Global Cybersecurity Index 2024: Security on the global stage
In a world where technology and digitalization are critical, robust Cyber Security is imperative. Nations are facing increasing threats and sophisticated tactics from cybercriminals aiming to disrupt economies, compromise national security, and erode public trust. The challenge lies not only in combating cybercrime but also in enhancing cybersecurity capabilities. What are the primary drivers of these capabilities across different countries?
The International Telecommunication Union (ITU) in its 5th edition of the Global Cybersecurity Index (GCI), recently published, examines countries' digital preparedness. We are faced with a complex and uncertain landscape in a hyperconnected world, making it essential to understand global efforts to protect cyberspace and identify the challenges ahead.
Cyber Security is a strategic imperative for governments and both critical and non-critical sectors of society.
The current cyber landscape highlights the ongoing need to improve and adapt Cybersecurity measures. Governments must evaluate cybersecurity efforts to foster development in this field.
✅ According to the ITU's index, while a perfect score reflects a strong commitment, there is always a need for further work on appropriate measures and responses. The GCI highlights many countries' efforts across five fundamental pillars: legal, technical, organizational, capacity development, and cooperation.
In this global scenario, nations are expanding digital services and connecting people but still have work to do to integrate Cybersecurity into their connectivity goals. Significant gaps exist in cyber capacity and challenges such as staffing, equipment, and funding.
Some countries are advancing in cybersecurity despite limited ICT development. According to the ICT Development Index (IDI), countries with high ICT levels face risks of insecure cyberspace due to lack of resources, affecting resilience and reliability.
Legal frameworks
Many countries have implemented legal measures that clarify cybersecurity concerns, encompassing privacy, data protection, and even online illegal activities. They emphasize the need for greater harmonization between laws and regulations, such as alignment with the General Data Protection Regulation (GDPR) and international cybercrime treaties. This has led to the adoption or updating of measures with technologically neutral language, providing more flexibility in interpreting and aligning online and offline crimes or obligations.
However, some countries show ambiguities in breach notification requirements and their applications (such as the EU Cyber Resilience Regulation), necessitating further efforts to ensure specificity and enforcement of legal and regulatory compliance.
✅ It should be noted that GDPR and similar laws have driven an increase in the number of countries with privacy laws and breach notification requirements. However, the trend has stabilized, and many still need to clarify their legal and regulatory frameworks regarding privacy, data protection, and notification.
These efforts can be complemented by capacity development to ensure that relevant stakeholders are well-trained and aware of current cybersecurity threats.
Technical measures
A solid Cyber Security foundation requires a combination of competent people, well-documented processes and procedures, and technologies. There is still a disparity in the implementation of technical measures to support cybersecurity efforts.
Computer Security Incident Response Teams (CSIRTs) are essential for detecting, preventing, responding to, and mitigating cyber threats. They function as national and international focal points, promoting a culture of disclosure, awareness, and training.
While less common, sectoral CSIRTs play a critical role, particularly at the regional level, allowing for shared resources and joint efforts to address common issues. Each sector faces specific threats and needs, especially those part of critical infrastructure and their supply chains.
People, processes, technologies, information, and environments enable nations to prepare for, protect against, and respond effectively to cyber incidents.
However, implementing sectoral CSIRTs faces challenges due to lack of resources and capabilities in several countries. Low-income countries and small island states focus on developing national CSIRTs. With the advancement of ICT infrastructure, sectoral needs can be addressed at the national level or through regional CSIRTs.
Additionally, conducting cybersecurity drills and exercises with the participation of all stakeholders is essential.
Organizational measures
Greater coordination and alignment are needed to shape more inclusive, data-driven national cybersecurity initiatives.
A country's Cyber Security posture requires the implementation of strong organizational measures to guide it effectively. Countries are showing significant progress with clear strategic objectives, action plans, execution, and measurement. The GCI highlights that without a well-defined network of partners working collaboratively with industry, civil society, and academia, efforts across different sectors and industries become fragmented and uncoordinated, hindering national harmonization in cybersecurity development.
National Cybersecurity Strategies (NCS) have become an increasingly common fundamental tool for governments to organize around cybersecurity, as they work to develop clear metrics and measures to track cybersecurity outcomes at the national level. This includes in-depth tracking of cybersecurity inputs, such as audits. Translating these parameters into policy and enforcement requires clear roles and responsibilities, as well as responsive organizational frameworks.
Additionally, existing strategies need reviewing and updating. The breadth and depth of NCS vary considerably, but in some countries, they at least stipulate:
- Cybersecurity of critical infrastructures.
- Lifecycle management principles.
- Stakeholder engagement.
- An action plan.
"Having an action plan does not guarantee that all best practices are prioritized or incorporated." The report notes that the implementation of practices such as "stakeholder engagement" and "lifecycle management" tends to occur at the beginning or end of the NCS, prompting recommendations to integrate these aspects throughout the strategy's lifecycle. As a result, valuable information and added value from the strategy with stakeholders is lost in aligning on key priorities and adaptation opportunities that help make the strategy relevant, sustainable, and effective.
The GCI highlights that audits are a common practice for assessing Cybersecurity and cyber risks. However, many countries do not include them in their action plans. Additionally, efforts in critical infrastructure often lack legal backing.
It also underscores that Cybersecurity professionals are well-trained to manage risks and respond to incidents. Many countries have national systems and responsible bodies that provide specific training in this field.
Online child protection strategies and initiatives remain limited.
Child protection in the digital environment is a fundamental aspect of public policies and requires collaboration across society. Although many laws already include measures against cybercrime and sexual exploitation, only a few countries have comprehensive child protection strategies that include awareness campaigns for educators, law enforcement, and reporting channels, supporting children and young people in their digital journeys and helping them understand online risks.
As children access the internet, it is necessary to protect and empower them to become active participants in creating a safe and trustworthy cyberspace.
Capacity development
Training and awareness efforts are crucial to building a strong Cyber Security ecosystem. Countries risk eroding progress in improving full and universal connectivity if they do not support capacity building and awareness in this area. Most countries engage in capacity development activities, mostly through awareness campaigns. Furthermore, countries are moving towards developing and enhancing qualified talent in the industry.
Private and public sectors, educational cycles, and research and development (R&D) spaces are part of efforts to promote national training.
Countries increasingly target specific demographic groups as part of their awareness campaigns. Building a Cyber Security culture is a constant challenge for all countries. Awareness campaigns are developed or supported to inform users and change their behaviors.
✅ The GCI emphasizes that targeted campaigns are essential to identify and educate about Cybersecurity threats. However, their effectiveness depends on the metrics used to measure their impact, especially on social media. Superficial metrics such as "likes" and shares do not accurately reflect true reach.
It is necessary to adopt human-centered approaches that address people's specific concerns and challenges to navigate a safe cyberspace. This includes tailoring campaigns to diverse audiences, considering cultural and socioeconomic factors.
Prioritizing meaningful engagement and behavioral outcomes over superficial metrics can ensure campaigns that truly empower people and contribute to a safer online environment for all.
There is still a lack of Cyber Security skills development programs at all educational levels, which poses a challenge.
Collaboration and public-private cooperation
Given that Cybersecurity is transnational, an effective response requires cooperation and collaboration between public, private, and governmental sectors. Furthermore, efforts have increased in the context of international, regional, and sectoral Cybersecurity agreements. However, many countries are not part of these agreements due to conflicts, lack of human resources, or unclear benefits.
"Operationalization and impact of agreements and frameworks remain a challenge." It is worth noting that collaboration with the private sector offers governments the opportunity to leverage its knowledge and expertise to enhance Cybersecurity. Nearly half of countries have interagency cybersecurity processes within their governments. However, collaboration with the private sector is less common: fewer than half of countries are involved in public-private partnerships with national or foreign companies.
Cyber Security efforts should not be fragmented, disconnected, and frustrating; it is a complex and interconnected problem that demands a holistic, comprehensive, and cross-cutting approach.
"The success of agreements, alliances, and processes depends on whether they go beyond paper and into action." Promoting information sharing, capacity building, and joint threat assessments allows the international community to more effectively address the evolving cyber landscape, including the growing intersection of cybersecurity and AI. Building national collaboration remains an area for improvement.
Cybersecurity is more than a matter of hardware or software; coordination among competent national actors is essential for achieving coherent commitments. There are encouraging advances, as responsible agencies can help drive more cohesive and collaborative cybersecurity approaches.
◾ Download the full report: Global Cybersecurity Index 2024 →
____
Imagen: Wirestock / Freepik.