Welcome to New America, redesigned for what’s next.

A special message from New America’s CEO and President on our new look.

Read the Note

Close

internet services arabic

Securing Digital Dividends

Table of Contents

Part II: Understanding the Important Communities

Mainstreaming will be a challenge. In order to make progress, we need to understand two primary stakeholders: The development community and the cybersecurity capacity building community. These communities, and the benefits of bridging them, are described here.

Chapter 3: Understanding Development

Two distinct communities of practice hold equity in mainstreaming cybersecurity in development. The first, the international development community, has existed as a community of practice for the better part of a century. The second, the cybersecurity capacity building community (which we cover in more detail in Chapter 4: Understanding Cybersecurity Capacity Building), has existed for closer to a decade and developed largely outside of major development institutions. These two communities possess complementary and often overlapping goals, yet in large part they operate in isolation from one another. To successfully mainstream cybersecurity in development, the work and lessons from the cybersecurity capacity building community must be folded into the development community. Understanding the activities, organization, and equities of each will be key to bringing these two communities together.

In this section, we provide a high-level overview of what constitutes the development community, how it works and is funded, what it does, and its notable equities when it comes to cybersecurity. If you are already deeply familiar with the inner workings of the development community, skip this chapter and move on to Chapter 4: Understanding Cybersecurity Capacity Building.

Organization

The development community can be divided, in large part, into four categories: (1) institutional donors, (2) bilateral aid agencies, (3) intergovernmental organizations, and (4) nongovernmental organizations.

Figure 1: The Development Community1

Category Examples Potential Activities
Institutional Donors The World Bank, African Development Bank, Inter-American Development Bank, the International Monetary Fund Provide expertise and funding, develop strategies
Bilateral Aid Agencies U.S. Agency for International Development, DFID, Norwegian Agency for Development Cooperation (NORAD), Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ), European Union Provide expertise and funding, develop national strategies
Intergovernmental Organizations The United Nations Development Program (UNDP), The Organisation for Economic Co-operation and Development (OECD), Organization of American States (OAS), Economic Community of West African States (ECOWAS) Provide expertise and funding, assist with strategy development and implementation
Nongovernmental Organizations Oxfam, The Bill and Melinda Gates Foundation, Doctors Without Borders (MSF) Provide expertise and funding, assist with implementation, advocate

Box 3

Featured Case Study: How Does the World Bank Work, Exactly?

The World Bank Group is a “global partnership [of] five institutions working for sustainable solutions that reduce poverty and build shared prosperity in developing countries,” and is one of the most prominent members of the development donor community.2 The bank’s five institutions—IBRD,3 IDA,4 IFC,5 MIGA,6 and ICSID7—have “their own country membership, governing boards, and articles of agreement,” but nonetheless work together with both the public and private sectors to connect “global financial resources, knowledge, and innovative solutions to the needs of developing countries.”8 IBRD provides “financial development and policy financing,” IDA provides “zero- to low-interest loans and grants,” IFC “mobilizes private sector investment,” MIGA “provides political risk insurance,” and ICSID settles disputes.9

The World Bank has 13 sector-based global practices, which work with regional units to develop and fund projects and programs. For projects in lower-income and conflict countries, the IDA portion of the bank leverages grants and credits (zero- or low-interest loans). For projects in “middle-income and creditworthy low-income countries,” the IBRD provides “loans, guarantees, risk management products, and advisory services.”10 Because loans require a counterpart in the recipient government who is willing to borrow (and therefore repay), loan financing is largely demand-driven.

In every case the World Bank works with a client or recipient country to develop a project or program based on the client’s specific needs. The bank uses tools, like maturity assessments, study tours, and cybersecurity strategies, to help clients understand cybersecurity risk, but the use of World Bank resources is largely driven by the recipient countries themselves.

In addition to the work of IDA and the IBRD, the bank leverages trust funds through the Development Finance Vice Presidency (DFi).11 These trust funds are often used to develop knowledge, support pre-implementation work, and pilot new models. They comprise the pot of money the bank relies on to explore new areas for investment. The investment from trust funds is roughly equal to all other lending done by the bank. Importantly, these trusts are funded via bilateral development institutions and the private sector. Some broad conditions for donations to trust funds—like the stipulation that a given donation must be spent on cybersecurity projects—can be negotiated by donors to the funds, though some restrictions on conditions exist.12

Finally, the bank’s institutions can leverage Reimbursable Advisory Services (RAS)—an instrument to deliver specific “technical advice, analytical services, and implementation support” to eligible clients requiring services that cannot be fully funded from the bank’s country program—for middle- and high-income countries.13 The World Bank is “then reimbursed for the costs of delivering these advisory services,” by the recipient. This portion of the bank’s work, however, is comparatively small.

Once a lending project or program is initiated, the recipient government is generally responsible for “executing” the project and the recipient, using funds provided by the bank, generally enters into contracts with the private sector to implement the project. Large consulting companies that are able to manage the risk of bidding for projects in low-income countries dominate implementation of many ICT-driven projects. The World Bank and other donor institutions have some measures, like debarment (also known as “blacklisting”), for private entities that abuse World Bank funds.

The way major institutions organize themselves can be seen as a legacy of early ICT for development phases from the 1990s and early 2000s. The early infusion of digital technologies into development practice with a focus on connectivity meant that many of the “digital development” practitioners were folded into existing transportation development teams, due to the similarities in “connecting” people. This structure is maintained today within the World Bank’s Transport & ICT Global Practice. Though the World Bank was a leader in folding an ICT practice into their work, other major development organizations have created separate teams focusing on digitization. In the case of the World Bank, these sector-specific teams or groups then often work closely with country-specific teams to craft projects or programs tailored to specific aid and project recipients in the form of Country Partnership Frameworks (CPFs) and Systematic Country Diagnostics (SCDs) which identify core local challenges and guide the bank’s support to a given country.

As digital technologies became increasingly important across sectors, the stovepipes in many of the prominent development organizations became more rigid and impermeable. In most cases, rather than enabling digitization specialists who could assist with digitization projects across different sectors, folding digitization into existing portfolios became the task of existing teams. In practice, for example, this meant that financial sector specialists led the digitization efforts for banking systems. The primary exception to this rule was, again, the transport groups in most major development organizations. Rather than focusing on digitization of specific sectors, transport became the home for connectivity initiatives focused on increasing the percentage of a given population able to access the internet.

In recent years, as major development institutions have begun to view “digital, data and technology as enablers rather than an end goal,” some have begun to reorganize to better reflect this reality, sprinkling “digital” throughout their programmatic areas, rather than creating a new digital stovepipe. However, progress in many of the larger institutions is slower.

Relevant activities

Two separate strands of development activity—which are sometimes conflated—are pertinent to cybersecurity capacity builders: connectivity initiatives and digitization programs.

Connectivity initiatives seek to build out internet infrastructure in order make the internet reach more of the population. These initiatives often also focus on providing the broader population of a country or region with the tools necessary to leverage newfound connectivity, like computer literacy. Running fiber optic cables to rural areas or increasing 4G satellite coverage and distributing cellphones are examples of connectivity initiatives.

Digitization efforts, by contrast, focus on bringing technological advances—like computer systems, networks, and the internet—into different aspects of society to improve efficiency. Often associated with the concept of “going paperless,” bringing government services online and the advent of e-banking are examples of digitization. Digitization can be digitizing existing industries, processes, and infrastructure, but can also involve just about any other project that incorporates or creates reliance on ICT. Connectivity and digitization are complementary. The more connected a given country, the broader and greater the impact digitizing key industries or services.

Funding

The way development donors support these activities varies depending on institution. The way multilateral donor institutions like the World Bank and the regional development banks raise their funds is complicated, but includes things like “funds raised in the financial markets, from earnings on its investments, from fees paid in by member countries, from contributions made by members (particularly the wealthier ones), and from borrowing countries themselves when they pay back their loans.”14

At the World Bank, the International Development Association (IDA), the institution that gives no-interest loans and grants, is the primary recipient of contributions from donor countries, though it has recently incorporated other funding mechanisms into its work.15 Country contributors can put conditions on their contribution and donors may attempt to steer money to a “limited number of ‘special themes’” during the process of replenishing IDA’s reserves, which happens every three years.16 Once money is allocated, the bank’s 13 global thematic teams and regional units then work with recipient countries to develop projects funded by this money.

Most major multilateral development finance institutions also utilize trust funds to support conceptual or pre-implementation work, pilot new models, and develop new knowledge. Thus, donor institutions often rely on trust funds to expand their work into new areas. In the World Bank’s case, these trust funds provide “predictable multi-year funding that is crucial for effective development,” and allow donors to “coordinate and target their scarce aid resources across multiple sectors.”17 The trust money is often used alongside other “projects developed and financed” by the lending institution.

The funding structures of bilateral aid agencies, like DFID and USAID, are relatively simple in comparison to their multilateral brethren. Although there is some variation in how funds are appropriated, these agencies are generally funded by national governments via taxpayers. In most cases, an aid agency is tasked with developing a budget request, which outlines the strategy for spending its allocation to be approved by national governments or boards. In some cases these bilateral aid agencies will allocate funds to global donor institutions in the form of trust funds, as discussed above.

Notable equities

The primary objective of the development community is to reduce inequality and cultivate better opportunities and outcomes for all people. The community coalesces around the SDGs. However, how the community has gone about achieving its goals has morphed over its many decades of existence. Today, a key equity worth understanding is the development community’s relationship with metrics.

Rooted in the economics discipline from its beginning, the development community, and donor institutions more specifically, rely heavily on metrics to decide how to spend money and monitor and evaluate their projects and programs. For prominent development economist Joseph Stiglitz, good metrics are imperative for development because they, “monitor and diagnose what is going on,” provide a means to “assess the source of the changes,” and “motivate civic action.”18 In many cases, these empirics are quantitative, though recent push back against Gross Domestic Product (GDP) as a primary measurement has lent a resurgence to qualitative metrics. However, because “society is too complicated to be summarized in a single number,” Stiglitz and other economists have advocated for the use of a dashboard “small enough to be easily digested [and] large enough to include monitors of key issues.”19 Rubrics for evaluating development practice do not conflict with the aims of cybersecurity capacity builders, and lessons from the development community’s experience in developing these rubrics can provide pathways for progress in the cybersecurity capacity building context.

Box 4

Metrics and Development Economics

As early as the 1930s, economists—the early acolytes of development practice—recognized the importance of measuring economic growth. As Simon Kuznets posits in his 1934 piece, “there is considerable value… in checking the unarmed observation of even a careful student by the light of a quantitative picture of our economy.“20 Joseph Stiglitz, one of the fathers of modern development economics, further insists that “metrics are important not just because they tell us how we are doing but because they serve as guides in policy-making.”21 For decades, measuring development outcomes often relied on aggregate metrics like gross domestic product (GDP) or gross national product (GNP). However, economists have long noted the shortcoming of some these kinds of aggregate metrics.

In a 1934 report to the U.S. Congress, Kuznets notes that, “the welfare of a nation can scarcely be inferred from a measurement of national income.”22 Kuznets further expounds that “the national income total is… an amalgam of relatively accurate and only approximate estimates.” Because of this flaw, “small differences or changes [in these metrics] should not be taken as unequivocal indications that differences actually exist or that changes have actually occurred.”23

In recent decades, and in part due to interventions from the likes of Stiglitz, development institutions have stressed the importance of more detailed metrics to monitor and evaluate the efficacy of development interventions on different outcomes and overcome “GDP fetishism.”24 This ethos permeates the development community to the extent that one development scholar likened it to a “fetish” and urges the cybersecurity community to proceed cautiously so as to not fall prey to some of the same pitfalls that over-reliance on metrics caused in the development community.25

Chapter 4: Understanding Cybersecurity Capacity Building

At a high level, there are two primary goals of the cybersecurity capacity building community—develop cybersecurity capacity around the world to (1) safeguard against systemic ICT risk (i.e. risk to the global financial system), and (2) deliver sustainable dividends from digitization and increased ICT adoption. Although more empirical work is needed to draw correlations, the work of the cybersecurity capacity building community often contributes directly to the achievement of SDGs and sustainable human progress more broadly, as described in Chapter 2. Most of the SDGs and the targets that contribute to them imply the use of ICT to further human development. In many of these cases, cybersecurity—and by extension the work of the cybersecurity capacity building community—serves to underpin confidence and trust in these ICT systems.

Organization

Today, the cybersecurity capacity building community consists of a set of broad categories of actors not dissimilar to those of the development community. The nascency of this community of practice means that major actors and their roles are less clearly defined than in the development community. Although the primary actors are arguably technology companies and government agencies, intergovernmental and nongovernmental organizations play important roles as well. As Norwegian scholar Lilly Pijnenburg Muller noted in 2015, the composition of the cybersecurity capacity building community faces challenges of its own as a great number of organizations exist to help measure capacity and maturity, but actual capacity developers are less numerous.26 Although the infusion of more money and the increasing maturity of the field have spawned more implementers, this problem persists today. In addition, the focus of some donor countries has shifted towards a model of exporting their experiences and frameworks as a part of their global cybersecurity agenda.

Figure 2: The Cybersecurity Capacity Building Community27

Category Examples Potential Activities
Government Agencies UK FCO; U.S. Departments of State, Homeland Security, Justice, and Defense; German Federal Foreign Office; National Internet Development Agency of Korea (KISA); the Cyber Security Agency (CSA) of Singapore Methodological support, technical support, infrastructure support, budgetary support
Technology Companies Microsoft, Symantec, AT&T, Cisco, Huawei Methodological support, technical support, infrastructure support
Intergovernmental Organizations Organization of American States (OAS), Organization for Security and Co-operation in Europe (OSCE), United Nations Office on Drugs and Crime (UNODC), International Telecommunications Union (ITU), European Union (EU), The World Bank, Association of Southeast Asian Nations (ASEAN), Interpol Methodological support, budgetary support, technical support, infrastructure support
Nongovernmental Organizations Packet Clearing House, Oxford Global Cyber Security Capacity Centre, CyberGreen, Forum of Incident Response and Security Teams (FIRST), DiploFoundation, Internet Society Methodological support, technical support, infrastructure support
Other Organizations Global Forum on Cyber Expertise, The Hewlett Foundation, academic institutions Methodological support, Budgetary Support

In part because there is no clear delineation of who is in and who is out of the community and in part because some of the budgets of capacity builders are not publicly available, it is next to impossible to identify a monetary amount spent on cybersecurity capacity building annually. However, the GFCE is in the process of consulting with its members to begin to grasp the scope of spending. Initial findings have not identified an authoritative amount spent on capacity building globally, but initial estimates suggest that the range of annual spending per “actor” ranges from US$8,000 to US$6,000,000.28 Estimates for total public and private annual spending on cybersecurity capacity building globally based on interviews for this report range from roughly US$50 million to roughly US$1 billion, with the mean estimate far closer to the lower end of that spectrum.29 Regardless, the scope of spending on this development challenge pales in comparison to spending on other issues, despite its cross cutting nature. By comparison, the total “sum of official development assistance, other official flows and private flows” from the OECD’s Development Assistance Committee (DAC) countries alone totaled over US$315 billion in 2016.30

Because the community of practice is still immature relative to the development community, parts of the field still need to be built. Specifically, the cybersecurity capacity building community has three shortcomings that could in part be aided by bringing the cybersecurity capacity builders closer to the development community.

First, as depicted by Figure 2, there is a great deal of overlap with regard to the potential activities and roles of different cybersecurity capacity builders. This overlap manifests not only in principle, but also in practice. Although one of the intended roles of the Global Forum on Cyber Expertise is to coordinate capacity building activity, its limited budget and secretarial capacity means that it is not fully delivering on this promise. In addition, information sharing between cybersecurity capacity builders could be improved. Too often, project information is shared bilaterally and after the fact. The cybersecurity capacity building community could do a better job of talking to one another before projects are funded and implemented.

Second, the methodologies for building cybersecurity capacity are underdeveloped. For development, major development economists and other social scientists helped drive forward methods and good practices in development. Due in part to the nascency of the issues facing cybersecurity capacity development, the academic community has not yet applied the same empirical rigor to identifying good practices for cybersecurity capacity building as it has in the past to understanding how to grow economies or develop good governance.

Third, there is a distinct shortage of implementers and on-the-ground, local networks. In many cases, cybersecurity capacity builders—donor government representatives, their contractors, corporations, and sometimes nonprofits—fly in, conduct a workshop or training session, and leave. While this is not universally the case and some projects or programs involve more extended in-country engagement, these projects appear to be the exception rather than the rule. This reality is driven at least in part by the lack of local, grassroots networks, but is also a reflection of the relative global scarcity of the expertise and funding required to build cybersecurity capacity.

Activities

Klimburg and Zylberberg provide a useful typology for describing cybersecurity capacity building activities of donor countries, outlined in Figure 3.31 Each of these categories of activity generally aim to improve the cybersecurity posture of recipients as a means to enable greater dividends from digitization and increased ICT access.

Figure 3: Activities of Cybersecurity Capacity Builders32

Support Type Description Examples
Methodological Delivering models and “policy options available to governments considering” cybersecurity capacity building activities Developing a national cybersecurity strategy Assisting in crafting cybersecurity regulation or legislation Providing methodological support for technical, infrastructural and budgetary activities
Technical “Training around the CERT/CSIRT structures” as well as “the help provided at law-enforcement level and support for community-based instruments” Joint cybersecurity exercises Sale of technical cybersecurity tools and training Cyber forensics training Cybersecurity educational programs
Infrastructural Providing expert support for the secure provision and deployment of technical infrastructure Assistance securely digitizing critical infrastructure Configuring firewalls and other security controls
Budgetary Providing funding for direct, operational expenses as well as providing funds for large scale infrastructure development and “sustained local engagement with partner governments” Funding the development of a national CSIRT Funding for workforce development programs Funding diplomatic participation in international cybersecurity conferences or meetings Funding for awareness campaigns

As depicted by Figure 3, the activities of cybersecurity capacity builders are diverse. Nonetheless, Oxford’s Global Cyber Security Capacity Center (GCSCC) and the GFCE have built a portal that attempts to capture all the cybersecurity capacity building initiatives and activities.33 Among the activities are things like “capacity building workshops for parliamentarians and senior civil servants,” “practical awareness training and campaigns,” crisis management exercises, and computer emergency response training material.34

Funding

Where development activities largely follow a structure where donors provide grants to recipients for programs and those recipients then execute specific projects (mostly) through a private sector implementer, cybersecurity capacity building does not follow the same model. Often, the donors, which are primarily foreign ministries from around the world, work directly with implementers which are sometimes private companies (like MITRE Corporation, which does much of the implementation work on behalf of the U.S. government), but can also be government agencies or competencies themselves. In many cases, rather than giving grants or loans directly to recipient countries, grants go directly to implementers earmarked for work in recipient countries. Separately, several private companies contribute resources to building better capacity on their own, without additional financial contributions from governments or other donors.

The work of the community is important, and the world’s critical infrastructure and information systems would be far less secure without it. However, given anecdotal evidence from high-profile incidents like the global ransomware attacks, the breaches of the SWIFT system, and the continued increase of DDoS attacks, there can be little doubt that far more work needs to be done. The current scale of the community—both in terms of human capacity and financial capacity—is not sufficient.

Chapter 5: The Necessity of Bridging these Communities

These two communities, which have existed largely separately since cybersecurity capacity building became a community of practice around a decade ago, each contribute to the sustainability of development and should be placed in positions of complementarity and coordination rather than viewed as purveyors of separate and sometimes competing activities.

Some countries have piloted projects to bring development experts from their bilateral development institutions together with cybersecurity capacity builders from foreign ministries. The U.K., for example, has piloted projects that bring the development experts of the Department for International Development (DFID) together with the cybersecurity capacity builders in the Foreign & Commonwealth Office (FCO). The Dutch have engaged in a similar process. However, most countries lag far behind.

Learning opportunities

Despite the tepidness of the institutional response of most development organizations, the benefits of bringing these communities together to mainstream cybersecurity in development programs and projects are numerous. For a start, the development community possesses decades of expertise on capacity development, from which the cybersecurity capacity building community would benefit. Cybersecurity capacity building is not immune from some of the same plights that have plagued other development fields. For example, the development community has wrestled with identifying and measuring good practices for several decades. The Global Forum on Cyber Expertise is now working to identify global good practices in cybersecurity capacity development, but could draw valuable methodological lessons from past experiences in the development community.

Just as the cybersecurity community can bring extensive cybersecurity expertise to the development community, the development community can bring extensive experience and expertise in building capacity and capacity development and on-the-ground experience and networks. This could be crucial for improving the delivery of cybersecurity capacity building programs as many of the organizations that provide cybersecurity capacity building have little or no presence on the ground. This reality can sometimes jeopardize projects. Drawing on the development community’s local presence and association with grassroots actors could be critical in enabling the delivery of better cybersecurity capacity building programs.

Avoiding a missed opportunity

Mainstreaming cybersecurity in development will also prevent the lower- and middle-income world from missing a key opportunity: learning from the mistakes made during digitization in the higher-income parts of the world. As prominent computer science pioneer Peter G. Neumann noted when reflecting on the insecurity of the modern internet, “The fundamental problem is that security is always difficult, and people always say, ‘Oh, we can tackle it later,’ or, ‘We can add it on later.’ But you can’t add it on later. You can’t add security to something that wasn’t designed to be secure.”35 As Steve Corker, former chair of the board for the Internet Corporation for Assigned Names and Numbers, notes, “we could have done more [to build security into the internet from the beginning], and most of what we did was in response to issues as opposed to in anticipation of issues.”36

Decades of experience in trying to secure digital systems in early adopting areas has led many cybersecurity professionals to wish that security had been given more credence in the early stages of digitization. The later adopters of digital technologies have an opportunity to learn from those mistakes. Bringing the cybersecurity capacity building community and its expertise into development circles will enable the development community to institutionalize these learnings and leverage the cybersecurity community’s expertise and networks.

Funding for better cybersecurity

Though not the primary goal of mainstreaming cybersecurity in development, an ancillary benefit of mainstreaming cybersecurity in development would be greater financial resources devoted to building cybersecurity capacity around the world.

It is difficult to pinpoint the exact amount spent by Ministries of Foreign Affairs, intergovernmental organizations, civil society, and industry on cybersecurity capacity building. However, every interviewee from both the cybersecurity capacity building community and those we spoke to in recipient countries cited a lack of funding and high costs as one of the primary barriers to developing cybersecurity capacity. Unlocking development assistance in its many guises to help build cybersecurity capacity is one of the many ancillary benefits of mainstreaming. This includes the likes of Official Development Assistance (ODA)—a term meaning money provided by official government agencies for the promotion of economic development and welfare of developing countries as its main objective37—as well as the work of donor institutions and private philanthropy more broadly.38

Citations
  1. This is not an exhaustive list of actors that fall under this category, but instead a sample of such actors to illustrate the types of institutions and organizations that might be included in each category.
  2. World Bank. “Who We Are.” World Bank. source
  3. The International Bank for Reconstruction and Development
  4. The International Development Association
  5. The International Finance Corporation
  6. The Multilateral Investment Guarantee Agency
  7. The International Centre for Settlement of Investment Disputes
  8. World Bank. “Who We Are.” World Bank. source
  9. World Bank. “What We Do.” World Bank. source
  10. World Bank. “Who We Are – IBRD.” World Bank. source
  11. World Bank. “Development Finance (DFi).” World Bank. source
  12. Interview with the author. Conducted February 2018.
  13. World Bank. “Reimbursable Advisory Services.” World Bank. source
  14. World Bank. 2012. “Getting to Know the World Bank.” World Bank. July 26. source
  15. World Bank. “How Does IDA Work?” World Bank. source
  16. Bretton Woods Project. 2010. “IDA replenishment.” Bretton Woods Project. February 15. source
  17. World Bank. 2017. “Fact Sheet on World Bank Trust Funds.” World Bank. April 18. source
  18. Joseph E. Stiglitz. 2017. “The Measurement of Economic Performance and Social Progress.” International Economic Association World Congress. June 19. p8. source
  19. Joseph E. Stiglitz. 2017. “The Measurement of Economic Performance and Social Progress.” International Economic Association World Congress. June 19. p20. source
  20. Simon Kuznets. 1934. “National Income, 1929-1932.” National Bureau of Economic Research. Bulletin 49. June 7. p1. source
  21. OECD. 2012. “Nobel Laureate Professor Joseph Stiglitz emphasises need for alternative measures of well being at 4th OECD World Form.” OECD. October 17. source
  22. Gernot Kohler and ‎Emilio José Chaves. 2003. Globalization: Critical Perspectives. Nova Science Publishers, Inc. New York. p336.
  23. Simon Kuznets. 1934. “National Income, 1929-1932.” National Bureau of Economic Research. Bulletin 49. June 7. p12. source
  24. Joseph Stiglitz. 2009. “GDP Fetishism.” Project Syndicate. September. source
  25. Interview with the author. Conducted October 2017.
  26. Pijnenburg Muller, Lilly. 2015. “Cybersecurity Capacity Building in Developing Countries: Challenges and Opportunities.” Norwegian Institute of International Affairs. p10. source
  27. This is not an exhaustive list of actors that fall under this category, but instead a sample of such actors to illustrate the types of institutions and organizations that might be included in each category.
  28. GFCE Secretariat. 2017. “GFCE Member Survey 2017.” Global Forum on Cyber Expertise.
  29. These numbers are based on interviews with the author and do not constitute an authoritative number. The GFCE is currently undergoing a process to identify an accurate estimate of cybersecurity capacity building spending globally. The US$1 billion estimate appears to be a high-end outlier with the majority of estimates clustered between US$100 million and US$300 million.
  30. OECD. 2018. “Total official and private flows.” OECD. source
  31. Alexander Klimburg and Hugo Zylberberg. 2015. Cybersecurity Capacity Building: Developing Access. Norwegian Institute of International Affairs. p20. source
  32. Alexander Klimburg and Hugo Zylberberg. 2015. Cybersecurity Capacity Building: Developing Access. Norwegian Institute of International Affairs. p20-39. source
  33. Global Cyber Security Capacity Centre. “Cybersecurity Capacity Portal.” University of Oxford. source
  34. Global Cyber Security Capacity Centre. “Global Cyber Capacity Building at a Glance.” University of Oxford. source
  35. Craig Timberg. 2015. “Net of Insecurity: A Flaw in the Design.” Washington Post. May 30. source
  36. Craig Timberg. 2015. “Net of Insecurity: A Flaw in the Design.” Washington Post. May 30. source
  37. OECD. “Official development assistance – definition and coverage.” OECD. source
  38. For a deeper examination of ODA and cybersecurity, see: Alexander Klimburg and Hugo Zylberberg. 2015. Cybersecurity Capacity Building: Developing Access. Norwegian Institute of International Affairs. p41-45. source

Close

Part II: Understanding the Important Communities

View as PDF

Table of Contents

Close

Securing Digital Dividends