This section considers three phases in the lifecycle of a CCB project – design, implementation and evaluation – and provides suggestions for how each of the 10 principles might be applied in practice. The suggestions are not an exhaustive list of the ways in which the principles might be applied, and the principles might not be applicable in every project of this type. Rather, they are intended to be an aid that practitioners could use to generate ideas on how to follow a principles-based approach in their own CCB activities and contexts.
An actor’s role(s) in CCB – as a donor, implementer, beneficiary or stakeholder – influences what involvement they would have in employing the suggested guidance. However, the suggestions are not organized or grouped by role, as many of the activities will require collaboration between different roles and many actors will play more than one role in a project. Further research can develop suggestions for operationalization specific to each stakeholder group. In any CCB activity, these suggestions should be viewed as guiding rather than prescriptive steps, given the importance of the context of the CCB activity.
The example project in this section is one in which CCB is provided to support a national computer security incident response team (CSIRT) as it creates a national point of contact (NPOC) to join the OEWG POC network and seeks to improve capability for sharing cyberthreat intelligence (CTI).
In the ongoing OEWG discussions, all UN member states agreed on efforts towards establishing a global, inter-governmental points of contact directory (POC). Guided by the principles of sovereignty and non-intervention, the POC network is meant to be a confidence-building measure that aims at enhancing cooperation among states, enabling coordinated responses to ICT incidents, promoting information-sharing, and facilitating secure communication to prevent and address critical ICT incidents. The POC is meant to complement networks of national computer emergency response teams (CERTs) and CSIRTs. Each state is requested to nominate a national point of contact (NPOC) as its representative to the OEWG’s global POC directory.
Specifically, in the example project used in this section the following activities are envisaged:
- Training and advice for the NPOC and supporting CSIRT staff on how to engage with, and make best use of, the OEWG’s NPOC network.
- Technical assistance to the national CSIRT so that it can install and use a cyberthreat intelligence-sharing (CTI-sharing) platform (e.g. Malware Information Sharing Platform – MISP) that will help it to securely share threat intelligence with other CSIRTs.
- A national exercise to prepare for a scenario in which time-sensitive information is received through the NPOC network or CTI-sharing platform.
For the purpose of this example, the CSIRT is assumed to be within the government and of a level of maturity that is ready to establish an OEWG NPOC role and effectively use a threat intelligence-sharing platform. These niche capabilities were chosen because they are of interest to the OEWG and allow for different aspects of the principles to be explored – it is not a reflection on their priority vis-à-vis other capabilities. Additional resources that can assist with the principles are suggested in Annex B.
To generate suggestions for how the principles might be operationalized in the example project, the authors combined insights from the two consultations (see Section 2) with a review of principles implementation toolkits from related fields and reports from capacity-building projects. A conference run by Chatham House in November 2022 – Strengthening Cyber Resilience Conference: Lessons on Cybersecurity Capacity Building from the UK’s Digital Access Programme – was also a source of lessons from past CCB projects.
Using the factsheets presented in Section 2 and the above sources, the authors first mapped what the design, implementation and evaluation phases of such a CCB project could look like. Phases were sub-divided into key components to make it easier to describe the different ways in which principles might be operationalized within them. For example, the implementation phase was sub-divided into the work of implementing activities and managing risk on the one hand and monitoring and reporting on the other. This is not a proposed framework for structuring the management of a CCB programme, but rather a framework for exploring and describing the principles’ operationalization.
Within the three-phase framework, the authors considered how a principles-based approach might be operationalized throughout the CCB lifecycle, applying suggestions from the literature, workshops and conference. The options this generated are presented below to help CCB practitioners develop their own ideas for operationalizing the principles in their unique contexts. The guidance in this project example is comprehensive but framed to ensure that all actors involved in the project are able to understand the necessary considerations in the project’s design, implementation and monitoring. As such, the guidance is not intended to be directed exclusively at one particular actor type.
Phase 1. Design