ARTICLES

Understanding cybersecurity capacity building and its relationship to norms and confidence building measures

Pages 298-317 | Received 15 Oct 2020, Accepted 07 Jun 2021, Published online: 19 Jul 2021
 

ABSTRACT

International cybersecurity capacity building emerged in the mid-2000s as a mechanism for countries and organisations to assist each other, across borders, in protecting the safe, secure and open use of the digital environment. In parallel with this practical cooperation, the international community negotiated norms and confidence building measures to support peace and stability in cyberspace. The purpose of this paper is threefold. Having critiqued previous definitions and frameworks for cybersecurity capacity building, the paper proposes alternatives that both better represent actual practice and are of more use to the negotiations on stability in cyberspace. The proposed framework shifts capacity building beyond developed-developing country relationships and stresses the many goals that it serves. The paper then explores the relationship between cybersecurity capacity building, norms and confidence building measures. It contends that capacity building does not just support norms and confidence building measures, but is also an instance of them, and it benefits from norms of its own. The paper concludes by considering the proposals for cybersecurity capacity building principles that emerged from the 2019–2021 round of cyberspace diplomacy at the United Nations and by recommending the next steps.

Disclosure statement

No potential conflict of interest was reported by the author.

Notes

1 The GGE consists of 25 national experts, while the OEWG is open to all interested states. The OEWG’s mandate covers a slightly wider set of issues, including whether to establish a regular institutional open-ended dialogue within the UN.

2 There are also alternative orthographies for both parts of the term: cybersecurity, cyber-security and cyber security; capacity-building and capacity building.

3 Homburger cited the following sources: EUISS (2013), Klimburg and Zylberberg (2015, 7) and Schia (2018).

4 This formulation originated in 2014 as Pawlak’s definition of cybersecurity. It was then repurposed by Hohmann et al. as a definition of cybersecurity capacity building (Hohmann, Pirang, and Benner 2017) and later adopted by Hameed et al. (2018) and Homburger herself.

5 Examples of previous North–North capacity building activities include: cybercrime exercising; personnel secondments; strengthening universities and research programmes; student scholarships; sharing threat intelligence; providing advice and training on technical skills (from incident response to threat analysis); advisory projects on standards schemes; and sharing public awareness campaign material.

6 The World Bank’s Development Assistance Committee (DAC) provides an authoritative categorisation for economic development. The only categorisation system covering all countries for cybersecurity is the ITU’s Global Cybersecurity Index (GCI). The GCI is considerably behind the DAC in respect of its authority, its resources, the robustness of its model and the quality of evidence it can draw on.

7 The definition refers to ‘individuals, organisations and governments’, where organisations should be understood to include, inter alia, companies, regional economic communities, international organisations, academia and civil society. The definition does not use the terms multistakeholder or actors as these are less easily understood by non-specialists.

8 This is why the definition says ‘ … use of, and relationship with … ’

9 The definition does this by using the phrase ‘safe, secure and open’ (my italics).

10 ‘Digital environment’ is used in the place of cyberspace for this reason.

11 Signed by 41 countries and 28 international organisations and companies.

12 All members of the GFCE have endorsed the Delhi Communiqué and its principles, either at the time it was issued in 2017 or as a prerequisite for joining subsequently. The 59 national members are included in the membership list here: https://thegfce.org/member-overview/.

13 The five thematic categories of capacity are: strategy and policy; incident response and critical information infrastructure protection; countering cybercrime; culture and skills; and standards. These are further broken down by GFCE working groups, who coordinate and share knowledge around each theme.

Additional information

Notes on contributors

Robert Collett

Robert Collett is a researcher, adviser and trainer specialising in cybersecurity capacity building. He is a Chatham House Associate Fellow and founder of Developing Capacity Ltd. From 2019 to 2020, he was the UK’s first seconded senior adviser to the Global Forum of Cyber Expertise (GFCE). Prior to this, he ran, and grew threefold, the UK’s international cyber security capacity building programmes. He has a 17-year track record leading programmes and policy initiatives as a UK diplomat, working at the intersection of foreign policy, security and development. During this period, he led the strategic communications for NATO’s Provincial Reconstruction Team in Helmand and managed a series of challenging projects from de-mining to countering violent extremism and cyber security.