B.Key Characteristics of National and Regional Digital Strategies

2.Key Themes/Issues

a)Information Security and Cybersecurity Strategies

Of all of the different kinds of digital strategies, none appears to be more common than cybersecurity strategies. There are over 50 such policies in place internationally, and 18 of the 20 largest countries by GDP have instituted such policies. Thus, a country is more likely to have an active national cybersecurity strategy than it is to have any other national strategy related to digital technology. Generally speaking, information security and cybersecurity strategies are focused on national security, encompassing a broad range of issues including national intelligence, network and information security, defense, critical infrastructure, and cyber resilience. Less commonly, the strategies may also address issues of online crime and law enforcement, as well as provide for public and civic education around issues of computer and network security.

• 
  Netherlands: In 2011 the Netherlands released its National Cyber Security Strategy, which focused on forming multistakeholder relationships, raising awareness of cybersecurity issues, and building capacity. In 2014, the Netherlands updated its strategy with a new document entitled “National Cyber Security Strategy 2: From awareness to capability.” This strategy builds on the previous strategy, including the application of lessons learned. Importantly, the 2014 strategy shifts to a model of acceptable risk as opposed to risk elimination, and emphasizes moving beyond awareness to addressing capability.²⁹
  
• 
  Brazil: The armed forces play a central role in Brazil’s approach to cybersecurity.³⁰ In 2010, Brazil’s Department of Information and Communications Security published the “Green Book on Cybersecurity,” which highlights the cybersecurity challenges Brazil faces in a variety of areas. In 2012, Brazil published the “White Paper to Guide Future Defense Priorities,” which outlined a Brazilian Center for Cyberdefense as part of the Brazilian military. Despite the emphasis on the military, a variety of stakeholders play a role in Brazil’s cybersecurity strategy. The Department of Information and Communications Security works with the University of Brasilia to manage a clearinghouse for information related to cybersecurity.³¹ And more generally, the Green Book emphasizes important roles for the private sector, academia and international fora including the OAS and the ITU.³²
  
• 
  Germany: The “Cyber Security Strategy for Germany” addresses civilian cybersecurity issues such as the security of critical infrastructure and public administration and the training of additional cybersecurity staff for federal agencies. The strategy places a heavy emphasis on international cooperation, including cooperation with the E.U., the Council of Europe, NATO, G8 and other multinational organizations. The strategy implements several institutional reforms, such as the creation of a National Cyber Response Center and a National Cyber Security Council. The National Cyber Response Center was created in order to foster cooperation between federal law enforcement and technical agencies, and its responsibilities include sharing information about vulnerabilities of IT products, the nature of attacks, and perpetrator profiles. The Security Council, with advice from the Response Center, represents the interface between German government agencies responsible for cyber defense and the business community. The strategy also emphasizes the development of technical and legal tools to improve responses to cyber attacks.³³
  
• 
  China: China’s cybersecurity strategy has been largely fragmented and uncoordinated. However, since 2012, President Xi Jinping has been trying to address this, establishing the National Security Commission and Central Network Security and Information Leading Small Group.³⁴ The National Security Commission focuses on domestic security concerns, while the Central Network Security and Information Leading Small Group focuses on network security relating to national security. In July 2015, China released a draft of a cybersecurity law that would enable the government to take stronger action against threats, including disabling access, creating emergency detection and response measures, and establishing industrial standards.³⁵
  
• 
  Indonesia: Although there is no current cybersecurity strategy, President Joko Widodo announced in early 2015 that he would form a National Cyber Agency (NCA), which would have responsibility for coordinating cybersecurity efforts in various parts of the private and public sector.³⁶
  

At the national level, the scope, content, and extent of implementation of these national policies varies widely. To address this disparity, there has been a recent movement toward regional coordination. These regional strategies represent an attempt to build a coordinated network of actors prepared to both prevent and respond to cyber attacks and cyber-crime. Primarily these regional strategies operate by requiring increased technical coordination, including the development and use of technical standards, sharing of threat intelligence, and building a stronger network of cybersecurity professionals.

• 
  African Union: The Convention on the Confidence and Security in Cyberspace, adopted in 2014, seeks to establish a common framework for African cybersecurity. It emphasizes the security of electronic transactions, the protection of personal data, the need to defend against cyber-crime, and moves toward a coherent national cybersecurity monitoring and policy. It also aims to lay the groundwork for international cooperation and cybersecurity governance. However, the Convention has faced criticism at both the processing and content levels. Private sector and civil society stakeholders—including a consortium that included Google, iLabAfrica, iHub, and CIPIT at Kenya’s Strathmore Law School—expressed concern about the closed-door process and the lack of transparency and expert consultation in the Convention’s development. Similarly, stakeholders expressed concern over the Convention’s ability to limit freedom of speech, jeopardize privacy rights, and grant broad power to “investigating judges.”
  
• 
  European Union: The European Union’s Cybersecurity Strategy, adopted in 2013, sets out five strategic priorities: (1) achieving cyber resilience; (2) reducing cyber-crime; (3) developing cyber defense policy and capabilities; (4) increasing the industrial and technological resources for cybersecurity; and (5) establishing a coherent cyberspace policy for the E.U. The strategy was accompanied by the Network and Information Security Directive, which is nearing adoption. The Directive will require both public and private actors in critical sectors to adopt new policies and practices for cyber-crime reporting and risk management in order to improve detection, mitigation, and response. Exactly which private sector actors will be impacted by these new measures remains controversial, but at a minimum it appears to encompass those involved in critical infrastructure. Overall, the E.U.’s cybersecurity strategy emphasizes a multistakeholder approach, engaging industry leadership alongside E.U. member states, the European Parliament and Council, the European Defense Agency, the European Network Information Security Agency, and Europol.
  
• 
  Organization of American States: The Organization of American States adopted a Comprehensive Inter-American Cybersecurity Strategy in 2004, and has built upon existing cybersecurity initiatives since that time. Its role has shifted from promotion of best practices and the development of national CSIRTs in the early 2000s toward cyber-security crisis management and regional multi-stakeholder engagement. The OAS has provided a framework for developing cybersecurity response networks, increasing national capacity, and preventing cyber-crime throughout the Americas. The Strategy acknowledges the importance of private sector participation in cybersecurity issues given its role in the ownership and operation of ICT infrastructure. It supports “fostering public-private partnerships with the goal of increasing education and awareness and working with the private sector.” It emphasizes the formation of hemispheric networks for crisis and threat response, the adoption of common technical standards, and legal innovation to ensure OAS member states have the appropriate legislative mechanisms to respond to cyber crime. Particularly in recent years, the OAS has effectively operationalized this framework to support the adoption of national cybersecurity policies and strategies at the member state level. Colombia, Panama, Trinidad and Tobago, and most recently Jamaica have all adopted national strategies under OAS leadership, with similar projects currently underway in Dominica and Suriname and two more slated to begin this year in Peru and Paraguay, respectively.
  
• 
  Budapest Convention on Cybercrime: The Convention provides a foundation for fighting cyber-crime at a global level. The Council of Europe drafted the Convention in 2001, and 46 nations have ratified it, including non-Council of Europe member states such as the United States, Australia, and Japan. The countries bound by the Budapest Convention represent only 12% of world’s population, but more than 55% of gross world product. The Convention attempts to harmonize law and increase international cooperation in investigating and prosecuting cyber-crime. The convention defines crimes of illegal access, illegal interception, data interference, forgery, fraud, child pornography, and offences concerning copyright. The convention also provides for criminal procedures to aid investigations and collect evidence.
  

b)E-Government Strategies

Outside of the national security context, several governments have developed domestic strategies relating to the use of digital tools to manage and deliver government services. According to one definition, e-government is the “the use of ICT and its application by the government for the provision of information and public services to the people.”³⁷ Traditionally, e-government has embodied three distinct and independent modes of operation: government-to-government, government-to-business, and government-to-consumer services. However, a recent UN survey observed that increasingly the lines between forms of e-government services are blurring.³⁸ The “United Nations E-Government Survey” is a regularly published report on the current state of e-government strategies, which evaluates both national approaches and overarching trends in the ecosystem.³⁹

• 
  European Union: One of the most significant e-government strategies at the regional level is the E.U.’s European eGovernment Action Plan 2011-2015.⁴² The plan has several goals. First, it aims to improve cross-border functionality of e-government services, with a particular focus on harmonizing laws for e-signatures and e-identities. Second, it aims to boost the use of those services, with usage targets of 80% of businesses and 50% of citizens. The E.U. is expected to launch a new eGovernment Action Plan in 2016, which will run through 2020. Currently, the focus of the new plan will be the E.U.-wide integration of business registers, the integration of European and national online portals into a single gateway, the full transition of all member states to e-procurement, and achieving interoperability for e-signatures.⁴³ On July 1st, 2015, a public workshop on the e-government agenda was held in Brussels.⁴⁴
  
• 
  Australia: In 2012, the Department of Finance and Deregulation of the Australian Government released the Australian Public Service Information and Communications Technology Strategy. This strategy has three main objectives: (1) using ICT to deliver better, more personalized, and linked government services; (2) using ICT to improve the efficiency of government operations; and (3) improving the engagement of stakeholders to improve decision-making. The strategy was intended to be implemented over several years by improving capacity and making key investments in ICT.
  
• 
  Switzerland: The 2007 Swiss e-government strategy focuses on three main objectives: (1) allowing businesses to complete administrative tasks with the government electronically; (2) allowing government entities to deal with each other electronically; and (3) allowing citizens to conduct certain administrative tasks with the government electronically. The e-government strategy identified several services that needed to be moved into interoperable online systems, and it also identified several changes to rules and systems that were required to enable those services.
  
• 
  United Kingdom: This 2012 strategy, updated in 2013, represents a commitment to “digital by default” in government services. The strategy included the redesign of several government services in order to increase the use of those services, including by those who have never been online. However, some observers have claimed that the online identity management system is insecure.
  

c)Comprehensive National Digital Agendas

Some countries, instead of developing specific policies for e-government or cybersecurity, have adopted comprehensive policies that seek to provide a coordinated approach to a broad range of digital issues. Such comprehensive strategies address areas as diverse as physical ICT infrastructure and data and consumer protection, among others. In general, we observe that these comprehensive agendas have two major characteristics: (1) they articulate a progressive vision for how their citizens can engage with, and benefit from, digital technologies; and (2) they are political in the sense that they embody a set of policy choices tied to social and economic development.

• 
  Canada: The Digital Canada 150 strategy has five core pillars: (1) improving digital connectivity and online infrastructure; (2) improving the security of online transactions through tougher privacy and security laws; (3) supporting digital adoption in the business sector through an investment of CAD 200 million to support small and medium-sized businesses in adopting digital technologies; (4) providing more open government data; and (5) supporting the creation of Canadian content, including a review of copyright law.
  
• 
  Mexico: In November, 2013, Mexico released its National Digital Strategy. This strategy is intended to help fulfil the June 2013 amendment to the Mexican Constitution that compels to the state to provide access to information and communications technologies. The strategy envisions five key areas for ICT adoption: (1) using ICT to improve the experience of citizens in obtaining public services; (2) using ICT to foster economic growth in the digital economy; (3) using ICT to improve the quality of education; (4) using ICT to improve the coverage, quality, and efficiency of health care services; and (5) using ICT to coordinate public and citizen responses to public safety crises. The strategy seeks to address these challenges through improving connectivity, digital skills, interoperability of technologic and governance systems, legal harmonization, and open data.
  
• 
  Germany: In November 2010, the German Federal Ministry of Economics and Technology released the ICT Strategy of the German Federal Government: Digital Germany 2015. The strategy represents a commitment to expanding digital infrastructure, improving privacy and security online, increasing research in the ICT sector to develop new products and services, improve education for ICT-related skills, and using ICT to address a variety of social challenges.
  

d)Comprehensive Regional Digital Agendas

Concurrent with governments developing their own comprehensive digital agendas is a recognition that in many cases the challenges require a regional approach. We observe a pattern in both the cybersecurity and e-government contexts where national strategies subsequently give way to regional strategies that often supersede or supplement the national ones. We expect that a similar pattern may emerge in terms of comprehensive digital strategies, but currently only the E.U.’s Digital Agenda for Europe represents such a comprehensive regional strategy.

• 
  Interoperability & Standards: improving the interoperability of devices, services, and data through standard setting.
  
• 
  Trust and Security: improving laws to protect against cyber-crime and readiness to fight cyber attacks.
  
• 
  Fast and Ultra-fast Internet Access: using public funds to invest in improved broadband infrastructure.
  
• 
  Research and Innovation: using public-private partnerships to expand research and innovation.
  
• 
  Enhancing Digital Literacy, Skills and Inclusion: using public-private partnerships between businesses and education providers to help provide better ICT education.
  
• 
  ICT-enabled Benefits for E.U. Society: using ICT in order to improve health care, manage climate change, digitize content, and more.
  

In May 2015, the European Commission announced sixteen initiatives to support the development of the DSM, with an aim to complete the initiatives by the end of 2016.⁴⁶ These initiatives include reforming telecom rules, improving consumer protection, improving E.U. copyright law, streamlining the VAT process, and creating public-private partnerships on cybersecurity.

3.Conclusion and Core Observations

The development of national and regional digital strategies represents an acknowledgement on the part of policymakers of the importance of digital technologies for the delivery of government services, improving their economies, and protecting their citizens. Perhaps more importantly than an acknowledgement, the development of national and regional digital strategies is an attempt to address the challenges and benefits from digital technology in a coordinated, strategic fashion.

Despite the growth of national and regional digital strategies, we observe several critical gaps in the ecosystem that may threaten their overall effectiveness:

• 
  First, we observe that there is an absence of best practices regarding the development of national and regional digital strategies. In particular, these strategies are a relatively new development such that there has not yet developed a clear set of lessons learned to aid others in developing such agendas. The challenge is not only to write a document that expresses a nation’s hope for advancing steadily forward in the digital age, but to do so in an achievable and effective way.
  
• 
  Second, and related to the first issue, we do not observe a norm or best practice of developing these agendas through public-private consultations. Notably, we observe only a few of the digital strategies making explicit references to the inputs of public-private partnerships in the development of their strategies. Mexico’s National Digital Strategy evidences both the first and second issue in that it notes that the most recent strategy will be more effective than preceding strategies in Mexico precisely because the new one was developed through public-private consultations; thus, Mexico demonstrates both lessons learned over repeated attempts and the value of public-private partnerships.
  

These two issues present an opportunity for the Forum and the FII to help develop and identify lessons learned from past efforts at crafting digital agendas and to convert those into best practices. Moreover, the Forum and the FII can help those drafting such agendas build partnerships that can strengthen the quality of the agenda and improve its overall effectiveness.

A final issue is the challenge of measuring effectiveness. While there are many ambitious digital agendas, there is little research or evidence as to how many have been fully implemented and how effective they have been. This represents two challenges of effectiveness: effectiveness in implementation and effectiveness in results, and both need additional observable metrics and measurements. There is an opportunity for the Forum and the FII to help countries better measure their effectiveness in both translating agendas into action and in achieving the ultimate goals set out in the agenda. Additionally, improved measurements of effectiveness can help determine what aspects of digital agendas should be duplicated in other places, and which need improvement.

Download 274.55 Kb.

Share with your friends: