G ES B DI POT O FOR PO TE TU C INST I MA LIC Y ST U DRAFT February 2015 CYBER READINESS INDEX 2.0 A PLAN FOR CYBER READINESS: A BASELINE AND AN INDEX Principal Investigator: Melissa Hathaway Chris Demchak, Jason Kerben, Jennifer McArdle, Francesca Spidalieri POTOMAC INSTITUTE FOR POLICY STUDIES 901 N. Stuart St. Suite 1200, Arlington, VA 22203 www.potomacinstitute.org Copyright © 2015, Cyber Readiness Index 2.0, All rights reserved. Published by Potomac Institute for Policy Studies Potomac Institute for Policy Studies 901 N. Stuart St, Suite 1200 Arlington, VA, 22203 www.potomacinstitute.org Telephone: 703.525.0770; Fax: 703.525.0299 Email: [email protected] Follow us on Twitter: @CyberReadyIndex CYBER READINESS INDEX 2.0 A PLAN FOR CYBER READINESS: A BASELINE AND AN INDEX PO G ES B DI POT O Chris Demchak, Jason Kerben, Jennifer McArdle, Francesca Spidalieri FOR Principal Investigator: Melissa Hathaway C INST I MA TE TU DRAFT February 2015 LIC Y ST U INTRODUCTION No country is cyber ready. securing the cyber infrastructure and services upon which their digital future and growth depend. The Cyber Readiness Index (CRI)1 represents a new way of examining this problem, and is designed to spark international discussion and inspire global interest in addressing the economic erosion from cyber insecurity that is holding back more robust economic growth. In the global economy, national economic growth is largely dependent on the rapid adoption of information communication technology (ICT) and connecting society to the Internet. Each country’s digital agenda and economic vision promises to increase productivity and efficiency, enhance work force skills, drive innovation, and deliver gross domestic product (GDP) growth. Yet, the availability, integrity, and resilience of this core infrastructure is in harm’s way and GDP growth is being eroded by a wide range of nefarious cyber activities. 
Global leaders must recognize that increased Internet connectivity can lead to economic growth, but only if that Internet connection, underlying infrastructure, and the devices connected to it are safe and secure. The CRI examines 125 countries that have embraced, or are starting to embrace, ICT and the Internet and then applies an objective methodology to evaluate each country’s maturity and commitment to cyber security across seven essential elements. This holistic approach to evaluating progress towards cyber security demonstrates the importance of a cohesive strategy that includes government regulation and enforcement, as well as market-based incentives and economic levers to focus public and private sector attention on a secure and prosperous digital future. Until now, there was no methodology to evaluate any country’s maturity and commitment to © 2015 Cyber Readiness Index 2.0, all rights reserved. 1 Until now, there was no methodology to evaluate any country’s maturity and commitment to securing the cyber infrastructure and services upon which their digital future and growth depend. BACKGROUND sustained if its core infrastructure is accessible, available, affordable, secure, interoperable, resilient, and stable. The threats to our connected society are outpacing our defenses and GDP growth is being eroded every day. Put simply, our cyber insecurity is a tax on growth. The decision to pursue ICT enabled economic development strategies has been embraced by most countries around the world. Today, countries are provisioning near ubiquitous communications to every household and business, and pursuing a development and modernization agenda to nurture their information society into the digital age. Initiatives like e-government, e-banking, e-health, e-learning, next generation power grids, air traffic control, and other essential services are at the top of most countries’ economic agenda. 
These initiatives are being pursued to increase productivity and efficiency, enhance work force skills, drive innovation, and deliver GDP growth. Some estimates offer that when ten percent of the population is connected to the Internet, the GDP should grow by one to two percent.2 Moreover, governments and businesses that embrace the Internet and ICTs recognize it will enhance their long-term competitiveness and societal wellbeing, and potentially contribute up to eight percent of gross domestic product (GDP).3 Recent reports go even further and suggest that the opportunity surrounding the modernization of industrial systems (e.g., electrical power grids, oil and gas pipelines, factory operations, etc.) represents a forty-six percent share of the global economy over the next ten years.4 For example, it is estimated that the Group of Twenty (G20) economies have lost 2.5 million jobs to counterfeiting and piracy, and that governments and consumers lose US$125 billion annually, including losses in tax revenue.5 The United States estimates the annual impact of international intellectual property (IP) theft to the American economy at $300 billion. This approximates to one percent of its GDP.6 Furthermore, research by Toegepast Natuurwetenschappelijk Onderzoek (TNO), an independent research organization in the Netherlands, has shown that cyber crime costs Dutch society at least 10 billion euros per annum, or 1.5 to two percent of their GDP. This loss is almost equal to the Netherlands’ economic growth in 2010.7 There are other estimates conducted by the United Kingdom and Germany that indicate similar losses. No nation can afford to lose even one percent of its GDP to illicit cyber activities. 
Moreover, while many governments around the world champion the benefits of fast, reliable, and affordable communications in terms of GDP growth, job creation, access to information, and the ability to innovate, few of them are measuring the exposure and costs of less resilient critical services, disruption of Nations cannot afford to ignore this economic opportunity, particularly in today’s stagnant economic climate. Yet, the Internet’s ability to deliver positive economic growth can only be © 2015 Cyber Readiness Index 2.0, all rights reserved. 2 service(s), e-crime, identity theft, intellectual property theft, fraud, and other activities exploiting the ICT hyper-connectivity in terms of GDP loss. 1. National strategy; Measuring the declining gains may force governments to better align their national security agenda with their economic agenda and invest in the derivative value of both. Bringing transparency to the economic losses may spark national and global interest in addressing the economic erosion. Global leaders can alter their current posture by leveraging policy, law, regulation, standards, market incentives, and other initiatives to protect the value of their digital investments and preserve the security of their connectivity. 5. Investment in R&D; 2. Incident response; 3. E-crime law and enforcement; 4. Information sharing; 6. Diplomatic (international) engagement/influence; and 7. Ability to respond militarily to or in a crisis situation. The CRI team is employing this methodology to evaluate 125 countries’ maturity and commitment to securing their cyber infrastructure and services. The CRI selected the top 75 countries from the International Telecommunication Union (ITU) ICT Development Index (IDI) to emphasize the importance of connectedness within the CRI. 
The selection was further refined by adding members of the G20 economies, because together they represent: ninety percent of global GDP, eighty percent of international trade, sixty-four percent of the world’s population, and eighty-four percent of all fossil fuel emissions. It also brought the largest growing economies of Brazil, Russia, India, China, and South Africa into the Index. The Cyber Readiness Index (CRI) 2.0 addresses these issues.1 It helps inform a country’s understanding of its Internet-Infrastructure entanglement and resulting vulnerability. It also provides a solid foundation through which each country can assess its cyber security maturity. A commitment to cyber security may strengthen and preserve the promise of connectedness and help a country realize the full potential of the Internet economy. CYBER READINESS INDEX 2.0 — THE METHODOLOGY In order to be regionally representative and globally inclusive, the CRI team assessed regional economic groupings with an eye for regional state representation, regional state membership in the G20, and overall economic strength. These consortia include: Organization for Economic Cooperation and Development (OECD), African Economic Community (AEC), the Latin American Integration Association (LAIA), Asia Pacific Economic Cooperation (APEC), Central Asia Regional Economic Cooperation (CAREC), Gulf Cooperation The CRI has two main components: it is designed to inform countries on the steps they should consider to protect their GDP—and their entire economy—by objectively evaluating each country’s maturity and commitment to cyber security. The CRI 2.0 also defines what it means for a country to be cyber ready, and documents the core components of cyber readiness into a blueprint for countries to follow. The methodology developed and employed for this analysis encompasses seven essential elements: © 2015 Cyber Readiness Index 2.0, all rights reserved. 
3 Council (GCC), South Asia Association for Regional Cooperation (SAARC), and the North American Trade Federation (NAFTA). Included countries from these regional economic groupings are represented in the IDI, and often are also included in the World Economic Forum (WEF) Network Readiness Index. This ensures every selected country is embracing ICT and investing in accessible and affordable Internet services to promote economic growth. Moreover, the CRI 2.0 will provide international entities, such as the ITU, the WEF, the Organization of American States (OAS), and the Inter-American Development Bank (IDB) with a framework and complimentary approach to their respective initiatives to help them evaluate countries’ progress towards cyber security. The team will also engage with the aforementioned international organizations and the Oxford’s Global Cyber Security Capacity Centre to explore opportunities for data collection/ exchange and to promote the use of the CRI in their respective cyber security efforts. This would, in turn, increase the interest of countries to adopt the CRI in order to fully and credibly participate in international discussions about the priorities required to strengthen security and preserve the promise of the ICT dividend and Internet economy for all countries. This selection of countries represents a significant portion of the globe and is demonstrative of the diverse and representative nature of CRI 2.0’s country selection criteria (Figure 1). Given that the GCC is not representative of the entire Middle East, the CRI team chose to add three additional states from the region. The three selected states—Iran, Yemen, and Lebanon—were selected based on World Bank 2014 GDP rankings and have the highest regional GDP rankings outside the GCC. A detailed description of the seven Mission Areas of the cyber readiness methodology follows. 1. 
NATIONAL STRATEGY The CRI 2.0 will provide a solid foundation for each country to assess its cyber security maturity, and serve as a framework for policy and strategy development, operational initiatives, regulatory and legislative formulation, and diverse market lever implementation— constantly keeping focus on the tie between economics and security (or lack thereof). The CRI 2.0 will also continue to raise awareness about the connections between a sustainable cyberspace and GDP growth for every country, since the future of a country’s GDP seems increasingly technology dominated and Internet-related. This will help facilitate discussions on the economic erosion from cyber insecurity and the integration of national security into the core of technological progress. Many countries have started devising specific strategies for managing cyber security and are taking important steps towards developing their cyber-related policies, doctrines, legal frameworks, and technical capacities. The first—and primary—area that indicates a country’s cyber readiness is the articulation and publication of a National Cyber Security Strategy that both describes the threats to the country, and outlines the necessary steps, programs, and initiatives that must be undertaken to address those threats and protect the ICT uptake by citizens, private and public organizations.8 Adopting a national cyber security strategy is arguably one of the most important elements of a country’s commitment to securing the cyber infrastructure, services, and ICT © 2015 Cyber Readiness Index 2.0, all rights reserved. 4 Figure 1: CRI 2.0 Country Selection Algeria Colombia Israel Netherlands Sri Lanka Andorra Costa Rica Italy New Zealand St. Kitts and Nevis Angola Croatia Japan Nigeria St. 
Vincent and Grenada Antigua and Barbados Cuba Kazakhstan Norway Sudan Armenia Cyprus Kenya Oman Swaziland Argentina Czech Republic Kyrgyz Republic Pakistan Sweden Australia Denmark Latvia Paraguay Switzerland Austria Djibouti Lebanon Panama Taiwan Azerbaijan Ecuador Lesotho Peru TFYR Macedonia Bahrain Egypt Lithuania Philippines Thailand Bangladesh Estonia Luxembourg Poland Trinidad and Tobago Barbados Finland Macau, China Portugal Tunisia Belarus France Malaysia Qatar Turkey Belgium Gabon Maldives Romania Uganda Bhutan Gambia Mali Russia Ukraine Bolivia Germany Malta Saudi Arabia United Arab Emirates Bosnia & Herzegovina Ghana Mauritius Senegal United Kingdom Botswana Greece Mexico Serbia United States of America Brazil Hong Kong Moldova Seychelles Uruguay Brunei Darussalam Hungary Mongolia Singapore Uzbekistan Bulgaria Iceland Monaco Slovakia Venezuela Cameroon India Montenegro Slovenia Vietnam Canada Indonesia Morocco South Africa Yemen Chile Iran Namibia South Korea Zambia China Ireland Nepal Spain Zimbabwe Table 1: CRI 2.0 Country Selection © 2015 Cyber Readiness Index 2.0, all rights reserved. 5 business environment upon which its digital future and economic wellbeing depend. Adopting a national cyber security strategy is arguably one of the most important elements of a country’s commitment to securing the cyber infrastructure, services, and ICT business environment upon which its digital future and economic wellbeing depend. A sound National Cyber Security Strategy should: state the strategic problem in economic terms; identify the competent authority9 that ensures the strategy’s execution; include specific, measurable, attainable, result-based, and time-based objectives in an implementation plan; and recognize the need to commit limited resources (e.g., political will, money, time, and people) in a competitive environment to achieve the necessary economic outcomes. 
Additional elements of a truly comprehensive national cyber security strategy should include: At least thirty-five countries have already published their cyber security strategy, outlining key steps that are intended to increase their national security and resilience. Many others have started drafting national strategies to guide and coordinate all their efforts to advance their cyber security posture. Common topics in these strategies include: outlining organizational and positional authority within the government; fostering awareness and education among the citizens; building an incident and crisis management response capability; expanding law enforcements capacity to deal with the rate of cyber crimes; facilitating private-public partnerships and developing trusted information sharing exchanges; engaging in international dialogue on issues such as privacy, security, and data protection; and marshaling resources toward a research and development (R&D) and innovation agenda. Many strategies begin with statistics, quantifying incident volume and the rate of infrastructure infection, and naming the variety of threats. The data is used to justify organizational responsibility and increased funding for missions and organizations. Rarely do these strategies prioritize which services and infrastructures are most at risk, nor do they align the security measures and resource requirements necessary to reduce exposure. 1. The responsible parties and roles in government agencies and commercial-sector entities affected by and responsible for the implementation of the plan; 2. The mechanisms to secure critical cyber infrastructure and ICT uptake by citizens and public and private organizations; 3. The critical services (not critical infrastructures) that the plan intends to protect; 4. National standards for continuity of service agreements (24 hours/7 days a week) and outage reporting requirements for each critical service, industry, and infrastructure; 5. 
The percentage of GDP embraced by the plan (grossly); and 6. The financial and human resources allocated for the implement of the plan, to include goals and objectives, and the roles and responsibilities of government agencies and commercial-sector entities; © 2015 Cyber Readiness Index 2.0, all rights reserved. 6 The findings in this Mission Area, as with the other six areas, represent a snapshot in time of a dynamic and changing landscape. As countries continue to develop their national cyber security strategies, updates to this Mission Area will reflect those changes and provide additional guidance for those countries that are working on formulating or further strengthening their current strategies. incidents by containing and mitigating threats as they occur.12 Although the specific organizational form of National CSIRTs may vary, and not every country may have the same needs and resources, these specialized and dedicated units should provide a series of both proactive and reactive functions, as well as preventive, educational, and security quality management services. These services include, but are not limited to: establishing shared situational awareness; identifying, detecting, containing, and managing security threats and potential incidents; coordinating incident response activities; analyzing computer security incidents; providing feedback and lessons learned; promoting activities that increase resilience; publishing alerts and advisories on cyber vulnerabilities and threats; promoting cyber security awareness and best practices; and supporting the national cyber security strategy. Obviously, a CSIRT first needs the right staff and tools that can foster cooperation and coordination in incident prevention, enable rapid reaction to incidents, and promote information sharing among members and the community at large, both domestically and internationally. 2. 
INCIDENT RESPONSE The second essential element of a “cyber ready” country involves establishing and maintaining a national incident response capability. Often, this capability takes the form of one or more National Computer Security Incident Response Teams (National CSIRTs) or Computer Emergency Response Teams (CERTs),10 responsible for managing incident response in the event of natural or man-made disasters that affect critical services and information infrastructures. These teams usually consist of a blend of IT security experts and practitioners from academia, the private sector, and even government. In addition to providing the specific technical competence to respond to cyber incidents of national interest, these incident response teams strengthen the ability of a national government to understand and combat cyber threats. Operating a National CSIRT, therefore, forms a core component of a country’s overall strategy to secure and maintain technologies vital to national security and economic growth.11 Additional elements of a sound national incident response capability should include: 1. A published incident response plan for emergencies and crises, that maps cross-sector dependencies and addresses continuity of operations and disaster recovery mechanisms, and that is exercised and updated regularly; National CSIRTs, unlike strictly governmental ones, serve a broad audience ranging from government departments, to private and public entities, to citizens. A well established National CSIRT or CERT provides reactive services above all else—i.e., the ability to respond to 2. A network of national contact points for governmental and regulatory bodies; 3. A network of national contact points for critical industries that are essential for the operation and recovery of critical services and information infrastructures; © 2015 Cyber Readiness Index 2.0, all rights reserved. 7 4. 
An information security alert system that can be used by the national crisis/response centers to effectively address and transmit significant alerts in a timely manner; (ENISA),14 the Forum of Incident Response and Security Teams (FIRST),15 and the ITU. Additional primary and secondary sources, such as National CERTs’ websites and related news articles, will also be consulted. As countries come to recognize the importance of establishing National CSIRTs—a recognition of the need to provide a domestically-focused, internationally amplified operational response to cyber incidents—updates to this Mission Area will monitor, track, and evaluate those developments. 5. A demonstrable capability in the incident containment, management, resilience, and recovery processes for critical services and information infrastructures; 6. Rapid assistance mechanisms for the government or specific industries in case of major cyber incidents; 3. E-CRIME LAW AND ENFORCEMENT 7. Ongoing research systematically analyzing trends or groups of computer security incidents of national concern—sharing similar actors or methods—in order to identify intrusion sets and to substantiate the alert being shared with other national authorities for action; and The third essential element of a “cyber ready” country is demonstrated through its international commitment to protect society against cyber crime. Most often, this capability takes the form of involvement with international fora dedicated to addressing international cyber crime issues, as well as the establishment of domestic, legal, and regulatory mechanisms to fight cyber crime. The pertinent legal and regulatory authorities designated with carrying out such activities should not only define what constitutes a cyber crime, but the existence of legal and regulatory authorities should also empower the governmental entities with the mechanisms and resources to investigate and prosecute cyber crime activities. 8. 
Financial and human resources allocated for: the National CSIRT or CERT to carry out its mandate; the national contact points for governmental and regulatory bodies, and critical industries; and to activate and regularly test the information security alert system; and 9. Additional funding to measure the country’s level of resilience to cyber attacks and crisis through national cyber security exercises. Two international treaty agreements help demonstrate a country’s commitment to protecting society against cyber crime: The Council of Europe’s “Convention on Cyber Crime” and the Shanghai Cooperation Organization’s “Agreement on Cooperation in the Field on Ensuring International Information Security”. The Council of Europe’s “Convention on Cybercrime”, in force since July 1, 2004 and Initial findings in this Mission Area are based on the inventories of National CSIRTs and CERTs provided by the CERT Division at Carnegie Mellon University (CMU),13 the European Network and Information Security Agency © 2015 Cyber Readiness Index 2.0, all rights reserved. 8 commonly called the Budapest Convention, provides an operative—although limited— mechanism through which to harmonize divergent national cyber crime laws and encourage law enforcement collaboration. 
The effectiveness of the Convention, however, is limited by allowing signatory countries to back out on broad grounds, including “prejudicing its sovereignty, security, public order or other essential interests.”16 The Shanghai Cooperation Organization’s “Agreement on Cooperation in the Field on Ensuring International Information Security” was signed in 2008 and lists as a major international information security threat the “dissemination of information harmful to the socio-political and socio-economic systems, spiritual, moral, and cultural environments of other States.”17 The CRI 2.0 credits countries that have ratified or acceded to either of these treaties because only then does a country have a specific obligation and duty under law to uphold a commitment in an international context. Pursuant to these treaties, countries agree to adopt appropriate legislation, foster international cooperation, and combat criminal offenses, by facilitating their detection, investigation, and prosecution both nationally and internationally. The CRI 2.0 credits countries that have ratified or acceded to either of these treaties because only then does a country have a specific obligation and duty under law to uphold a commitment in an international context. relation to legal structures and investigative abilities, whereby the advanced APEC economies support other member-economies in training legislative and investigative personnel.19 CRI will draw upon these international, multi-national, and regional approaches to better inform the CRI 2.0. In addition, the CRI 2.0 may also include country information on cyber crime from the Association of Southeast Asian Nations (ASEAN), the International Multilateral Partnership Against Cyber Threats (IMPACT), and the ITU, among others. 
Additional elements of a sound country-level international commitment to protecting society against cyber crime include: In addition to the international mechanisms noted above, other international, multi-national, and regional approaches towards addressing international cyber crime exist and are being pursued: The UN General Assembly has passed a variety of resolutions relevant to cybercrime, such as the 2001 “Combating the Criminal Misuse of Information Technology,” and the 2003 “Creation of a Global Culture of Cybersecurity and the Protection of Critical Infrastructures.”18 The Asia Pacific Economic Cooperation (APEC) has also conducted a capacity-building project on cyber crime for member economies in 1. Demonstrated international commitment to protect society against cyber crime through ratifying international cyber crime agreements and/or putting mechanisms in place to specifically address the flow of international cyber crime; 2. Publication and dissemination of a national cyber threat assessment on government, critical infrastructure, and critical commercial services networks; © 2015 Cyber Readiness Index 2.0, all rights reserved. 9 3. Establishment of a mature institutional ability to fight cyber crime, including training for law enforcement, forensic specialists, and legislators; regional or multi-national approaches towards addressing cyber crime. Primary and secondary sources will be utilized to determine whether a country has put in place and finances domestic legal and regulatory mechanisms. Updates to this Mission Area will monitor, track, and evaluate substantive and notable developments. 4. Establishment of a coordinating agency with a primary mission and authority to ensure that all international cyber crime requirements are being met; 4. INFORMATION SHARING 5. 
Establishment of an accounting mechanism to determine what percentage of GDP is affected by cyber crime (actual loss in real dollars), in order to assess national systemic cost-benefit tradeoffs and allocate resources accordingly; The fourth criteria that impacts a country’s cyber readiness is its ability to establish and maintain an information sharing mechanism that enables the exchange of actionable intelligence/information between government and industry. The bottom line is that identifying, assessing, and responding to targeted attacks—which can have significant implications for global telecommunications, trade, and business—requires more than traditional monitoring and protection mechanisms. Most governments and organizations around the world have embraced new technologies and information sources, and have joined information sharing programs to enhance their situational awareness and manage their exposure to infections and breaches. 6. Demonstrated commitment to clean up national infected infrastructures through the creation of anti-botnet and malware remediation initiatives; 7. Demonstrable evidence of a country’s commitment to review existing laws and regulatory governance mechanisms, identify where gaps-and overlapping authorities may reside, and clarify and prioritize areas that require primary attention (e.g. existing laws, such as old telecommunications law); and 8. Identification and allocation of sources of funding to support the level of commitment, institutional arrangements, national objectives, personnel and institutions dedicated to fighting cyber crime. 
Initial findings in this Mission Area are based upon a review of whether a country has ratified or acceded the Budapest Convention or the Shanghai Cooperation Organization’s “Agreement on Cooperation in the Field on Ensuring International Information Security,” and whether the country is an active participant in Formal information sharing mechanisms, similarly to some of the services provided by National CSIRTs and CERTs, can help foster coordination in incident response, can help facilitate real-time sharing of threat and intelligence information, and can help improve understanding of how sectors are targeted, what information is lost, and what methods can be used to defend information assets. At least three different models of information sharing regimes have emerged to address cyber threats and to help entities secure their information assets: (1) Government driven; (2) Industry driven; and (3) Non-Profit-Partnership driven. Each method has its unique challenges, such as balancing the © 2015 Cyber Readiness Index 2.0, all rights reserved. 10 need for exchanging accurate and actionable cyber security information while protecting firms’ confidentiality, safeguarding civil-liberty concerns, and managing competing financial and human resources. Two elements, however, are required for any of the three regimes to succeed: trust within the sharing community and buy-in from all interested parties. Put simply, when a sector or industry participates reluctantly or only participates solely out of fear not to, success is hard to achieve.20 In addition, stakeholders must be able to share valuable information on serious incidents, which can only happen after the establishment been particularly successful in this area. In the UK, for instance, the Centre for the Protection of National Infrastructure (CPNI)—a government driven initiative—provides protective security advice to any entity within the country that owns or operates the critical national infrastructure. 
CPNI has successfully created strong partnerships with both private and public sector entities and works in close collaboration with key partners domestically and internationally, including the National Technical Authority for Information Assurance (CESG), the police, and overseas agencies and businesses. Similarly, the Financial Services Information Sharing and Analysis Center (FS-ISAC)—an industry The bottom line is that identifying, assessing, and responding to targeted attacks—which can have significant implications for global telecommunications, trade, and business—requires more than traditional monitoring and protection mechanisms. of clearly defined requirements regarding what type of information should be shared, who will have access to it, and what security measures should be taken to protect the information once released by its original owner. The complexity of this sensitive exchange grows proportionately with group size, and perhaps exponentially when those group members are sovereign states with distinct national security concerns. Many individual countries have already developed strong national information sharing programs that could be leveraged as good practices for an international model. These programs tend to focus on aligning similar stakeholders into groups and subsequently aligning the groups into a national program. The United States and United Kingdom have driven initiative developed by the financial services sector in the US to help facilitate the detection, prevention, and response to cyber attacks and fraud activity—has built strong ties with financial services providers, commercial security firms, federal/national, state and local government agencies, law enforcement, and other trusted entities to provide reliable and timely cyber threat alerts and other critical information to member firms worldwide. 
Finally, the National Cyber-Forensics & Training Alliance (NCFTA)—a non-profit corporation with a mission of facilitating collaboration between private industry, academia, and law enforcement to identify, mitigate, and neutralize complex cyber-related threats—provides another effective model of an information sharing regime. In addition to its state and local law enforcement and industry representatives, this non-profit-partnership driven initiative enjoys international representation from Canada, Australia, England, India, Germany, the Netherlands, Ukraine, and Lithuania. NCFTA provides a streamlined and timely exchange of cyber threat intelligence to corporations, and partners with Subject Matter Experts (SMEs) in the public, private, law enforcement, and academic sectors who work together to mitigate risks and fraudulent activities and gather the evidence necessary to prosecute criminals.

Additional components of an effective national, cross-sector, and actionable information sharing program should also include:

1. An institutional structure that can transmit authoritative information to government agencies and critical industries, and that can ensure that mechanisms exist (reporting schema, technology, etc.) for cross-sector incident information sharing, both operational (near-real-time) and forensic (post-facto);21
2. The ability and processes for the government to declassify (write-for-release) intelligence information and share it with the rest of government and critical industries;22
3. A government clearinghouse that can act as a trusted facilitator and broker of authoritative information between the government and critical industries (very few countries have this component); and
4. Defined budgetary lines allocated to the government clearinghouse or institutional structure dedicated to the information sharing mechanisms so that they can carry out their services.

Also relevant is demonstrable evidence that cross-sector and cross-stakeholder coordination mechanisms, meant to address critical interdependencies—including incident situational awareness and cross-sector and cross-stakeholder incident management—are effective. Examples of these mechanisms include industry initiatives such as defense industrial base programs or financial service ISACs. (Partial credit will be given to countries even if the government did not initiate these programs.)

Initial findings in this Mission Area are based upon a review of whether a country has established information sharing and other coordination mechanisms. Primary and secondary sources will also be utilized to determine whether such mechanisms exist and are properly funded. Updates to this Mission Area will monitor, track, and evaluate substantive and notable developments.

5. INVESTMENT IN R&D

The fifth element required for a country to be “cyber ready” is investment in basic and applied cyber security research (innovation) and in funding cyber security initiatives more broadly. Marshaling resources towards research and development (R&D) and innovation is essential for a country that wants to take advantage of the opportunities afforded by the Internet economy while simultaneously maintaining a strong cyber security posture. Government and businesses need to explore technology development together, including enhanced commercial off-the-shelf product development. There is a collective need for an infrastructure that is Internet-based and that allows us to live and work online with confidence.
By investing in R&D and other cyber innovations, countries and organizations can work to close the gap between infrastructure security and attacker capabilities, which would help make the Internet a safer place. For example, the European Commission’s Programme Framework-7 (FP-8) has allocated approximately 1.5 billion euros for security research to drive the innovation agenda. One of the evaluation criteria for this investment is transnational cooperation among companies and solutions that meet pan-European needs. Objectives include: restoring security and safety in case of a crisis; improving security systems integration, interconnectivity, and interoperability; and increasing the security of infrastructure and utilities. In addition, the European Union’s Horizon 2020 program—the eighth phase of the FP-8—provides an estimated 80 billion euros of funding for additional research and technological development initiatives. In keeping with the EU’s underlying principle of open access, it intends to improve research results, create greater efficiency, improve transparency, and accelerate innovation. Similarly, the United States has the National Information Technology and Research and Development (NITRD) program that prioritizes, coordinates, and funds a four billion dollar annual IT research agenda across many federal agencies. The NITRD program23 intends to increase the overall effectiveness and productivity of federal R&D investments by leveraging strengths, avoiding duplication, increasing interoperability of R&D products, promoting infrastructure improvements, and enhancing the trust and integrity of online transactions, among other security initiatives.

Other government-sponsored initiatives that can encourage cyber security innovation include incentive mechanisms such as R&D tax credits. For instance, recognizing that attracting a large number of leading organizations and investments to a new place requires government encouragement and commitment, Israel has recently approved significant tax breaks for cyber defense companies that join its national cyber park in Be’er Sheva and establish their activity there.24 The goal is to create an economic and strategic cyber security hub that will strengthen Israel’s unique industry-academia-military ecosystem; increase private-public partnerships in the cyber field; serve as a center of excellence for innovation; and allow for local continuity between training and employment, thanks also to the proximity of the industry to the sources of relevant human capital in the area (academia and Israel Defense Forces units).

Governments can also provide incentives in the form of grants, scholarships, etc. to encourage cyber security education and capacity building in qualified academic institutions. The National Security Agency (NSA) and the Department of Homeland Security (DHS), for example, have jointly sponsored the National Centers of Academic Excellence in Information Assurance (IA) Education (CAE/IAE), Research (CAE-R), CAE Cyber Operations, and most recently CAE Cyber Defense (CD) to promote higher education in IA and fill the growing need for cyber security professionals. Over 180 institutions in the United States have already received CAE accreditation, which benefits not only the designated institution, but also students, employers, and hiring managers throughout the nation.

Additional elements/components of a country’s commitment to advance its cyber security R&D, education, and capacity building efforts would include:

1. Government incentive mechanisms (e.g., R&D tax credit) to encourage cyber security innovation and dissemination of new findings, techniques, processes, and tools;
2. Government incentive mechanisms (e.g., grants, scholarships) to encourage cyber security education and capacity building;
3. Programs committed to the development, dissemination, and routinization of interoperable and secure technical standards, acceptable to and reinforced by internationally recognized standards bodies;
4. Degree programs in cyber security, information security, or similar fields;
5. At least one nationally influential institutional body overseeing the national commitment to cyber security R&D and serving as a national and international point-of-contact for collaboration on this research;
6. An institutional body with the mission to report on, and then encourage a rising commercial adoption rate of, counterpart/complementary/subsequent research (or government/commercial) successfully transitioned programs;
7. Additional national efforts to support, advance, and sustain cyber security R&D considered effective, especially in terms of the research/production conversion rate (e.g., percent implemented operationally within the government) and of the commercial adoption rate of counterpart/complementary/subsequent research (or government/commercial) successfully transitioned programs;
8. A declared percentage of GDP or government budget (roughly) dedicated to cyber security R&D; and
9. A commensurately credible amount of funding provided to major research institutions such as universities to advance the national capacity in cyber R&D, associated technology industries, and citizen capacity in IT.
Initial findings in this Mission Area are based upon a review of whether a country is investing in cyber R&D, education, and capacity building—in addition to funding cyber security initiatives more broadly. Primary and secondary sources will also be utilized to determine the type, if any, of government incentive mechanisms already in place and the resources dedicated to initiatives similar to the ones discussed above. Updates to this Mission Area will monitor, track, and evaluate substantive and notable developments.

6. DIPLOMATIC (INTERNATIONAL) ENGAGEMENT/INFLUENCE

The sixth essential element of a “cyber ready” country is demonstrated through its diplomatic cyber engagement. Most often, this capability takes the form of diplomatic activity where cyber is a key element of the discussions. To this end, the establishment of a dedicated office or personnel charged with focusing upon such matters should be an integral component of maintaining any cyber diplomacy capability. At a fundamental level, cyber diplomacy has two key components. Firstly, it seeks to define what types of cyber activity should and should not be permitted, commonly referred to as cyber norms of behavior. Secondly, it establishes the framework and rules by which ICT economic cooperation should take place. In addition to cyber-economic and cyber security diplomatic engagement, cyber diplomacy encompasses a myriad of other issues including: data localization, freedom of access, content restrictions, use of data analytics, and privacy controls. A key component of a country’s ability to engage diplomatically on cyber-related issues depends upon the establishment of dedicated cyber personnel or organizational structures. The level of participation within international fora is also a measure of a country’s diplomatic cyber maturity, which requires an established cadre of personnel, organization, and funding.

Additional elements of a sound diplomatic cyber security engagement capability should include:

1. Identification of cyber security as an essential element of foreign policy (e.g., Track 1 top tier bilateral, allied, and multilateral discussions);
2. Identification of ICT and cyber security as an essential element of international economic negotiations, trade, and commerce;
3. The establishment of dedicated personnel in the foreign office or equivalent organizations whose primary mission includes active engagement internationally in cyber security diplomacy;
4. Consistency between the numbers and ranks of dedicated foreign cyber diplomacy personnel and the commitment of a country to engage in cyber security diplomacy as a top tier issue of national importance;
5. Identification and allotment of funding sources for cyber diplomacy personnel and engagement;
6. Participation in and enforcement of international, multi-national, and/or regional agreements pursuing common or shared cyber security elements (e.g., implementation of best practices, right to access); and
7. Demonstrated commitment to influencing international negotiations that pertain to the use of ICT or the internationally, regionally, or nationally shared aspects of cyber infrastructure, including baseline technology, controls, designs, and so forth.

Several international entities exist that offer a forum for diplomatic cyber security discussions and decision-making. The ITU, for example, is undertaking an effort to standardize cyber security through “building confidence and security in the use of Information and Communication Technologies (ICTs),” and the development of a global cyber security index that will measure the cyber security capabilities of countries and hence enable informed decisions to foster a global culture of cyber security.25 In addition, the OAS and the IDB have joined forces to work with their Member States to systematically address cyber security as part of three issue areas: (1) development that is both socially inclusive and environmentally sustainable; (2) ICT as a tool to generate income and employment, provide access to businesses and information, enable e-learning, and facilitate government activities; and (3) security of their core infrastructures and citizen-facing services. A country’s diplomatic cyber engagement can also be measured by its engagement in, and capacity to influence, the international cyber negotiations that are ongoing in these fora.

Initial findings in this Mission Area are based upon a review of whether or not a country has explicitly designated or established a governmental office or individuals charged with diplomatic cyber responsibilities. Further research will be conducted to determine whether and to what degree such a governmental office or individual participates in and influences international negotiations on issues pertaining to cyber, through direct research and engagement with the international organization or through public accounts. Primary and secondary sources will be utilized. Updates to this Mission Area will monitor, track, and evaluate substantive and notable developments.

7. ABILITY TO RESPOND MILITARILY TO OR IN A CRISIS SITUATION

The seventh and final criterion that impacts a country’s cyber readiness is the ability of its national armed forces and related defense agencies to defend the nation via cyberspace in response to cyber security threats.
Countries interested in this type of capability are openly or covertly directing their military to establish the capacity or expertise to respond to cyber security threats that rise to the level of nationally critical “cybered” conflict26 from within or outside military sectors and national geographic territory. That any future conflict and crisis will contain a cyber component is no longer a matter of debate, particularly when one considers that no modern military enters the battlespace without some reliance on computers and computer networks. Today, however, countries are considering response options in, through, or enabled by cyberspace in response to a variety of cyber security threats during peacetime as well as during armed conflicts. Indeed, a new spectrum of ‘cybered conflict’ has emerged by which nations and transnational organizations can openly or covertly—or both—undermine the systemic resilience of others without moving towards active wartime hostilities. As a result, not only are national ‘cybered borders’ emerging in various forms around the globe, but governments are also exhibiting considerable interest in having both defensive and offensive cyber capabilities within the control of their government agencies. Slowly, these tools and their related institutions and policies are being redefined as essential for a sovereign state in a deeply cybered world. While most countries have only indicated interest publicly in developing a ‘cyber command,’ a growing number of individual countries have already designated specific institutions to operate continuously as the cyber command in their armed forces.27 Others have, at least for now, sought to place these capabilities in security organizations not directly located within their military structures. A few others are developing these capabilities covertly and embedding them in more obscure or non-obvious existing institutions associated with defensive cyber security.

Adversary offensive cyber capabilities fundamentally challenge the ability of governments to protect the wealth and future well-being of their national economies. For this reason, it has become imperative for states to upgrade national level cyber defenses. National law, regional judicial agreements, and international law have not succeeded in compensating for major national economic loss as a result of cyber incidents. Since the overwhelming scale of cyber attacks crosses all sectors, the demand is for a national response to counter or disrupt these cyber attacks. In this circumstance, governments instinctively look to increase the defensive capabilities of those security agencies that are already capable of operating in, through, and as enabled by cyberspace outside their national borders (i.e., the military or intelligence services). Moreover, as corporate entities continue to experience cyber attacks, there has been a growing commercial interest in ‘hacking back’ at their cyber attackers. Without a credible national government response, these commercial entities are more likely to act informally as vigilantes, with unpredictable consequences for networks, content, and perceptions in cyberspace. Commercial entities with fewer resources are also beginning to publicly demand that their governments proactively protect their national commercial systems from external cyber bad actors. For most countries, meeting that demand has traditionally fallen to the military and intelligence services.

Today, there is a growing consensus that a sovereign nation needs to be able to detect, trace, map, and decide whether or not to preemptively, directly, or laterally respond to external cyber attacks. By creating a policy or organization with offensive and defensive cyber missions, countries are able to signal to adversary countries and transnational organizations that they have the ability to respond in kind.

Additional components of a country’s commitment to develop and deploy dedicated military units with cyber defense—and perhaps cyber offense—capabilities/responsibilities may include:

1. A defined command authority located in an organization whose primary mission includes the cyber defense of the national military forces and, as part of their defense mission, the nation;
2. An explicit designation of an institution as a military “Cyber Command” or functional equivalent with a label in keeping with national preferences;
3. Additional nonmilitary units with national cyber security missions, such as “active defense”;
4. Efforts to establish and then sustain mutual and/or regional agreements allowing a common defense;
5. National agency and commercial partner programs to conduct exercises validating the effectiveness of policy and governance mechanisms;
6. Specific rules of engagement for the armed forces and related institutions for operations in, through, or enabled by cyberspace during peacetime and armed conflict;
7. Plans for the country’s military to directly participate in, help fund, or advance the effectiveness of the national level cyber security R&D and information sharing programs, including exercises at the unclassified as well as classified level; and
8. Defined budgetary lines allocated to major national military unit(s) whose top-level mission explicitly includes cyber security beyond purely military networks.

Initial findings in this Mission Area are based upon a review of whether a country has officially declared that it possesses dedicated national military unit(s) whose top-level mission includes cyber security beyond purely military networks. Primary and secondary sources will also be utilized to determine whether such units are already active and properly funded, and whether the country has acquired the ability to respond militarily to, or in, a crisis situation via cyberspace. Updates to this Mission Area will monitor, track, and evaluate substantive and notable developments.

CONCLUSION

Countries are embracing the economic and social potential of the Internet of Everything (IoE)—the intelligent connection of people, processes, data, and things. The ITU, the World Bank, and other international institutions are measuring the benefits that ICT brings to the economy and society. Equally important is bringing transparency to the GDP erosion from illicit and illegal activities that is tearing at the very fabric of our countries (threatening national security and our economic prosperity). Adopting a security framework and knowing one’s cyber readiness level is essential to realizing the full potential of the Internet economy and our digital future. The CRI can serve as a solid foundation to help inform this urgent and on-going requirement. It challenges the conventional thinking about cyber security by showing that it must be married to the debate and desire for economic prosperity. The CRI identifies the essential elements of a stronger security posture that can defend against GDP erosion. Moreover, the CRI should spark international discussion about the priorities required to strengthen security and encourage governments to take actions and reduce risks.
This index will be updated periodically, adding evaluation criteria and assessing countries’ progress and evolution toward securing the cyber infrastructure and services upon which their digital future and growth depend.

ENDNOTES

1. The Cyber Readiness Index 2.0 builds on a previously developed index, titled “Cyber Readiness Index 1.0.” The Cyber Readiness Index 1.0 developed a methodological framework for assessing cyber readiness across five essential elements, which are broadly defined as cyber national strategy, incident response, e-crime and legal capacity, information sharing, and cyber research and development. The Cyber Readiness Index 1.0 applied this methodology to an initial set of thirty-five countries. For more information on Cyber Readiness Index 1.0, see: Melissa Hathaway, “Cyber Readiness Index 1.0,” Hathaway Global Strategies LLC (2013), http://belfercenter.ksg.harvard.edu/files/cyber-readiness-index-1point0.pdf.
2. World Economic Forum, “ICT for Economic Growth: A Dynamic Ecosystem Driving The Global Recovery,” accessed November 5, 2013, http://www3.weforum.org/docs/WEF_IT_DynamicEcosystem_Report_2009.pdf.
3. David Dean et al., “The Digital Manifesto: How Companies and Countries Can Win in the Digital Economy,” Boston Consulting Group report, January 2012: perspective 27.
4. Peter C. Evans and Marco Annunziata, “Industrial Internet: Pushing the Boundaries of Minds and Machines,” General Electric report, November 26, 2012: 13.
5. Frontier Economics London, “Estimating the Global Economic and Social Impacts of Counterfeiting and Piracy: A Report commissioned by Business Action to Counterfeiting and Piracy,” Paris: ICCWBO, 2011: 47.
6. The National Bureau of Asian Research, “The IP Commission Report: The report of the commission on the theft of American intellectual property,” May 2013.
7. TNO, “Cost of Cyber Crime Largely Met by Business,” accessed November 5, 2013, www.tno.nl/content.cfm?context=overtno&content=nieuwsbericht&laag1=37&laag2=69&item_id=2012-04-10%2011:37:10.0&Taal=2.
8. ICT infrastructure uptake includes fixed and mobile (voice and data) market segments—both subscriptions and household data access—and investment in and revenues by the telecom sector.
9. A competent authority is any person or organization that has the legally delegated or invested authority, capacity, or power to perform a designated function.
10. The terms CSIRT and CERT refer to a team of IT security experts designated to respond to computer security incidents. Both terms are used interchangeably, with CSIRT being the more precise term.
11. John Haller, Samuel Merrell, Matthew Butkovic, and Bradford Willke, Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0 (CMU/SEI-2011-TR-015), Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2011, http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9999.
12. Olaf Kruidhof, “Evolution of National and Corporate CERTs – Trust, the Key Factor,” in Best Practices in Computer Network Defense: Incident Detection and Response, ed. Melissa E. Hathaway, NATO Science for Peace and Security Series, Amsterdam: IOS Press, February 2014.
13. Carnegie Mellon University, “List of National CSIRTs,” CERT Division, http://www.cert.org/incident-management/national-csirts/national-csirts.cfm.
14. European Network and Information Security Agency (ENISA), “Inventory of CERT teams and activities in Europe,” Version 2.13, June 2014, http://www.enisa.europa.eu/activities/cert/background/inv/files/inventory-of-cert-activities-in-europe.
15. Forum of Incident Response and Security Teams (FIRST), “FIRST Members,” http://www.first.org/members/teams.
16. Council of Europe, “Convention on Cybercrime,” Budapest, 23.XI.2001, http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
17. See: “Agreement between the Governments of the member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security,” Unofficial Transcript SCO, December 2, 2008. Retrievable at: http://media.npr.org/assets/news/2010/09/23/cyber_treaty.pdf.
18. Judge Stein Schjolberg and Amanda M. Hubbard, “Harmonizing National Legal Approaches on Cybercrime,” International Telecommunication Union (July 1, 2005), p. 6.
19. Cybercrime Expert Group, Proposal, Doc. No.: telwg29/ESTC/12.
20. Melissa Hathaway, “Why Successful Partnerships are Critical for Promoting Cybersecurity,” The New New Internet, May 7, 2010.
21. Part of this would happen through a CERT or ISAC, and when critical infrastructure notices are pushed out. The Netherlands has a way to share information with industry, similar to the US financial ISAC.
22. The UK and Brazil have mechanisms in place to declassify (write-for-release) intelligence information and share it with their critical sectors, much better than the US does.
23. For more on the NITRD Program and its research areas, see: www.nitrd.gov/Index.aspx.
24. Embassy of Israel in New Zealand, “Cabinet approves tax break for National Cyber Park,” June 7, 2014, http://embassies.gov.il/wellington/NewsAndEvents/Pages/Cabinet-approves-tax-break-for-National-Cyber-Park-6-Jul-2014.aspx.
25. The ITU’s Global Cybersecurity Index is distinguishable from the CRI based upon the GCI’s focus upon ranking countries, and its focus upon different categories: Legal Measures, Technical Measures, Organizational Measures, Capacity Building, and Cooperation.
26. Cybered conflict differs from cyber war or cyber battle. The latter is fully technological and could, in principle, be conducted entirely within a network. It is normally a component of the former. “Cybered conflicts are those nationally significant aggressive and disruptive conflicts for which seminal events determining the outcome could not have occurred without ‘cyber’ (meaning networked technologies) mechanisms at critical junctures in the determining course of events.” Chris Demchak, “Resilience, Disruption, and a ‘Cyber Westphalia’: Options for National Security in a Cybered Conflict World,” in Securing Cyberspace: A New Domain for National Security, edited by Nicholas Burns and Jonathon Price, Washington, DC: The Aspen Institute.
27. The building of a ‘cyber command’ or its equivalent says little about a nation’s cyber power in terms of overall national systemic resilience. A ‘cyber command’ indicates that a nation is able to respond externally to cyber attacks.