Cyber portals play an important role in assembling, communicating, and facilitating access to information about cybersecurity – helping policymakers, diplomats, civil society organizations, academia, and the private sector in making sense of the growing landscape of initiatives and policies. As different organizations develop international and regional portals, the Igarapé Institute has recently launched the Brazilian Cybersecurity Portal to map the country’s national cybersecurity governance landscape. In this article, we would discuss some reflections on the importance of Cyber Portals to CCB and the lessons learned from the process of developing the national portal.
A Complex Landscape
From the Morris worm to the Colonial pipeline ransomware attack, the past 30 years have been marked by the increasing notoriety of both the vulnerability and interconnectedness of systems, networks and infrastructures. All sectors have not only witnessed but also increasingly sought to include cybersecurity as a key concern in technical and policy development. Internationally, discussions at the Open-Ended Working Group and the UN Group of Governmental Experts have revolved around the development and operationalization of cyber norms, in particular, the applicability of international law to cyberspace. Regionally, many organizations such as the OAS, OSCE and ASEAN have sought to work with member-states on the consolidation of cyber–Confidence Building Measures. Nationally, governments have been developing their national cybersecurity strategies and other policies that establish minimum standards for cybersecurity across sectors.
All these developments have contributed to what today is a rich and complex landscape of policies, standards, actors, projects, CCB initiatives, institutions, and spaces in which these discussions take place. However, amidst a growing patchwork of initiatives, policymakers, diplomats, civil society organizations, academia, and the private sector are faced with the challenge of keeping up with the growing field and navigating what has become a fragmented landscape of activities.
In response to this challenge, different organizations have started to develop a range of repositories and portals to aggregate, organize and make available information about norms and initiatives in a systematic and accessible way. Some examples are UNIDIR’s Cyber Portal, the GFCE’s Cybil Portal, OAS’s Observatorio de Ciberseguridad and, more recently, the Brazilian Cybersecurity Portal (Portal Brasileiro da Cibersegurança), developed by the Igarapé Institute.
The Rise of Cyber Portals
Cyber portals play an important role in assembling, communicating, and facilitating access to information about cybersecurity. They are both a resource for other sectors looking to understand and navigate some of the latest developments in the field and an important mechanism that can support organizations in planning their own capacity building efforts. Some portals focus on a thematic issue-areas and others on specific levels of analysis (national, regional, or international) or sectors. Rather than ideal types, there are some basic characteristics that enable portals to target and actively respond to knowledge gaps in cybersecurity. A few examples include:
Level-specific Portals: These are the portals that focus on mapping international, regional and/or national cybersecurity developments. UNIDIR’s Cyber Policy Portal, for example, provides an extensive map of UN Member States’ profiles and cyber policies.
Theme-specific Portals: Those that are dedicated to one or multiple thematic areas without the demarcation or explicit commitment to one specific level of analysis (national/regional/international). This is the case of Diplo Foundation’s Geneva Internet Platform Digital Watch Observatory that monitors and provides an overview of issues that range from cybersecurity and human rights to economic and infrastructure-related ones. Another example is the GFCE’s Cybil Portal that focuses mapping cyber capacity building initiatives and creating knowledge that can foster better targeted initiatives.
Repositories: Initiatives that are primarily dedicated to the consolidation of a digital archive for cybersecurity or presentation of the result of a mapping exercise. The National Security Archives Cyber Vault Library provides primary-source material that ranges from court case documents, to maps and glossaries. The OAS Cybersecurity Observatory is another example of a portal that has sought to periodically map cyber capacities and maturity across countries in the Americas region.
Building National Capacities Through Portals
In April 2021, the Igarapé Institute launched the Brazilian Cybersecurity Portal – one of the first portals fully dedicated to the mapping the national environment and discussion. The Portal gathers more than 70 documents and 100 national initiatives from 10 sectors, seeking to systematize and map the national cybersecurity governance landscape, that is, the key institutions, norms, and history of the field in Brazil.
In so doing, our objective was (and is) to (i) shed light on the particularities of cyber policy taking place in the national agenda, (ii) integrate knowledge from different sectors in developing their respective policies, and (iii) contribute to raising the baseline understanding of the current capacities and gaps for multistakeholder collaboration in national cybersecurity.
The Portal is the result of over two years of data collection and a series of interviews, consultations and meetings with experts from different sectors. More importantly, it is one of the responses to a diagnostic analysis of the national landscape in which we had identified that, while all sectors understand the importance of building cyber capacities and shared responsibility in doing so, there were some challenges for action, namely: (i) a lack of shared vocabulary to address cybersecurity threats and risks; (ii) existence of varying level of cyber maturity across sectors; (iii) lack of normative, strategic, and operational alignment; and (iv) different understandings of specific and shared risks across sectors – to name a few.
Portraying the national cybersecurity governance landscape can be a challenging task due to the fast-paced changes in regulation, the shifting and evolving institutions, and the sometimes-blurry lines between concepts such as cybersecurity, cybercrime, critical infrastructure protection and others. The Brazilian cybersecurity Portal responds to those challenges by providing a repository of legislations, policies and official documents; an interactive map of key actors (and what they have produced so far in terms of cybersecurity); a timeline of key developments; and recommendations for an integrated and multistakeholder approach to digital security risks.
Opening up the Discussion: Key Takeaways
More than a shared responsibility, cybersecurity requires consistent collective action – and Portals are one way of levelling the playing field of understandings. By integrating knowledge and working on strengthening cyber capacities, they serve as an increasingly relevant tool for national and international policy development.
Academia and civil society organizations have an important role to play in developing and implementing CCB initiatives such as building repositories and facilitating access to knowledge, especially at the national level – as many of the examples in the sections above show. Many of these organizations are actively following cybersecurity debates in different sectors, continually work with primary open-source data, and engage with key experts in the field.
Finally, our experience in building a national portal and collaborating with other portal developers has shown that there are multiple benefits in consolidating knowledge that go well beyond facilitating access, such as:
Mapping existing policies and what has already been achieved. Especially at the national level and in developing countries, it might seem that cybersecurity is a relatively new subject. What we found is that this is not always the case – Brazil, for example, has only launched its national cybersecurity strategy in 2020, but has engaged in the subject since the early 2000’s at least.
Identifying gaps in policy and institutional development. By gathering policy data in a systematic and methodologically rigorous manner, we were able to understand some trends in policymaking across the years – such as the securitization and militarization of the cybersecurity agenda from 2008-2016 and an increasing push towards sector specific regulations and data protection and security since 2018.
Translating how cybersecurity is framed within a specific country. Beyond international documents, national data allows for different sectors to better understand how cybersecurity is approached in a particular country and/or region. Some governments have concentrated the development of a national cybersecurity agenda to the ministry of economy, others to the ministry of defense, tracking these developments allows for a better positioning of the debate within these national realities.
Going beyond the ‘usual suspects’ or cybersecurity experts. Depending on the portal, it can serve as an important hub for both experts working in the field, but also to students, policymakers and others that might not be acquainted with cybersecurity.
Last, but certainly not least, portals can also be an invitation for sectors to contribute to collectively building knowledge on cybersecurity. All sectors have an important role to play in providing information and jointly building what is a holistic account of national capacities, policies, and institutions. NGOs and think tanks can meaningfully contribute to the discussion and development, ensuring that mapping efforts are reflective of human rights, provide greater transparency over cybersecurity policy and integrate a human-centric approach to new initiatives.
*This piece was originally published by the Global Forum on Cyber Expertise (GFCE) Magazine.