PotomacInstitute CRIndex2.0

CYBER READINESS INDEX 2.
0
A PLAN FOR CYBER READINESS: A BASELINE AND AN INDEX
Principal Investigator: Melissa Hathaway

Chris Demchak, Jason Kerben, Jennifer McArdle, Francesca Spidalieri
November 2015
C INST
MA I
O
TU
B
POT
TE
ES
FOR
G
PO
DI
LIC Y ST U
Copyright © 2015, Cyber Readiness Index 2.0, All rights reserved.
Published by Potomac Institute for Policy Studies
Potomac Institute for Policy Studies

901 N. Stuart St, Suite 1200
Arlington, VA, 22203
www.potomacinstitute.org
Telephone: 703.525.0770; Fax: 703.525.0299
Email: CyberReadinessIndex2.0@potomacinstitute.org
Follow us on Twitter:
@CyberReadyIndex
Acknowledgements
The Potomac Institute for Policy Studies would like to thank the International
Telecommunications Union’s ICT Applications and Cybersecurity Division, and the
Organization of American States’ Inter-American Committee Against Terrorism for
their continuous support. The authors would also like to thank Sherry Loveless and
Alex Taliesen for their editorial and design work.
CYBER READINESS INDEX 2.0
TABLE OF CONTENTS
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . 1
BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . 2
CYBER READINESS INDEX 2.0 — THE METHODOLOGY . . . . 3
1. NATIONAL STRATEGY . . . . . . . . . . . . . . . . . . . . . . . . . 6
2. INCIDENT RESPONSE . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. E-CRIME AND LAW ENFORCEMENT . . . . . . . . . . . . . . . . . 13
4. INFORMATION SHARING . . . . . . . . . . . . . . . . . . . . . . . 17
5. INVESTMENT IN RESEARCH AND DEVELOPMENT . . . . . . . . . 20
6. DIPLOMACY AND TRADE . . . . . . . . . . . . . . . . . . . . . . . 24
7. DEFENSE AND CRISIS RESPONSE . . . . . . . . . . . . . . . . . . 27
CONCLUSION . . . . . . . . . . . . . . . . . . . . . . . . . . 31
BIBLIOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . 33
ABOUT THE AUTHORS . . . . . . . . . . . . . . . . . . . . . 43
CYBER READINESS INDEX 2.0
Principal Investigator: Melissa Hathaway

Chris Demchak, Jason Kerben,
Jennifer McArdle, Francesca Spidalieri
The Cyber Readiness Index 2.0 is expanded from the Cyber Readiness Index 1.0, published November 2013.
INTRODUCTION
Today, no country is cyber ready.
It is a given that global economic growth is Global leaders understand that increased Inter-
increasingly dependent upon the rapid adop- net connectivity leads to economic growth only
tion of information communication technology if the underlying infrastructure and the devices
(ICT) and connecting society to the Internet. connected to it are safe and secure. Therefore,
Indeed, each country’s digital agenda promis- countries must align their national economic
es to stimulate economic growth, increase ef- visions with their national security priorities.
ficiency, improve service delivery and capacity,
drive innovation and productivity gains, and Until now, however, there has not been a com-
promote good governance. Yet, the availabil- prehensive, comparative, experiential meth-
ity, integrity, and resilience of this core infra- odology to evaluate a country’s maturity and
structure are in harm’s way. The volume, scope, commitment to securing its national cyber in-
velocity, and sophistication of threats to our frastructure and services upon which its digital
networked systems and infrastructures are real future and growth depend. The Cyber Readi-
and growing. Data breaches, criminal activity, ness Index (CRI) 1.01 represented a new way
service disruptions, and property destruction of examining the problem and was designed
are becoming commonplace and threaten the to spark international discussion and inspire
Internet economy. global action to address the economic erosion
caused by cyber insecurity.
© 2015 Cyber Readiness Index 2.0, all rights reserved.
1
Building on CRI 1.0, Cyber Readiness Index 2.0 ties. Similarly, India’s Prime Minister Modi laid
examines one hundred twenty-five countries out his vision to transform his country into a
that have embraced, or are starting to em- “digitally empowered knowledge economy;”
brace, ICT and the Internet and then applies leveraging India’s globally acclaimed informa-
an objective methodology to evaluate each tion technology (IT) competence to create jobs
country’s maturity and commitment to cyber in IT, telecommunications, and in electronic
security across seven essential elements. By device markets. In addition, India is seeking
applying this methodology, a country can bet- to become an innovator in ICT solutions for
ter understand its Internet-Infrastructure entan- health, knowledge management, and financial
glements and the resulting dependencies and markets.5 Finally, the European Commission is
vulnerabilities.2 Specifically, the CRI 2.0 assess- working to create a meaningful single market
es countries’ levels of preparedness for certain for digital services that can enable the free
cyber risks and identifies areas where national movement of goods, services, capital, and
leaders can alter or refine their country’s current businesses. Successful implementation of this
posture by leveraging or changing laws, poli- “Digital Single Market Strategy” is estimated
cies, standards, market levers (e.g., incentives to lead to an additional €415 billion per year in
and regulations), and implementing other ini- GDP growth across Europe.6
tiatives to preserve the security of their connec-
tivity and protect the value of their economy.
BACKGROUND
Countries must align their
Most countries have embraced ICT-enabled
national economic visions with
economic strategies and are working to pro-
vide fast, reliable, and affordable communica- their national security priorities.
tions to every household and business to move
their information society into the digital age.3
Modernization initiatives like e-government,
e-banking, e-health, e-learning, next gener-
ation power grids, and automating elements Governments, in developing countries in par-
of the transportation infrastructure and other ticular, are pushing for even more aggressive
essential services, are at the top of most coun- ICT adoption strategies to provide additional
tries’ economic agenda. For example, China’s services to millions of citizens in order to more
Internet Plus strategy seeks to actively encour- rapidly boost and deepen economic advanc-
age the healthy development of e-commerce, es.7 In fact, the World Bank estimates that for
industrial networks, and Internet banking, as every 10 percent of the population connected
well as facilitate the growth of new industries to the Internet, GDP grows by 1 to 2 percent.8
and the expansion of its companies’ inter- Moreover, recent research suggests a growing
national Internet footprint.4 Like many other recognition among governments and busi-
countries, China views the Internet as key to nesses that embracing the Internet and ICTs
its future growth and development opportuni- will enhance their long-term competitiveness
2
and societal well-being, potentially contribut-
ing up to 8 percent of a nation’s GDP.9 Some
reports go even further to suggest that the Resilient connected societies
modernization of industrial systems (e.g., elec- must drive modernization
tric power grids, oil and gas pipelines, manu- with security at its core.
facturing, etc.) represents a 46 percent share of
the global economy, and could rise to as much
as 50 percent in the next ten years.10
the exposure, attendant risks, and economic
Nations cannot afford to ignore this economic costs will exponentially increase if security and
opportunity. But few are considering the resilience are not at the core of their modern-
impact and economic costs of less resilient ization strategies.
critical services, exposure/violation of citizen
privacy, theft of corporate proprietary data and Measuring such losses to the economy will
state secrets, and the impact of e-fraud and force national leaders to better align their
e-crime—all of which lead to economic and country’s national security agenda with their
national security instability. Put simply, cyber economic agenda and invest in the derivative
insecurity is a tax on growth.11 value of both.14 Bringing transparency to the
economic losses caused by cyber insecurity
For example, it is estimated that the Group of may spark national and global interest in ad-
Twenty (G20) economies have lost 2.5 million dressing this economic erosion. The CRI 2.0
jobs to counterfeiting and piracy, and that establishes a framework to guide countries in
governments and consumers lose up to $125 securely pursuing the economic growth of a re-
billion to cyber crime annually, including losses silient, ICT-enhanced, and connected society.
in tax revenue.12 The United States estimates
the annual impact of international intellectual CYBER READINESS INDEX
property (IP) theft to the American economy 2.0 — THE METHODOLOGY
at $300 billion. This corresponds to 1 percent
of its GDP.13 Other studies conducted by the The CRI 2.0 has two main components: first, it is
Netherlands, United Kingdom, and Germany designed to inform national leaders on the steps
estimate similar losses in GDP. No nation can they should consider to protect their increas-
afford to lose even 1 percent of its GDP to illicit ingly connected countries and potential GDP
cyber activities. As countries continue to em- growth by objectively evaluating each country’s
brace ICT and Internet connectivity, however, maturity and commitment to cyber security and
resilience. Secondly, the CRI defines what it
means for a country to be “cyber ready” and
documents the core components of cyber read-
Cyber insecurity is a iness into an actionable blueprint for countries
to follow. The CRI 2.0 methodology represents
tax on growth.
a useful, unique, and user-friendly tool to as-
sess the gap between a nation’s current cyber
security posture and the national cyber capa-
3
bilities needed to achieve its economic vision. The CRI 2.0 methodology is being applied to
The blueprint developed and employed for this evaluate one hundred twenty-five countries’
analysis includes over seventy unique data indi- cyber readiness; assessing each country’s ma-
cators across the following seven elements: turity and commitment to cyber security and
resilient infrastructures and services (Figure 1
1. National strategy; and Table 1).
2. Incident response;
The country selection includes the top
3. E-crime and law enforcement; seventy-five countries from the International
4. Information sharing; Telecommunication Union (ITU) ICT Develop-
ment Index (IDI) to emphasize the importance
5. Investment in research and
of connectedness. Members of the G20 econ-
development (R&D);
omies were added because they represent 90
6. Diplomacy and trade; and percent of global GDP, 80 percent of interna-
7. Defense and crisis response. tional trade, 64 percent of the world’s popula-
tion, and 84 percent of all fossil fuel emissions.
The fact-based assessments for each coun-
try rely on primary sources, and each unique In order to be regionally representative and
data point is grounded on empirical research globally inclusive, additional countries were
and documentation. Countries are assessed selected from: the Organization for Economic
for each indicator across three levels of cyber Cooperation and Development (OECD), the
readiness: insufficient evidence, partially oper- African Economic Community (AEC), the Latin
ational or fully operational. American Integration Association (LAIA), the
Insufficient Evidence: evidence is lacking or has yet to be

located. It is possible, however, that the data exists but is not
yet publicly available or is classified.
Partially Operational: there is evidence of policies, activi-

ties, and/or funding, however, the activity may be immature,
incomplete, or still in the early stages of development. While
these initiatives can be observed, it may be difficult to mea-
sure their functionality.
Fully Operational: there is sufficient evidence to observe and

measure a mature, functioning activity.15
4
Figure 1: CRI 2.0 Country Selection
Algeria Colombia Israel Netherlands Sri Lanka

Andorra Costa Rica Italy New Zealand St. Kitts and Nevis
Angola Croatia Japan Nigeria St. Vincent and Grenada
Antigua and Barbados Cuba Kazakhstan Norway Sudan
Armenia Cyprus Kenya Oman Swaziland
Argentina Czech Republic Kyrgyz Republic Pakistan Sweden
Australia Denmark Latvia Paraguay Switzerland
Austria Djibouti Lebanon Panama Taiwan
Azerbaijan Ecuador Lesotho Peru TFYR Macedonia
Bahrain Egypt Lithuania Philippines Thailand
Bangladesh Estonia Luxembourg Poland Trinidad and Tobago
Barbados Finland Macau, China Portugal Tunisia
Belarus France Malaysia Qatar Turkey
Belgium Gabon Maldives Romania Uganda
Bhutan Gambia Mali Russia Ukraine
Bolivia Germany Malta Saudi Arabia United Arab Emirates
Bosnia & Herzegovina Ghana Mauritius Senegal United Kingdom
Botswana Greece Mexico Serbia United States of America
Brazil Hong Kong Moldova Seychelles Uruguay
Brunei Darussalam Hungary Mongolia Singapore Uzbekistan
Bulgaria Iceland Monaco Slovakia Venezuela
Cameroon India Montenegro Slovenia Vietnam
Canada Indonesia Morocco South Africa Yemen
Chile Iran Namibia South Korea Zambia
China Ireland Nepal Spain Zimbabwe
Table 1: CRI 2.0 Country Selection
5
Asia Pacific Economic Cooperation (APEC), nomic erosion caused by cyber insecurity and
the Central Asia Regional Economic Cooper- the degree to which national security concerns
ation (CAREC), the Gulf Cooperation Council are considered a component of a country’s dig-
(GCC), the South Asia Association for Regional ital and economic agenda. This methodology
Cooperation (SAARC), and the North Ameri- can lead to analytically based decisions on how
can Trade Federation (NAFTA). Countries from to respond to and get ahead of the problem.
these regional economic groupings are repre-
sented in the IDI, and are often also included in Finally, the CRI 2.0 provides international enti-
the World Economic Forum’s (WEF) Network ties, such as the ITU, the WEF, the Organization
Readiness Index. This ensures that every se- of American States (OAS), the Inter-American
lected country is embracing ICT and investing Development Bank (IDB), the World Bank, and
in accessible and affordable Internet services others, with a framework and complimentary
to promote economic growth. approach to their respective initiatives and in-
ternational discussions.
Given that the GCC is not representative of the
Middle East, three states that have the highest A detailed description of the seven essential
GDP rankings outside the GCC were also add- elements of the CRI 2.0 methodology follows.
ed: Iran, Yemen, and Lebanon.16 Each section contains an essential element with
at least ten supporting indicators for evalua-
This cross-section of one hundred twenty-five tion that when combined represent a blueprint
countries represents a significant portion of the of a country’s cyber readiness. Furthermore,
world and is demonstrative of the diverse and country examples are provided that illustrate
representative nature of the CRI 2.0’s country innovative and multicultural solutions towards
selection criteria. becoming cyber ready. While these examples
are by no means comprehensive, they do high-
The CRI 2.0’s focus on the interconnection be- light unique country-level approaches.
tween economics and security (or lack thereof)
provides a solid foundation for each country to 1. NATIONAL STRATEGY
assess its cyber security maturity, and serves
as a framework for informing policy and strat- The first—and most important—area that indi-
egy, operational and institutional initiatives, cates a country’s cyber readiness is the articula-
resourcing requirements, regulatory and leg- tion and publication of a National Cyber Secu-
islative formulation, and diverse market lever rity Strategy that aligns the country’s economic
implementation. Implementing CRI 2.0 will vision with its national security imperatives.
raise awareness about the linkage between a The Internet, broadband networks, mobile ap-
sustainable cyberspace and GDP growth for plications, IT services, software, and hardware
every country, given that the future of a coun- constitute the foundations of the digital econo-
try’s GDP is likely to be increasingly technology my and a country’s digital future.17 The Internet
dominated and Internet-related. Moreover, it and ICTs have become the backbone of family
creates the basis for understanding the eco- platforms (e.g., Facebook™, Twitter™, Insta-
6
gram™, Renren™, VKontakte™, etc.), business defense of the homeland, and other descrip-
engines, critical services and infrastructures, tors. A comprehensive national cyber security
and the global economy.18 The inter-depen- strategy needs to describe the threats to the
dencies and hyper-connectivity touch each country in economic terms, and outline the
sector. For example, advanced manufacturing necessary steps, programs, and initiatives that
uses industrial control systems and robotics to must be undertaken to address those threats
increase productivity and decrease the need and protect the Internet connectivity and the
for manual intervention. Modern agriculture ICT utilized by citizens and private and public
embeds Internet Protocol (IP) devices on organizations.19 The strategy should be under-
crops to determine fertilizer requirements and pinned by the economic potential of the Inter-
to adjust water supplies. IP devices are also net and ICT adoption and include the initiatives
placed on livestock to determine where the that will help reduce GDP erosion caused by
animals graze and consume water, assessing cyber threats, as well as increase the security
the animals’ health on a near-constant basis. and resilience of the country as a whole.
E-commerce, the free flow of goods and ser-
vices across borders, is displacing the role of
traditional storefronts, delivering a wide vari-
ety of items directly to the doorstep of on-line
shoppers shortly after they place an on-line
order. Transportation systems now use sensors, National cyber security strategies
mobile devices, and unmanned kiosks to man- must reflect the economic
age traffic and deliver tickets. Connected cities importance of cyber security.
use geo-location devices to track the speed
and location of automobiles to determine if a
driver has obeyed the laws of the road. Mod-
ernization initiatives in the healthcare indus-
try are digitizing citizens’ health records and
employing cloud-based computing to enable A sound National Cyber Security Strategy
swift access to healthcare records anywhere must not be just articulated. It must be ac-
in the world. Telemedicine uses high-speed tionable. Today, the primary topics reflected
Internet to deliver medical advice and services in most strategies include: outlining organi-
to underserved areas. Finally, financial systems zational and positional authority within the
exchange trillions of dollars daily, commodities government; fostering awareness and edu-
markets trade using digital currency, and In- cation among citizens; building an incident
ternet banking is replacing the need for local, and crisis management response capability;
physical banks. expanding law enforcement’s capacity to
deal with the rate of cyber crimes; facilitating
The threats to networked infrastructures are private-public partnerships and developing
on the rise. Countries are beginning to under- trusted information sharing exchanges; and
stand these threats and are outlining the need marshaling resources toward a R&D and
for infrastructure protection, data protection, innovation agenda. Many strategies begin
7
with statistics, quantifying incident volume and Statement:
the rate of infrastructure infection, and naming
the variety of threats. The data is used to jus- A. The publication of a national cyber secu-
tify organizational responsibility and increased rity strategy that is inclusive of economic
funding for missions and organizations. Rarely opportunities and risks associated with
do these strategies prioritize the services and ICT uptake;
infrastructures that are most at risk, nor do
they align the security measures and resource Organization:
requirements necessary to reduce exposure
and economic losses. A sound National Cyber A. The designation of a competent authority
Security Strategy should state the strategic and the clear delineation of its positional
problem or problems in economic terms; iden- authority;
tify and empower the competent authority20
that is accountable for the strategy’s execu- B. The identification of the key government
tion; include specific, measurable, attainable, entities affected by, and/or responsible
result-based, and time-based objectives in an for, the implementation of the national
implementation plan; and recognize the need cyber security strategy;
to commit limited resources (e.g., political will,
money, time, and people) in a competitive C. The identification of commercial-sector
environment to achieve the necessary security entities affected by, and/or, responsible
and economic outcomes. for the implementation of the national
cyber security strategy (recognizing com-
At least sixty-seven countries (with others in de- mercial-sector dependencies);
velopment) have already published their cyber
security strategy, outlining key steps that are Resources:
intended to increase their national security and
resilience.21 Many others have national strate- A. The identification of the financial and hu-
gies (not specific to cyber security) that guide man resources requested and allocated
and coordinate their efforts to advance their for the implementation of the strategy;
cyber security posture. Few countries, however,
are explicitly linking their economic and nation- B. The identification of the percentage of
al security agendas and specifically addressing GDP expected to be gained or lost (gross-
the economic importance of cyber security. ly) by implementing the strategy;
Fewer still are building actionable strategies.
Therefore, all countries have an opportunity to Implementation:
revise or develop their strategies to reflect the
economic importance of cyber security. A. The identification of the mechanisms re-
quired to secure critical cyber infrastruc-
Elements of a comprehensive national cyber ture and ICT uptake;
security strategy should include:
8
B. The identification of critical services (not experts and practitioners from academia, the
critical infrastructures) that the strategy in- private sector, and government. In addition to
tends to make more secure and resilient; providing the specific technical competence to
and respond to cyber incidents of national interest,
these incident response teams strengthen the
C. The identification of national standards ability of a national government to understand
for continuity of service agreements (24 and combat cyber threats. Operating a Nation-
hours/7 days a week) and outage report- al CSIRT, therefore, forms a core component of
ing requirements for each critical service, a country’s overall strategy to secure and main-
industry, and infrastructure. tain the services and infrastructures that are vi-
tal to national security and economic growth.24
The findings in this essential element, as with
the other six areas, represent a snapshot in National CSIRTs, unlike strictly governmental
time of a dynamic and changing landscape. ones, serve a broad constituency ranging from
As countries continue to develop their national government departments to private and public
cyber security strategies, updates to this es- entities to citizens. A well-established Nation-
sential element will reflect those changes and al CSIRT provides reactive services above all
monitor, track, and evaluate substantive and else—i.e., the ability to respond to incidents
notable developments. Thus, the CRI 2.0 will by containing and mitigating incidents as they
continue to provide a blueprint with new ex- occur.25 Although the specific organizational
amples to inform others in the formulation or form of National CSIRTs may vary, and not
revision of their strategies. every country may have the same needs and
resources, these specialized and dedicated
2. INCIDENT RESPONSE units should provide a series of both proactive
and reactive functions, as well as preventive,
The second essential element that indicates a educational, and security quality management
country’s cyber readiness involves establishing services. These services include, but are not
and maintaining an effective national incident limited to: establishing shared understanding
response capability. Often, this capability takes of the threats facing the country; publishing
the form of one or more National Computer alerts and advisories on cyber vulnerabilities
Security Incident Response Teams (National and threats; promoting cyber security aware-
CSIRTs) or Computer Emergency Response ness and best practices; identifying, detecting,
Teams (CERTs)—hereinafter referred to collec- containing, and managing security threats and
tively as CSIRTs—responsible for managing in- preparing for potential incidents; coordinating
cident response in the event of natural or man- incident response activities; analyzing comput-
made cyber-related disasters that affect critical er security incidents and providing feedback
services and information infrastructures.22 At and lessons learned (for shared learning); pro-
present, one hundred and two national CSIRTs moting activities that increase resilience; and
have been established worldwide and another supporting the national cyber security strategy.
four CSIRTs are under development.23 CSIRT
teams usually consist of a blend of IT security
9
For example, Singapore’s national CSIRT sible for incident response, awareness raising,
(SingCERT) was developed by the Infocomm data collection on cyber threats and intrusions,
Development Authority of Singapore (IDA) in and coordination with multiple stakeholders to
cooperation with the National University of include CSIRTs, academia, and the private sec-
Singapore (NUS) in 1997. It has since become tor. In addition, Brazil’s CSIRTs include teams
a part of the Cyber Security Agency of Singa- from the financial sector, military, government,
pore (CSA). SingCERT was designed as a one- and universities.28
stop center for incident response; facilitating
the detection, resolution, and prevention of Apart from national CSIRTs, similar regional
security related incidents on the Internet. Sing- entities have been established to enhance and
CERT provides technical assistance and coor- coordinate incident response activities within
dinates response to cyber security incidents, specific geographic regions. AfricaCERT, for
identifies and follows cyber intrusion trends, instance, is a non-profit organization that in-
disseminates timely threat information, and cludes eleven African countries and provides
coordinates with other security agencies to re- a forum for cooperation and the exchange of
Resilience of critical services is vital to national

security and economic growth.
solve computer security incidents.26 SingCERT technical information between operators of

has also been active in organizing and hosting Internet-connected networks in the region. Af-
Association of South East Asian Nations (ASE- ricaCERTs main objectives include, but are not
AN) and Asia Pacific Computer Emergency Re- limited to: coordinating cooperation among
sponse Team (APCERT) exercises. Additionally, African CSIRTS to handle computer security
Singapore hosts seven Forum of Incident Re- incidents; assisting in the establishment of
sponse and Security Teams (FIRST) members. CSIRTs in countries that currently lack incident
response capabilities; fostering and support-
Brazil’s incident response capabilities consist ing incident prevention and educational out-
of a national computer emergency response reach programs in ICT security; encouraging
team, CERT.BR, and thirty regional CSIRTs split information sharing; and promoting best prac-
across four states, all under the authority of tices for cyber security. Similarly, the APCERT
the Brazilian Internet Steering Committee. This comprises a network of twenty-eight member
Committee is a non-governmental, multi-stake- CERTs and other trusted security experts in
holder organization and the primary entity the region, and it aims to enhance awareness
responsible for network defense and incident and competency in relation to computer secu-
response in Brazil.27 Brazil’s CERT.BR is respon- rity incidents and improve incident response
10
capabilities across the Asia Pacific region.29 the decision making process, to include Parlia-
APCERT’s mission is the pursuit of a “clean, ment and Chief Executive Officers (CEOs) from
safe, and reliable” cyberspace through global companies responsible for Swedish critical
collaboration. In order to effectively commu- services. The exercise highlights crucial policy
nicate cyber threats, APCERT’s organizational and legal shortfalls, while at the same time
framework relies on a point-of-contact (POC) educating all participants on cyber security.32
system, in which each country delegates an Additionally, the Czech Republic conducted
APCERT member to serve as a POC during an incident response exercise in October 2015
times of emergency, in order to help facilitate that focused on threats to critical infrastructure,
timely response.30 Likewise, the Organisation with a specific emphasis on nuclear power
of Islamic Cooperation Computer Emergency plants.33 Some countries are also conducting
Response Team (OIC-CERT)—which includes exercises in reaction to cyber incidents that
member states in Southeast Asia, South Asia, have occcured. For example, South Korea’s
the Middle East, Africa, and Central Asia— President Park Guen-hye ordered cyber war
also works to enhance collaboration between drills and training for all staff, as a result of
member state CERTs and OIC-CERT. malware found in multiple Korea Hydro and
Nuclear Power (KHNP) plants.34
In addition to developing incident response
capabilities, countries are also participating in Furthermore, international exercises test op-
cyber incident response exercises. These exer- erational incident response capabilities while
cises help countries practice and develop skills simulating cooperation between countries. The
for effective crisis management and verify the United States, for example, conducts a biannu-
operational ability of a CSIRT to respond under al Cyber Storm exercise that seeks to strength-
pressure. For example, in November 2011, the en cyber preparedness in the public and pri-
German Executive Branch conducted a one- vate sectors. Each Cyber Storm exercise builds
day crisis planning/readiness exercise. The on lessons learned from previous real-world
goal of the exercise was to work out govern- incidents, to ensure that participants have an
ment response procedures for a multi-pronged opportunity to practice incident response to
attack that included: distributed denial of ser- ever-more sophisticated cyber incidents. The
vice (DDoS) attacks against critical infrastruc- 2016 Cyber Storm will include sixteen states,
tures; the injection of malware into the banking eleven countries, and fourteen federal agen-
system, causing a crisis with ATMs and credit cies.35 The European Union also holds bian-
cards; and the insertion of false traffic within nual cyber incident response exercises among
the air traffic control system.31 The Swedish Civ- member states and the private sector, entitled
il Contingencies Agency (MSB), the Post and Cyber Europe.36 During a 24 hour cyber exer-
Telecom Authority (PTS), and the National De- cise in 2014, Cyber Europe allowed nearly all
fence Radio Establishment (FRA) also host reg- European Union member states to test their
ular cooperative Chief Information Assurance response capabilities against as many as two
Officer (CIAO) courses for relevant employees thousand real-life cyber attacks, to include
working at the senior management levels. The DDoS, web defacement attacks, data exfiltra-
course culminates in a capstone exercise—a tion, and cyber attacks against critical infra-
cyber crisis management simulation—that in- structure.37 Moreover, the European Defense
cludes key public and private stakeholders in Agency (EDA) and the North America Treaty
11
Organization (NATO) also conduct region wide Elements of a sound national incident response
complex cyber crisis management exercises, capability should include:
with the goal of strengthening cyber incident
response capacity among member states and Statement:
understanding cross-border dependencies.38
The United States and the United Kingdom A. The publication of an incident response
also recently announced that they will test how plan for emergencies and crises;
financial centers on either side of the Atlantic
would respond to a massive cyber attack. The B. The identification and mapping of
exercise ran in November 2015 and tested cross-sector dependencies that address
country response and cross-Atlantic coordina- continuity of operations and disaster re-
tion and communication.39 covery mechanisms;
National CSIRTs can also be used as a mech- C. Evidence that the plan is exercised and
anism to build confidence between countries updated regularly;
and foster cooperation. For example, China,
Japan, and Korea—three countries that have D. The publication and dissemination of a
historically experienced tensions—have devel- national cyber threat assessment(s) on
oped a trilateral annual CSIRT meeting to dis- government, critical infrastructures, and
cuss cyber incident response mechanisms. The essential services networks;
meetings have helped instill confidence and
trust resulting in the development of a cyber Organization:
“hotline” to communicate on significant cyber
incidents.40 A. The establishment of a national CSIRT
to manage incident response and serve
Cyber incident response capabilties, joint a broad national constituency (beyond
meetings, and exercises are just a few of the government and critical infrastructure
basic mechanisms that can help a country pro- providers);
actively prepare for and mitigate the ripple ef-
fects of a major cyber incident. CSIRTs increase B. The identification of a network of author-
a country’s speed, recovery, and resilience itative national contact points for govern-
against cyber threats, reducing the likely over- mental and regulatory bodies;
all economic and operational impact of na-
tionally significant attacks or campaigns. Some C. The identification of a network of author-
of the key preconditions for the successful itative national contact points for critical
deployment of these incident response teams industries that are essential for the oper-
are a well trained staff, and effective rapidly ation and recovery of critical services and
deployable tools. This facilitates an incident infrastructures;
response team’s ability to foster cooperation
and coordination in incident prevention, en- D. The development of an information warn-
able rapid reaction to incidents, and promote ing and alert system that can be used by
information sharing among stakeholders, both national crisis/response centers to effec-
domestically and internationally. tively receive, address, and transmit ur-
gent information in a timely manner;
12
Resources: (ENISA),42 FIRST,43 and the ITU. Additional pri-
mary and secondary sources, such as National
A. The identification of the financial and CSIRT’s websites and related news articles,
human resources requested and allocat- are consulted to determine if the capabili-
ed for the National CSIRT to carry out its ties exist and are funded. As countries come
mandate; to recognize the importance of establishing
National CSIRTs, updates to this essential el-
B. The identification of additional funding ement will monitor, track, and evaluate those
to activate and regularly test the infor- developments.
mation warning and alert system, and to
measure the country’s resilience to cyber 3. E-CRIME AND LAW
incidents and crisis through national cy- ENFORCEMENT
ber security exercises;
The third essential element that indicates a
Implementation: country’s cyber readiness is demonstrated
through its commitment to protect its society
A. A demonstrated capability in the incident against cyber crime. Cyber crime is not simply
containment, management, resilience, a domestic issue; it transcends national bor-
and recovery processes for critical ser- ders and therefore requires transnational solu-
vices and infrastructures; tions. Countries must show an international
commitment to secure society against e-crime.
B. A demonstrated ability by national crisis/ Most often, this capability takes the form of
response centers to address and transmit involvement with international fora dedicated
alerts in a timely manner; to addressing international cyber crime issues,
as well as the establishment of domestic legal
C. Evidence of ongoing research methods and regulatory mechanisms to combat cyber
analyzing trends or groups of comput- crime. The pertinent legal and regulatory au-
er security incidents of national con- thorities designated with carrying out such
cern—sharing similar actors or tactics, activities should define what constitutes a cy-
techniques, and procedures—in order to ber crime and empower governmental entities
identify patterns; and with the mechanisms, expertise, and resources
to investigate and effectively prosecute cyber
D. The development and implementation of crime activities.
a system/program to regularly test and
measure the nation’s resilience to cyber Two international treaty agreements help
incidents and crises through national cy- demonstrate a country’s commitment to pro-
ber security exercises. tecting society against cyber crime: the Coun-
cil of Europe’s “Convention on Cyber Crime”
Initial findings in this essential element are and the Shanghai Cooperation Organisation’s
based on the inventories of National CSIRTs “Agreement on Cooperation in the Field on
provided by the CERT Division at Carnegie Ensuring International Information Securi-
Mellon University (CMU),41 the European ty”. The Council of Europe’s “Convention on
Network and Information Security Agency Cybercrime”, in force since July 1, 2004 and
13
commonly called the Budapest Convention, Notably, the UN Group of Government Experts
provides a mechanism through which to har- (GGE) that consists of twenty countries had a
monize divergent national cyber crime laws and break through moment when they agreed to
encourage law enforcement collaboration.44 cooperate on prosecuting terrorist and criminal
The effectiveness of the Budapest Convention use of ICT. Their commitments are codified in
is somewhat limited because it allows signato- the June 2015 GGE report On Developments
ry countries to selectively implement elements in the Field of Information and Telecommunica-
of the Budapest Convention based upon find- tions in the Context of International Security.48
ings that doing otherwise would “prejudice its The APEC also conducted a capacity-building
sovereignty, security, public order or other es- project on cyber crime for member economies
sential interests.”45 The Shanghai Cooperation to establish legal structures and build capacity
Organisation’s “Agreement on Cooperation in to investigate e-crime. As part of this project,
the Field on Ensuring International Information advanced APEC economies support other
Security,” signed in 2009 and sometimes re- member-economies by training legislative au-
ferred to as the Yekaterinburg Agreement, has thorities and investigative personnel.49
principles consistent with the law enforcement
approach of the Budapest Convention. It too The CRI 2.0 draws upon these international,
seeks to improve the informational legal base multi-national, and regional approaches to
and establish practical mechanisms of coop- assess a country’s cyber readiness. In addition,
eration among the parties in ensuring interna- the CRI 2.0 also includes country information
tional information security.46 Pursuant to these on cyber crime from the ASEAN, and the ITU,
treaties, countries agree to adopt appropriate among others.
legislation, foster international cooperation,
and combat criminal offenses, by facilitating While the intention to cooperate on cyber
their detection, investigation, and prosecution crime may exist and the ratification of cyber
both nationally and internationally. CRI 2.0 crime agreements is important, it does not
credits countries that have ratified or acceded necessarily demonstrate readiness to combat
to either of these treaties because by doing so cyber crime. States must also work to proac-
a country has a specific obligation and duty un- tively build domestic cyber law enforcement
der its domestic law to uphold a commitment capacity. For instance, the Advanced Centre
in an international context. for Research, Development and Training in
Cyber Law and Forensics at the National Law
In addition to the international mechanisms School of India University in Bangalore works
noted above, other international, multi-na- to translate the law into technical terms and
tional, and regional approaches towards advice-versa by providing training and education
dressing international cyber crime exist and to judicial officers, prosecutors, investigative
are being pursued. For example, the United agencies, cyber security personnel, technolo-
Nations General Assembly (UNGA) has passed gists, and others. Funded by the Department
a variety of resolutions relevant to cyber crime, of Electronics and Information Technology (De-
such as the 2001 “Combating the Criminal Mis- itY) in the Indian Ministry of Communications
use of Information Technology,” and the 2003 and Information Technology, the Centre pro-
“Creation of a Global Culture of Cybersecurity vides a unique hands-on training component
and the Protection of Critical Infrastructures.”47
14
in a cyber forensics lab that facilitates rapid
understanding of complex issues.50
Another example is the International Police

Cyber crime and fraud are a
Organization’s (INTERPOL) recent launch of tax on economic growth.
an INTERPOL Global Complex for Innovation
(IGCI) in Singapore. This facility enables law
enforcement officials to partner with industry
to develop new training techniques and use billion in damages globally.54 Some countries
advanced tools to tackle cyber crime and have worked to address this threat, with some
boost cyber security.51 For example, INTER- success. For example, the Canadian Govern-
POL created a simulation game to teach law ment’s DarkSpace Project-Advanced Analytics
enforcement officials about the intersection and Dark Space Analysis for Predictive Indica-
and risk of the Darknet and crypto-currencies. tors of Cyber Activity—spearheaded by Bell
The Darknet has enabled an underground (il- Canada and involving a team of experts from
legal) economy that sells personal identifiable Canadian government agencies, academic in-
information (PII), military intelligence, weapons stitutions, and industry—made a business case
designs, modular malware, zero-day exploits, for a ‘clean pipes’ solution to cyber threats
private encryption keys and credentials, and by providing a compelling body of evidence
many other types of illegally obtained data. to support proactively containing threats to
INTERPOL’s first simulation/training exercise Canada coming from the Internet. Findings
was conducted in July 2015.52 from the project made the business case for
a national clean pipes strategy and influenced
Apart from building e-crime and law en- a Cyber Security Standard for Telecommuni-
forcement capacity, states must also work to cations Service Providers.55 Another example,
clean the infections in their networked infra- in Japan, was The Cyber Clean Center, a five-
structures, known as botnets.53 Currently, an year funded effort, operated by the Japanese
estimated five to twelve percent of comput- CERT (JPCERT) from 2006 to 2011.56 This Cen-
ers worldwide are compromised as a part ter was the result of a cross-disciplinary col-
of a botnet network. The FBI estimates that laboration among JP-CERT, various security
eighteen systems are infected per second via vendors, and Internet service providers (ISPs);
botnet armies, causing an estimated $110 it created an automated “guardian network”
against botnet malware infection and exploita-
tion. It also further provided tailor-made solu-
tions to address specific malware on specific
computers.57 The Cyber Clean Center’s efforts
Reducing the number of have continued at Telecom-ISAC Japan.58 Fi-
infected networked devices nally, Australia’s iCode, a public-private part-
is an important investment nership through the Australian Internet Secu-
rity Initiative (AISI), aims to promote a security
in combatting e-crime.
culture among ISPs by reducing the number of
compromised computing devices in Australia.
The iCode encourages all Australian ISPs to
15
join AISI, and provides AISI ISP members with training for court judges, prosecutors,
daily malware infection and service vulnerabil- lawyers, law enforcement officials, foren-
ity data.59 sic specialists, and other investigators;
Cyber crime and fraud are a tax on economic B. The establishment of a coordinating agen-
growth. Cyber crime has reached an estimated cy with a primary mission and authority to
$445 billion worldwide, with a negative impact ensure that all international cyber crime
on national economies of at least 1 percent of requirements are being met domesti-
GDP and upwards of two hundred thousand cally and across jurisdictional lines (i.e.,
lost jobs.60 An investment in combating cyber cross-border cooperation);
crime and increasing law enforcement capacity
is a necessary investment for the economy. By Resources:
developing law enforcement capabilities to
fight e-crime through the ratification of treaty A. The identification of financial and human
documents, international cooperation, capac- resources requested and allocated for
ity development, the implementation of an- fighting cyber crime;
ti-botnet programs, and other initiatives, coun-
tries can mitigate their cyber risks and boost B. The establishment of an accounting
future economic growth. mechanism to determine what percent-
age of annual GDP is affected by cyber
Essential elements of a sound country-level crime (actual loss in real currency), in or-
and international commitment to protecting der to assess national systemic cost-ben-
society against cyber crime should include: efit tradeoffs and allocate resources
accordingly;
Statement:
Implementation:
A. A demonstrated national and internation-
al commitment to protect society against A. Demonstrable evidence of a country’s
cyber crime through ratifying international commitment to review and update ex-
cyber crime agreements or other equiva- isting laws and regulatory governance
lent agreement to fight cyber crime; mechanisms, identify where gaps and
overlapping authorities may reside, and
B. A demonstrated commitment to establish clarify and prioritize areas that require
national legal and policy mechanisms to modernization (e.g. existing laws, such as
specifically reduce the criminal activity old telecommunications law);
emanating from the country and promote
coordination mechanisms to address in- B. The establishment of criminal offenses
ternational and national cyber crime; under domestic law for actions directed
against the confidentiality, integrity, and
Organization: availability of computer systems, net-
works, and computer data as well as the
A. The establishment of a mature institution- misuse of such systems, networks, and
al ability to fight cyber crime, including data, to include the international infringe-
ment of copyright; and
16
C. Demonstrable evidence of a country’s attacks—which can have significant implica-
effectiveness in reducing infections em- tions for global telecommunications, trade,
anating from its own infrastructures and and business—requires more than traditional
networks (e.g. creation of anti-botnet and monitoring and protection mechanisms. Glob-
malware remediation initiatives). ally, most governments and organizations have
established information sharing programs to
Initial findings in this essential element are better understand risks posed by state and
based upon a review of whether a country has non-state actors and managed their exposure
ratified or acceded to the Budapest Conven- to vulnerabilities and subsequent infections
tion or the Shanghai Cooperation Organisa- and breaches.
tion’s Yekaterinburg Agreement and whether
the country is an active participant in regional, Formal information sharing mechanisms, simi-
multi-national, or international approaches lar to some of the services provided by Nation-
towards addressing cyber crime. Additionally, al CSIRTs and CERTs, can help foster coordi-
current botnet activity (both command and nation in incident response, facilitate real-time
Information sharing must be underpinned by

trust and buy-in from all stakeholders.
control nodes and total infections) emanating sharing of threat and intelligence information,
from the country is used to assess the effec- and help improve understanding of how sec-
tiveness of anti-botnet initiatives. The CRI 2.0 tors are targeted, what information is lost, and
draws on primary and secondary sources to what methods can be used to defend informa-
determine whether a country has established tion assets. At least four different models for
legal and regulatory mechanisms, other risk information sharing have emerged to address
reduction activities, and allocated funding to cyber threats and to help entities secure their
ensure successful execution. Updates to this information assets: (1) government driven; (2)
essential element will monitor, track, and eval- industry driven; (3) non-profit-partnership driv-
uate substantive and notable developments. en; and (4) a hybrid academic-, government-,
and industry-partnership driven model. Each
4. INFORMATION SHARING method has its unique challenges, such as
balancing the need for exchanging timely and
The fourth element that indicates a country’s actionable cyber security information while
cyber readiness is its ability to establish and protecting data’s confidentiality, safeguarding
maintain information sharing mechanisms that civil liberties, and managing competing finan-
enable the exchange of actionable intelligence cial and human resources and interests. Two
and/or information between governments and factors, however, are required for any of the
industry sectors. Key activities such as identi- four models to succeed: buy-in and trust, which
fying, assessing, and responding to targeted must be underpinned by clearly defined objec-
17
tives, roles, responsibilities, and outcomes. Put National Infrastructure Security Coordination
simply, when a party participates reluctantly or Centre (NISCC), which delivered focused in-
defensively, success is hard to achieve.61 formation security advice to critical national
infrastructure businesses.63 Similarly, Japan’s
Moreover, stakeholders must be able to share Information-Technology Promotion Agency
valuable information on serious incidents, (IPA), acts as the institutional authority charged
which requires clear definitions of what type with sharing information between govern-
of information should be shared, who will ment and critical industries, and has a proven
have access to it, and what security measures track record establishing trusted relationships
should be taken to protect the information with all major companies in the country and
once released by its original owner. The com- providing timely and effective intelligence. In
plexity of this sensitive information exchange addition, IPA works closely with the Ministry of
grows proportionately with group size, and Economy, Trade, and Industry (METI), the Na-
perhaps exponentially when those group tional Information Security Center (NISC), and
members are sovereign states with distinct the Cyber Rescue Advice Team (J-CRAT) to
national security concerns. respond to all major cyber incidents affecting
critical infrastructure.64
Many individual countries have already de-
veloped strong national information sharing Alternatively, in the United States, the Finan-
programs that could be leveraged as good cial Services Information Sharing and Analysis
practices for other countries to learn from. Center (FS-ISAC)—an industry driven initiative
These programs tend to focus on aligning sim- developed by the financial services sector—
ilar stakeholders into groups and subsequently helps facilitate the detection, prevention, and
aligning the groups into a national program. response to cyber incidents and fraud activity.
The Netherlands, for instance, created the It has built strong ties with financial service pro-
National Cyber Security Centre (NCSC)—a viders; commercial security firms; federal/na-
government driven initiative that evolved from tional, state, and local government agencies;
the Dutch GOVCERT into a successful pub- law enforcement; and other trusted entities to
lic-private partnership—responsible for digital provide reliable and timely cyber threat alerts
security and information sharing in the coun- and other critical information to member firms
try.62 One of its main tasks is to continuously worldwide. As part of these efforts, FS-ISAC
monitor all (potentially) suspect sources on the uses a different Traffic Light Protocol to deter-
Internet and alert public authorities and orga- mine which audiences can and should receive
nizations of any identified cyber threat. NCSC specific information.65 FS-ISAC is expanding
is also directly connected to all Information its threat information sharing internationally to
Sharing and Analyses Centres (ISACs) in the the United Kingdom and Europe. Other ISAC’s
country and information is shared under the also exist across many sectors, however are not
Traffic Light Protocol (TLP), which classifies in- as effective.
formation into four levels: red, yellow, green,
and white. The Dutch information sharing pro- The National Cyber-Forensics and Training Alli-
gram was modeled after the United Kingdom ance (NCFTA) in the United States is a non-profit
18
corporation with a mission to facilitate collabora- cies collect valuable cyber-related information,
tion among private industry, academia, and law and some have started to declassify this type
enforcement to identify, mitigate, and neutralize of intelligence and share it with other govern-
complex cyber-related threats. In addition to ment entities and critical industries. Indeed,
state and local law enforcement and industry real-time situational awareness is often key
representatives, this non-profit partnership-driv- to prevent or mitigate specific cyber threats.
en initiative enjoys international representation Some countries, such as Brazil, have devised
from Canada, Australia, United Kingdom, India, mechanisms to declassify (write-for-release)
Germany, the Netherlands, Ukraine, and Lithu- actionable information alerting other entities
ania. NCFTA provides streamlined and timely (public and private) to vulnerabilities, specific
exchange of cyber threat intelligence to corpo- threats and tactics, and potential defensive
rations, and also partners with subject matter solutions as part of their information sharing
experts in the public, private, law enforcement, initiatives.67 Enhancing the defensive posture
and academic sectors to mitigate risks and of the country is essential and some countries
fraudulent activities and gather the evidence are willing to declassify portions of intelligence
necessary to prosecute criminals.66 to better ensure security.
The ability of a country to exchange timely,

accurate, and actionable information—within
Real-time actionable information and between public and private sector entities
—helps reduce vulnerabilities and exposure
is key to mitigating cyber threats.
that can subsequently reduce attendant risks.
As information sharing increases in frequency
and quality, entities should be able to address
cyber threats to their networked infrastructures
Finally, Norway’s Center for Cyber and Infor- in a faster and more proactive manner. Estab-
mation Security (CCIS) at Gjøvik University Col- lishing and maintaining actionable information
lege is a joint initiative (academia, government, sharing programs is a fundamental investment
and industry) and represents another approach for economic growth.
to information sharing and collaboration on
cyber security. CCIS promotes a systematic Elements of an effective national, cross-sector,
country-wide approach to cyber and informa- and actionable information sharing program
tion security and provides information sharing should include:
schema to safeguard society’s ability to de-
tect, alert, and handle serious cyber incidents. Statement:
Additionally, it supports high quality national
research and development of solutions in the A. The articulation and dissemination of a
field of cyber and information security. policy on information sharing across sec-
tors that enables the exchange of action-
In addition to the various information sharing able intelligence/information between
programs that countries are developing, most governments and industry sectors;
governments’ defense and intelligence agen-
19
Organization: B. Demonstrable evidence of the ability and
timely processes for the government to
A. The identification of an institutional struc- declassify (write-for-release) usable cy-
ture that transmits authoritative informa- ber-related intelligence information and
tion from government sources to gov- share it with the rest of government and
ernment agencies and critical industries critical industries.69
(Government-to-Government);
Initial findings in this essential element are
B. The identification of an institutional struc- based upon a review of whether a country has
ture that ensures that mechanisms exist established information sharing and other co-
(reporting schema, technology, etc.) for ordination mechanisms. Drawing upon primary
cross-sector incident information ex- and secondary sources, the CRI 2.0 determines
change (bi-directional), both operational whether such mechanisms exist and are prop-
(near-real-time) and forensic (post-facto) erly funded. Updates to this essential element
(Government-Industry/Industry-Industry); will monitor, track, and evaluate substantive
and notable developments.
C. The establishment of an academic or
non-profit driven mechanism for vulner- 5. INVESTMENT IN RESEARCH
ability, incident, or solution information AND DEVELOPMENT
exchange (alternative model, for exam-
ple, NCFTA or the National Vulnerability The fifth element that indicates a country’s cy-
Database);68 ber readiness is establishing a national priority
for and investment in cyber security basic and
Resources: applied research and ICT initiatives broadly.
Advances in ICT have revolutionized almost
A. The identification of the financial and hu- every sector of the economy, transforming
man resources requested and allocated businesses, governments, education, and the
for the government driven authoritative way citizens live, work, and play. These innova-
information exchange or other institution- tions drive economic growth and can enhance
al structure(s) dedicated to the informa- resilience and set the conditions for a strong
tion sharing mechanisms; security posture.
Implementation: Government and businesses each have a role

to play and can combine the power of their
A. Demonstrable evidence that cross-sec- R&D budgets to enhance the next generation
tor and cross-stakeholder coordination of ICT and Internet-enabled technologies and
mechanisms meant to address critical solutions. Businesses and governments are em-
interdependencies—including incident bracing mobile Internet, cloud computing, big
situational awareness and cross-sector data, quantum computing, and the Internet of
and cross-stakeholder incident manage- Things (IoT), and must invest in the trust, secu-
ment—are adequately maintained and rity, and resilience of these digital services and
tested for effective performance; and technologies. By investing in cyber R&D and
20
other innovations, countries, universities, and cyber-physical systems, cyber security and
companies can improve their ability to close privacy R&D, high-end computing, and wire-
the gap between their cyber insecurity and at- less-spectrum sharing.71 The NITRD program is
tacker capabilities. For example, the European the United State’s primary source of federally
Union’s Horizon 2020 program has allocated funded work on advanced information technol-
an estimated €80 billion for research and tech- ogies in computing, networking, and software.
nological development initiatives. With the Eu- The program seeks to accelerate the develop-
ropean Union’s foundational principle of open ment and deployment of advanced information
access, the program intends to boost research technologies to enhance national defense and
results, accelerate innovation, create greater homeland security as well as improve United
efficiency, and improve transparency. Horizon States productivity and economic competi-
2020 has three main components. The first area tiveness. Additionally, the Defense Advanced
focuses on basic and applied science, entitled, Research Projects Agency (DARPA), the Intel-
“Excellent Science,” and plans to fund doctoral ligence Advanced Research Projects Activity
training for an additional twenty-five thousand (IARPA), and the Homeland Security Advanced
PhD candidates during the next seven years. Research Projects Agency (HSARPA) also have
The second area focuses on “Leadership in funding dedicated to cyber R&D. However, if
Enabling and Industrial Technologies,” with an the entire cyber R&D budget were to be add-
emphasis on ICT, nanotechnologies, advanced ed together, the total amount would still be
materials, and processing, among others. The the equivalent of less than 1 percent of United
third area funds solutions to address social and States GDP. Based on the enormity of current
economic problems, such as health, energy, and future United States cyber risks, 1 percent
transportation, and security. One of the evalu- of GDP is inadequate to close the cyber inse-
ation criteria for this investment is transnational curity gap.
cooperation among companies and solutions
that meet pan-European needs.70 Other government-sponsored initiatives en-
courage cyber security innovation by offering
market incentives such as R&D tax credits. For
instance, recognizing that spurring organiza-
Cyber security R&D innovation tional and corporate investment often requires
must enhance the trust, government encouragement and commit-
ment, Israel recently approved significant tax
security, and resilience of our
breaks for cyber defense companies that join
future networked society. and establish activities at their national cyber
park in Be’er Sheva.72 By encouraging a unique
industry-academia-military ecosystem through
the co-location of technical talent, Israel is cre-
Similarly, the United States prioritizes, coordi- ating an economic and strategic cyber security
nates, and dedicates over $4 billion annually hub. Be’er Sheva’s cyber park also increases
toward cross-cutting research through the Na- private-public partnerships in the cyber field;
tional Information Technology and Research serves as a center of excellence for innovation;
and Development (NITRD) program. Priority and provides an effective training and employ-
research areas for 2016-2020 include: big data, ment pipeline.
21
Grants and scholarships are another market Cyber Incident Experience Lab. Current proj-
mechanism used to advance cyber security ed- ects include building an advanced malware
ucation, develop knowledge, and build skills. detection platform and delivering solutions
For instance, the Brazilian government’s “Sci- for detecting, reporting, and managing cyber
ence without Borders” program offers schol- vulnerabilities through qualitative scanners.74
arships in all STEM fields, including computer
science and information technology. Likewise, Other private sector “cyber innovation hubs”
the National Council for Scientific and Techno- have emerged in Silicon Valley, Tel Aviv, Bos-
logical Development (CNPq), an agency within ton, New York City, and London. For instance,
the Ministry of Science, Technology, and Inno- London’s cyber innovation hub, titled CyLon or
vation, provides a “Science Initiation Schol- Cyber London, is Europe’s first cyber security
arship” to incentivize ICT education in young startup accelerator. CyLon works to foster the
students.73 cyber innovation ecosystem in London and
helps businesses develop information security
related products.75
These various R&D initiatives and cyber inno-

Cyber Innovation hubs accelerate vation hubs accelerate the transfer of ideas
and technologies into solutions to advance
the transfer of ideas and the digital marketplace, improve the security
technologies into solutions. and resilience of underlying networks and in-
frastructures, and improve societal well being.
Elements of a country’s commitment to ad-

vance its cyber R&D, education, and capacity
building efforts should include:
Cyber security innovation centers, such as
the Hague Security Delta (HSD), foster in- Statement:
novative cyber security R&D and promote
collaboration among private sector compa- A. A publicly announced commitment by the
nies, governments, and research institutions. government to invest nationally in cyber
HSD, a foundation supported by the Munic- security basic and applied research;
ipality of the Hague and the Dutch Ministry
of Economic Affairs, is the largest security B. Publicly announced incentive mechanisms
network in Europe with knowledge bridges (e.g., R&D tax credit) to encourage cyber
to the main security networks in the United security innovation and dissemination
States, Canada, Singapore, and South Africa. of new findings, baseline technologies,
Its cyber security program includes initiatives techniques, processes, and tools;
such as the Cyber Security Academy and the
22
C. Publicly announced government incen- Implementation:
tive mechanisms (e.g., grants, scholar-
ships) to encourage cyber security ed- A. The implementation of programs dedi-
ucation, knowledge creation, and skills cated to the development, dissemination,
development; and routinization of interoperable and
secure technical standards, acceptable to
Organization: and reinforced by internationally recog-
nized standards bodies;
A. The identification of at least one entity
with the responsibility to oversee national B. Evidence of national government efforts
cyber security R&D initiatives and serve as to support, advance, and sustain cyber
a national and international point-of-con- security R&D, especially as demonstrated
tact for collaboration; in terms of the research/production con-
version rate (e.g., percentage implement-
B. The establishment of institutionally sup- ed operationally within the government)
ported degree programs in cyber security, and of the commercial adoption rate of
information security or similar advanced successfully transitioned programs; and
technology areas that focus on security
and resilience of the digital environment; C. Evidence of additional commercial efforts
(e.g. cyber innovation hubs) to support,
C. The establishment of an entity with the advance, and sustain cyber security R&D,
mission to measure and report on the rate especially in terms of the research/product
of government or commercial successfully conversion rate (e.g. percentage imple-
transitioned programs (from research to mented operationally within the private
product/service) with a focus on the solu- sector) and of the government adoption
tions that improve security and resilience rate of successfully transitioned programs
of the digital environment; from the commercial sector.
Resources: Initial findings in this essential element are

based upon a review of whether a country is
A. The identification of financial and human investing in cyber R&D, education, knowledge
resources requested and allocated for creation, and skills development—in addi-
cyber security basic and applied research tion to funding cyber security initiatives more
and initiatives; broadly. Drawing on primary and secondary
sources, the CRI 2.0 determines the type, if
B. The identification of financial and human any, of government incentive mechanisms al-
resources requested and allocated for ready in place and the resources dedicated to
commercial or government transfer of en- initiatives similar to the ones discussed above.
hanced technology and innovation; Updates to this essential element will monitor,
track, and evaluate substantive and notable
developments.
23
6. DIPLOMACY AND TRADE The United States and the European Union
are negotiating a Transatlantic Trade and In-
The sixth essential element of cyber readiness vestment Partnership (TTIP), which is a similar
is demonstrated through a country’s engage- agreement to the TPP. This agreement seeks to
ment with cyber issues as part of its foreign increase market access, eliminate unnecessary
policy. At a fundamental level, cyber diplo- regulatory hurdles, establish rules to govern the
macy seeks to find mutually acceptable solu- entangled commercial relationships between
tions to common challenges. Cyber issues are the two regions, create jobs, and promote GDP
emerging in many different international rela- growth.76 Two of the core issues that are de-
tions areas including human rights, economic laying this negotiation are data protection and
development, trade agreements, arms control
and dual use technologies, security, stability,
and peace and conflict resolution. While cyber
security issues are entangled in almost every At a fundamental level, cyber
topic and most negotiators are experts in a diplomacy seeks to find
specific topic area (i.e., trade or arms control),
those experts are often not familiar with the
mutually acceptable solutions
added opportunities or risks that emerge in a to common challenges.
cyber context. Therefore, establishing a dedi-
cated office or personnel whose primary focus
is diplomatic engagement on cyber issues
should be an integral component of a country’s privacy. For the past decade, Europe and the
foreign policy. United States have agreed to common protec-
tion standards for the transfer and storage of
Given the slow pace of the economic recovery, all personal data, which moves and/or resides
many countries are pursuing new international between the European Union and the United
economic policies enshrined in trade agree- States.77 However, the leaked documents by
ments as a means to accelerate growth and Edward Snowden exposed the United States
create market opportunities. Yet, these eco- government’s intelligence services’ collection
nomic initiatives are becoming venues where activities on other governments and citizens,
national security concerns are being negoti- leading to a breakdown of trust among and be-
ated, sub-rosa. For example, the Trans-Pacific tween governments. As a result, many Europe-
Partnership (TPP) agreement was reached on an countries are demanding the establishment
5 October 2015. The agreement’s objective is of mutual state-level privacy standards, encryp-
to enhance trade and investment among TPP tion rules, and legal frameworks, in order to
partner countries, promote innovation, eco- keep pace with rapidly advancing technology
nomic growth and development, and support and also hold states accountable for adequate
the creation and retention of jobs. It took five protection of the data. Additionally, a recent
years to reach this agreement, in part because Court of Justice of the European Union ruling
of cyber issues. Partner countries could not has negated the long-standing agreement
agree on key issues, including data protection of “Safe Harbor” data protection standards
and privacy requirements (e.g., intellectual between the European Union and the United
property protection), data localization desires, States. The Safe Harbor executive decision had
and content restrictions.
24
allowed United States companies to self-certify avoid detection by monitoring tools, or to de-
to provide “adequate protection” for Europe- feat protective countermeasures.81 States have
an users’ data in compliance with the European different concerns on the dual-purpose appli-
data protection directive and with fundamental cations of these technologies. For instance, a
European rights, such as privacy. While negoti- vulnerability assessment tool often uses zero
ations are ongoing to update Safe Harbor, no day exploitations to discover networked vulner-
time frame has been provided for completion, abilities. These same techniques can be used
further complicating TTIP negotiations.78 At as weapons. Therefore, bringing these technol-
present, the American Chamber of Commerce ogies under export control regimes reflects the
to the European Union estimates that reversing belief that advanced technologies may defeat
Safe Harbor could cost the European Union up countries’ national defenses and present a na-
to 1.3 percent of GDP.79 tional security risk.
Another regionally based free trade agree- Other diplomatic negotiations and discussions
ment, the Regional Comprehensive Economic are ongoing that seek to establish a common
Partnership (RCEP) is currently under negoti- understanding and/or rules to increase stabili-
ation among ASEAN member states, China, ty and security in the global ICT environment.
India, Japan, Korea, Australia, and New Zea- This includes strengthening cooperative mech-
land. The sixteen participating RCEP countries anisms to address ICT security incidents and
account for almost half of the world’s popula- address ICT infrastructure-related requests
tion, nearly 30 percent of global GDP, and over (e.g., illegal activity emitting from a country
one quarter of the world exports. The goal of due to a bot-net infection). Diplomacy is also
the RCEP is to lower trade barriers, promote being used to define what type of cyber activ-
economic and technical cooperation, protect ities should and should not be permitted (e.g.,
intellectual property, encourage competition, standards for responsible state behavior), com-
facilitate dispute settlement, and improve mar- monly referred to as cyber norms of behavior.
ket access for exporters of goods and services. For example, the United Nations GGE recently
As part of these negotiations, some countries highlighted the global nature of the ICT envi-
are seeking to include mechanisms that protect ronment, existing and potential threats in the
their data, asserting a right to data sovereignty sphere of information security, and possible
for national security purposes.80 cooperative measures to address those threats.
The GGE found that adherence to internation-
There is also an entire series of negotiations al law, particularly UN Charter obligations,
underway in the security arena, focusing upon provides an essential framework for states’ ICT
technologies. For example, the Wassenaar use. They agreed to pursue a framework for
Arrangement on Export Controls for Conven- cyber norms, rules or principles for responsible
tional Arms and Dual-Use Goods and Technol- state behavior, and confidence-building mea-
ogies, which has forty-one signatories including sures (CBMs).82 Among the CBMs, the GGE
the United States, United Kingdom, Russia, and agreed to strengthen cooperative mechanisms
most European Union states, recently agreed between relevant state agencies in order to
to curb the sale of Internet “communications address ICT security incidents and develop ad-
surveillance systems” and “intrusion software” ditional technical, legal, and diplomatic mech-
that are specially designed or modified to anisms to address ICT infrastructure-related
25
requests (e.g., establish a CSIRT or other offi- pursue specific goals. The ITU, for example,
cial organization to fulfill such roles). Most re-
carries out regular international discussions
cently, United States President Barack Obama on the policy, technology, and regulatory en-
and Chinese President Xi Jinping agreed (in vironment of ICT and the Internet during four
principle) to follow the GGE recommendations of its global meetings: the World Summit on
and adhere to UN-established norms of online the Information Society (WSIS), the World Con-
behavior; especially those governing the use ference on International Telecommunications
of cyber attacks to harm the other’s critical in-(WCIT), the World Telecommunication Devel-
frastructure during peacetime.83 opment Conference (WTDC), and the World
Telecommunications Standardization Assem-
Building upon some of the common themes bly (WTSA).86 In addition, the OAS and the IDB
from the GGE, the leaders of Brazil, Russian, have joined forces to work with their member
India, China, and South Africa (BRICS) agreed states to systematically address cyber security
to cooperate with each other in order to ad- as part of three issue areas: (1) development
dress common ICT security challenges. They that is both socially inclusive and environmen-
agreed to share information and best practices tally sustainable; (2) ICT as a tool to generate
relating to the security of ICT use, coordinate income and employment, provide access to
against cyber crime, es- businesses and infor-
tablish a POC network mation, enable e-learn-
in member-states, and ing, and facilitate gov-
establish intra-BRICS co- ernment activities; and
operation using the ex- Cyber security is entangled (3) security of their core
isting CSIRTs. They also in all components of infrastructures and citi-
urged the international foreign policy and trade. zen facing services.87
community to focus its
efforts on CBMs, capac- Clearly, cyber security
ity building, the non-use issues are emerging
of force, and the pre- across a wide variety of
vention of ICT enabled conflicts. Moreover, diplomatic venues. Cyber security is not only a
84
in January 2015, the SCO introduced a revised security problem; it is a fundamental element
international code of conduct for information of trade, foreign and economic policy, and a
security to the UNGA, which sought to identify country’s future economic growth potential.
the rights and responsibilities of states in the Key components of a country’s ability to ef-
information space, promote constructive and fectively engage diplomatically on cyber-re-
responsive behavior, and enhance coopera- lated issues include the establishment of a
tion to address mutual ICT threats.85 The SCO dedicated and trained cadre of personnel, the
revised the 2011 Code of Conduct language development of specific organizational struc-
with language from the 2012 and 2013 GGE tures, and the allocation of funding devoted to
reports, in order to broaden appeal for the international discussions and negotiations on
Code of Conduct among G-77 members. issues pertaining to cyber security. For exam-
ple, Israel and the Czech Republic have placed
Other international venues co-mingle econom- cyber attachés in their embassies in key cities,
ic, development, and security topics as they to include Washington DC and Brussels.88
26
Additionally, the United States conducted a Resources:
one-week training cyber awareness program
for diplomatic personnel assigned to Asia.89 A. The identification of the financial and hu-
Developing this cadre of personnel is increas- man resources requested and allocated
ingly essential for a country to realize its future for cyber diplomatic engagement;
foreign policy, economic policy, trade, and
economic growth goals. Implementation:
Elements of a sound diplomatic cyber security A. Demonstrated participation in defining,

engagement capability should include: signing, and enforcing international,
multi-national, regional and/or bilateral
Statement: agreements pursuing mutually acceptable
solutions to common challenges; and
A. The announced identification of cyber se-
curity as an essential element of foreign B. Demonstrated evidence of efforts to
policy and national security (e.g. Official influence international trade and com-
discussions typically involving high-level merce negotiations that pertain to the
political and military leaders in bilateral use of ICT or the internationally, region-
and multilateral discussions); ally, and/or nationally shared aspects of
cyber infrastructure, critical services, and
B. The announced identification of ICT and technologies.
cyber security as an essential element of
international economic policy, negotia- Initial findings in this essential element are
tions, trade, and commerce; based upon a review of whether a country has
explicitly designated or established a govern-
Organization: mental office or charged individuals with dip-
lomatic responsibilities that include both the
A. The establishment of dedicated and economic and security aspects of cyber issues.
trained personnel in the country’s foreign The CRI 2.0 draws upon primary and second-
office or equivalent organization whose ary sources to determine whether and to what
primary mission includes active engage- degree governmental office(s) or individuals
ment internationally in cyber security participate in and influence international nego-
diplomacy; tiations on issues pertaining to cyber security.
Updates to this essential element will monitor,
B. A demonstrated consistency between track, and evaluate substantive and notable
the numbers and ranks of dedicated for- developments.
eign cyber diplomatic personnel and the
announced commitment of a country to 7. DEFENSE AND CRISIS RESPONSE
engage in cyber security diplomacy as a
top tier issue of national importance; The seventh and final element of cyber readi-
ness is the ability of a country’s national armed
forces and/or related defense agency to de-
27
fend the country from threats emanating from disrupted the control systems at a German
cyberspace. Countries interested in this type of Steel Mill, causing its blast furnace to shut
capability are directing their defense forces to down improperly, which resulted in significant
establish capacity or expertise to respond to damages.93 The same year, Sony pictures fell
cyber threats that rise to the level of nationally victim to a cyber attack where unreleased mo-
critical “cybered” conflicts.90 tion pictures were illegally copied, corporate
emails were stolen and then leaked, and finan-
Countries are becoming more connected and cial documents were exposed. Sensitive data
Internet-dependent that in turn is making them on tens of thousands of Sony employees were
more vulnerable to disruptive and destructive copied, and nearly 80 percent of the compa-
cyber activities. Most countries’ defensive pos- ny’s IT assets were destroyed, from data to
tures are weak in the face of sophisticated cy- hardware, by virulent malware.94
ber attacks. The globally connected nature of
modern competitions and conflicts encourage Countries must be prepared to defend their
cyber-enabled adversaries to move laterally connected and networked interests for current
across national systems and target a country’s and future conflicts. The speed and reach of
commercial and non-state organizations. For the Internet helps connect all aspects of soci-
example, in August 2012, Saudi Aramco suf- ety and provides easy access to military-grade
fered a targeted attack that used malicious cyber weapons, giving an asymmetric advan-
software to destroy data and damage nearly tage to many. Indeed, the diversity of malicious
seventy five percent of the company’s IT infra- actors including political activists, criminals,
structure.91 Corporate officials claimed that the terrorists, state and non-state actors—all with
Disruptive and destructive cyber activities

requires a credible cyber defense.
incident was intended to affect oil production. differing motives underscores the need to pre-
A few months later, in March 2013, multiple pare for worst-case scenarios. At present, more
financial institutions in South Korea, including than sixty countries have developed capabili-
Shinhan Bank—the country’s fourth largest ties for cyber espionage and attack, while also
bank—suffered damages from malware simi- demonstrating considerable interest in acquir-
lar to those used against Saudi Aramco. The ing or developing defensive and pre-emptive
bank’s e-services were disrupted and data was offensive capabilities.95 Additionally, countries
destroyed. The economic damages from this have started to devise different strategies and
incident were estimated to have reached ap- tools to upgrade their national level cyber de-
proximately $800 billion dollars.92 In December fenses. Most governments have instinctively
2014, hackers successfully manipulated and looked to increase the existing defensive ca-
28
pabilities of their security agencies that already Security Doctrine in 2016, which allegedly will
are capable of operating in, through, and as propose to develop forces for information
enabled by cyberspace outside their national warfare and information systems for strategic
borders (i.e. the defense organization or intel- deterrence and the prevention of conflicts.100
ligence services). Others have sought to place
these capabilities in security organizations not The Republic of South Korea (ROK) and Brazil
directly located within their military structure.96 have also established similar military organiza-
tions aimed at securing offensive, defensive,
For instance, in 2010 the United States estab- and response capabilities as well as ensuring
lished a dedicated military unit—the United complete victory in cyber warfare.101 South Ko-
States Cyber Command—to defend against rea has been expanding its cyber capabilities
cyber threats to military infrastructure. Its mis- and is reportedly training over four hundred
sion was expanded in 2015 when the Depart- new cyber troops for its ROK Defense Cyber
ment of Defense’s (DoD) published its second Command, bringing the total to around one
Cyber Strategy to guide the development of thousand.102
DoD cyber forces (under the command and
control of United States Cyber Command) and Additionally, while the People’s Republic of
to strengthen its cyber defenses and cyber de- China (PRC) has not publicly issued any for-
terrence posture. This new strategy highlights mal strategic doctrine for cyber or information
the need to be “prepared to defend the United military applications, it has published Military
States homeland and United States vital inter- Strategic Guidelines that provides direction for
ests from disruptive or destructive cyber attacks defense policy.103 The PRC’s 2013 White Paper:
of significant consequence,” and to build, the Diversified Employment of China’s Armed
maintain, and use viable cyber options to con- Forces and the 2014 “Opinion on Further
trol conflict escalation and shape the combat Strengthening Information Security Work,”
environment at all stages.97 stress the development of defensive cyber ca-
pabilities. The documents emphasize that the
Similarly, in December 2014, the Russian People’s Liberation Army (PLA) will not attack
Federation released its new Military Doctrine unless attacked, but if attacked, will counterat-
that highlights Russia’s development of cyber tack in cyberspace.104
warfare capabilities for both offensive and
defensive purposes as well as “non-nuclear A cyber defense agency need not be a uni-
deterrence.”98 Russia’s 2011 Ministry of De- formed agency within the nation’s military.
fense White Paper, “Conceptual Views on the National police and intelligence forces can
Activities of the Armed Forces of the Russian be the loci of a government’s central capacity
Federation in Information Space,” parallels to defend in cyberspace, although the armed
aspects of the Russian Defense Doctrine, but forces will also need to be modernized and
also explicitly includes public opinion and the cyber ready for more traditional conflicts. For
need to keep the media abreast of evolving example, Iceland has concentrated its cyber
conflict situations for de-escalation purpos- responses outside its armed forces. In the past,
es.99 According to the Russian media, Russia’s Icelandic cyber security responsibilities were
leadership plans to release a new Information informally divided among the Ministry of the
29
Interior, the Post and Telecom Administration, security. As countries become more reliant on
the Data Protection Authority, and the Icelan- the Internet and ICT systems, the more vul-
dic Police. However, in 2015 Iceland central- nerable they will become to “low level” cyber
ized all of its cyber capabilities under the Na- threats and asymmetric activity. Countries are
tional Commissioner of the Icelandic Police.105 faced with a Catch-22, greater ICT uptake is
Iceland’s June 2015 national cyber strategy essential for growth, but the more connected
also highlights the integral role of the NATO a country becomes the more risks they incur.
alliance to Iceland’s cyber defense.106 Opting out of the Internet economy is no lon-
ger an option. Countries must be prepared to
Finally, while Israel does not presently have a defend themselves in cyberspace. If a country
formalized “cyber command,” its cyber securi- is unable to defend itself, it is not cyber ready.
ty capabilities exist and are dispersed through-
out the Israeli Defense Force (IDF) and the Elements of a country’s commitment to de-
Military Intelligence Directorate. The Military velop and deploy dedicated national defense
Intelligence Directorate handles offensive ca- units with cyber defense capabilities/responsi-
pabilities, while the services deal with protec- bilities may include:
tion. Shin Bet, Israel’s internal security service,
is responsible for defending government sys- Statement:
tems and critical national infrastructure, and the
National Cybernetic Taskforce secures critical A. The publication of national statements
networks and private industry against hacking that assign an organization the nation-
and espionage.107 This may change, however, al cyber defense mission as a top tier
because in June 2015, Lt. Gen. Gadi Eisenkot, mission;
commander of the Israeli Army, declared his in-
tent to establish a new IDF corps—on par with B. The establishment of policies for the cy-
the Navy and Air Force—responsible for all ber defense organization to respond to
cyber activity. Should the defense minister ap- cyber threats;
prove the new corps, the new cyber IDF would
be operational within two years. Once opera- C. The articulation of national statements
tional, the new Cyber Command will integrate that direct the cyber defense organization
defensive capabilities currently provided by to develop capacity to respond to threats
the IDF with offensive and intelligence capac- within or outside the sovereign territory;
ity performed by Unit 8200 and other military
intelligence communities.108 This aligns with Organization:
the new IDF five-year plan, “Gideon,” which
was published in August 2015. “Gideon” spe- A. The establishment of a national-level
cifically calls for increased initiatives to fend off organization, within the military, whose
cyber attacks and other asymmetric threats, primary mission is the cyber defense of
which may emanate from non-state and terror- the nation;
ist groups in the region.109
B. The establishment of a national-level or-
A cyber defense capability is necessary for a ganization, not within the military, whose
country to ensure its national and economic primary mission is the cyber defense of
the nation;
30
Resources: Initial findings in this essential element are
based upon a review of whether a country has
A. The identification of financial and human officially declared to establish defense forces
resources requested and allocated for the whose top-level mission includes cyber de-
organization, within the military, whose fense of the nation. The CRI 2.0 draws on pri-
mission explicitly includes the cyber de- mary and secondary sources to determine the
fense of the nation; level of operational maturity. Updates to this
essential element will monitor, track, and eval-
B. The identification of the financial and hu- uate substantive and notable developments.
man resources requested and allocated
for the organization, not within the mili- CONCLUSION
tary, whose mission explicitly includes the
cyber defense of the nation;
Implementation:
No country is cyber ready.
A. Evidence of conducted government-level
exercises that demonstrate national cyber
defense readiness;
The threats to our networked systems and
B. Evidence of conducted national-level infrastructures are real and growing and im-
exercises involving affected commercial pose costs in economic terms to countries and
entities that demonstrate national cyber society. Economic and national security agen-
defense readiness; das must align to bring transparency to cyber
insecurity. Showing this vital association may
C. Evidence of conducted exercises with spark national and global interest in address-
international partners (e.g. NATO mutual ing this economic erosion. The CRI 2.0’s com-
defense or APCERT Drill) that demon- prehensive, comparative, experience-based
strate cooperation through information methodology provides a blueprint to evaluate
exchange and assistance; any country’s maturity and commitment to se-
curing their national cyber infrastructure and
D. The establishment of standards for re- services upon which their digital future and
sponsible state behavior in cyberspace growth depend.
and identification of thresholds that per-
mit engagement for cyber defense; and The CRI 2.0 blueprint identifies over seventy
unique data indicators across seven essential
E. The establishment of rapid assistance elements: national strategy, incident response,
mechanisms (separable from CERTs or e-crime and law enforcement, information
equivalents) for the government or spe- sharing, investment in R&D, diplomacy and
cific industries in case of major cyber trade, and defense and crisis response. These
incidents. indicators and essential elements provide a
framework for a country to develop a stronger
31
security posture that can defend against GDP
erosion. In effect, the CRI 2.0 challenges the
conventional wisdom that cyber security is pre-
dominately a national security issue. The CRI
2.0 can demonstrate how national security is
closely intertwined with Internet connectivity
and rapid adoption of ICT which, when secure,
can lead to economic growth and prosperity.
Instead of simply studying the problem, the

CRI 2.0 offers a framework for a country to
evaluate the strength of its ability to prevent
economic erosion from cyber insecurity. The
CRI 2.0 will be updated periodically adding
evaluation criteria without losing comparative
validity with any prior assessments. In that way,
the CRI 2.0 will demonstrate countries’ prog-
ress and evolution toward securing the cyber
infrastructure and services upon which their
digital future and growth depend.
No country can afford cyber insecurity and the

losses it incurs. The CRI 2.0 data and method-
ology can help national leaders chart a path to
a safer, more resilient economy in a deeply cy-
bered, competitive, and conflict-prone world.
For more information or to provide data to the CRI

2.0 methodology, please contact:
CyberReadinessIndex2.0@potomacinstitute.org
32
BIBLIOGRAPHY
1. The Cyber Readiness Index 2.0 builds 5. Government of India, “Programme

on the previous Cyber Readiness Index Pillars,” Digital India: Power to Em-
1.0, which provided a methodological power, http://www.digitalindia.gov.
framework for assessing cyber read- in/content/programme-pillars.
iness across five essential elements,
namely: cyber national strategy, incident 6. European Commission, “Digital Single
response, e-crime and legal capacity, Market: Bringing down the barriers to un-
information sharing, and cyber research lock online opportunities,” http://ec.eu-
and development. The Cyber Readiness ropa.eu/priorities/digital-single-market/.
Index 1.0 applied this methodology to
an initial set of thirty-five countries. For 7. Melissa Hathaway and Francesca
more information on Cyber Readiness Spidalieri, “Sustainable and Secure
Index 1.0, see: Melissa Hathaway, “Cy- Development: A Framework for
ber Readiness Index 1.0,” Hathaway Resilient Connected Societies,” in
Global Strategies LLC (2013), http:// Observatory of Cyber Security in Latin
belfercenter.ksg.harvard.edu/files/ America and the Caribbean (forth-
cyber-readiness-index-1point0.pdf. coming December 2015 Organization
of American States publication).
2. The Internet-infrastructure entanglement
is the interdependence on Internet 8. World Bank, “Overview,” Information &
connectivity for the delivery of key Communication Technologies Program,
services including water, electricity, trans- last modified 2 October 2014,http://
portation, communications, health, etc. worldbank.org/en/topic/ict/overview.
For more on the Internet-infrastructure
9. David Dean et al., “The Digital
entanglement, see: Melissa Hathaway,
Manifesto: How Companies and
“Connected Choices: How the Internet
Countries Can Win in the Digi-
Is Challenging Sovereign Decisions,”
tal Economy,” Boston Consulting
American Foreign Policy Interests
Group report (January 2012): 2.
36, no. 5 (November 2014): 301.
10. Peter C. Evans and Marco Annunziata,
3. Examples of ICT enabled economic
“Industrial Internet: Pushing the Bound-
strategies being pursed around the world
aries of Minds and Machines,” General
include: Europe’s Digital Single Market;
Electric (26 November 2012): 13.
India’s Digital India (ID); China’s Internet
Plus (+); and the ITU Connect 2020.
11. Melissa Hathaway, “Cyber Readiness In-
dex 2.0 & Lessons Learned in the Design
4. State Council of China, “Internet
of national Cyber Security Strategies,”
Plus,” Guo Fa 40 (2015). Translat-
(presentation at the OAS-IDB Regional
ed by U.S. State Department.
Workshop on Cyber Security Policies,
Washington D.C., 23 October 2014).
33
12. Frontier Economics London, Estimating 21. International Telecommunications
the Global Economic and Social Impacts Union, “National Strategies,” http://
of Counterfeiting and Piracy: A Report www.itu.int/en/ITU-D/Cybersecurity/
commissioned by Business Action to Pages/National-Strategies.aspx.
Counterfeiting and Piracy, (London,
Frontier Economics Ltd, 2011): 47. 22. The terms CSIRT and CERT refer to a
team of IT security experts designated to
13. The National Bureau of Asian Research, respond to computer security incidents.
“The IP Commission Report: The re- Both terms are used interchangeably,
port of the commission on the theft of with CSIRT being the more precise term.
American intellectual property,” National
Bureau of Asian Research (May 2013). 23. The International Telecommunications
Union, “CIRT Programme,” http://
14. Melissa Hathaway, “Connected Choices: www.itu.int/en/ITU-D/Cybersecurity/
How the Internet Is Challenging Sover- Pages/Organizational-Structures.aspx.
eign Decisions,” American Foreign Policy
Interests 36, no. 5 (November 2014): 301. 24. John Haller, Samuel Merrell, Matthew
Butkovic, and Bradford Willke, Best
15. Harvey Poppel is credited with inventing Practices for National Cyber Security:
Harvey Balls in the 1970s while working Building a National Computer Security
at Booz Allen Hamilton as a consultant. Incident Management Capability, Version
2.0 (Pittsburgh, PA: Software Engineering
16. Based on 2013 World Institute, Carnegie Mellon University,
Bank GDP rankings. 2011), http://resources.sei.cmu.edu/
library/asset-view.cfm?AssetID=9999.
17. OECD, OECD Digital Economy
Outlook 2015 (Paris, France: OECD 25. Olaf Kruidhof, “Evolution of Na-
Publishing, 2015), http://dx.doi. tional and Corporate CERTs – Trust,
org/10.1787/9789264232440-en. the Key Factor,” in Best Practices in
Computer Network Defense: Inci-
18. Melissa Hathaway, “Transparency, dent Detection and Response, ed.
Trust, and Our Internet,” (presenta- Melissa E. Hathaway, (Amsterdam:
tion at GTEC Conference, Ottawa, NATO Science for Peace and Security
Canada, 20 October 2015). Series, IOS Press, February 2014).
19. ICT infrastructure uptake includes fixed 26. Singapore Computer Emergency Re-
and mobile (voice and data) market sponse Team, “FAQs,” https://www.
segments—both subscriptions and csa.gov.sg/singcert/about-us/faqs.
household data access—and investment
in and revenues by the telecom sector. 27. Ministério das Comunicações,
“Portaria Interministerial N 147,
20. A competent authority is any person or de 31 de Maio de 1995,” http://
organization that has the legally dele- cgi.br/portarias/numero/147.
gated or invested authority, capacity, or
power to perform a designated function.
34
28. cert.br, “About CERT.br,” http:// News, 22 December 2014, http://www.
www.cert.br/about/. world-nuclear-news.org/C-Activists-hack-
KHNPs-computer-systems-2212141.html.
29. “Documents,” APCERT. APCERT.
org, 13 October 2015. http://www. 35. Department of Homeland Secu-
apcert.org/documents/index.html. rity, “Cyber Storm: Securing Cy-
ber Space,” http://www.dhs.gov/
30. “Asia Pacific Computer Emergency cyber-storm-securing-cyber-space.
Response Team Operational Frame-
work” APCERT. APCERT.org, 13 36. European Commission, “Cyber Strategy
October 2015. http://www.apcert.org/ of the European Union: An Open, Safe,
documents/pdf/OPFW(26Mar2013).pdf. and Secure Cyberspace,” Joint Commu-
nication to the European Parliament, the
31. Melissa Hathaway, “Best Practices in Council, the European Economic and
Computer Network Defense: Incident Social Committee and the Committee
Detection and Response,” Global Cyber of the Regions, (July 2013): 7 and Eu-
Security Center (September 2013): 12. ropean Union Agency for Network and
Information Security, “Cyber Europe,”
32. Ingvar Hellquist (Colonel retd.), Senior https://www.enisa.europa.eu/activities/Re-
Advisor and Lars Nicander, Director, silience-and-CIIP/cyber-crisis-cooperation/
Center for Asymmetric Threat Studies, cce/cyber-europe.
Swedish Defence University, “CATS
Course and Cyber Exercise,” (interview 37. Doug Drinkwater, “Hundreds of com-
by Melissa Hathaway in Stockholm, panies face two thousand cyber-attacks
Sweden, 17 October 2012) and Swed- in EU exercise,” SC Magazine, 31
ish National Defence College, “CATS October 2014 in ENISA, “ENISA Cy-
Newsletter,” CATS Center for Asym- ber Europe 2014: Media Coverage,”
metric Threat Studies (Spring 2013). https://www.enisa.europa.eu/activities/
Resilience-and-CIIP/cyber-crisis-co-
33. Dusan Navratil, Director Czech Republic operation/cce/cyber-europe/ce2014/
National Security Authority and Robert cyber-europe-2014-information/
Kahofer, Special Assistant, “Cyber Czech cyber-europe-2014-media-coverage.
2015 - National Technical Cyber Security
Exercise,” (interview by Melissa Hatha- 38. European Defense Agency, “Complex
way in Washington DC, October 2015). Cyber Crisis Management Exercise
in Vienna,” 16 September 2015,
34. “South Korea says Nuclear Worm is https://www.eda.europa.eu/info-hub/
nothing to worry about,” TheRegister. press-centre/latest-news/2015/09/16/
co.uk, 30 December 2014, http://www. complex-cyber-crisis-management-ex-
theregister.co.uk/2014/12/30/south_ko- ercise-in-vienna and NATO, “Largest
rea_says_nuclear_worm_is_nothing_to_ ever NATO cyber defence exercise
worry_about/ and “Activists Hack KNHP’s gets underway,” 21 November 2014,
computer systems,” World Nuclear http://www.nato.int/cps/en/natohq/
news_114902.htm?selectedLocale=en.
35
39. Katie Bo Williams, “US, UK to test 47. Judge Stein Schjolberg and Aman-
finance sector cybersecurity this da M. Hubbard, “Harmonizing
month,” The Hill, 2 November 2015, National Legal Approaches on
http://thehill.com/policy/cybersecu- Cybercrime,” International Telecom-
rity/258827-us-uk-to-test-finance-sec- munication Union (1 July 2005): 6.
tor-cybersecurity-this-month.
48. The twenty countries that signed the
40. CNCERT/CC, “2nd China-Japan-Korea GGE report, include: Belarus, Brazil,
CSIRT Annual Meeting for Cyberse- China, Colombia, Egypt, Estonia,
curity Incident Response was held in France, Germany, Ghana, Israel, Japan,
Korea,” www.cert.org.cn/publish/englis Kenya, Malaysia, Mexico, Pakistan,
h/55/2014/20140916145739295996084 Korea, Russia, Spain, the UK, and the
/20140916145739295996084_.html. USA. See: United Nations, Report of
the Group of Government Experts
41. Carnegie Mellon University, “List of On Development in the Field of In-
National CSIRTs,” CERT Division, http:// formation and Telecommunications In
www.cert.org/incident-management/ the Context of International Security,
national-csirts/national-csirts.cfm. A/65/201 and A/68/98 (26 June 2015).
42. European Network and Information 49. Ernesto U. Savona, Crime and Technol-
Security Agency (ENISA), “ENISA- CERT ogy: New Frontiers for Regulation, Law
Inventory: Inventory of CERT teams and Enforcement, and Research (Dordrecht,
activities in Europe,” ENISA Version 2.16 The Netherlands: Springer, 2004): 50.
(June 2014), http://www.enisa.europa.
eu/activities/cert/background/inv/files/ 50. Advanced Centre for Research, Develop-
inventory-of-cert-activities-in-europe. ment and Training in Cyber Laws and Fo-
rensics, “Academic Programs,” National
43. Forum of Incident Response and Secu- Law School of India University, https://
rity Teams (FIRST), “FIRST Members,” www.nls.ac.in/index.php?option=com_
http://www.first.org/members/teams. content&view=article&id=502&Itemid=32.
44. Council of Europe, Convention on Cyber- 51. INTERPOL, “The INTERPOL Global
crime (23 November 2001) and Shanghai Complex for Innovation,” accessed 17
Cooperation Organisation, Cooperation September 2015, http://www.interpol.
in the Field of Information Security, int/About-INTERPOL/The-INTER-
61 plenary meeting (16 June 2009). POL-Global-Complex-for-Innovation.
45. Ibid. 52. Madan M. Obero, “Dark Web and

Crypto-Currency,” (presentation at
46. Shanghai Cooperation Organisation, Cyber 360: A Synergia Conclave, Ban-
Cooperation in the Field of Infor- galore, India, 30 September 2015).
mation Security, 61 plenary meeting
(16 June 2009), https://ccdcoe. 53. A bot is a malicious form of software
org/sites/default/files/documents/ that could use your computer to send
SCO-090616-IISAgreementRussian.pdf. spam, host a phishing site, or steal your
36
identity by monitoring your keystrokes. 59. Australian Internet Security Initiative
Infected computers are then controlled (AISI), “Overview of the Australian In-
by third parties and can be used for ternet Security Initiative,” http://www.
cyber attacks. For more information, acma.gov.au/Industry/Internet/e-Security/
see: Melissa Hathaway and John Australian-Internet-Security-Initiative/
Savage, “Stewardship of Cyberspace: australian-internet-security-initiative.
Duties of Internet Service Providers,”
Cyber Dialogue 2012 (March 2012). 60. McAfee, “McAfee and CSIS: Stopping
Cybercrime Can Positively Impact
54. Alastair Stevenson, “Botnets infecting 18 World Economies,” June 9, 2014,
systems per second, warns FBI,” V3.cok. http://www.mcafee.com/us/about/
uk, 16 July 2014, http://www.v3.co.uk/ news/2014/q2/20140609-01.aspx and
v3-uk/news/2355596/botnets-infecting- The National Bureau of Asian Research,
18-systems-per-second-warns-fbi. IP Commission Report: The report of
the commission on the theft of Amer-
55. Bell Canada et all, “The Dark Space ican intellectual property,” National
Project,” Security Telecommunica- Bureau of Asian Research (May 2013).
tions Advisory Committee (2011): 13,
https://citizenlab.org/cybernorms2012/ 61. Melissa Hathaway, “Why Successful
cybersecurityfindings.pdf. Partnerships are Critical for Pro-
moting Cybersecurity,” The New
56. Yurie Ito, “Cyber Clean Center,” New Internet, 7 May 2010.
(remote interview with Cyber
Readiness Index team, Washing- 62. Netherlands Ministry of Security and
ton DC, 10 November 2015). Justice, “National Cyber Security Centre
(NCSC),” https://www.ncsc.nl/english.
57. Ministry of Internal Affairs and Commu-
nications and Ministry of Economy Trade 63. In February 2007, the UK National
and Industry, “What is the Cyber Clean Infrastructure Security Coordination
Center,” Cyber Clean Center, https:// Center merged with the National Secu-
www.telecom-isac.jp/ccc/en_index. rity Advice Center (NSAC) for form the
html and Michael M. Losavio, J. Eagle Centre for the Protection of National
Shutt, and Deborah Wilson Keeling, Infrastructure (CPNI). For more on CPNI,
“Changing the Game: Social and Justice see: Center for Protection of National
Models for Enhanced Cyber Security,” in Infrastructure, http://www.cpni.gov.uk.
Tarek Saadawi, Louis H Jordan Jr., and
Vincent Boudreau, Cyber Infrastructure 64. Information-technology Promotion
Protection Volume II (U.S. Army War Agency (IPA), Japan IT Security Center,
College, Strategic Studies, 2013): 101. Initiative for Cyber Security Information
sharing Partnership of Japan (J-CSIP) An-
58. Telecom-ISAC Japan, “Chairman’s nual Activity Report FY2012, (April 2013).
Message,” 12 May 2011, https://www.
telecom-isac.jp/english/index.html. 65. Financial Services-Information Sharing
and Analysis Center, “Overview of the
37
FS-ISAC,” accessed 17 September 2015, (February 2015), https://www.whitehouse.
https://www.fsisac.com/sites/default/files/ gov/sites/default/files/microsites/ostp/
FS-ISAC_Overview_2011_05_09.pdf. fy2016nitrdsupplement-final.pdf.
66. National Cyber-Forensics & Train- 72. Consulate General of Israel in New York,
ing Alliance, “Become a NCFTA “Cabinet approves tax break for National
Partner,” https://www.ncfta.net/ Cyber Park,” Consulate General of Israel
become-ncft-partner.aspx. in New York, 7 June 2014, http://embas-
sies.gov.il/wellington/NewsAndEvents/
67. Raphael Mandarino, “MT2: Private Pages/Cabinet-approves-tax-break-for-
Public Partnership,” Institucional Security National-Cyber-Park-6-Jul-2014.aspx.
Cabinet, Department of Information
Security and Communications, Office 73. Ciência Sem Fronteiras, “FAQ”, http://
of the President, (presentation at 1st www.cienciasemfronteiras.gov.br/web/
INTERPOL Security Conference, Hong csf-eng/faqEGTI_2013-2105_v1-3,
Kong, 15-17 September 2010). Coordination for the Improvement of
Higher Education Personnel (CAPES),
68. National Institute for Standards and “Coordination for the Improvement of
Technology, “National Vulnerability Higher Education Personnel (CAPES)”,
Database,” https://nvd.nist.gov. http://www.iie.org/Programs/CAPES,
and CNPq, “Programas Institucionais
69. The UK and Brazil have mechanisms de Iniciação Científica e Tecnológica,”
in place to declassify (write-for-re- http://www.cnpq.br/web/guest/piict.
lease) intelligence information and
share it with their critical sectors, 74. “Cyber Security,” The Hague Secu-
much better than the US does. rity Delta, https://www.thehaguese-
curitydelta.com/cyber-security.
70. European Commission, “ICT Re-
search & Innovation,” Horizon 2020: 75. Zach Cutler, “5 Growing Cyber-Security
The EU Framework Programme for Epicenters Around the World,” Entre-
Research and Innovation, http://ec.eu- preneur, 3 September 2015, http://
ropa.eu/programmes/horizon2020/ www.entrepreneur.com/article/250024.
en/area/ict-research-innovation.
76. European Commission, “About TTIP,”
71. For more on the Networking and In- Trade, http://ec.europa.eu/trade/
formation Technology Research and policy/in-focus/ttip/about-ttip/.
Development Program (NITRD) and its
research areas, see: www.nitrd.gov/Index. 77. “Welcome to the U.S.-EU Safe
aspx and NITRD, “The Networking and Harbor,” http://www.export.gov/
Information Technology and Research safeharbor/eu/eg_main_018365.asp.
Development Program,” Supplement
to the President’s Budget FY 2016 78. Court of Justice of the European Union,
“The Court of Justice declares that
38
the Commission’s US Safe Harbour States,” 25 September 2015, https://
Decision is invalid,” Press Release www.whitehouse.gov/the-press-of-
117/15 (6 October 2015), http://curia. fice/2015/09/25/fact-sheet-president-
europa.eu/jcms/upload/docs/applica- xi-jinpings-state-visit-united-states.
tion/pdf/2015-10/cp150117en.pdf.
84. University of Toronto, “VII: BRICS
79. American Chamber of Commerce to Summit 2015 Ufa Declaration,”
the European Union, “EU Courts of BRICS Information Centre, 9 July
Justice’s decision in the Schrems case 2015, http://www.brics.utoronto.ca/
could disrupt transatlantic business, docs/150709-ufa-declaration_en.html.
hurt the EU economy and jeapordise a
Digital Single Market,” Press Release, 6 85. United Nations, General Assembly,
October 2015, http://www.amchameu. “Letter dated 9 January 2015 from
eu/sites/default/files/press_releases/ Permanent Representatives of China,
press_-_ecj_decision_on_schrems_will_ Kazakhstan, Kyrgyzstan, the Russian
disrupt_transatlantic_business.pdf. Federation, Tajikistan and Uzbekistan
to the United Nations addressed to
80. Hathaway, “Connected Choices: How the Secretary-General,” Develop-
the Internet Is Challenging Sovereign ments in the field of information and
Decisions,” 302 and Arun Mohan telecommunications in the context of
Sukmar, “The New Great Game in international security, A/69/723 (13
Asia,” The Hindu, 25 August 2015, January 2015), http://daccess-dds-ny.
accessed September 16, 2015, http:// un.org/doc/UNDOC/GEN/N15/014/02/
www.thehindu.com/opinion/op-ed/ PDF/N1501402.pdf?OpenElement.
arun-mohan-sukumar-column-the-new-
great-game-in-asia/article7575755.ece. 86. Melissa Hathaway, “Discussion Paper
for the Global Commission of Internet
81. “Wassenaar Arrangement on Export Governance,” (paper presented in
Controls for Conventional Arms and Stockholm Sweden, 27 May 2014).
Dual Use Goods and Technologies”
last updated 16 September 2015, 87. Inter-American Development Bank,
http://www.wassenaar.org/index.html. “IDB and OAS join efforts to promote
better cybersecurity policies in Latin
82. United Nations, Report of the Group America and the Caribbean,” 22 October
of Government Experts On Develop- 2014, http://www.iadb.org/en/news/
ment in the Field of Information and news-releases/2014-10-22/cybersecuri-
Telecommunications In the Context ty-workshop-for-latin-america,10957.html.
of International Security, A/65/201
and A/68/98 (26 June 2015). 88. Dusan Navratil, Director Czech Re-
public National Security Authority
83. The White House Office of the Press and Robert Kahofer, Special Assistant,
Secretary, “FACT SHEET: President “Cyber Czech 2015 - National Technical
Xi Jinping’s State Visit to the United Cyber Security Exercise,” (interview
39
by Melissa Hathaway in Washington 94. “The Reality of the Sony Pictures
DC, October 2015) and Rueuven Azar, Breach,” TrendMicro, 22 December
Deputy Chief of Mission and Dr. Evia- 2014, http://blog.trendmicro.com/reali-
tar Matania, Head of National Cyber ty-sony-pictures-breach/, Sean Fitz-Ger-
Bureau (interview by Melissa Hathaway ald, “Everything That’s Happened in
in Rockville, MD, 2 June 2015). the Sony Leak Scandal,” Vulture, 22
December 2014, http://www.vulture.
89. Craig L. Hall, US Consulate Gen- com/2014/12/everything-sony-leaks-scan-
eral, Kolkata, India, (interview dal.html#, and “Sony Breach May
by Melissa Hathaway in Kolkata, Have Exposed Employee Healthcare,
India, 23 September 2015). Salary Data,” Krebson Security, 2 De-
cember 2014, http://krebsonsecurity.
90. Cybered conflict differs from cyber war or com/2014/12/sony-breach-may-have-ex-
cyber battle. The latter is fully technolog- posed-employee-healthcare-salary-data/.
ical and could, in principle, be conducted
entirely within a network. It is normally 95. Jennifer Valentino-Devries and Danny
a component of the former. “Cybered Yadron, “Cataloging the World’s Cy-
conflicts are those nationally significant berforces,” The Wall Street Journal,
aggressive and disruptive conflicts for 11 October 2015, http://www.wsj.com/
which seminal events determining the articles/cataloging-the-worlds-cyber-
outcome could not have occurred with- forces-1444610710 and United Nations,
out ‘cyber’ (meaning networked technol- General Assembly, Developments
ogies) mechanisms at critical junctures in in the Field of Information and Tele-
the determining course of events.” Chris communications in the context of
Demchak, “Resilience, Disruption, and a International Security: Report to the
‘Cyber Westphalia’: Options for National Secretary General, A/70/172 (22 July
Security in a Cybered Conflict World,” 2015), http://www.un.org/ga/search/
in Securing Cyberspace: A New Domain view_doc.asp?symbol=A/70/172.
for National Security, edited by Nicholas
Burns and Jonathon Price, (Washing- 96. James Lewis and Katrina Timlin, “Cy-
ton, DC: The Aspen Institute, 2012). bersecurity and Cyberwarfare 2011:
Preliminary Assessment of National
91. Christopher Bronk, “The Cyber Doctrine and Organization,” UNIDIR
Attack on Saudi Aramco,” Surviv- Resource and Center for Strategic
al 55 (April-May 2013) 81-96. and International Studies (2011): 3.
92. Melissa Hathaway and John Stuart, 97. Department of Defense, “The
“Cyber IV Feature: Taking Control of Department of Defense Cyber
our Cyber Future,” Georgetown Journal Strategy,” (April 2015): 7-8.
of International Affairs (25 July 2014).
98. President of the Russian Federation,
93. Robert M. Lee, Michael J. Assante, “Military Doctrine of the Russian Fed-
and Tim Conway, “German Steel eration,” Russian Government (2014)
Mill Cyber Attack,” Industrial Control
Systems (30 December 2014).
40
translated by Thomas Moore, https:// 102. Zachary Keck, “South Korea Seeks
www.scribd.com/doc/251695098/ Offensive Cyber Capabilities,” The
Russia-s-2014-Military-Doctrine. Diplomat, October 11, 2014, http://
thediplomat.com/2014/10/south-ko-
99. Ministry of Defense of the Russian rea-seeks-offensive-cyber-capabilites/.
Federation, “Conceptual Views on
the Activities of the Armed Forces 103. For an overview of China’s cyber
of the Russian Federation in the In- strategy, see: Amy Chang, “Warring
formation Space,” (2011) translated States,” The Center for New Amer-
by the US Department of State. ican Security, (December 2014).
100. “The new doctrine of information secu- 104. Information Office of the State, “White
rity pointed out the danger of destabi- Paper: The Diversified Employmenet
lization via the Internet,” Russian News, of China’s Armed Forces,” April 2013,
10 September 2015, http://en.news-4-u. http://eng.mod.gov.cn/Database/
ru/the-new-doctrine-of-information-se- WhitePapers/ and Xi Jinping, Cen-
curity-pointed-out-the-danger-of-de- tal Military Commission, “Opinion
stabilization-via-the-internet.html. on Further Strengthening Military
Information Security Work,” partial
101. The Brazilian Ministry of Defence has also translation from Amy Chang, “Warring
recently instructed the Armed Forces States,” The Center for New Ameri-
Joint Chiefs of Staff (EMCFA) to enhance can Security, (December 2014): 20.
national cyber defense through the cre-
ation of a tri-service Cyber Defense Com- 105. Director Generals of Nordic Council,
mand (ComDCiber). While ComDCiber “Icelandic Cyber Responsibilities,”
will comprise all three services, the Army (meeting between Melissa Hathaway
will take the lead. ComDCiber will be and Director Generals and respective
based off of the previously established delegations of the Nordic Council who
Brazilian Cyber Defense Center Nucleus are responsible for National Computer
(NU CDCiber) in Brasília. See eeInigo Emergency Response Teams, Stock-
Guevara, “Brazil to stand up Cyber holm, Sweden, 19 November 2014).
Defence Command,” IHS Jane’s Defence
Weekly, 4 November 2014 and Diego 106. Minister of the Interior, “Icelandic
Rafael Canabarro and Thiago Borne, National Cyber Security Strategy
“Brazil and the Fog of (Cyber) War,” 2015-2026: Plan of Action,” Icelandic
National Center for Digital Governance Minister of the Interior (June 2015),
(2013): 5. On Korea’s cyber capabilities, http://eng.innanrikisraduneyti.is/media/
see : Republic of Korea, “Defense White frettir-2015/Icelandic_National_Cy-
Paper,” (2014), 57, http://www.mnd.go.kr/ ber_Security_Summary_loka.pdf.
user/mnd_eng/upload/pblictn/PBLICT-
NEBOOK_201506161156164570.pdf.
41
107. Yaakov Katz, “Security and Defense,”
The Jerusalem Post, 8 October 2010 in
James Lewis and Katrina Timlin, “Cyber-
security and Cyberwarfare 2011: Prelim-
inary Assessment of National Doctrine
and Organization,” UNIDIR Resource and
Center for Strategic and International
Studies (2011), 14 and “Eye on tech ex-
ports, Israel launches cyber command,”
Reuters, 18 May 2011, http://www.reu-
ters.com/article/2011/05/18/us-israel-se-
curity-cyber-idUSTRE74H27H20110518.
108. Mitch Ginsburg, “Army to es-

tablish unified cyber corps,” The
Times of Israel, June 16, 2015.
109. Michael Herzog, “New IDF Strate-

gy Goes Public,” The Washington
Institute: Policy Watch 2479 (28
August 2015), http://www.washing-
toninstitute.org/policy-analysis/view/
new-idf-strategy-goes-public.
42
ABOUT THE AUTHORS
Melissa Hathaway is a leading expert in cyberspace policy and cybersecurity. She serves as
a Senior Fellow and a member of the Board of Regents at Potomac Institute for Policy Studies
and is a Senior Advisor at Harvard Kennedy School’s Belfer Center for Science and International
Affairs. She also is a Distinguished Fellow at the Centre for International Governance Innovation
in Canada and was appointed to the Global Commission for Internet Governance (Bildt Com-
mission). She served in two Presidential administrations where she spearheaded the Cyberspace
Policy Review for President Barack Obama and led the Comprehensive National Cybersecurity
Initiative for President George W. Bush. She developed a unique methodology for evaluating and
measuring the level of preparedness for certain cybersecurity risks, known as the Cyber Readi-
ness Index. She publishes regularly on cybersecurity matters affecting companies and countries.
Most of her articles can be found at the following website: http://belfercenter.ksg.harvard.edu/
experts/2132/melissa_hathaway.html.
Chris Demchak is a subject-matter expert on the Potomac Institute for Policy Studies’ Cyber
Readiness Index project. Her research areas are digital resilience, cyber conflict, and the struc-
tures and risks of cyber space. She designed a digitized organization model known as “Atrium”
that helps large enterprises respond to and accommodate surprises in their systems. She is also
the author of Wars of Disruption and Resilience: Cybered Conflict, Power and National Security.
Jason Kerben is a subject-matter expert on the Potomac Institute for Policy Studies’ Cyber
Readiness Index project. He also serves as senior advisor to multiple Departments and Agen-
cies in matters related to information security and cyber security. In particular, he focuses on
legal and regulatory regimes that impact an organization’s mission. He develops methodologies
and approaches to assess and manage cyber security risk and advises on a myriad of specific
cybersecurity activities including international principles governing information and communi-
cations technologies, identity and access management, continuous diagnostics and mitigation
and cyber insurance.
Jennifer McArdle is a Fellow in the Center for Revolutionary Scientific Thought at the Potomac
Institute for Policy Studies. Her academic research focuses on cyber warfare, information warfare,
and Asian geopolitics. She is currently a PhD candidate at King’s College London in the War
Studies department.
Francesca Spidalieriis a subject-matter expert at the Potomac Institute for Policy Studies’ Cyber
Readiness Index Project. She also serves as the Senior Fellow for Cyber Leadership at the Pell
Center, at Salve Regina University. Her academic research and publications have focused on
cyber leadership development, cyber risk management, cyber education and awareness, and
cyber security workforce development. She recently published a report, entitled “State of the
States on Cybersecurity,” that applies the Cyber Readiness Index 1.0 at the US state level.
POTOMAC INSTITUTE FOR POLICY STUDIES
901 N. Stuart St. Suite 1200, Arlington, VA 22203
www.potomacinstitute.org

PotomacInstitute CRIndex2.0

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PotomacInstitute CRIndex2.0

Uploaded by

Copyright:

Available Formats

CYBER READINESS INDEX 2.

Principal Investigator: Melissa Hathaway

Published by Potomac Institute for Policy Studies

Potomac Institute for Policy Studies

Principal Investigator: Melissa Hathaway

Today, no country is cyber ready.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Insufficient Evidence: evidence is lacking or has yet to be

Partially Operational: there is evidence of policies, activi-

Fully Operational: there is sufficient evidence to observe and

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Algeria Colombia Israel Netherlands Sri Lanka

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Resilience of critical services is vital to national

solve computer security incidents.26 SingCERT technical information between operators of

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Another example is the International Police

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Information sharing must be underpinned by

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

The ability of a country to exchange timely,

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Implementation: Government and businesses each have a role

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

These various R&D initiatives and cyber inno-

Elements of a country’s commitment to ad-

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Resources: Initial findings in this essential element are

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Elements of a sound diplomatic cyber security A. Demonstrated participation in defining,

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Disruptive and destructive cyber activities

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

Instead of simply studying the problem, the

No country can afford cyber insecurity and the

For more information or to provide data to the CRI

© 2015 Cyber Readiness Index 2.0, all rights reserved.

1. The Cyber Readiness Index 2.0 builds 5. Government of India, “Programme

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

45. Ibid. 52. Madan M. Obero, “Dark Web and

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.

© 2015 Cyber Readiness Index 2.0, all rights reserved.