 And then I think it's a good idea to kickstart this. So good afternoon, esteemed colleagues and participants. I bid you a warm welcome to the World Bank ITU joint seminar on Cyber Strategy, Design and Implementation, A Global Policy, Dialogue and Briefing. And my name is Mario Vaian, and I am the Director of the Global Forum on Cyber Expertise Secretariat. It is with great pleasure that I will be your moderator for today. This event is part of the ongoing Knowledge Sharing event series on Cyber Security at the World Bank, and also part of the ITUD Cyber Security Capacity Building activities for member states. And the event will present the second edition of the guide to developing a National Cyber Security Strategy that was launched in November 2021. And it will reiterate the importance of designing, adopting, implementing, but also maintaining a National Cyber Security Strategy. And the guide was developed by the World Bank and ITU in cooperation with a consortium of partner organizations and many of which I am glad to share are part of the GSE's multi-stakeholder community. We also participated as an observer in the process, and we will continue to support the fostering of Knowledge Sharing and international collaboration among stakeholders. So during today's event, a special focus will be put on the NCS life cycle and sustainable implementation of the guide, meaning long-term action plan, educational resources, budget, evaluation mechanisms, and so forth. The seminar will start with a policy dialogue panel for about 60 minutes, featuring different perspectives and case studies on designing and implementing cyber security strategies. And then thereafter, the panel will be followed by the NCS Masterclass for about 45 minutes, presenting the new guide and good practices for its implementation. But before we start today, I have some housekeeping rules. Please feel free to post questions in the chat box. And the event is also broadcast on the ITU YouTube website. And it is now without further ado that I would like to give the floor to Ms. Atsuko Okuda, regional director of the ITU to take the stage. Ms. Okuda, the floor is yours. Thank you, Mario. Good morning, good afternoon, and good evening, everyone. It's great to be here with you today at this global policy dialogue and briefing on cyber security strategy design and implementation, which has become a critical part of connecting the unconnected. Over the past two decades, people worldwide have benefited enormously from the growth and adoption of digital technologies and the many opportunities they bring. While digital transformation is a uniquely powerful enabler of inclusive and sustainable developments, it is vital that the underlying infrastructure and services are safe, secure, and resilient. The COVID-19 pandemic has served to illustrate why due to the COVID pandemic and the shift of service delivery to digital platforms and a parallel number of new internet users joined the internet. According to ITU's Facts and Figures 2021, some 800 million people joined the internet between 2019 and 2021. How to ensure their online safety and security is of paramount importance to us all. Equally worrying is a trend that over the past year, we have witnessed a surge in cyber incidents, malicious misinformation, campaigns, and targeted cyber attacks on critical infrastructure, such as hospitals. We need to act on now to reinforce our cyber protection as digital is becoming the new normal for everyone. That means that every country needs to put in place a comprehensive national cybersecurity strategy. In recent years, the number of national strategies has increased by 40 percent. Today 127 countries have won in place. However, important gaps remain. Regionally, we see some variation in existence or adoption of national cybersecurity strategies or NCS. According to ITU's Global Cybersecurity Index 2020, the average score in Asia and the Pacific is 0.93 out of 1 with 16 out of the 38 countries covered scoring 0 on this NCS metric. In addition, our increased dependency on ICT and the proliferation of digital risks all call for continuous updates to every country's cybersecurity posture, including NCS. Their colleagues developing an effective cybersecurity strategy is a complex task. We need to put our collective expertise to work to help every nation to protect their populations and their digital resources to help governments, a working group of partner organizations jointly developed and published the second edition of the guide to developing an NCS last November. This document is the result of a unique collaborative effort involving more than 20 specialist organizations from the public and private sectors as well as academia and civil society who shared their experience, knowledge and expertise. I'm confident that this new guide will serve as an invaluable tool for policymakers, regulators and every stakeholder with an interest in building a safe and robust digital environment. Of course, the importance of partnership cannot be overstated. For that reason, I'm delighted to be here today with the World Bank and our member states to promote strategic reflections on cybersecurity, cyber capacity building and cyber resilience. We are all convinced that this partnership should continue and expand to support governments and all stakeholders alike and to realize an inclusive, sustainable and safe digital future in Asia and the Pacific and beyond. Thank you very much for giving me this opportunity and back to you, Mario. Thank you. Thank you, Ms Okudo, for stressing the importance of the NCS cycle. I would like to ask Mr Mark Williams to take the floor. Mr Williams is Practice Manager of Global Knowledge and Expertise in Digital Development Practice at the World Bank. Mr Williams, the floor is yours. Thank you, Mario. Welcome. I'd like to add my welcome to those already comments already given. This is a great event. It's part of the, as has already been said, the result of a strong partnership between the World Bank and the ITU and other stakeholders in developing the NCS. It's been a very productive team effort. It's part of a bigger program of work on cybersecurity that the World Bank is doing, all of which today has been supported by donors initially through DDP and then more recently through the recently launched Cybersecurity Multidonal Trust Fund. So a big thank you to all the support that we've been provided in that area. The work, as has already been said, is fundamentally about partnership. It's about mutual learning. So I'm very happy to be able to welcome guests to this seminar today so that we can share experiences amongst ourselves about developing and implementing national cybersecurity strategies. So I'd like to welcome panelists joining us from Tonga in the east to Sri Lanka in the west. And then later on in the session we'll be joined by a second policy dialogue session with colleagues from the Kyrgyz Republic and Ecuador. So with that, with no further ado, I'd like to again welcome you all and I look forward to the discussion. Mariam, over to you. Thank you, Mr. Williams. And thank you, Ms. Okura, once again. You're stressed already, but recent years showed a significant increase in the attention governments give to designing and implementing national cybersecurity strategies. And today we can confidently say that most of the countries around the world either designed and adopted a strategy or are in the process of doing so. And within the GFC strategy and assessment task force, members are exchanging information with each other about new land or in development national cybersecurity strategies. They're also tracking it to see progress or possible assistance requests. And we are seeing a trend that there are many countries from the global north, but also from the global south, who are in the process of updating their strategy or have already published their second or even third strategy. And additionally, there are more and more countries who are receiving capacity building assistance from multi stakeholders in the NCS development cycle. We have gathered today a group of distinguished experts from across the Asia Pacific region to reflect from their perspectives and share best practices on designing, adopting, and also implementing and sometimes even redesigning the NCS. So I am joined this morning by Mr. Desik Sim. Mr. Sim is Director of Cybersecurity Planning Division at the Ministry of Science and ICT of the Republic of Korea. I'm also honored to welcome Mr. Mutia and by saying that I see Mr. Mutia has not joined yet. Hopefully he will join us later. So moving to Mr. Toy Moana. Mr. Toy Moana is Director of the newly established Digital Transformation Department under the Prime Minister's Office of Tonga. And then for this morning's session last but not least, also Mr. Richard Elwin, Principal Policy Advisor in New Zealand's National Cyber Policy Office within the Department of the Prime Minister and Cabinet. So good morning, good afternoon, good evening, gentlemen. For the first round of questions, my first question I would like to address to Mr. Sim. Mr. Sim, the Republic of Korea is a pioneer when it comes to designing and deploying cybersecurity policies, regulations, and strategies. And I'm certain that there is a lot to learn from the experiences of the Republic of Korea's government. So what would you advise other countries as the first steps to follow in designing and deploying cybersecurity policies and strategies? Mr. Sim, yours first. Okay, I am very happy to share Korean cybersecurity policy and our experience. First of all, policymakers have to identify and understand the constituency they need to protect and the stakeholders they need to invite. You may be able to work on the measures that are fit into different constituencies once you get to know their characteristics and how much they are important. Let me take a few examples. Every country has telecommunication operators that are fundamentals for national management and they are often run by private entities. If these operators have a failure, then you might have a problem on your national management. So for these operators, a strong regulation is to be applied. In case of Korea, we assigned those important operators as special management agencies. Because they can impact our national management. If you are one of those operators, you need to set up your own cybersecurity measures every year and get examination on how well you are implementing your security measures. However, if the government tries to cover the entire private sector with the same regulation, they would not like it. Private companies tend to think that the damage by a cyber incident is only limited to them. And think that it is their own decision to either accept it or to invest on cybersecurity. So for the private sector, we make it a little bit easy. For example, we made it mandatory to have their own cybersecurity management framework only to the companies with a certain scale and to assign a chief security information officer. Different parts should be applied to companies which have different scale. Unlike bigger companies, small and medium enterprises do not have enough investment power for cybersecurity. Even if the government set up the regulation, they can't implement it. That is why for small and medium enterprises, we are using support-oriented approach. For example, for small and medium enterprises, we provide cyber security consultation and financial support for purchasing security products. This should be also protected. As you all know, it is impossible that the government regulates or supports every single citizen. So we do many public campaigns on what people can do to secure their own IT assets. Thank you. Thank you, Mr. Sin also for pointing out the support approach. I would like to address my second question of this afternoon to Mr. Toymawana. Mr. Toymawana, Tonga finalized its cybersecurity capacity maturity module assessment in 2018. Reflecting on this process, would you be able to share how this helped Tonga understand its gaps and priorities? Mr. Toymawana, the floor is yours. Thank you for giving me the floor and a very good morning and good evening and good afternoon to everybody that's joining. I'd like to just try and answer this question according to how it's been presented to me. As you have said earlier, we had an attempt to conduct a assessment on cybersecurity back in 2018. However, there were a few complications that we ran into. So we completed this process just recently and we were default to use the ISO 27001 and ISO 27005 to contact our survey and also to our assessment. The outcome of the survey is as we arrived after this assessment, we found out that there were policies, a few things that were needed to be looked at, like policies covering access management, locking and monitoring network security. These were some issues that were picked up from the assessment. Generally, we were implementing this at least to some extent and I believe that this is due to most of our operations were done in silence for many, many years. And when we were trying to get this framework together so that we can have some comments around this area of cybersecurity, we found out that there were like some policies that were implemented but not fully implemented. Second areas of the information security were not widely covered with policies and procedures. Such areas include mobile devices and remote access, backup of systems and data, vulnerability and better management, business continuity, disaster recovery, and information system outsourcing. The other area that we get to learn from this assessment is the implementation of information security measures in the public sector. The biggest gaps that we found out was in the secure usage of mobile devices and certification of access controls as well as responsibilities of vulnerability and batch management which is the attitude with the awareness and raising of employees. With this assessment, we default back to the kind of developing a national cybersecurity strategy from ITU and also the best practice from other organizations. We came up with six strategic tasks for TOMA, namely the implement safe digital governance, implement a risk management, also a threat preparedness and incident response, enhance the skills active and reliable departments of the international community and provide an enabling cybersecurity governance framework. Those were the six areas that will come out of this assessment. As we started this assessment, we were fortunate enough that the World Bank came to support and finance a World Bank project known as the TOMA Digital Government and Support Project which started completing our TOMA Digital Governments Strategy framework which is the guidance for all the activities that we have been doing here in TOMA including the cybersecurity development of cybersecurity. At the moment, we are moving on to developing a cybersecurity manual for the dominant government agencies carrying out the upgrade for the civil registration and national identity system considering all ministries to the secure government network that has been established as part of the initiative that we've done for the government and increment the data center consultation program for the TOMA government so that they can be beneficial from the cloud computing transition. In the area of the risk management, we identify the threats and what the beauty of the public sector information system in quicko IT infrastructure. We also perform a regular risk assessment in public organization and critical private enterprises. We prepare a risk indication in TCS as part of the activities that are still undergoing through the risk management. Also, in the area of incident response we have been going through identifying and defining the incidence management process for all the ministries and agencies. Introducing a requirement for report incidents for these organizations and hence the public private partnership on cyber crime and promote the reporting of incidents. The other things that we are also enhancing right now is the investigation and for instance capability of our TOMA. With the skills as part of the initiatives that we are doing at the moment based on the assessment is to continue awareness fielding incorporate digital literacy skills development into the educational programs from the Ministry of Education and also allocate additional resources for training of the trainers. We also recognize the importance of our international community and partners. We have been in touch with a lot of them in coordination of assistance from them and also exchange program that has been going with these partners. And lastly, with the enabling cybersecurity governance framework we are undergoing right now the review and classify the cybersecurity roles and responsibility among the public and the private sectors stakeholders as well as enhance the cybersecurity cooperation between national stakeholders and promote common cybersecurity initiatives and projects. And also develop common templates for cybersecurity related policies and guidance documents. And I believe that these are the activities and the outcome of the of the assessment state being done throughout the years in the series. And I think that's the conclusion. Thank you so much, Mr. Toy Malana for also pointing out that there was a range of topics covered and also the multi-stakeholder approach stressing also the importance for public-private partnerships. Thank you so much. My next question I would like to address to Mr. Elwin. Mr. Elwin, many studies and reports highlight how cybersecurity activities promoted by international organizations or developed nations often follow a supply-driven approach with more advanced countries exporting models, frameworks, people's solutions even that are not necessarily adequate or tailored to other realities, especially in developing countries. So when it comes to developing a national cybersecurity strategy, New Zealand works closely with many countries in the Indo-Pacific region. And my question to you is in your experience, what have been some key steps that New Zealand has taken in ensuring a tailored support to recipients? Mr. Elwin, go ahead. Thank you. Hello everyone. One of the comments I think I'd make would actually echo one of our South Korean colleagues made that the first question you have to make is actually look at what your actual national needs are. Most recently New Zealand has been having some discussions with the Cook Islands, a dependent territory of New Zealand, about what they wanted to do for their cybersecurity strategy. And the questions we asked that we developed with them were very much the ones that we were asking ourselves for our own strategy. The friend, the set of questions was, you know, what's the state of your national ICT and digital online environment and what are your main concerns? So for New Zealand, we were our first answer to that question that we already had a cybersecurity strategy. We also had quite a bit of capability. So that was our base point. For someone such as the Cook Islands, we looked at them and they had an excellent ICT for business strategy. And looking at that, that was a base which then you could build off. Some other questions, also looking at how broadly you look at ICT and cybersecurity. So asking about the broad social and economic and security issues that are affecting your online environment. Also in New Zealand, most recently, we started to develop our digital strategy for New Zealand, which we're looking at five years, taking a very broad look at the digital environment in New Zealand. And when we're looking at trust as one of the main themes, we're expecting to hear a lot about cybersecurity. But we heard a lot through our public engagement around misinformation and disinformation, which is something we saw is quite, you know, very important. But we didn't see, until we did the public consultation, we didn't realise how much of the forefront of people's thinking it was in terms of where we'd be thinking about technical cybersecurity, people were thinking about the misinformation that they were receiving online. Also for both countries, looking at what were the particular opportunities you might have in advancing or protecting your national interests. One of the things that came up in the last New Zealand strategy was why we looked very much at what you might want to do in a technical sense. We hadn't looked at the previously the importance of building the cybersecurity workforce and ecosystem, which if you do want to, you know, ramp up your capability both within the public and private sector, the workforce is something you can't ignore. And that was something that we needed to put extra focus on. Also some of the other things that we were looking at is around technological and digital governance. With the amount of some of some of the issues in cybersecurity are always the same. Now we're getting into your networks, the things that you always need to defend against. But looking at how the internet and internet users are changing the structure of how people use digital services, we also needed to look at whether the digital governance that we had in place was appropriate for the new environment. So looking at not just the technical side again, but also at the regulatory side. Some of the other things that we're needing to look at is also very much related to that one is what's going on in the international environment. Such as we've seen with cybercrime at the moment, we have some jurisdictions who seem to be a bit more comfortable with cybercrime occurring in their countries. And that's something that is becoming more of an issue over time. And something we very much look at multi-stakeholder approaches both with industry and with other nations and international bodies. Possibly the last question that you're sort of looking at in terms of a cybersecurity strategy and looking at what the scope of it might be was around what sort of policy support you need for your national resilience. Most recently in New Zealand, the largest issue we've had was a ransomware attack on one of our largest hospitals. And that really showed that when we were thinking about national security and national resilience, cybersecurity was an absolute core part of that. And then this experience that many nations have had, but it was one of the things that brought it home to us about how our national security and national security resilience was very important for cyber that cybersecurity is very important for that to looking at some of just the basic level of services that we had. So just to sort of go back to the core question, if we're tailoring what you need in your cybersecurity strategy, the first thing you need to go back is actually determine what question you're asking. What are the things that are of value? What do you need to improve on? And what are the things you need to protect? And that's that's pretty much the summary of where we got to. We had a problem with being on mute. Thank you, Mr. Elwin. I'll reiterate my thank you to you. I also heard a lot about the importance of the environment, public engagement, the ecosystem, the multi-stakeholderism, but also listening to what is actually needed on the ground. Thank you for that. This morning we're also joined by Mr. Rohan Motia. Mr. Motia is chairman of the staff of Sri Lanka. And Mr. Motia, good afternoon. I have the following question for you. A national cybersecurity strategy should connect cybersecurity and resilience with the broader digital priorities and economic aspirations of the country. And this of course requires an all-encompassing understanding of the overall digital and economic environment and also the risk landscape. So my question to you is, what would you highlight as the critical activities that have helped Sri Lanka in identifying and prioritizing cybersecurity gaps and objectives? And then also would you say that these have any interrelations with the broader national priorities? Mr. Motia, the floor is first. Thank you, Mario. Certainly there are five main areas or five critical activities that we followed. First and foremost was a clear delineation between civilian and defense. We have separate entities attending to civilian cybersecurity needs and defense cybersecurity needs. It was very important. The second one was we looked at our governance structure and we nominated a board of directors with diverse backgrounds, including in banking, utilities, technology, treasury, defense, legal, academia and information security. Of course, many of these directors represent areas where we have CII's of critical information infrastructure. Our third step was to engage with our primary stakeholder, which is the government. Some of the areas or some of the national priorities that came out of that engagement were the economy, health care, education, utilities, digital inclusion and of course the justice system. Now, one of the benefits or outcomes of that early engagement with our primary stakeholder was that we are now a signatory to the Budapest Convention. In fact, that happened more than five years ago. Our fourth step was broader engagement with other stakeholders, including the general public. The fifth step was really developing strategy, including an action plan which consists of six trust areas. So overall, these were really the critical activities which helped us put this together while also linking with national priorities. Thank you. Okay. Thank you, Mr. Moutier, for also stressing the link with the national priorities. I am happy to welcome also Ms. Bolor and then Batzengel. Apologies if I pronounced your name not quite correctly. But Ms. Batzengel is the State Secretary and Acting Deputy Minister of the newly established Ministry of Digital Development of Mongolia. Ms. Batzengel, welcome. And I have a first question for you. Mongolia has limited resources in terms of human capital and cyber expertise and in recent years there have been a significant increase in projects aimed at helping countries to develop national cybersecurity strategies. And we would love to hear how the involvement of external stakeholders has impacted Mongolia in the development of its strategy. Ms. Batzengel, of course, yours. Thank you, Ms. Marsho. And thanks for having me. It's my pleasure to share Mongolia's view on cybersecurity with the experts from organizations. So in general, the government of Mongolia has been paying so much attention and working towards establishing digitalization. Not only the government of Mongolia, but we have a lot of support from the public, especially younger generation to transform Mongolia to the digital nation. For this reason, we have established a new ministry called Ministry of Digital Development and Education effective from 1st of January this year. Last year we had four major laws approved for the digital development would include law on cybersecurity. And it's arguably it's very late to approve the first cybersecurity law just now in a few months ago, but we are working very hard to build cybersecurity system. And recently the new ministry is approving has approved cybersecurity national policy. And for developing cybersecurity national policy, we have collaborated with various stakeholders, including ITU, the World Bank, JICA, EBRD, UN and other organizations. When it comes to cybersecurity and given the current situation with the war and COVID-19 and a lot of series of crisis that we are facing in the world, the world and the countries need to have interoperability when it comes to cybersecurity so we can have same language and same standards for cybersecurity. For this reason, we have worked with the UN, the World Bank and ITU and many other organizations to make sure that cybersecurity can be our common language to communicate and help each other in the future. I hope that answers your question, but I'm happy to answer if there is more clarifications. Yes, definitely and also a good advice on the interoperability and the help that is needed from other stakeholders in the world. Dear panelists, I have a more or less open question for you and then please raise your hand if you would like to answer to this question. The first question is, which phase of the NCS life cycle, as discussed today, do you believe your country would most benefit from? And then also, is there a phase where you feel there's already an abundance of resources? So again, in which phase does your country most benefit from and is there a phase where you would feel there is an abundance of resources? Who can I give the floor? Mr. Alwin, go ahead. Thank you. I don't think there'd be any area where we'd say there's an abundance of resource. There seems to be one of the areas where there's always just too much going on and not enough people. In terms of the life cycle of strategies being gone through on a third cybersecurity strategy at the moment, one thing that we find ourselves always in need of is reassessing our risk profile for cyber. Much as a matter of, as technology develops, as firms change and as even such as the structure of your online networks alter as moving between, say, mobile or fixed broadband, working out what parts of your system are under the most pressure and what's changed from the last time you might have assessed it is something that we find ourselves in an ongoing phase. We're always needing to reassess our risk profile, look at our vulnerabilities, looking at our strengths, and trying to assess where we need to put our next piece of effort. And as I noted, and when I was talking previously, workforce was something that at our last strategy we found that we needed to put more effort into. Thank you. Okay, thank you for that. Any of my other panelists would like to comment on that. Do you recognize what Mr. Alwin just mentioned? Mr. Toymawana, go ahead. You're on mute. Sorry. Yeah, I just want to also carry on from the point that Mr. Alwin is elaborated on. I think, you know, coming from a small island community as well, a small island population, we do recognize those issues with human resources, especially our trained people. We do have some private people, you know, well-educated and complicated people, but because, you know, countries like New Zealand close by two times, more greener, they attract our people to stay there. And also other surrounding countries like Australia, even in the US and Fiji. And it's really, really hard to tackle that face of that we are doing right now with developing capacity in this area of cybersecurity. One thing that we recognize is the involvement of technology is going by so fast. And we need to update our people with all the emerging technology. And also we also have some projects that are deploying new technology in the islands. And we're trying to make sure that we apply the concepts of cybersecurity to make sure it's secure. We're also trying to build a platform where our citizens can be able to use the online services and also other services that are electronics in the sense that they do it in a secured way. But those development is very important for our development, for our digital development throughout the country. But like what Mr. Erwin was saying, you know, it's always a question and always a challenge of keeping our people in country and also trying to keep them in one place. We also have the issues of financial issues where, you know, our public sectors are facing, especially with the COVID issues that we're facing right now, it's really hard for them to develop. So it's an issue that we are trying to tackle, especially in a small island setting, like as here in Tonga. And I can speak for most of our Pacific language islands. We'll be probably facing the same issue. We're trying to keep our experts in the island. We also try to finance the projects and finance chains that they can expose to the technology and also the fast evolving technology of today. Thank you. Thank you, Mr. Toymawana. Mr. Sin, would you like to comment? Korea is different from Sri Lanka and NJJ land. I think Korea can be benefit from the monitoring and evaluation phase. For the monitoring purpose, Korea is doing also a two citizens and companies about their experience on cyber instance and the davages. I don't think this is enough for evaluating how well the government is doing. When we will get each policy, there is a lack of system that can monitor effectively how well that specific policy turns out. And if I compare with other countries, I think Korea has more regulation frameworks and programs that can support the policies in the aspect of implementation pages. Thank you. Thank you, Mr. Sin. Also for pointing out the differences. Mr. Moti, I see a raised hand. Go ahead. Thank you, Mario. Certainly, infrastructure and capacity building are always going to be challenges. I think, however, we see as the biggest challenge is creating awareness because that's an ongoing thing and it's really something creating awareness with the general public who also happen to work in various organizations which may contain CIIs. Their personal behavior sometimes carries through to their work environment and the way we have evolved now with working from home and working on the goal, not being fully aware and conscious of exercising certain disciplines is going to be an ongoing issue because let's face it. Control measures for cybersecurity impose controls on individuals or individuals' behavior and which, as you know, we don't like. So we see this as our biggest problem and certainly an area that we could benefit with assistance from. Okay, Mr. Moti. Yes, I thought your screen went on freeze but that wasn't the case. That's it. Thank you. Thank you so much and this bridges nicely to the second question I have for the panelists and if you feel comfortable, raise your hand and this is a good follow-up question. Hopefully the answers will also be helpful to the World Bank and ITU's good initiative because the World Bank and ITU have partnered in drafting and disseminating the NCS. Where else would you encourage the World Bank and ITU or maybe other stakeholders to partner to assist you in advancing cybersecurity in your country? For that question, this is on advice who would like to take the floor on this question first. Yes, Mr. Moti, go ahead. Thanks again. This goes back to my last and my closing point to your previous question. We've got to find a way to make it attractive or interesting for citizens to become more aware of the need to practice good cybersecurity. Now, this is not just a requirement for us over here. I think whilst keeping mind cultural differences, I think there's a lot of commonality cutting across different geographies and trying to develop either a program or a benchmark that citizens could aspire to is something that perhaps I think a party like the World Bank could help with. Thank you. Good point, Mr. Moti. I see you have a raised hand. What would your advice be? Thank you. It's a very good question. We live in a world where we face a lot of inequalities. We have inequality in gender, we have inequality in education, we have inequality in income and economy. Now with the digital development, if we have inequality, I truly believe that it will be very, very hard, almost impossible to field that inequality gap for digital development and digital inclusion. On cybersecurity specifically, I would urge and encourage the World Bank and ITU to implement a program on cybersecurity capacity building as part of maybe digital literacy programs or digital education programs, but targeting those who are already left out from digital development. We obviously have a lot of, I don't know, maybe more than the half of the world's population who do not have good knowledge of how to protect themselves in digital environment. But in this case, we have to start with those who are already left out of digital development. So I think it would be a very impactful if the two organizations join together to implement such a program, especially in developing and emerging countries. Digital inclusion is key. Thank you for that. And then to close the panel, I give the floor to Mr. Toyo Moana for a piece of advice on this particular question. Go ahead. Thank you. And I'd like to thank my fellow participants and my fellow panelists, especially those who have been elaborating on those issues, which also apply to the small islands like Tonga. I think to answer your questions in regards to our context in Tonga, I think we have, IGU has engaged in a lot of ways in regards to mitigating the problems with the building capacity. They have issues, invitations for online courses and stuff like that, which is very good for us. And I'd like to thank World Bank and IGU for that. But I would like to see more development going through to the educational sector, especially to the younger generation. Because right now, for instance here in Tonga, the mobile penetration is really, really high. And a lot of the users are young ages, teenagers and also students. But yet, we haven't really seen a lot of development in that sector in regards to cybersecurity. I think it would be good to invest in, like protecting the schools. We give them connectivity, but we also need to make sure that their connection is secured and also teach them the concepts of cybersecurity from their young age, so that they learn from that school, from their program, at the value of cybersecurity. But I think right now, with the common restrictions, there's a lot of home schools. There's a lot of connectivity from home. I think it's an area of investment that we need to focus on is the youth. How can we get them, practice them to be more resilient when it comes to issues with cybersecurity. And I think investment in schools and maybe secure the infrastructure will be a good thing for our, at least for our local context here in Tonga. But I think it will be the same best way in the Pacific as well. Thank you. And I think on that note, we are also considering time we are concluding this panel session. So a warm thank you for me, also from the World Bank and ITU, to the panelists for joining today, also for stressing to look for the environment, multi stakeholder approach, importance of public-private partnerships. There are a lot of things mentioned. So thank you, panelists. The GFCE is working on this already also for the last seven years, bringing everyone together to strengthen global cyber capacity building and expertise by coordinating and sharing knowledge, matchmaking and collaborating, as you know. And the GFCE Strategy and Assessments Task Force has also developed a catalog of projects options for the NCS cycle. And I invite you also to have a look at that. To continue to take forward the important cyber capacity building work, we will also be co-organizing the Global Conference on Cyber Capacity Building later this year in partnership with the World Bank, Cyber Peace Institute and the World Economic Forum, and with support from several member states. The conference will provide an important opportunity to bring together the cyber community and the development community to meet, to discuss, to share and also increase awareness and set a mechanism for cooperation, as well as secure a high level awareness also for cyber capacity building. And this is bridging nicely to our next session because after hearing about the what, the question is now, of course, also on the how. And the masterclass that is about to follow is a great opportunity to learn about the new guide and how to use it. And also hear from our host today on the mechanisms in which the World Bank, ITU and also other stakeholders could support the design, the implementation and maintenance of the NCS. So the next session will start with an introduction of the second edition of the guide to developing a national cybersecurity strategy and also drive a dialogue on it. It will also present available resources and provide practical tools and know how for implementation of the guide and the focus on the NCS lifecycle and sustainable implementation of the guide, so long term action plan allocation of resources and budget and evaluation mechanism. And then it will be concluded with a Q&A session. So I also warmly invite you to post questions in the chat box. And then afterwards contact details of our teams to discuss future cooperation will be presented at the end of the masterclass. And that I'll shush. It is my honor to hand over to the following speakers, Jiago Moa Senza, a cybersecurity research officer at the International Telecommunication Union, and also Hagai Meza Hav, a cybersecurity specialist with the World Bank's Digital Development Global Practice and also co-lead of the Bank's Cyber Security Community of Practice. Gentlemen, the floor is yours. Thank you, Mario. Hello, everyone. So we can start this second session. As Mario mentioned, this will be a masterclass. We will discuss a little bit the lifecycle, what are the available resources and how countries can engage with these resources. So here you can see the agenda for today. And we will first start with a general introduction of the guide to developing a national cybersecurity strategy, which is the document in which this methodology is really explained. So I will give the floor to Hagai for his overview. Thank you, Jiago Moa, and good morning, good afternoon, and good evening to everyone. Thank you for the speakers for our speakers so far. So we want to start with telling you a little bit about the guide. I mean, what is this guide and why do we need it? So cybersecurity is relatively a new domain of activity and there was a need to structure and provide a comprehensive overview of the national cybersecurity strategy lifecycle. The main objective was to assist policy and decision makers to think strategically on how to construct a national response to cyber threat. So the first edition of this guide was published back in 2018 and maybe a question would be why do we need again to publish a second draft so far? So we should look on cybersecurity even in the eyes of maybe dog ears. Few years in cybersecurity is a lot and a lot have changed since the first draft of the guide was published. Threat landscape changed dramatically, especially since the pandemic started and we see increasingly complex and evolving risk threats on countries. Although there was a huge increase of the adoption of national cybersecurity strategy since the first edition of the guide was published, I think we're talking about a 40% increase based on the latest GCI index. Still around 60% of low income countries do not have a full NCS in place and this is one of the reasons why we need that. One more thing was that implementation of a strategy is one of the most important part. This is why we decided to put an emphasis today on the life cycle of a strategy. Not only preparing and designing the strategy but also applying it, adopting it, implementing it and maintaining it through the life cycle of the strategy. So of all these challenges together came together for the need to draft a new or an updated cybersecurity strategy guide and a collaborative effort of 19 organizations and contributors from different activities from different places, whether they are a public sector, private sector, international organizations like the ITU, like the World Bank, but other stakeholders as you can see here all came together to draft this unique guide. The second edition was launched last November and what we're going to present today to you is first of all the what, what is this one, this guide and the how. How should we use it and what are the resources that organizations can support countries in the implementation of this guide? Next slide please. Thank you. So to start with the what, we want first to introduce to you the three main pillars of activities on cybersecurity that constitute the framework to supporting NCS life cycle. I'll start with the first one to the left operation. I would say this is the core of what the, the core of the activity, what we call in the World Bank operations. This is the actual practical integration of different activities into projects, expanding the available resources to projects designing a specific elements of projects which are protected, secured by design and enhancing the client cybersecurity resilience. Operation is the first pillar. The second pillar is knowledge, information-driven approach, development of a global public goods on cybersecurity and expanding expertise in cyber. One example can be, you can see this is a second bullet here in the middle. One example that we're doing in the bank today is a model building a developing a model for cost benefit, a quantification of the investment in cybersecurity to enable decision makers in countries to get their decisions based on a real data and make the right decision on the level of investment in cybersecurity. So this is an example of a knowledge product. And then last but obviously not least is the partnership. The reason we are all together here as cyber sees no physical borders and we all have to work together sharing best practices and collaborating mobilizing resources together to support cyber development. This is the third pillar of the activities. Then if you take everything and you try to encompass that into the NCS, the framework to support the NCS, we can say that through this partnership we are developing this knowledge product that will be able to help and assist client countries in integrating cybersecurity activities throughout the life cycle of the cybersecurity strategy into the different projects into the operations. I'll stop here. I'll ask Giacomo to take the stage from here talking about the guide itself. I'll come back and see you. Thank you. Thank you again. So as mentioned in this session, we are going to talk about the life cycle and you can see it here. So the life cycle is really the process which organizes all the activities that should be in place to develop a strategy. You can see that there are five phases. We have the initiation, the stock taking and analysis, the production, the implementation and monitoring and evaluation. Now of course, this life cycle is not only for strategies, but it can be applied to any cybersecurity policy, so really any policy. We like to look at this life cycle like a methodology and this is a methodology which has at least three main objectives. So the first one is to ensure that the process is organized following a clear and well-defined governance structure. The second is that the strategy is relevant to the national context in which it will be implemented because it really has to address all the needs of the country. And finally, the third objective is that all the stakeholders that are relevant to national cybersecurity are involved throughout the whole process of the NCS life cycle. Now today we are going to put a lot of emphasis on the involvement of stakeholders because these are crucial aspects and here we are really talking about all kinds of entities at the national level that could play a role in developing and implementing the strategy, but also that are affected by the strategy. So we're talking about the public sector, the private sector, academia, civil society and so on. Now there are a lot of reasons why cybersecurity is seen as a sort of collaborative project and this can look a little bit weird because normally the state and the government in particular is the one responsible for the provision of security, especially when it comes to national security and national interest, but the employment of digital assets has become so extensive and so all-encompassing that governments are forced to recognize a sort of responsibility and we can also say a sort of authority toward their entities. For example, if we take critical infrastructure, these entities are often privately owned and they are privately operated, but they're an essential pillar of national security. So a successful policy, a successful strategy needs to incorporate all the stakeholders to figure out how to make the country more resilient and more ready. So now we are going to have a look at the five phases of the life cycle and the very first step in the initial phase, in the very first step, the government should set up a clear and well-defined governance structure and this governance structure will lead the whole development process. And to do so, the government should appoint an actor, an organism or an entity which is responsible and accountable for the strategy. In the guide, we refer to this actor as the lead project authorities. Now, when we work with countries, we are often asked who should be the lead project authority and the reality is that there is not a universal answer because it really depends on the national context. It can be an already existing entity for example and a cyber security agency, the ministry of ICT or telecommunication, the national cert, so it depends, but it could also be a new entity established on purpose for the NCS. Now, regardless of what entity is appointed, the lead project authority has the mandate of leading and managing the whole NCS development process. And to do so, it should prepare what we call the NCS development plan. Now, this plan should outline what are the main phases and activities to be put in place. It should identify the human and economic resources that are available. It should also define the timeline and it should define what form should the strategy adopt. For example, if it is going to be a policy, if it is going to be a regulation, a law and so on, because of course, it really affects the formal procedures and also the timeline. And of course, as I mentioned before, this plan should also identify what are the stakeholders to be involved, what are the rules and what are the responsibilities. So, once the plan is settled and approved by the executive, we can move to the second phase of the lifecycle, which is the stock taking and analysis. Before, we mentioned that one of the goal of the lifecycle is to ensure that the strategy is relevant to the national context, that this is a, yeah, this is tailored to the national needs. Because of course, not all the countries are the same. They may have different level of cyber security capacity, for example. They may have a different level of digitalization and they face different risks. So, this phase is all about this. This is an assessment to understand where the country stands in terms of national cyber security posture in order to identify the gaps and the needs. Broadly, in the guide, we say that there are two aspects that need to be assessed. So, the first one is the national cyber security landscape and the second is the cyber risk landscape. The first one, so assessing the cyber security landscape, really looks at the capabilities of the country. So, what are the resources that are already in place? And here, it's really important to stress that when we talk about cyber security capacity, we are not talking only about technical aspects, for example, tools or infrastructure, but we are really talking about the capacity 360 degrees. So, we are talking about people, legislation, diplomacy and so on. Because a posture, a cyber security posture goes well beyond technical aspects, but it really includes all the layers of a society. And in this chart, for example, you can see that we broke down the capacity using the framework of the GCI, the Global Cyber Security Index, which investigates cyber security using five pillars. So, legal, technical, organizational, capacity and cooperation. But there are a lot of different frameworks and my colleague Gagai will discuss about them in a minute. The second aspect to be assessed is the cyber risk landscape. And these entails identify all the national digital assets, understand their interdependencies, understand their vulnerabilities and what threats they're facing. And with these elements, it's possible to estimate the likelihood and potential impact of a cyber incident. Now, putting these two aspects together, so the cyber security landscape and the cyber risk landscape is a way to understand how far the existing capacity is adequate considering there is faced by the countries. So, this phase is really a way to adopt an information driven approach to build a strategy, to build a strategy which is really tailored to the national context and it's aimed at filling the most critical gaps that the country is facing when dealing with national cyber security. Back to you, Agai. Thank you, Giacomo. I'm just complimenting what Giacomo was saying now. We would like to present to you the different instrument that our organizations can support clients when we come to this phase of stock-taking and analysis. I'll very quickly just go over them so you can write down the names of the possible instruments and then we can follow up with that with pleasure. So, we divided it into three layers, the national layer, which this is usually what we will address when we are working on the national cyber security strategy, then the sectorial layer and sometimes we need to drill down to the sectorial layer all the way to the layer of the project. But if we talk about the national layer, to the left of this slide, this is, I would say, maybe the most strategic, not strategic, but a wide broader assessment is called the digital economy framework. This is a word bank instrument, a DE framework for analyzing the level of digitization. So, the whole digital sector here, digital transformation, not only cyber security, but cyber security is embedded in this analysis, in this assessment, as a pillar out of others, pillars could be, for example, digital skills, digital platforms, and cyber security is part of them. So, we can always start with that. Then we have the very famous and well-known ITUCGI Global Cyber Security Index, which is being published once, I think in two years or so, and it's stock-taking the country's level of preparedness on cyber security, the government commitment, and other parameters on cyber security specifically. One of the other frameworks that we use a lot, I think in the bank we had at least 40 to 50 adoption and rolling out of this assessment, this is the Oxford CMM, Cyber Maturity Model Framework, which is again a national level gap analysis on cyber security. Then another tool that we have is specifically for cyber crime, is a cyber crime assessment tool. This is a toolkit that was published by the World Bank a few years ago, examining the current lead scape, the current maturity of the country to confront a cyber crime and gives suggestions and proposal recommendations on how to build the capacity to combat cyber crime. So, you have this range of national level cyber security assessment that could be used in order to do this analysis, stock-taking analysis for the NCS. Very quickly, if there is a need to have a more in-depth cyber security analysis study for a specific sector, so we are developing now in the bank what we call the CIAEP toolkit, Critical Infrastructure Information Infrastructure Protection Toolkit, that will at the end provide a sectorial toolkit for assessment and analysis of a cyber security that is tailored to the specific sector, taking into consideration that there is a difference between the energy sector, risk landscape, health sector, risk landscape, etc. Last thing, last but not least, I mean if we have a project, we have different type and tools of a risk assessment for projects that are examining the specific project, ITU is providing the National Seer Treadiness Assessment and there are other risk assessment methodologies that are aligned and ready to be adjusted for their specific projects. So, this is in a way the map of the different tools that we have and we're going to come back later on the other stages of this guide to talk about other activities, other proposed support activities that we have. So, I'll stop here, Gia, I'll come back to you. So, thank you. So, just to come back to the life cycle, now we have a governance in place and in phase two we have identified the gaps and the risk of the country and now we can enter in phase three which is the production. So, this is the phase in which the strategy is drafted, reviewed, approved and published. Now, of course there are a lot of different ways to carry out this phase and there is not one which is more correct than another but what you can see here in the slide is a very general example. Now, of course, the text of the strategy should reflect and be based on the key findings of the stock taking and analysis. Now, based on these findings, the Lead Project Authority should create a general outline of the strategy and this outline identifies the main focus areas that are going to be addressed. For example, critical infrastructure protection, cybersecurity legislation, capacity building and so on. And for each of these focus areas, the outline should also address and define what are the main objectives to be reached. Now, once the outline is defined, the real drafting and the real drafting can start and in order to make this process more efficient, the Lead Project Authority can create working groups. And of course, this working group should be associated to the specific section of the outline to the specific focus areas depending on their expertise. Now, again, even in the drafting process, it's critical to involve all the stakeholders and this can be achieved in a lot of different ways. For example, the stakeholders could participate directly in the working groups. Consultation can be organized or maybe the draft can be circulated in order to collect comments and feedback and then to integrate this feedback in the strategy. And this is really important because this ensures in the first place that the strategy benefit from the knowledge of the main expert in the field, but also that the strategy takes into account the real needs of the stakeholders that will be affected by the strategy itself. And this is also helpful to ensure the buy-in of the stakeholders, because of course, if they participate to it, they feel that this is also their product and they can reflect their needs in the document. Otherwise, if this is something that comes from the top, maybe the buy-in is not ensured. So here you can see just an example of what we have just said. So the outline, the division in focus areas and the working group contributed to these focus areas and then we have the working draft. Now, of course, one of the working drafts is finalized. It should be submitted for approval and this follows the national formal process. So depending if this is a law, a regulation and so on, and it depends on the country, of course. And finally, the strategy is published and promoted. And some countries prefer to keep it confidential, but a general suggestion is to publish it and to advertise it. So all the stakeholders are aware, even the people are aware, and also the other countries and the international community are aware of the strategy. So this is a best practice that we always suggest. So now that the strategy has been published, we can move to the fourth phase, which is the implementation. And this is probably one of the most critical phase of the lifecycle. Something that we will never stress enough is that the strategy is not only a document where countries formulate high level objectives, but the strategy is a real strategy we can say with the capital S, where countries really plan what they intend to do in cyber space, how they are going to orchestrate the resources to protect their national interest. So we can say that the strategy is a document which is entirely oriented toward the implementation. And of course, normally in this document, the implementation is addressed from a very general perspective. It's limited to mention main gaps, main objectives, but it doesn't go really into details. So there is another document, which is the action plan, which really organizes how the implementation will run. Now if we go back one second, in phase four, we know what are the cybersecurity gaps, we have identified the objectives, and in the action plan, we are going to define the practical activities, the practical programs to reach these objectives. Now, of course, these activities should be organized considering some national aspects, for example, the budget available, because they should be achievable and they should be realistic. The budget is not always the same and it's always not enough. So it's really important to consider this budget. And the action plan is a document in which the lead project authority prioritized the resources in order to address the most critical gaps first and the most urgent needs. Now I will give the floor back to Agai to have a look at some of these activities that can be included in an action plan. Agai, back to you. Thank you, Giacomo. So before the action plan, I mean, I'll divide it into two. First part is the production phase that you talked before, Giacomo. So obviously, I mean, our organizations are happy to support with advising on the design and preparation of the NCS, support with the definition of the action on vegetation plan, advising of the framework for the national sub-security strategy life cycle and having workshops on the different component to support this advisory. But this is the first part. And as Giacomo was saying, I mean, the action plan at the end of the day is a strategy within the strategy. It's a prioritization of all the resources and the different activities that were elaborated in the strategy. So through this translation of the strategy into an action plan, we are providing what we call the menu of option. Menu of option is like a menu in a restaurant. It's a list of different activities that we can support in different aspects. And we'll talk about how to later in the presentation, but in a list of different activities that we can support along the life cycle of the implementation and maintenance of the strategy. I'll give you a few examples. You see here, there are seven focus areas that also articulated in the guide. I'll just choose maybe two or three examples to present. For example, an establishment, I think it's a number three here, an establishment or enhancement of a national search, strengthening of a national search, seared, socks, this is an activity that could be done. Public awareness campaign assisting with a rolling out of a public awareness campaigns, two different type of audiences. It can be for government officials. It can be for the general public, all the range of different awareness campaign. CIP, critical infrastructure protection plan for priority sectors based on the priorities that are provided in the strategy. That is another type of activity that we can assist. Cyber skills capacity strategy implementation. Another type of activities and there are many, many other activities. These slides will be available later in our menu of option. This is an active work that we are doing now to provide a full menu of options of different activities that we can support and what is the best way and mechanism to support it. Yeah, I'll stop here. Giacomo, back to you. Okay, thank you, Agai. Now we can move to to phase five, which is monitoring and evaluation. This phase is often overlooked, but I really want to stress that it is as important as the other four phases. About 200 years ago, Lord Kelvin, the scientist used to say that in order to improve something, you need to be able to measure it. And for cybersecurity, measuring is difficult. It's really a challenge, especially when we talk at the national level, not only because measuring cybersecurity means collecting a large amount of data that come from unstructured sources, but it's really challenging and complex to decide what to look for. So what indicators to use? What KPIs to use? For example, when we run our workshop, we often ask what indicators would you use to measure the implementation and evaluate the outcome of your strategy. And the typical answer is the number of cyber attacks, where if there are less attacks, it means that the strategy is effective and that cybersecurity is actually working. In reality, this idea is not necessarily correct because for example, if there are less attacks, does it mean that the country is getting better at preventing them or that the country doesn't even have the capability of detecting them? And also, we don't have a clear definition of attacks because they are qualitatively different in sophistication, for example, in impact. So at what stage do we consider a malicious action to be an attack? And finally, the number of attacks depends on the threat and in some periods, the threat can be higher. For example, during election time, it's typical to record a higher number of attacks, even if the cybersecurity capacity in place is exactly the same as before. So this is just an example to show that monitoring is tricky and it requires good indicators. It requires effective indicators. In the guide, we mentioned that indicators should follow the smart logic that you can see here. So they have to be specific, measurable, achievable, relevant, responsible, and time-related. And these indicators, when we talk about monitoring and evaluation for the strategy, should measure two critical aspects. And it's really important to understand the difference because these are aspects that require a different type of indicators and that are not necessarily related. So the first aspect is the implementation of the strategy. And the second is the outcome of the strategy. As I mentioned, the KPIs are different and these aspects are not related. For example, if our strategy has as the main objective to raise the cyber security awareness of the personnel in the public sector, one of the activity could be deliver a training to the personnel. Now, a KPI measuring the implementation could be, for example, the percentage of personnel taking part to the training. But even if a reach 100% of personnel trained, it doesn't mean that the personnel is automatically cyber aware because maybe the training was not good. It was a bad quality or maybe the participants didn't pay attention. So this means evaluate the specific outcome. And for this, I will have to use a different indicator. For example, I can prepare a quiz or a test or an exercise on the topic of the training and see if the result is good or not. And I can repeat this exercise every six months, for example, and see, for example, if the outcome are sustainable and they last long in time. So monitoring the implementation, it's easier because the indicators to be used and the aspects to be investigated are more concrete. Evaluate the outcome of the strategy is way more complex and definitely further research on the topic is needed at the international level. But yeah, so these are the two main aspects to be investigated. So this was the last phase of the life cycle. Now I will give the floor back to Hagai for maybe the most important slide of the presentation, which is the how to. So Hagai, back to you. Thank you, Giacomo. So now when we understand the different five stages of the guide, maybe the question that we are asking ourselves is, so what next? How do we really utilize it? And how do we use the resources and support that can be provided by different stakeholders? We're going to present to you here two line activities, I would say, that we can demonstrate here. But I must say this is not an exact science. So the bottom line, I'll state the bottom line now and I'll say it again at the end. Just reach out to us, reach out to the World Bank, reach out to ITU, the different stakeholders, you know, to engage in a discussion and then we can really decide how the mechanism of support can be rolled out. So here on this slide, you can see two different type of activities. One is what we call non-lending activities, and the other one obviously is the lending activities. The non-lending activities, some are calling technical assistance in the World Bank, is a smaller scale assistance and it's a standalone activity. It's not part of a big project, but a specific activity, a standalone activity. I'll give an example, that could be an assessment, that could be maybe a type of an advisory, that could be a specific training module, et cetera, et cetera. I'm sorry, usually it's being part of an active policy dialogue between the bank and the client country and the ministry responsible, or it can be even initiated. But you just reach out to us, we'll have our contact at the end, reach out to us, and we can do the connection and start, you know, rolling out in activities to support NCS. Then the support is of course subject to availability of funding, but the funding here is funding from the bank, so there are different type of funding, trust funds, or bank fundings, et cetera. And of course it supports different activities, part of them we already presented earlier today along the life cycle of this strategy. This is one type, one possible channel of support, one mechanism. The second one is what we call large-scale financial assistance to the country, part of a lending. Usually this lending should be triggered by a request that is coming from the ministry of finance of the specific country to the specific counterparts in the World Bank to trigger the process of starting to plan cyber security activity. Need to say usually cyber security will be a subcomponent, an activity within a much larger-scale holistic digital program, and usually we're talking about a program that are between five to seven years of implementation, it's a long implementation phase. Once we have a request from the client, we start a negotiation with the client, we start to discuss with the client to identify the different activities, the different gaps that we need to address to prepare to a price, and at the end of the day to get this project to the approval of the Board of the World Bank. This is a master activity and these two activities can work together as well. And I said at the beginning there is not a specific direct answer on how to do it. It's mainly a result of the discussion between the bank teams and I'm sure that's the same thing for the other organizations. Maybe Giacomo would relate to the ITU. So this is a result of a conversation between the teams and the government and the ministries on the other side of the campus in order to support in different activities along the life cycle of the strategy. Giacomo back to you. So thank you, Agai. Okay, so I think we can just provide a quick summary of the session. So some elements that I would like to mention that I think are really important is that the first one, the strategy is not a document but it's really a plan. It's a framework which covers how the country will orchestrate the resources to reach a practical cybersecurity objective. So we have to make the difference between the strategy level and the action plan. And as Agai mentioned, the action plan is a strategy within the strategy. Other elements to remember is that the strategy should follow an informed decision making. So the first step is really to collect information and really see the gaps, what are the needs, and address them. It is also important to involve the stakeholders because cybersecurity, again, is a collaborative effort, not only at the national level but also at the international level. The governance is key. The responsibilities, accountabilities, roles should be well defined, should be well established and clear to everyone. And we need an institution, an agency which has the grip on it. So which is the main focal point for the country. This strategy should be in line with human and economic resources available because, of course, a lot of countries, for example, would establish a strategy which is too ambitious. So then it cannot be implemented because there are not enough funds and these funds are not secured in the long term. And also international cooperation is key. So reach out to international stakeholders that can support you, not only international organizations but there are a bunch of stakeholders, for example NGOs, other countries, private entities and so on. And this is a good way to get support. Now I would like to conclude with a quote from the director of the development bureau of ITU, Doreen Bogdan Martin. And she said that cybersecurity and digital development are two phases of the same coin. And they are really interdependent and we cannot have a sustainable digital development if we don't have cybersecurity in place. And overall I would say that the role of security in general and cybersecurity is not to say no but it's always to say no but and try to put in place elements which makes this digital transformation possible and sustainable. So I think that's here you can see our contacts, we have the contacts of ITU, the website, the email and the contacts of the World Bank website and email. I don't know Agai if you want to add something here. Well thank you so much, Giacomo. So thank you. So thank you, Agai and Giacomo for this extensive presentation. And to you participants today we have heard of the what and also now of the how of the NCS guide and I cannot stress this enough. The guide is one of the most comprehensive overviews of what constitutes a successful cybersecurity strategy. It was posted in the chat but I'll reiterate it again. More information can be found on ncsguide.org. And then I would like to thank the speakers but also the panelists of the panel that we had earlier today and also a big thank you to the participants today from the Asia-Pacific region and also from across the world. We're thank you also to the organizers, the World Bank and ITU and all the other organizations who took part in the establishments of the NCS guide. If you missed something or you are willing to hear other partners from Central Asia, Africa, Europe and Latin America, they are invited to the second session that would take place today from two to four Central European time. Then if it's too late in your time zone, which I can imagine, a recording is also available on the ITU website and the link will follow shortly. Please note also that this event is part of the ongoing knowledge sharing event series on cybersecurity at the World Bank and also part of the ITUD cybersecurity capacity building activities for member states. And the next event is on gender inclusion through cyber schedule for mid-may. So with that, please stay tuned for future events and also feel free to contact us on the email seen on the screen. I would like to stress that more information could also be found on the GFC website, which is the GFC.org. Thank you all. Goodbye. Recording stopped. Thank you very much. So if it's the end, I will close the meeting and I will see you this afternoon. Bye. Yes, thank you. Thank you so much. You're over everyone. Thank you. Thank you very much. Thank you everyone. Bye-bye. Have a nice evening.