Re-thinking cybersecurity capacity building

What is it to be secure? The DSLA group examines top-down and bottom-up approaches to cyber capacity building

Policymakers have long recognised that cyberspace is interconnected. What happens in one country can affect others. As a result, security needs to be addressed collectively, and Cybersecurity Capacity Building (CCB) initiatives have become an increasingly popular set of solutions. According to the Global Forum on Cyber Security Expertise, CCB involves “equipping individuals and organisations with the knowledge, skills, and tools they need to protect themselves and their digital assets”. Though this is a useful definition, CCB comprises a broad spectrum of activities, actors, and ideas, leading to debates about how it should be practically implemented.

In some settings, CCB may involve helping a state develop its national cyber security strategy; in others, CCB means providing the tools for communities to build their own communication networks. With such a range of activities covered by CCB, what does the word security mean here? And who is responsible for identifying what it means to be secured, and how security should be constructed? Drawing on research from a workshop convened through the Digital Security in Latin America Research Group, this piece explores two approaches to CCB and the trade-offs they entail.

The first approach is top-down: solutions are designed and delivered by or on behalf of nation-states. The second approach is bottom-up: communities design their security based on local needs and practical limitations. Both balance different risks and benefits. Neither can overcome all associated challenges.

The sustainability of top-down approaches is not a challenge unique to CCB, but it is exacerbated by the dynamic nature of the cyber realm and complicated further if the relationship between the recipient and funding state is politically sensitive. On the other hand, the community-driven approach can pose challenges as vulnerable or under-resourced groups may lack specific expertise, awareness, or support. CCB interventions should ideally be a balance between the two approaches.  

Can better-resourced states help drive CCB efforts from the top down?

A common approach to CCB focuses on the top-down imposition of state-defined security solutions, with CCB driven by national security risks and the pursuit of economic development. The Oxford Global Cyber Security Capacity Centre assessment model exemplifies this approach. It assesses the maturity of a nation’s cyber-ecosystem, including policy, culture, capability, legal and technological aspects. Such competencies are primarily the state’s responsibility, and measurement across all dimensions is undertaken at the request of and in close consultation with state entities.

State-level participation is necessary to ensure buy-in from the recipient country and access to relevant sectors and data. States and international funders use assessment models to identify gaps in capabilities and therefore areas for CCB, such as supporting and enhancing national Computer Security Incident Response Teams through the CSIRTS Americas Network.

The funder-recipient relationship is a central component of international CCB. Incentives for knowledge and capability transfer between states are derived from a mutual recognition that cyber risks are shared and that threats propagate unimpeded across international borders. In theory, enhancing the capabilities of host nations to protect against malicious actors improves cybersecurity for all.

This form of CCB is most usefully applied at scale. Upgrading a country’s digital infrastructure, as seen in the 2023 aid agreement between the United States and Costa Rica following the 2022 Conti ransomware attack, is one such example. The agreement sought to establish a centralised Security Operations Centre in Costa Rica and support cybersecurity training operations, recognising the risks posed by the country’s vulnerable cyber ecosystem internally and externally. This top-down CCB effort draws on outsider knowledge to bolster capabilities necessary for defending against well-resourced adversaries. 

However, this funder-recipient relationship does not necessarily result in sustainability. Technology progresses at a fast pace, and risks and safeguards are not static. It is necessary to continuously update software, upskill staff, raise awareness of new threats, and replace unsuitable equipment. Thus, long-term objectives can be at odds with annual budgets, programme reviews, and shifting priorities. One participant noted that funders “are often looking for drive-by solutions within limited timeframes. But that does not match with security life cycles or long-term needs”. 

Consequently, securing cyberspace from the top down represents a considerable challenge for policymakers and governments. CCB activities may only represent a short-term fix plastering over the inherent cracks of a system designed with security as an afterthought, rather than the panacea that will raise the global cybersecurity bar. 

Or do local problems require local solutions?

The second approach focuses on community-led initiatives that prioritise local empowerment and prosperity. It begins by considering what services people want and need to access. What assets are necessary to achieve this? Can digital assets address these needs? This approach primarily emphasises preserving certain ways of life. As one participant said, local solutions ask, “how can communities take advantage of digital tools without having to compromise the aspects that they don’t desire?”

If a community chooses to employ digital technologies, it also needs to understand how to use and maintain these technologies securely. “Infrastructural awareness” becomes crucial to identify and address security issues. Buy-in from the community is thus vital; asking local people about their daily practices can transform the effectiveness of capacity building.

Grassroots solutions often emerge out of necessity where centralised infrastructure fails to operate or simply does not exist. For example, Latin America has diverse geographies that cannot be downplayed when building cyber capacity initiatives: a 2022 World Bank report emphasised the acute rural and urban disparities across the continent. Locally identified requirements and locally enabled solutions are necessary because of the lack of state or major private sector infrastructure.  

In such contexts, other solutions might be considered, such as the HERMES project used in the Ecuadorian and Brazilian Amazon. HERMES is an open-source digital telecommunications initiative that uses shortwave radio to transmit and receive encrypted data, including chats, audio, photos, and GPS coordinates. This technology is designed to serve autonomous communities that the state has, consciously or otherwise, failed to provide with adequate communication infrastructure. By using HERMES, these communities can concentrate on their broader security concerns, such as monitoring illegal activities like logging and mining. The evidence can then be shared with wildlife protection projects.

Finally, this approach recognises that the state itself can be a source of insecurity. With the rising tide of autocracy, the internet sometimes is not a means of enhancing connectivity, but rather a tool of state surveillance, as evidenced by the allegations surrounding Pegasus spyware. Often, the state is not the protector but the entity from which communities need protection. In such circumstances, top-down approaches are unsuitable.

A CCB user guide 

Both top-down and grassroots approaches have their own merits and limitations depending on the context and objectives of those involved. Sometimes, CCB activities are better led by the state, such as in Costa Rica, where the United States helped the country enhance its cyber capabilities to combat sophisticated cyber-criminal groups. Other contexts benefit from community-based approaches, such as the HERMES project, where the state is absent and preserving community autonomy is prioritised. 

CCB needs to be driven not only by assumptions of what funders believe is needed, but also by the actual needs of the communities. In short, do not try to fit a square peg in a round hole, but also do not assume your peg is square.