformation ments, digitalization is creating jobs, mation Strategy for Africa to guide a
for Africa addressing poverty, reducing inequa- common, coordinated digitalization
lity, facilitating the delivery of goods agenda. Cybersecurity, privacy and
and services, and contributing to the personal data protection is one of the
Africa presents a sea of econo- achievement of Agenda 2063 and the cross-cutting themes of the Strategy.
mic opportunities in virtually every Sustainable Development Goals.
sector, and the continent’s youthful It is within this context that the
population structure is an enormous African Union (AU) Commission in Cybersecurity needed
opportunity in this digital era. For this collaboration with the UN Economic for digital development
reason, Africa is making digitally ena- Commission for Africa, Smart Africa,
bled socio-economic development a AUDA-NEPAD, Regional Economic
high priority. Communities, African Development The incidents and threat of cy-
Digital Transformation is a dri- Bank, Africa Telecommunications ber breaches, as well as the spread
ving force for innovative, inclusive Union, Africa Capacity Building Foun- of viruses and malware is pervasive.
and sustainable growth in Africa. dation, International Telecommuni- Given the global threat, a comprehen-
From innovations such as for mobile cation Union and the World Bank, is sive and consistent response is requi-
money platforms to large-scale bu- currently finalizing the development red. Only by raising the awareness of
siness process outsourcing develop- of a Comprehensive Digital Transfor- the public, educating businesses on
Africa | Cybersecurity a Flagship project of the African Union Agenda 2063 25
Figure 1. Workshop for AU Member States on cyber strategy, cyber legislation and setting up CERTS organized in July 2018
days after the date of the receipt by steps to create an African Cybersecu-
the Chairperson of the Commission rity Experts’ Group, composed of 10 –
Nation Agencies, the African develop- ting and sometimes amplifying the
ment Bank, the World Bank, and the global trends in this area. In essence,
“The increasingly European Investment Bank. there is an urgent necessity to ensure
It goes without saying that the that citizens, governments and busi-
digital and data Digital Transformation is at the top of nesses are protected.
my department’s priorities. We will be
driven economy working with all our partners around Q: What are some of the concrete
also comes with the world to make sure that our Afri-
can Digital Agenda priorities are ti-
steps that the AUC has taken to pro-
mote Cybersecurity?
risk and challenges, mely implemented for the benefit of
our people. First: Following the adoption of
therefore requiring the Malabo Convention in 2014, the
Q: What is the strategic imperative of AUC has been organizing capacity
new rules that cybersecurity for AUC? building and sensitization workshops
on Cybersecurity for our Member Sta-
would generate Undoubtedly, the rise of digital tes to address:
trust, protect technologies offers the prospect to
unlock tremendous opportunities and
• Cybercrime issues,
• Online Privacy and personal data
and secure data new pathways for economic growth,
economic mobility, innovation, job
protection,
• Drafting of Cyber-Strategy and
across the entire creation and access to quality servi- Cyber-Legislation,
ces by citizens. The accelerating pace • Setting up of incident response
value chain.” of technology, the convergence of systems such as CERTs/ CIRTs
multiple technologies, and the emer-
gence of global platforms are chan- Second: The AUC published in
mation strategy, Africa will be in a be- ging traditional development models collaboration with Internet Society,
tter position to leapfrog into the 21st and value chains. With that said, the Guidelines on:
century and catch up with the rest of increasingly digital and data driven • Security of Internet infrastructure
the World. economy also comes with risk and in Africa; and
Digital Transformation is now at challenges, therefore requiring new • Personal Data Protection for Africa;
the top of African Union Agenda as rules that would generate trust, pro- • We also published in 2016, in coo-
an enabler of socio-economic deve- tect and secure data across the entire peration with Symantec and US
lopment. The Chairperson of the AU value chain. State Department, a report on
Commission H.E. Mr. Moussa Faki Ma- Being connected to the rest of Cybersecurity and Cybercrime
hamat and other African leaders have the world means that Africa is now trends in Africa
repeatedly emphasized this including within the perimeter of cybercrime,
more recently during the 32nd Afri- making the continent’s information Third: The AUC has recently es-
can Union Assembly of Heads of State systems and digital infrastructures tablished an African Cybersecurity Ex-
and Government that took place early rather vulnerable. Unfortunately, both perts’ Group whose sole mission is to
February 2019 and in the presence of governments and private sector enti- advise the AUC on Cybersecurity ma-
many of our continental and interna- ties in Africa have increasingly been tters. The first experts’ group meeting
tional partners like Estonia, the United experiencing cyber-attacks, reflec- will take place during this year.
Africa | An interview with Dr. Amani Abou-Zeid on cybersecurity and the AUC’s priorities 29
Finally: The AUC has launched Q:With the limited resources availa-
in cooperation with the European ble to AUC, what are the key priori-
Union the “Policy and Regulation ties in the short term? The AUC must
Initiative for Digital Africa (PRIDA)”.
Building capacity in all 55 AU Mem- It is critically important to assist foster strong
ber States on Internet Governance the AU Member States with:
and Cybersecurity/ Cyber-resilience First: Development of national cy- partnerships
matters is one of the critical tracks of
PRIDA project.
ber-security strategies, in line with in-
ternational standards and practices as with countries
Q: Given all that has been accompli-
well as supporting the creation of na-
tional governance for Cyber-security;
and international
shed by the AUC so far, what are the Second: Adopting and Implemen- players who
missing elements in order to have tation of legal frameworks for online
real impact? privacy and personal data protection as possess capabilities
to allow African citizens to safely and
At the continental level, the Exe- securely use ICT for their socio-econo- and know-how.”
cutive Council of the African Union mic development (Health, education,
endorsed in 2018 “the AU Declaration governance etc.) as a sine qua none
on Internet Governance and develop- condition for peace and stability;
ment of the Digital Economy in Afri- Third: Enforcing the existing na-
ca and adopted Cyber Security as a tional criminal laws and adapt them
Flagship project of the African Union to the reality of digital environment to
Agenda 2063”. effectively fight against all kind of cy-
However, in order for the Afri- bercrime and cyber-attacks. Develo-
can Union Commission to make real ping legal and Regulatory framewor-
progress and ensure that all African ks and specific provisions related to
countries are well positioned and fu- cyber legislations,
lly equipped to tackle this serious is- Fourth: Develop technical ca-
sue, the AUC must firstly embark on pabilities to monitor and defend na-
a cybersecurity awareness campaign tional networks to protect Institutions
targeting policy makers, businesses against the threats and attacks capa-
and citizens at national, regional and ble of endangering their survival and
continental levels. AUC must ensure efficacy;
that sound cyber culture policies are Fifth: Establishing and opera-
being implemented on the continent. ting Computer Emergency / Incident
Secondly, to enable actions and Response Teams (CERTs/CIRTs),
concrete steps in this area, the AUC Finally: Developing continental
must foster strong partnerships with and regional mechanisms to increa-
countries and international players se regional and international coo-
who possess capabilities and know- peration on Cybersecurity and build
how. an Africa CERT at the African Union
Commission HQ
30 UNODA and Singapore Cyber Security Agency: online training course “Cyberdiplomacy” | Global Developments
Use of ICTs and Three of these Groups have agreed on Experts on ICTs in the context of inter-
International Security substantive reports, with conclusions national security.
and recommendations that all UN With three in-depth substantive
Member States have welcomed.1 documents in place and the possibility
Since 2004, the UN General As- Importantly, in 2016, the General that this corpus of international gui-
sembly has established five Groups of Assembly adopted resolution 71/28, dance on cybersecurity will continue
Governmental Experts (GGEs) to exa- calling on Member States to be guided to grow, the UN Office for Disarma-
mine the existing and potential threats in their use of information and com- ment Affairs, in partnership with the
from the use of ICTs and possible coo- munications technologies by the 2015 Singapore Cyber Security Agency, de-
perative measures to address them. report2 of the Group of Governmental veloped an online training course to
Global Developments | UNODA and Singapore Cyber Security Agency: online training course “Cyberdiplomacy” 31
encourage greater understanding of by UN Member States. The course is audiences around the world.
the use of ICTs and its implications for also intended to support the capaci- The training course is also avai-
international security, based on the ty of States to engage in cyber diplo- lable to the private sector, non-gover-
contents of the GGE reports. macy as UN Member States prepare nmental organizations and academia,
to collectively consider, over the co- which will be engaging with intergo-
ming years, the issue of internatio- vernmental processes on internatio-
Meeting the demand for nal ICT-security in an Open-ended nal ICT-security for the first time. In
awareness-raising on the Working Group, and in parallel, a new this context, the course provides an
Group of Governmental Experts3. The- opportunity for these actors, many of
work of previous GGEs se processes will be informed by the whom have never engaged with these
work of the previous GGEs. This online processes, to enhance their unders-
By unpacking the key elements training course fulfils a need for grea- tanding of the issues being considered
and recommendations formulated by ter understanding of previous findings by States.
the GGEs, the training course is de- and recommendations, and its online
signed to facilitate their application format makes it readily accessible to
Figure 1. In an “Existing Threats” module, participants are introduced to the range of threats in cyberspace.
32 UNODA and Singapore Cyber Security Agency: online training course “Cyberdiplomacy” | Global Developments
Figure 2. Which type of attacks belongs to which category? This drag-and-drop activity challenges participants to apply their acquired
knowledge.
Global Developments | UNODA and Singapore Cyber Security Agency: online training course “Cyberdiplomacy” 33
GFCE: Strengthening
the cyber capacity
building ecosystem
Since 2015, the Global Forum on Cyber Expertise (GFCE) has focused its efforts
on growing the community and building a strong foundation to facilitate efficient
exchange, collaboration and knowledge-sharing. Today, the GFCE functions as
a thriving ecosystem that enables international cooperation in cyber capacity
building (CCB) and prioritizes the practical implementation of cyber capacities.
To continue accelerating forward, the GFCE shifts its attention to strengthening
the GFCE ecosystem through the Working Groups, launching the CCB knowledge
portal, implementing the clearing house mechanism, and progressing towards
internationalization.
members to work together outside of lable open-sources and input from the
scheduled conference calls and mee- GFCE community and CCB knowledge
tings (for example, they may collabo- community. Input from the GFCE com-
rate on online documents). munity was collected by the Secre- “The portal
tariat over the summer through our
Questionnaire 2019, allowing Mem- aims to be a
Launch of CCB
knowledge portal
bers and Partners to share informa-
tion on their ongoing and completed
neutral, globally-
CCB projects, knowledge products, owned, one-stop
and events. The portal, which would
In line with the GFCE’s efforts to not be possible without the valuable knowledge hub that
enable and support global CCB pro- contributions of the GFCE’s extensi-
cesses, the CCB knowledge portal ve network, thus contains a wealth of brings together
will be launched during the Annual
Meeting 2019 in Addis Ababa, Ethio-
unique information on products, tool-
kits, and activities on CCB as well as information on
pia. The portal aims to be a neutral,
globally-owned, one-stop knowledge
the GFCE Working Group outcomes.
The portal is accessible for everyone
cyber capacity
hub that brings together information on: www.cybilportal.org. building.”
on cyber capacity building from avai-
36 GFCE: Strengthening the cyber capacity building ecosystem | Global Developments
Implementation of the same region are also brought together is one of the most visible outcomes of
clearing house mechanism to collaborate and coordinate on the the Working Group.
requirements for the project.
To facilitate the clearing house
A core aim of the GFCE is to mechanism, each Working Group is Working Group
match countries that require assistan- in the process of creating a menu of Workshops during the
ce in capacity building with resources support that they can share with the 2019 Annual Meeting
and expertise. Through our clearing wider GFCE network. With this, coun-
house mechanism, the GFCE is able tries that require assistance may be
to connect countries that require CCB matched to stakeholders quickly and With a continued focus on the
assistance with multi-disciplinary more efficiently while providing the re- outcomes of the Working Groups,
stakeholders that can offer support. cipient with a clear visualization of the each group organized two 2-hour
During this process, stakeholders practical areas that they may receive workshops on the Tuesday of the An-
working on similar CCB projects in the support. The clearing house process nual Meeting 2019 in Addis Ababa.
Global Developments | GFCE: Strengthening the cyber capacity building ecosystem 37
The workshops were designed with real experiences through case studies, CCB, the GFCE Annual Meeting 2019
the beneficiary community in mind, best practices, and interacting with ex- is the next milestone to demonstrate
to engage regional participants and perts one-on-one. its importance through its knowle-
emphasize more practical implemen- Besides these Workshops, dge-sharing, Working Group delive-
tation of CCB. Prior to the workshops, Members and Partners also have the rables, and the GFCE clearing house
participants were given a menu of opportunity to share their own CCB mechanism.
workshops with descriptions so that projects and experiences at the GFCE
they could choose to attend the ones Base Camp booths over the three days.
that are most relevant or pertinent to This provided an excellent networking
them. The workshops covered a range opportunity for the community as they
of topics from National Cyber Security could walk around the booths, ask
Strategy, IoT Security, and Critical In- questions, seek advice, and network
formation Infrastructures Protection, with others.
to Cyber Security Awareness and Cy- As we have laid the foundation
bercrime. During the action-oriented over the last four and a half years for
workshops, participants learnt about a strong ecosystem to cooperate on
Volume 6, October 2019
Global Cyber Expertise Magazine
Colophon
Publishers
Disclaimer
The opinions expressed in this publication are solely those
of the authors and do not necessarily reflect the views of the
AU, EU, GFCE or OAS or the countries they comprise of.
Global Cyber Expertise Magazine
AU • EU • GFCE • OAS
contact@thegfce.com