Rapid progress in IT industry over the past years created an evolvement of various unprecedented opportunities. At the same time, the accessibility and interaction of various local and global networks increase their vulnerability to cyberattacks of different nature. For instance, there were cases when hackers cracked online security systems of banks endangering up to 25 million people (Hyde, 2012). Therefore, alongside with assuring the security of the country in the physical world, it is crucial for any government to secure national cyberspace. Consequently, the implementation of the strategies defending cyberspace should be a priority for any country. Such need is also crucial for resource-poor nations because the rapid growth of technology is inevitable in the whole world. At the same time, developed countries unite their efforts for establishing comprehensive international strategies of cybersecurity.
Common Principles and Guidelines of ENISA and CTO
First, in order to compare strategies of the two organizations, the main characteristics should be defined. Thus, CTO “is the Commonwealth agency mandated in the field of Information and Communications Technology and works towards helping its members leverage ICTs for socio-economic development” (“Commonwealth approach for developing national cybersecurity strategies,” 2015). At the same time, The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its Member States, the private sector and European citizens (European Union Agency for Network and Information Security, 2014).
Despite the organizations operate in differentlocations, they aspire a similar goal, which is to assure cybersecurity within the region of operation. Because they have a similar goal, they share some basic principles, and guidelines that affect their strategies. Both organizations unite the resources of the stakeholders and share responsibilities to create a standardized framework resisting cybercrime and assuring cybersecurity. Moreover, they support individual security of the citizens as well as organisations and governments. Likewise, they see the strategy of cybersecurity as a risk-base and outcome-focused. Thus, identification of threats, vulnerabilities and consequences as well as focus on the desired outcomes and critical points is the organizations’ common priority (“Commonwealth approach for developing national cybersecurity strategies,” 2015). Moreover, they plan to optimise the adoption in the broadest range of critical sectors to be internationally standardized.
Furthermore, the implementation of the strategies starts from gathering the data about the possible vulnerabilities, solutions and outcomes as well as informing the stakeholders. Afterwards, raised awareness of cybersecurity is supported by various hardware and software standardized by the stakeholders. At the same time, both organizations have differences that make them unique in their approaches towards the proposed solutions and strategies in the sphere of cybersecurity.
Our outstanding writers are mostly educated to MA and PhD level
Unique Principles of CTO
First, CTO embraces a wider variety of countries. Therefore, it follows an intercontinental strategy of cybersecurity, which is supported by its statement “we contribute to a safe and an effective global Cyberspace” (“Commonwealth approach for developing national cybersecurity strategies,” 2015). Consequently, their strategy embraces a significantly broader range of stakeholders when compared to ENISA. Additionally, this strategy is based on collaboration with Microsoft, which is one of the most influential hardware and software developers. Such basis enhances the processes of unification and standardization of global cooperation in the selected sphere. Likewise, the strategy is based on international standards such as ISO-31000, ISO-27000, BSI, COBIT 5, NIST SP800-53 and others. In fact, each participating country recognizes the major parts of such standards. Moreover, each participant is obliged to abstain from developing separate cybersecurity standards in order not to interfere with the global approaches and practices.
Since the CTO’s strategy aspires for the development of a global cybersecurity approach, it recognizes the need for a standardized glossary of terms related to this sphere. This measure is important because “some words related to Cybersecurity can convey quite different meanings to different audiences across different sectors” (“Commonwealth approach for developing national cybersecurity strategies,” 2015). Besides, the strategy relies on the creation of sub-committees and activities organized by the stakeholders. At the same time, the difference between CTO and ENISA is that in CTO each participating country identifies its unique goal. For instance, among the Austrian goals, the establishment of individual standards transitioned into CTO through a regulatory framework. Furthermore, Canada is more concerned about secure government systems and partnerships to secure vital cyber systems (“Commonwealth approach for developing national cybersecurity strategies,” 2015).
Therefore, CTO is the initiative in the sphere of global cybersecurity that is pursuing the development of a unified security framework guided by Microsoft. At the same time, the participating countries are free to focus on individual issues with the restriction of introducing individual standards, which can restrain global initiatives. Moreover, governments of each participating county should ensure the validity of the implemented strategy through legislation. Additionally, the organization enables each country to participate in the development of an interactive network that handles minor incidents without central intervention (“Commonwealth approach for developing national cybersecurity strategies,” 2015). Consequently, the strategy practiced by CTO allows managing global and local cyberthreats within a flexible framework of standardized international cooperation.
Unique Aspects of ENISA
The main difference between ENISA and CTO is that ENISA focuses on the participants of the European Union. Therefore, it is a strategy directed towards local cyberspace security. This locality is one of the most economically and technologically developed parts of the world. That is why it focuses on experience-based approaches, which allow creating a working framework of the domestic cybersecurity. The proposed strategy is a result of the comprehensive evaluation of 18 cybersecurity strategies of the members of the EU as well as eight non-EU strategies (European Union Agency for Network and Information Security, 2014). Additionally, they were supported by 11 informant interviews that resulted in the mapping of the components of National Cyber Security Strategy (NCSS). Furthermore, the study stresses that the discussed ENISA strategies are functioning almost in all 28 states of the EU. The process is constantly analysed in case with any necessary corrections related towards the evolving issues arise. Thus, the study suggests that ENISA has a significant impact on cybersecurity measures within a specified area.
Furthermore, ENISA practices a mapping approach when considering major issues of cybersecurity. Thus, it focuses on a simplification and visualization of the elements “that can be used as part of an evaluation framework based on logic modelling and programme theory” (European Union Agency for Network and Information Security, 2014). This need is crucial for the EU since it is a union of states with different cultural, technological and other factors. Therefore, unlike the Commonwealth’s strategy, the process of unification of the similar issue within this region requires a thorough evaluation of the opportunities and threats of each member. Moreover, the authors of this method indicate that it aspires for exploring “the starting point for Member States in implementing and/or enhancing the evaluation aspects of their strategies” (European Union Agency for Network and Information Security, 2014). Thus, mapping objectives consider specific concerns of each region that are managed by the common efforts of the Member States. Additionally, the strategy recognizes inputs and outputs associated with its implementation regarding each Member State. For instance, Czech Republic and Poland recognizes the need for a legislative framework whereas Slovakia and the UK require review of the applied practices (European Union Agency for Network and Information Security, 2014).
Concerning the structure, ENISA has introduced flexible units of emergency response, which are managed by Computer Emergency Response Teams. Their activity is associated with the increase of cyber security progress in the region. Additionally, ENISA implemented the principle of protecting critical infrastructure (CIP). The authors claim this measure to be efficient because of the need for protection of vital services in society (European Union Agency for Network and Information Security, 2014). Moreover, CIP requires a direct control of the governments since it considers each Member State separately.
Furthermore, ENISA proposes a broad range of stakeholder initiatives ranging from educational trainings to collaboration with businesses, establishing a culture of cyber security. Therefore, this program is more practical and efficient, as it emphasizes on the applied efficacy and real-time evaluation of the implemented measures.
Recommendation for Providing the Best Approach for Developing a National Cybersecurity Strategy
Since each of the characterized approaches has its pros and cons, there is a need for describing next steps of cybersecurity strategies. These steps should present the best approach for developing a national cybersecurity strategy. Thus, the fist suggestion is to form initiative groups responsible for direct cyber threats. Such threats might be hacker and botnet attacks as well as the usage of any software aimed at endangering national and individual intelligence. Among the responsibilities of such groups would be collaboration, evidence-based research and provision of security measures. Moreover, the additional legislative initiatives should be directed towards the establishment of responsibilities to fight cyberattacks. Additionally, they should focus on the provision of legislative background for educational initiatives in the sphere of digital security. National cybersecurity strategy requires the existence of unified standards in terminology as well as common approaches in management of the issues. Educational programs should support the unification, fostering cybersecurity awareness. Next, this national program of digital security should have a standardized basis, which allows it to integrate into the global security frameworks. This integration would allow sharing data and experiences related to the discussed issue. Furthermore, the program should establish a proper scientific basis for addressing the problems of cybersecurity. Microsoft or another predominating software developer might regulate it, thus gaining social interest and support. This measure would also positively influence the process of software integration that would assure the compatibility of the national program with global initiatives on different levels.
Conclusion
After analyzing the presented cybersecurity strategies, the study concludes that they provide a wide range of efficient approaches directed towards global and local cybersecurity. Moreover, they have various similarities and differences. Thus, the evaluated similarities of the strategies include the goals of cybersecurity of their members, addressing individuals, private, corporate sectors, and governments. Likewise, they unite the resources of stakeholders and share the responsibilities between them creating a standardized framework for efficient operation. Positive outcomes of the strategy are also assured through the standardization of hardware and software. At the same time, ENISA is more applicable on practice and evidence-based, whereas CTO devotes many efforts towards the unification of IT standards and glossaries. Likewise, CTO relies on the guidance of Microsoft as a leader of the industry whereas ENISA is based on evidence from the State Members. Both strategies are efficient when applied towards the region of their function. However, the study suggests that there is a need for the establishment of proper scientific institutions aimed at the research of national cybersecurity. At the same time, advanced measures of its international integration into the international framework of global security would assure its compatibility with international structures and plans. Such measures would drastically raise awareness about the issue of cybersecurity within a specified country.