Paper:
Reviewing National Cybersecurity Strategies
Shigeo Mori and Atsuhiro Goto
Institute of Information Security
2-14-1 Tsuruya-cho, Kanagawa-ku, Yokohama-city, Kanagawa 221-0835, Japan
The damage caused by cyber-attacks is becoming larger, broader and more serious, and has come to include monetary losses and the loss of lifelines. Some cyber-attacks are suspected, arguably, to be part of national campaigns. Under such circumstances, the public sector must endeavour to enhance national cybersecurity capacities. There are several benchmarks for national cybersecurity, i.e., snapshot assessments of a nation's cybersecurity strength relative to others at a global level. However, considering the development of technology, attackers' skills and the capacities of other nations, we believe that it is more important to review the national strategy for cybersecurity capacity enhancement and to ensure that the national capacity advances adequately in the coming years. We propose a method of reviewing national strategies. Additionally, we performed a trial review of the Japanese cybersecurity strategy using the Cybersecurity Capacity Maturity Model for Nations (CSCMMN) developed by the Global Cyber Security Capacity Centre. The trial showed the method to be workable: it detected various possibly inadequate approaches (insufficient, inappropriate or inefficient, although further investigation is needed) in the Japanese strategy. Moreover, the review also revealed shortcomings in the capacity areas of the CSCMMN. We plan to improve the reviewing method and to develop a process for improving national strategies for cybersecurity capacity enhancement.
This article is published under a Creative Commons Attribution-NoDerivatives 4.0 International License.