Undoubtedly, developing and implementing a national cybersecurity strategy is difficult. A McKinsey study describes the best practices.
Against a backdrop of escalating geopolitical and geo-economic tensions, one of the biggest threats nations face today is from state-sponsored cyber warfare. From election interference to the alleged attempted theft of sensitive COVID-19 vaccine research to power-supply cutoffs for nearly a quarter-million people, state-sponsored cyberattacks are infiltrating the critical infrastructure of countries around the world.
Not just state actors but also nonstate actors today have more technical prowess, motivation, and financial resources than ever before to carry out disruptive attacks on a country’s critical infrastructure. Any attack on critical infrastructure in one sector of a country can lead to disruption in other sectors as well. An attack on a country’s telecommunications, for example, may disrupt electronic payments.
But this is just part of the problem. Today, individuals and businesses are more dependent than ever on digital connectivity in virtually every aspect of their existence. Most people cannot imagine going even a few hours without access to the internet. Globally, an estimated 127 new devices connect to the internet every second. Any disruption in digital connectivity is considered an obstacle in the path of progress.
Owing to the COVID-19 pandemic, our dependence on all matters digital has increased dramatically. With remote working having become integral to our economies and the medical response, the rising dependence of citizens and businesses on everything digital is only going to continue.
With every new device, user, and business that connects to the internet, however, the threat of cyberattacks increases. If a government cannot provide secure and trusted digital connectivity, societies can’t prosper and economies won’t thrive.
As a result, more than 100 governments have developed national cybersecurity defense strategies to combat the cybersecurity risks that their citizens, businesses, and critical infrastructure face. To help up-and-coming governments, we studied and benchmarked the cybersecurity strategies of 11 nations (see sidebar, “About the research”).
While countries have taken a wide variety of approaches to cybersecurity defense, we have identified five common elements of successful national strategies. We explore those strategies in this article. The dangers relating to cybersecurity are constantly evolving, and the stakes are high. Governments that focus their efforts in these five places might be in a better position to prevent cyberattacks, mitigate their damage, and better protect their citizens, businesses, and critical infrastructure.
Principal elements of a comprehensive national cybersecurity strategy
These are the five elements of successful national cybersecurity strategies:
- dedicated national cybersecurity agency (NCA)
- National Critical Infrastructure Protection program
- national incident response and recovery plan
- defined laws pertaining to all cybercrimes
- vibrant cybersecurity ecosystem
Dedicated national cybersecurity agency
Best-in-class countries give a single entity—usually referred to as a national cybersecurity agency—the overall responsibility of defining and driving the cybersecurity agenda of the entire country. This involves developing a cohesive national cybersecurity strategy with a portfolio of initiatives, among them protecting the critical infrastructure of the country, mobilizing the response to cyber incidents, defining cybersecurity standards, improving the cyber awareness of citizens, and developing the cybersecurity capabilities of professionals.
Fulfilling these responsibilities requires the NCA to have adequate in-house technical skills and expertise. To fill any capability gaps, the NCA typically partners with and mobilizes other government entities as well as the private sector. The United Kingdom’s National Cybersecurity Agency, for instance, works closely with other government entities, such as the Department for Digital, Culture, Media & Sport, to improve capabilities of the cybersecurity professionals in the country.
When setting up an NCA, countries can consider design choices, such as:
- Should the agency reside within a defense and intelligence entity or within a civilian body?
- What level in the government does the agency report to?
- What is the scope of the agency’s control and oversight (for example, does it focus only on critical infrastructure or also on citizens and small and midsize businesses)?
Approaches to these design choices vary even among leading countries but typically reflect a country’s political philosophy, federal government structure, maturity of cyber capabilities, and overall cybersecurity aspirations.
National Critical Infrastructure Protection program
If an NCA could only focus on one aspect of cybersecurity, it should be protecting the critical infrastructure of the country. Critical infrastructure is typically the most attractive target for hostile state actors. Disruption to critical infrastructure can have an impact on the economy, business confidence, society, and even overall national security. Critical infrastructure typically consists of both information technology and operational technology, which makes it harder and more complicated to protect. Our study found that the best-in-class National Critical Infrastructure Protection programs focus on the following three success factors:
Prioritized critical sectors and assets. A country typically determines whether a sector is critical based on how significant a role it plays in ensuring the health of the economy, well-being of the society, and national security of the country. For example, the European Union’s Network and Information Security (NIS) directive considers energy, transport, digital infrastructure, healthcare, and water critical sectors to protect. Our global benchmark analysis of 11 countries reveals that the majority of those countries have identified 11 critical sectors, ranging from energy (oil, gas, and nuclear power) to healthcare and emergency services.