Five Guiding Principles for the Development of National Cyber Strategies

Editor’s note: In a piece that first appeared in the June 2014 issue of Turkey’s International Strategic Research Organization (USAK)’s ‘Analist’ magazine, Ian Wallace examines five principles of what a national cyber strategy should look like.

National cyber strategies are very much in vogue. The majority of European Union and NATO member states had their own national strategies, along with countries as diverse as Grenada and Pakistan. The message is clear that cybersecurity matters. If you want to be taken seriously on the world stage, let alone protect your increasingly networked economy and society, you need a national cyber strategy. But what does a national cyber strategy need to look like?  Here are five principles that I believe should be central to any such endeavor:

• Remember that a strategy is declaratory policy as well as a guide to action.While the primary purpose of a national cyber strategy is usually to ensure a coordinated national response to cyber threats, what your national cybersecurity strategy says, also says a great deal about your nation. Countries that see the principal threat being attacks on information systems will be seen very differently to countries that see the threat coming from the information itself.
• Focus on continuity as well as change. New national coordination structures will likely be required to respond to the cyber challenge.  But what is just as important will be to successfully adapt existing structures to the new challenges. Cyber crime is still crime, cyber espionage is still espionage, cyber warfighting is still warfighting.  Preserving that philosophy will help keep the challenge in perspective and ensure, for example, that civilian/military roles and responsibilities are appropriately maintained.
• Make your strategy genuinely ‘national’.  National strategies are often about the role of government in cyber security, and that is not a bad thing.  But effective cybersecurity is likely to be a private/public partnership, often with the private sector in the lead.  Strategies that recognize this fact, and build on it (eg. through government use of both ‘carrots’ and ‘sticks’) are likely to be the most successful.  Likewise, cyber is an international issue – foreign and development ministries have key roles to play too.
• Make sure your strategy is credible. Resourcing is an important part of this, but so is what strategies fail to address. For example, the fact that few strategies mention the offensive cyber capabilities is – in my view – often self-defeating.  A partial strategy is unlikely to be convincing. No one expects great detail but a failure to acknowledge such capabilities simply undermines confidence in the rest of the strategy.  Indeed, using national strategies to set out unilateral limits on the use of such capabilities could be an important ‘norm’ setting device.
• Accept that cybersecurity is with us forever, and plan accordingly. All strategy should be dynamic, but especially cyber strategy where not only are the adversaries perpetually evolving but so is the underlying technology.  Part of this is to mitigate the likely consequences of inevitable future attacks.  In fact, when we look back in history, we may well conclude that the most successful national strategies have been those that build nations’ resilience to cyber shocks.  To date, however, such strategy sadly remains the exception rather than the rule.