The CMM at the UN OEWG: The UK encourages Member States to undertake national cybersecurity capacity assessment
Posted: 20th January 2022
The United Nations Open Ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG) held its first substantive session in the week of 13th December 2021 at the UN headquarters in New York. The UN Cyber OEWG was established in 2019, based on resolution 73/27. Its aim is to further develop rules, norms, and principles on responsible state behaviour in cyberspace and on security of and in the use of ICTs by state actors. After the successful conclusion of the first round of negotiations, which ended with a Final Substantive Report, the OEWG was renewed in December 2020 for the term 2021-2025 by resolution A/RES/75/240.
The December 2021 meeting had rich contributions from member states and inter-governmental organisations, as well as inputs from non-state actors, with a focus on cyber rules, norms and principles, on the applicability of international law in cyberspace, on capacity building, on new and emerging cyber threats, and on multistakeholder participation for this new round of negotiation on responsible state behaviour in cyberspace.
In its statement, the United Kingdom (UK) encouraged member states to conduct cybersecurity needs assessments using the Cybersecurity Capacity Maturity Model for Nations (CMM) of the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. The UK noted that the adoption of the model by so many organisations demonstrates its massive impact in global cybersecurity capacity-building.
“Despite its Oxford home, the CMM is a global effort delivered through a range of well-known experts, from the World Bank to the International Telecommunication Union, and through regional institutions such as: the Organization of American States; the Commonwealth Telecommunications Organization; the Oceania Cyber Security Centre; and the Cybersecurity Capacity Centre for Southern Africa,” said the UK representative. Since 2015, the CMM has been deployed in 87 countries, including the UK, to identify their gaps and needs in cybersecurity capacity. Thirty-six states have gone on to use the model for a second time to track their progress over time.
Statements by different delegations referred to the importance of a multistakeholder perspective. This point was emphasised during the discussion at the OEWG, as different actors have important roles to play in cybersecurity capacity and in preserving and maintaining cyber stability. One of the key benefits of the CMM, as witnessed by the countries that have conducted the assessment, is the ability to understand the multistakeholder environment in national ICT policy communities and recommend mechanisms (based on good cybersecurity practices) through which governments are empowered to include elements of diversity and participation in the development and implementation of cybersecurity strategies.
Delegations also called for a demand-driven and coordinated approach to capacity building and a means for tracking the progress of global efforts and of the OEWG towards cybersecurity capacity building. One way of doing this, the UK notes, is to develop an understanding of what cybersecurity maturity is and to share this knowledge between states on a continuous basis, so that states and organisations can learn from each other. The CMM reviews highlight countries’ areas of strength, and the country reports provide an opportunity for sharing experiences and good practices for developing cybersecurity resilience. The global research of the GCSCC and its partners has demonstrated patterns of similarities in cybersecurity across regions that can be leveraged when designing approaches to cooperation on cybersecurity capacity-building.
What we do at the Capacity Centre
The Global Cyber Security Capacity Centre (GCSCC) conducts research to understand and identify trends in cybersecurity, to help the world prepare for and respond to cyber threats. Together with a global multistakeholder community with expertise in cybersecurity capacity building, the Centre has developed a model that helps countries self-assess and identify their strengths and needs for their cybersecurity maturity. The Cybersecurity Capacity Maturity Model (CMM), which was last revised in 2021, considers cybersecurity maturity to comprise five dimensions, which together constitute the wide breadth of national capacity that a country requires to be effective in delivering cybersecurity resilience. Dimension 1 looks at the country’s ability to develop and implement cybersecurity policies and strategy. Dimension 2 looks at culture and societal elements that affect public understanding and their ability to protect themselves in cyberspace. Dimension 3 looks at the initiatives by different stakeholders in driving cybersecurity awareness among users. Dimension 4 looks at the capacity of countries to prosecute cybercrime, and Dimension 5 looks at the availability of protective technologies and standards.
A regional-focused approach to cybersecurity capacity building
The GCSCC works with a constellation of regional partners generating region-specific knowledge in cybersecurity. In Africa, in 2020, the GCSCC, in collaboration with the University of Cape Town, Research ICT Africa, and the Norwegian Institute of International Affairs, established the Cybersecurity Capacity Centre for Southern Africa (C3SA). In Australia, the GCSCC collaborates with the Oceania Cyber Security Centre (OCSC), which is a partnership between the eight Victorian Universities and the State Government of Victoria. Both centres deploy the CMM in their respective regions and carry out capacity-building initiatives and training informed by CMM research.
The success of the CMM in global cybersecurity capacity-building also stems from its wide use by countries, global development partners such as the Organization of American States (OAS), the World Bank, the International Telecommunication Union, the Commonwealth Telecommunications Organisation, the Inter-American Development Bank, the Global Forum on Cyber Expertise (GFCE) and others.