The NCS Guide 2021

The Guide to Developing a National Cybersecurity Strategy is one of the most comprehensive overviews of what constitute successful cybersecurity strategies. It is the result of a unique, collaborative, and equitable multi-stakeholder effort.

The partners came together with an appreciation of the need to strengthen cooperation and coordination across the international community on cybersecurity capacity-building.  The objective of this effort is to support national leaders and policymakers in the development of defensive and proactive responses to cyber risks, in the form of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness, response and resilience, and building confidence and security in the use of ICTs.

The Guide was developed through an iterative approach, which sought to reach agreement through consensus-building. It is based on existing resources and aims to facilitate its use by national stakeholders. Wherever possible, the relevant sources and tools used to develop each set of recommendations are listed in the Reference section to encourage their broader use.

Cybersecurity is a foundational element underpinning the achievement of socio-economic objectives of modern economies. The hope is that this second edition of the Guide to Developing a National Cybersecurity Strategy can continue to serve as a useful tool for all stakeholders involved in the development and implementation of this type of official document, including national policymakers, legislators, and regulators with cybersecurity responsibilities. In addition, it might have broader applicability, as the concepts introduced can be applied at the regional or municipal levels, as well as adapted for industry or used for academic research.

Note to readers on the update

Version 2 of the Guide to Developing a National Cybersecurity Strategy updates, refines, clarifies, and expands on Version 1, which was published in 2018. Since then, the cyber risk landscape has evolved and become increasingly more complex, and this iteration attempts to capture the main cybersecurity trends that should be taken into consideration in the national strategic planning. While Version 2 expands and enhances the content of version 1, it does not change the structure of the Guide nor the level of detail. Compatibility with version 1 has been an explicit objective of this revision. The updates made can be summarized as follows:

• Importance of funding with intent and investing in necessary resources: more detailed language has been incorporated to emphasize the need to invest in the necessary economic, human, and organisational resources for the full lifecycle of the Strategy (development, implementation, and revision);
• Stakeholders involvement: this version reiterates the crucial role of the private sector and civil society in the processes of incident response and management, information sharing, and awareness raising both domestically and abroad. Also, more emphasis is given to the role that international stakeholders can play in the development and implementation of a national cybersecurity strategy. There are a wide variety of international organisations, non-governmental organisations, and multilateral organisations that specialise in supporting national governments;
• Resilience and interdependencies: the updated content stresses the importance of considering a country’s internet-infrastructure entanglements and the resulting dependencies and vulnerabilities, the interconnections and interdependencies across sectors, and other supply chain risks. It provides more detailed good practices to encourage cooperation among different stakeholders to address increasing risks and improve resilience in the face of the expanding threat landscape;
• Multidisciplinary approach to cyber capacity building: this version of the Guide recognises that cybersecurity applies to all verticals of society, and provides more detailed recommendations to develop capacity building activities that are inclusive and multidisciplinary, including policy, law enforcement, education, awareness, and diplomacy efforts;
• Legislation, regulation, and human rights: this version has significantly expanded the coverage of good practices relating to the development of domestic cybersecurity and cybercrime legislation and regulation, and on the safeguarding of human rights and liberties.
• International cooperation: the updated Guide further emphasises the areas that a Strategy could cover in terms of cybersecurity cooperation and engagement at the regional and international levels, including on international trade agreements, regional economic partnerships, and voluntary norms of responsible state behaviour in cyberspace. It stresses the importance of international law enforcement cooperation and formal or informal mechanisms to share information, build trust, and support cross-border cooperation in combating cybercrime and other cyber-enabled crimes.

Joint foreword

Over the last two decades, people worldwide have benefitted from the growth and adoption of information and communication technologies (ICTs) and associated socio-economic and political opportunities. Digital transformation can be a powerful enabler of inclusive and sustainable development, but only if the underlying infrastructure and services that depend on it are safe, secure, and resilient. To reap the benefits and manage the challenges of digitalization, countries need to frame the proliferation of ICT-enabled infrastructures and services within a comprehensive national cybersecurity strategy.

To help governments in this endeavour, a consortium of partner organisations jointly developed and published the first Guide to Developing a National Cybersecurity Strategy (NCS) in 2018. Since then, the number of national cybersecurity strategies or frameworks worldwide has increased significantly. In 2018, only 76 countries had adopted a strategy while today more than 127 countries have such strategies in place, and many have used the Guide as a reference and blueprint.¹

However, the fast-changing nature of cyberspace, the increased dependency on ICT, and the proliferation of digital risks all call for continuous improvements to national cybersecurity strategies. Most countries have both accelerated their digital transformation and become increasingly concerned about the immediate and future threats to their critical services, infrastructures, sectors, institutions, and businesses, as well as to international peace and security, that could result from the misuse of digital technologies and inadequate resilience.

This second edition of the Guide could not come at a more critical time. The updated content reflects the complex and evolving nature of cyberspace, as well as the main trends that can impact cybersecurity and should, therefore, be included into national strategic planning. The objective of the Guide is to instigate strategic thinking and continue supporting national leaders and policy-makers in the ongoing development, establishment, and implementation of such national cybersecurity strategies and policies. We are confident that this new Guide will serve as a useful tool for all stakeholders with cybersecurity responsibilities.

As in the previous edition, this Guide is the result of a unique, collaborative, and equitable multi-stakeholder cooperation effort among partners working in the field of national cybersecurity strategies, policies, and cyber capacity-building. Twenty expert organisations from the public and private sectors, as well as academia and civil society, shared their experience, knowledge, and expertise to produce this updated Guide, which draws from existing know-how from the participating organisations, as well as references to complementary publications and other available resources.

We would like to express our gratitude to the partners involved for their invaluable support and commitment in making this project a great achievement as a concrete example of a successful multistakeholder collaboration. We want to encourage this partnership to continue to collaborate and we look forward to working even more closely with governments, regional and international bodies, law enforcement, academia, the private sector, civil society, and the United Nations entities to promote strategic reflections on cybersecurity, cyber capacity-building, and cyber resilience.

Jointly signed by:

Mr. Jorge Martínez Morando
Partner, Axon Partners Group Consulting

Mr. Alexander Seger
Head of Cybercrime Division, Council of Europe

Ms. Lessie Longstreet
Global Director, Outreach and Partner Engagement, Cyber Readiness Institute

Dr. Luis Franceschi
Senior Director, Governance and Peace Directorate, Commonwealth Secretariat

Ms. Bernadette Lewis
Secretary General, Commonwealth Telecommunication Organisation

Ambassador Thomas Guerber
Director, Geneva Centre for Security Sector Governance

Mr. Andrea Rigoni
Partner and Global Governments & Public Services Cyber Leader, Deloitte

Mr. Chris Gibson
Executive Director, Forum of Incident Response and Security Teams

Prof. Sadie Creese
Director, Global Cyber Security Capacity Centre

Ambassador Thomas Greminger
Director, Geneva Centre for Security Policy

Mr. David van Duren
Director, Global Forum on Cyber Expertise Secretariat

Ms. Lea Kaspar
Executive Director, Global Partners Digital

Mr Craig Jones
Director of Cybercrime, INTERPOL

Ms. Doreen Bogdan-Martin
Director, Telecommunication Development Bureau, International Telecommunication Union

Ms. Amanda Craig
Senior Director, Cybersecurity Policy, Microsoft

Col. Jaak Tarien
Director, NATO Cooperative Cyber Defence Centre of Excellence

Ms. Melissa Hathaway
President, Hathaway Global Strategies LLC, and Senior Fellow at the Potomac Institute for Policy Studies

Ms. Nicole Klingen
Acting Director, Digital Development, The World Bank

Dr. Robin Geiss
Director, United Nationas Institute for Disarmament Reasearch

Dr. Jehangir Khan
Director, United Nations Counter-Terrorism Centre, United Nations Office of Counter-Terrorism

Dr. Jingbo Huang
Director, United Nations University institute in Macau

Mr. Georges de Moura
Head of Industry Solution, Center for Cybersecurity, World Economic Forum

¹ Global Cybersecurity Index reports 2018 and 2020 https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx

Document Overview

The purpose of this document is to guide national leaders and policy-makers in the development of a National Cybersecurity Strategy, and in thinking strategically about cybersecurity, cyber-preparedness and resilience.

This Guide aims to provide a useful, flexible and user-friendly framework to set the context of a country’s socio-economic vision and current security posture and to assist policy-makers in the development of a Strategy that takes into consideration a country’s specific situation, cultural and societal values, and that encourages the pursuit of secure, resilient, ICT-enhanced and connected societies.

The Guide is a unique resource, as it provides a framework that has been agreed on by organisations with demonstrated and diverse experience in this topic area and builds on their prior work in this space. As such, it offers the most comprehensive overview to date of what constitutes successful national cybersecurity strategies.

To download the guide, click here 

Partners