UK encourages UN Member States to undertake national cybersecurity capacity assessment

18 January 2022

The call was made in a statement by the UK delegation to the United Nations Open Ended Working Group on Developments in the Field of ICTs in the Context of International Security at its first substantive session at the UN headquarters in New York.

The United Nations Open Ended Working Group on Developments in the Field of ICTs in the Context of International Security (UN OEWG) was established in 2019, based on resolution 73/27, to further develop rules, norms, and principles on responsible state behaviour in cyberspace.

The meeting, held the week of 13th December 2021, had rich contributions from member states and inter-governmental organisations, as well as inputs from non-state actors. It focused on cyber rules, norms and principles, on the applicability of international law in cyberspace, on capacity building, on new and emerging cyber threats, and on multistakeholder participation for this new round of negotiation on responsible state behaviour in cyberspace.

In its statement to the working group, the UK encouraged member states to conduct cybersecurity needs assessments using the Cybersecurity Capacity Maturity Model for Nations (CMM) developed by the Global Cyber Security Capacity Centre (GCSCC). The UK noted that the adoption of the model by so many organisations demonstrates its massive impact on global cybersecurity capacity building.

Since 2015, the CMM has been deployed in 87 countries, including the UK, to identify their gaps and needs in cybersecurity capacity. Thirty-six states have gone on to use the model for a second time to track their progress over time.

“Despite its Oxford home, the CMM is a global effort delivered through a range of well-known experts, from the World Bank to the International Telecommunication Union, and through regional institutions such as: the Organization of American States; the Commonwealth Telecommunications Organization; the Oceania Cyber Security Centre; and the Cybersecurity Capacity Centre for Southern Africa,” said the UK representative.

Statements by different delegations referred to the importance of a multistakeholder perspective, as different actors have important roles to play in cybersecurity capacity and in preserving and maintaining cyber stability. Delegations also called for a demand-driven and coordinated approach to capacity building and a means for tracking the progress of global efforts and of the UN OEWG towards cybersecurity capacity building.

One way of doing this, as the UK noted, is to develop an understanding of what cybersecurity maturity is, to understand the multistakeholder environment in national ICT policy communities, and to share this knowledge between states on a continuous basis, so that states and organisations can learn from each other. The CMM highlights countries’ areas of strength, and the country reports provide an opportunity for sharing experiences and good practices for developing cybersecurity resilience. It also empowers governments to include elements of diversity and participation in the development and implementation of cybersecurity strategies.

The global research of the GCSCC and its partners has demonstrated patterns of similarities in cybersecurity across regions that can be leveraged when designing approaches to cooperation on cybersecurity capacity-building.