
Re-thinking cybersecurity capacity building

What is it to be secure? The DSLA group examines top-down and bottom-up approaches to cyber capacity building.
Image created with the assistance of Dall-E 2

Policymakers have long recognised that cyberspace is interconnected. What happens in one country can affect others. As a result, security needs to be addressed collectively, and Cybersecurity Capacity Building (CCB) initiatives have become an increasingly popular set of solutions. According to the Global Forum on Cyber Security Expertise, CCB involves “equipping individuals and organisations with the knowledge, skills, and tools they need to protect themselves and their digital assets”. Though a useful definition, CCB comprises a broad spectrum of activities, actors, and ideas, leading to debates about how it should be practically implemented.

In some settings, CCB may involve helping a state develop its national cyber security strategy; in others, CCB means providing the tools for communities to build their own communication networks. With such a range of activities covered by CCB, what does the word security mean here? And who is responsible for identifying what it means to be secured, and how security should be constructed? Drawing on research from a workshop convened through the Digital Security in Latin America Research Group, this piece explores two approaches to CCB and the trade-offs they entail.

The first approach is top-down: solutions are designed and delivered by or on behalf of nation-states. The second approach is bottom-up: communities design their security based on local needs and practical limitations. Both balance different risks and benefits. Neither can overcome all associated challenges.

The sustainability of top-down approaches is not a challenge unique to CCB, but it is exacerbated by the dynamic nature of the cyber realm and complicated further if the relationship between the recipient and funding state is politically sensitive. On the other hand, the community-driven approach can pose challenges as vulnerable or under-resourced groups may lack specific expertise, awareness, or support. CCB interventions should ideally be a balance between the two approaches.  

Can better-resourced states help drive CCB efforts from the top down?

A common approach to CCB focuses on the top-down imposition of state-defined security solutions, with CCB driven by national security risks and the pursuit of economic development. The Oxford Global Cyber Security Capacity Centre assessment model exemplifies this approach. It assesses the maturity of a nation’s cyber-ecosystem, including policy, culture, capability, legal and technological aspects. Such competencies are primarily the state’s responsibility, and measurement across all dimensions is undertaken at the request of and in close consultation with state entities.

State-level participation is necessary to ensure buy-in from the recipient country and access to relevant sectors and data. States and international funders use assessment models to identify gaps in capabilities and therefore areas for CCB, such as supporting and enhancing national Computer Security Incident Response Teams through the CSIRTS Americas Network.

The funder-recipient relationship is a central component of international CCB. Incentives for knowledge and capability transfer between states are derived from a mutual recognition that cyber risks are shared and that threats propagate unimpeded across international borders. In theory, enhancing the capabilities of host nations to protect against malicious actors improves cybersecurity for all.

This form of CCB is most usefully applied at scale. Upgrading a country’s digital infrastructure, as seen in the 2023 aid agreement between the United States and Costa Rica following the 2022 Conti ransomware attack, is one such example. The agreement sought to establish a centralised Security Operations Centre in Costa Rica and support cybersecurity training operations, recognising the risks posed by the country’s vulnerable cyber ecosystem internally and externally. This top-down CCB effort draws on outsider knowledge to bolster capabilities necessary for defending against well-resourced adversaries. 

However, this funder-recipient relationship does not necessarily result in sustainability. Technology progresses at a fast pace, and risks and safeguards are not static. It is necessary to continuously update software, upskill staff, raise awareness of new threats, and replace unsuitable equipment. Thus, long-term objectives can be at odds with annual budgets, programme reviews, and shifting priorities. One participant noted that funders “are often looking for drive-by solutions within limited timeframes. But that does not match with security life cycles or long-term needs”. 

Consequently, securing cyberspace from the top down represents a considerable challenge for policymakers and governments. CCB activities may only represent a short-term fix plastering over the inherent cracks of a system designed with security as an afterthought, rather than the panacea that will raise the global cybersecurity bar. 

Or do local problems require local solutions?

The second approach focuses on community-led initiatives that prioritise local empowerment and prosperity. It begins by considering what services people want and need to access. What assets are necessary to achieve this? Can digital assets address these needs? This approach primarily emphasises preserving certain ways of life. As one participant said, local solutions ask, “how can communities take advantage of digital tools without having to compromise the aspects that they don’t desire?”

If a community chooses to employ digital technologies, it also needs to understand how to use and maintain these technologies securely. “Infrastructural awareness” becomes crucial to identify and address security issues. Buy-in from the community is thus vital; asking local people about their daily practices can transform the effectiveness of capacity building.

Grassroots solutions often emerge out of necessity where centralised infrastructure fails to operate or simply does not exist. For example, Latin America has diverse geographies that cannot be downplayed when building cyber capacity initiatives: a 2022 World Bank report emphasised the acute rural and urban disparities across the continent. Locally identified requirements and locally enabled solutions are necessary because of the lack of state or major private sector infrastructure.  

In such contexts, other solutions might be considered, such as the HERMES project used in the Ecuadorian and Brazilian Amazon. HERMES is an open-source digital telecommunications initiative that uses shortwave radio to transmit and receive encrypted data, including chats, audio, photos, and GPS coordinates. This technology is designed to serve autonomous communities that the state has, consciously or otherwise, failed to provide with adequate communication infrastructure. By using HERMES, these communities can concentrate on their broader security concerns, such as monitoring illegal activities like logging and mining. The evidence can then be shared with wildlife protection projects.

Finally, this approach recognises that the state itself can be a source of insecurity. With the rising tide of autocracy, the internet sometimes is not a means of enhancing connectivity, but rather a tool of state surveillance, as evidenced by the allegations surrounding Pegasus spyware. Often, the state is not the protector but the entity from which communities need protection. In such circumstances, top-down approaches are unsuitable.

A CCB user guide 

Both top-down and grassroots approaches have their own merits and limitations depending on the context and objectives of those involved. Sometimes, CCB activities are better led by the state, such as in Costa Rica, where the United States helped the country enhance its cyber capabilities to combat sophisticated cyber-criminal groups. Other contexts benefit from community-based approaches, such as the HERMES project, where the state is absent and preserving community autonomy is prioritised. 

CCB needs to be driven not only by assumptions of what funders believe is needed, but also by the actual needs of the communities. In short, do not try to fit a square peg in a round hole, but also do not assume your peg is square. 
