of process of work that has been done, of course, by the UN as a whole, which is the UN Secretary-General's Roadmap for Digital Cooperation, as well as the UN Common Agenda, that emphasize both the importance of trust, security, and stability. So that is really linked to the overall UN process and also to what countries are actually undertaking in terms of securing infrastructure and making sure that the online experience is safe. And we have seen also a certain increase of national strategies, cybersecurity strategies at the country level. So we estimated today we have around 127 countries out of the 193 countries representing the UN, I mean, as UN member states, that have one in place. So it is good progress, but still we need to work more to bridge the gap. And the gap is still estimated at 60% in terms of least developed countries that don't have at all a national strategy, a national cybersecurity strategy, in place. So it is really, really imperative that we carry on supporting and assisting, but at the same time that the countries are actually realizing that having a national cybersecurity strategy is not only a complex task, but it's also a needed task. This is something that must be done at the national level. So we need to put our collective expertise to work to help nations in that sense. So in addressing this, the ITU facilitated, but only facilitated, and I want to stress that because it was really, really purely a 100% collaborative, equal-footing approach. So a working group of partner organizations developed the second edition of the guide to develop a national cybersecurity strategy. In fact, the collaborative effort involved 20 different specialized organizations, specialist organizations, between the UN, the private sector and the academic community. As you say, Mario, GFCE was part and actually contributed, even if observed, to the process.
And I'm pretty confident that this guide will really serve as an invaluable tool for policy makers, regulators and all stakeholders with an interest in building a safe and robust digital environment. So the role of partnership here can never be overstated. We made an effort to have a collaborative approach in producing the guide, and the very same approach has to be manifested at the national level where, when a country is undertaking a process of building a national strategy, it is really important to make this and to undertake this journey as a collaborative effort in engaging all the different stakeholders. So today we are with the World Bank with you to promote this kind of strategy reflection on cybersecurity and, as Mario was saying, also to kind of add a little piece of learning on the usage of the guide and, generally speaking, on the national cybersecurity strategy concept. So I would like to encourage all of you to be part of this partnership, to continue to collaborate in the future and to work closely with governments and regional and international organizations, with law enforcement, with academia, the private sector and all the other entities to carry on, let's say, having this kind of collaborative and multi-stakeholder approach. And with that, Mario, thanks a lot and thanks to everyone for the time, and back to you.

Yes, thank you, Mr. Obiso. We cannot stress enough that we can confidently say that most of the countries around the world either designed and adopted a strategy or are in the process of doing so, but we're not there yet. Within the GFCE strategy and assessment task force, members are exchanging information with each other about new planned or national cybersecurity strategies in development. They're tracking the process and also to see progress or possible assistance requests.
We're also seeing a trend that there are many countries from the global north, but also from the global south, who are in the process of updating their strategy or have already published their second or even their third strategy. And additionally, there are more and more countries who are receiving capacity-building assistance from multi-stakeholders in the NCS development cycle. So today we have gathered a group of distinguished experts from across the world to reflect from their experience and also share best practices on designing, adopting and implementing the national cybersecurity strategy. And I am proud to present to you today the panel with esteemed panelists. I would like to start with Mr. Santiago Noriega of Ecuador. He is director of infrastructure, interoperability, information security and civil register of MINTEL. Welcome. I have also with me here today Ms. Indira Sharshanova. She's deputy minister, digital development of the Kyrgyz Republic. I'm also joined today by Mr. John Riles, head of cyber policy coordination staff at the federal foreign office in Germany. Welcome. My fellow countryman, Mr. Peter von den Berg, head of international cybersecurity policy with the national coordinator for counter-terrorism and security. Welcome. And last, but not least, also Professor Lorena Alberto Schemann, professor of computer systems and of the administration and security of information systems at the Eduardo Mondlane University in Mozambique. Welcome to my panel. I would like to start the first round of questions. And my first question would be to Mr. Riles of Germany. Mr. Riles, Germany is well advanced when it comes to designing and deploying cybersecurity policies, regulations and strategy. We believe that there's a lot to learn also from the experiences of the German government. What would you advise other countries as the first steps to follow in designing and also deploying cybersecurity policies and strategies? Mr. Riles, the floor is yours.
Thank you very much. And warm greetings from Berlin. Very happy to join you from the German Federal Foreign Office. And I'd also like to say that Germany is very happy to support the World Bank Cyber Security Trust Fund. And very glad to learn that this webinar is part of the activities financed by that fund. Yes, getting started. That's usually the most difficult thing, really starting such a complex undertaking as the National Cyber Security Strategy. Germany has just been through that process and because we've just put out our latest strategy in the form. And what I would say is really most important is what was already mentioned by Marco Obiso from the ITU in his opening remarks, what he called the collaborative effort. And with that collaborative effort, I think we are really directly speaking to the importance of multi-stakeholder involvement. Because I would really think that for any government which is attempting to put out the National Cyber Security Strategy, the best starting point would really be to identify those key stakeholders from private industry, from science and academia, and also from civil society. And of course, also from the wider government, really identifying all the different government entities that have a stake in cybersecurity. Law enforcement had already been mentioned by the ITU in the opening remarks. And have that set of multi-stakeholders ready and then start a consultation process involving all these stakeholders to really learn about their priorities because once you really get direct feedback from private industry or from law enforcement, you get a much better picture of where work needs to be done, where gaps are, where weaknesses still exist. And I would say that really provides the best basis for a government to then start and work on its own priorities. 
Once you have these multi-stakeholders on board, once you have that consultation process going, you would obviously need to summarize the findings, make sure that you have a good strategic document summarizing all the input that you've gained, and then sit down without the stakeholders for a moment and think what is actually the wider political picture? What is our wider government agenda? What kind of goals do we need to achieve, for example, in terms of economic development over the next few years? What is the kind of threat landscape that we are finding? What kind of cyber attacks are we seeing? What kind of cyber crime is rampant in our country? So I would say these are very important considerations in terms of the threat landscape. And then when you put all these three things together, the input gained from multi-stakeholders, the government priority in terms of national development, where the economy is going, and also another very important issue in terms of cybersecurity, where do you want education to go? And then you can actually set out and make a plan of what needs to go into the national cyber security strategy, what are the issues, the kind of issues that need to be covered. And two other things that I would mention is that you would really need to think of from the start is one, how to get organized? How do you really organize this whole process? Really starting from the multi-stakeholder involvement? How do you actually build a good platform that makes sure all the stakeholders that you want to have on board actually find it attractive to come and talk to you? So you'd really need to think of good incentives to activate these stakeholders. And then how do you organize the best platform for having that kind of dialogue? The other thing is how do you organize the process on the government side in terms of really steering the process? Who's going to draft the agenda and the strategy? So that needs to be sorted out. And that's not always so clear-cut. 
What should really be the responsible government entity to do that? So I think that's also one very important question to be sorted out at the start. And then the final recommendation would be to really think of implementation really from the beginning. And implementation usually starts with availability of funds. So I would really say it's key to involve parliamentarians, yeah, the budget committee, but also others from the start and tell them about your work. Involve them possibly already as part of the stakeholder process to make sure that they are on board. They have the right sensitivity that will allow them to take prudent budgetary decisions once you need their funding. So I think these are the three points that I would mention or that I would recommend any government that thinks of starting a national cyber security strategy process should really take into account the moment they get started.

Thank you, Mr. Riles. Also for reiterating the importance of having a multi-stakeholder approach. Thank you for that. I would now like to move to Mr. Santiago Noriega from Ecuador. Since 2018, we have seen a 40% increase in countries that have adopted their own national cyber security strategy, evidencing that cyber security is being perceived more and more as a priority. And my question to you, Mr. Noriega, would be: would you be able to share how the perception of cyber risk and also the need to strengthen the cyber security posture has changed in Ecuador in recent years? Go ahead, the floor is yours.

Good morning, can you hear me? All right, thank you very much on behalf of the Ministry of Telecommunications of Ecuador, on behalf of Dr. Diana Meino. It is a pleasure for me to be with you now, with the ITU and the World Bank, sharing this small space where we can, in some way, make known how Ecuador has worked on this matter of the national cybersecurity strategy.
In response to your question, I can say that definitely, in a digitalized world, threats moved to the network, as our previous panelist mentioned, and just as in the physical world, no one can be completely safe. However, we can take preventive measures and thus raise our levels of security. The security of citizens in the digital world is one of the most important work items. That is why in Ecuador we changed paradigm, we changed our way of thinking, and we opened up to the world and brought to the country professionals from the European community, the United States, Central America, and experts from Estonia, specifically so that they would share with us their knowledge of cybersecurity. From this Ministry of Telecommunications we issued regulations using international standards and good-practice guides in cybersecurity to build and, above all, to strengthen the national capacities that guarantee the exercise of the rights of our citizens and the protection of the State with the latest technological trends at the international level. I can tell our listeners that among some of the activities we have carried out as a Ministry there is, as a first and very important point, the formation of our first National Cybersecurity Committee of the Ecuadorians. On 16 August 2021 the formation of this Committee was carried out; it is led by MINTEL and is made up of several ministries of this country, such as the Ministry of Defense, the Ministry of Government, the Ministry of Foreign Affairs and Human Mobility, the General Secretariat of Public Administration and Cabinet of the Presidency of the Republic, as well as the Center for Strategic Intelligence. Since then we have already held three meetings of our National Cybersecurity Committee.
Additionally, I can tell those watching us in this space that as Ecuador we are strengthening the national policy and the cybersecurity strategy of the Ecuadorians with non-reimbursable international cooperation from the OAS through its Inter-American Committee against Terrorism, CICTE, the World Bank, the International Telecommunication Union, ITU, the European Union through its Cyber4Dev project, the BIT and the Government of Estonia. Additionally, as Ecuador we are promoting accession to the Budapest Convention, which, as you know, is a multilateral instrument for combating digital crimes and offenses. Ecuador's entry into this convention had been pending for more than 15 years, but now, under a government that works for the cybersecurity of its citizens, the Committee of Ministers of the Council of Europe decided to extend an invitation to Ecuador to accede to this convention this past 1 April 2022. We are currently working on the next phases to accede to this convention. Additionally, as the Ministry of Telecommunications, on the ground in cybersecurity matters, we implemented mandatory measures for the preventive and corrective strengthening of information protection for institutions. Additionally, we carried out several physical inspections in each of the institutions of our public administration to verify compliance and the current state of these technological infrastructures. We updated our Government Information Security Scheme, which is a document that sets the guidelines that the institutions of the executive branch must comply with, all based on cybersecurity matters. In November of last year, 2021, we received the first visit from a delegation of experts from Europe, Cyber Resilience for Development, Cyber4Dev, to promote cyber resilience and cybersecurity, as well as data protection.
This visit made it possible to strengthen incident response capacity. Several workshops were held, 680 people from the central public administration, that is, the government, civil society, private and public companies, banking, academia, among others, just as our previous panelist told us that it is important to address these points of society. Additionally, we were selected by CyberNet, a European Union project, to establish a cybersecurity hub in Latin America and the Caribbean, LAC4, where the European Union will share its knowledge and best practices in cybersecurity from Ecuador to the rest of the countries of the Andean region. All these management milestones allowed us to rise an additional four points in the Global Cybersecurity Index of the International Telecommunication Union, going from 26 points in 2020 to 30 points in 2021, and our goal is to reach 51 points in 2025 at the close of our government. Thank you very much, Margo.

Okay, thank you, Mr. Noriega, for also underlining the extreme importance of cybersecurity in the digital world, and also for explaining a bit more about the great development of having established the First National Cybersecurity Committee, in which different ministries of your country are established. So thank you, thank you for that. Next, I would like to give the floor to Professor Ciamani in his capacity as chairman of the board of the Mozambique Institute of Information and Communication Technologies, the INTIC, which is the ICT regulator of Mozambique. Professor Ciamani, Mozambique finalized its cybersecurity capacity maturity model assessment in 2016. And would you be able to reflect on the process and also share how this helped the country understand its cybersecurity gaps and priorities? Professor Ciamani, the floor is yours.
Thank you very much for the question, but first I would like to thank the opportunity given to Mozambique to participate in this forum and share our experience. Yes, following the line of the previous speakers, Mozambique has been working on ICT development from 2000, where we have our ICT policy with the growth of the use of ICTs. We started noticing the increase of negative behavior and negative attitudes of internet user and we thought that would be important to think on actions to draft cybersecurity strategy. But we understood also that to be able to conduct the process of designing and implementing the cybersecurity strategy, it will be important to understand the landscape of the ICT using development and also identify the main areas where as a country, including government, private sector, academia and civil society would focus our attention in priority activities to promote preventive measures in order to enable the citizen to participate in the digital society. So the assessment that was conducted was helpful to us in terms of technically having the identification of the main weaknesses, in terms of human resource, institutional design and capacity in terms of policies and here more concrete in terms of the laws and regulation related to promoting safer environment in the cyber space, but also we were able to learn about the specific groups, social groups that were being the main targets of negative activity within the cyber space and we are talking here specifically of women and also of children. But we also learned interacting with the private sector that the critical infrastructure to provide social services was one of the area that would be needing to focus our attention. 
So the outcome of this assessment helped us to design the process of formulating the cyber security policy and strategy and also identifying the areas where there is a need of a legal instrument, but also of a regulatory instrument, in order to create an environment where the citizen, the government, the private sector could conduct the digital activities and mainly the provision of services, and also allowing the citizen participation in the governance and also the development of economic and social activities. This is what I would refer and share as part of that process, but maybe the assessment was followed up by activities conducted by the government, and more specifically by the Ministry of Science, Technology and Higher Education that oversees the ICT, more in partnership with our colleagues from the Ministry of Transport and Communication that's dealing with the telecommunication infrastructure development, in collecting experience around the world from other countries that we do have a bilateral cooperation with, but also with multilateral agencies, in terms of the framework, the tools and instruments that are available, so that when we start the process of designing we would not start from the blue, out of the blue, but we would learn from the best process and experience of other countries that have gone this path and they have already their strategies and are also in the process of the implementation.

Thank you, Mr. Gemana. Also for pointing out that it's important to understand the landscape first and also take a multi-stakeholder approach, but not stay only with assessing a situation but move forward towards activities and by doing so also learning from other stakeholders in other countries. Thank you so much for your input. My next question would be to Mr. Peter van de Beeren from the Netherlands.
My question is: in the national cybersecurity agenda the Netherlands indicates that it is committed to strengthening the global cybersecurity chain by improving the security level of third world countries through strategic capacity building projects. Could you explain how this commitment is reflected in the NCS-related activities and also what the Netherlands sees as some of the main benefits of providing this kind of support to other countries? Mr. Van de Beeren, the floor is yours.

Thank you very much, Mario. It's great to see you and thank you very much for participating in this panel. Also a great thanks to the ITU and the World Bank Group for organizing this event and also congratulations on publishing the second edition of the guide on developing national cybersecurity strategies. I really appreciate sharing the experiences the Netherlands has in developing and using, implementing our national cybersecurity strategy. We are now in the middle of the process of our fourth strategy, already started in 2011, and we hope this year to publish the fourth strategy. I think first of all, it's very important to look at the situational picture and the threat and cybersecurity landscape. As we all know, our society and our economy are fully digitalized and are very much dependent on the well-functioning of our digital networks. And we also see that threats from state actors but also from criminals, cyber criminals, are becoming more intense and are increasing and becoming more sophisticated, as we all have seen the past few months and years and practice on all the incidents we have seen. And we also see that cybersecurity cannot be seen in isolation from geopolitics internationally. So the resilience of our society and our economy and our national interests very much depend on the developments in the digital domain.
And in that regard, the Dutch approach and the Dutch national cybersecurity strategy is characterized by a number of guiding principles and main elements. As previous speakers, we also very much follow a whole-society or a whole-nation approach involving all kinds of stakeholders from the public sector, from the private sector and private partners, from citizens and civil society. So it's really a joint effort and a joint responsibility to bring the level of resilience where we want it to be. And also our national agenda and our strategy is identified or characterized by an integrated approach covering all kinds of areas. So all the areas that are relevant at national level but also international level for bringing the cybersecurity further. A very important element, and that's your question, in our strategy, a building block, is capacity building. Cyber technology is being developed at an ever-increasing speed and our time to increase our capacity is running away. And we also know that at national level but also internationally the weakest link of our system and of our networks defines the strength of our international chain. So also internationally, to reduce the threat but also to increase our joint resilience against cyber threats and incidents is something that should be approached internationally and together. So in that respect capacity building is a very important element in our strategy and an important pillar. And for the Netherlands, the GFCE, the Global Forum on Cyber Expertise, established in 2015, is a very important platform and vehicle to focus our capacity building initiatives. In that respect, a number of topics that I can mention are protection of critical information infrastructure, CSIRT maturity, public-private partnerships and coordinated sort of disclosure; these are topics that we are internationally cooperating on and using or putting in our capacity building projects.
It's an essential block for both the Netherlands and the EU as well in their approach to cyber diplomacy. So in this arena and this domain human rights, respect for international law and customs, safety, security, economic growth and development are all respected. And through our capacity building efforts we aim to reduce the number of places where cyber criminals are offered impunity by increasing technical, judicial and diplomatic striking powers. And to address these global challenges, such as decreasing the digitalization gap and improving responsible state behavior in cyberspace, it's essential to create international alliances, and the Netherlands shares its expertise, for instance in international law and public-private partnerships, as I already indicated. I will finalize by mentioning that our capacity building activities and initiatives are focused on three main ways. First of all, the multi-stakeholder governance: together with like-minded countries but also with involvement of the private sector and civil society, we focus and strive to have the governance of the internet, to bring that further. We also focus on increasing the digital resilience of third countries. And also we try to broaden and intensify the coalition in the multilateral framework such as the United Nations. On the process, how we are now developing our fourth strategy, I think will be something for the second round of the discussion. Thank you very much.

Thank you, Mr. Van de Bergh, also for describing that it's important to have a situational picture of the cybersecurity landscape, that resilience depends on the developments in the digital domain, but also for stressing the importance of cyber capacity building. And as you have heard, the Netherlands has expertise on a wide realm of cyber issues, not in the least on critical information infrastructure protection, also on CSIRTs and public-private partnerships. So thank you for that, Mr. Van de Bergh. My next question is addressed to Ms.
Indira Sharjenova of the Kyrgyz Republic. Ms. Sharjenova, the Kyrgyz Republic published its first national cybersecurity strategy in 2019 following a cyber maturity assessment and training program conducted in cooperation with the World Bank, the Oxford Cyber Security Capacity Center and also KISA. And I have two questions for you. What were the main challenges with the implementation of your national cybersecurity strategy and also what assistance from the international community would be most helpful? So Ms. Sharjenova, the floor is yours.

Hello dear colleagues, all participants, let me welcome you in the name of the Minister of Digital Development of the Kyrgyz Republic. I would like to thank you for the opportunity to participate and perform at such an event where we consider the challenges of cyber security, which is the most relevant issue in the trend and in the modern world when we have an active digitalization and we are responsible for your questions. I would like to note that, as you said, with the support of the World Bank through the involvement of the Oxford Global Center of Potential Development in the field of cyber security, the Korean Agency for Internet and Security, research was conducted, on the results of which recommendations were provided in the field of cyber security. All these recommendations were based on the strategy of the development of cyber security 2019-2023 of the Kyrgyz Republic. If we touch on how much it helped us, of course, recommendations were very helpful to us. They were important to us. The help provided by the research, by the recommendations, of course, was based on the implementation of this strategy. The strategy was developed for us and the plan of the world events for the implementation of this strategy is expected. According to the results that we have today, that is, the Coordination Center for Cyber Security with the National Security Committee of the Kyrgyz Republic.
This Coordination Center was created with the support of the Korean Agency of International Coordination in the Kyrgyz Republic. Also, according to the results of the joint work of the Ministry of Digital Development with the support of the World Bank and the ITU of the International Coordination Center, we are created and created in the center for reaction to cyber threat. This is local for the Ministry and the Department. Also, in the field of legislation, we have done a lot of work, developed and established normative legal actions in the field of cyber security regulation. Also, we have a very good result, we can note that we have a special agency on the protection of personal data. And this agency is created at the Cabinet of Ministers, which is also such a good achievement for the security of data. At the same time, we realize that the trends of development in general digital technologies and solutions, of course, increase risks in the field of cyber security. Accordingly, we need specialists in the field of cyber security. And we feel the lack of specialists in this industry. And we also need to do so that our legislation does not react to these threats of cyber space, that is, so that they are more such a model to be able to adapt. Also, we note that our strategy for cyber security, 2019-2023, it was oriented to the 23rd year. That is, from this, that next year we need to review certain moments, review our next tasks. And in this part, I would like to note that again, the help of international experts and donors, considering the strategy of cyber security and their recommendations on changes, would be very appropriate. And we need this, which we note. And as it were, that is, we are modeling new models, new action plans, actions for the next few years. And that's all I would like to say. Thank you for your attention. If there are any more questions, I am ready to answer.

Ms. Sharjanova, thank you so much for your input for this panel.
You mentioned development of a new cyber security strategy stretching until 2023, and then also stressing the importance of having a plan of measures to implement. You stressed also that a coordination center thereafter was established, as well as a center to respond to cyber threats, and then also how important adaptation of national legislation is. So thank you so much for that. In the meantime, dear panelists, we have received a question from the audience and this question is specifically addressed to Mr. Noriega. And Mr. Noriega, the question is: cyber security requirements tend to be financially heavy to small and medium enterprises. How to balance the obligations imposed by policymakers and regulators with sustainability? Would you be OK to take this question, Mr. Noriega?

Of course, thank you very much for the person who asked this question. Indeed, the balance that you mentioned is mandatory in the deployment of a national cyber security strategy. In Ecuador, in coordination with several ministries, and specifically with the Ministry of Production and Foreign Trade, and in Ecuador, several agencies have been made to reduce the cost of several telecommunications and security teams, and we are still working on it in a coordinated way in order for this reduction to be effectively, as you mentioned, in some way promote accessibility and the accessibility of these teams in order to have this sustainability or this balance that is being sought between politics and implementation as such in each of the countries. Thank you very much.

OK, thank you for your response to that. Mr. Riles, actually the question is now also addressed to Germany. So again, cyber security requirements tend to be financially heavy to small and medium enterprises, and how to balance the obligations imposed by policy makers with sustainability. Mr. Riles, for you.

Thank you.
Yes, I mean, I think what we really need to establish in the private sector is a culture of investment in IT security and to make sure that entrepreneurs see investments in that field as part of their overall investment strategy. What we see sometimes is that businesses like to invest in those IT equipments that allow them to gain more market share, increase sales. So everything that is really based on expanding businesses is something that's part of the initial business plan, but really making room for investment in IT security at the same time is something that is not the most popular idea. And that is not that easy to sell with the stakeholders sometimes. So I think what's really very, very fundamental is to make sure that this becomes part of the corporate culture, that there can be no sustainable business model that does not invest in cyber security. So I think that's really the main point, and because we are talking about private actors, the funds will ultimately need to come from the private sector. This does not exclude the possibility of governments helping out with funding, providing seed funding for this in the first stages. But I would only see this kind of government aid as a first step, because ultimately it's really businesses that need to take care of their own cyber security and that need to provide the right funding for that.

Yes, thank you, Mr. Riles. I hope this answers the question from the audience. I received another question, which is addressed to all panelists, actually. So please raise your hand if you would like to respond to this question. And the question is: which phase of the NCS life cycle discussed today do you believe your country would most benefit from? Turning the floor to the panel.

Can I answer, try to answer the question now?

Yes, please.

Thank you very much. I think all phases are very important.
We experienced in the Netherlands, over the past three cyber security strategies, that it's very important to have a joint and, again, multi-stakeholder approach for developing the strategy, starting with an integrated problem analysis. Where do we see the most important problems in our system that should be solved? And then, as a next step, to define as specifically as possible the objectives and the measures that are required to solve those problems. Something that also came out from a number of evaluations of our previous strategy, and that's something we are very much focusing on for our coming strategy, is the element of evaluation and monitoring. So to be as specific as possible in your strategy, so that it's possible to measure what effects and what results the strategy has accomplished, and also to see what kind of additional measures should be taken to implement the strategy and to get the good effects and results. I think it's also important, and that also touches upon the previous question, that organizations also as a means realize that of course their own cyber security is very important, but they are part of a wider network. So the security of their own is also the security of the network they're part of. And in that respect, there was also, I think a number of years ago in the Netherlands, a report on indeed investments, and that, for instance, 10% of the business operations money of the ICT budget should be spent on cyber security measures within companies. So I think that could be also a way of mainstreaming the importance of cyber security measures and requirements within organizations, at government level but also at business level. Thank you very much.

On that note, would other panelists like to add to that, or does the panel all in all agree that most phases are important? I see nodding. I think that could be the conclusion of this panel. I have a question received for Mr. van den Beeren from the Netherlands.
And the question states that in the answering of a former question you have emphasized a lot the capacity building of the actors in charge of cybersecurity issues. This is how it is translated, especially in third world countries. And the question is more on how is this done in practice? There's a big interest. So building capacities is important for the people involved in cybersecurity issues. Could you please elaborate a bit more on what you mentioned before, Mr. van den Beeren?

Sure, and thank you for the question. Well, as I emphasized, I think the Global Forum on Cyber Expertise, or the platform, is a very important channel, a multi-stakeholder channel, for the Netherlands to conduct our capacity building activities. So that's a platform where we invest quite a lot. And also, well, I think it's very important that not only is it supported and driven by countries, but also by other stakeholders, private industry. And we see, I think, a lot of initiatives also coming from the private sector. And we very much cooperate with other countries, in coalitions within the EU, but also outside the EU, focusing on areas, for instance, Southern Africa and Indo-Pacific, to jointly develop such capacity building projects, as I indicated earlier. I hope that answers the question. And well, if there's a follow-up question, I would be happy to answer, of course.

Sure, thank you, Mr. van den Beeren. Of course, reiterating the importance of the GFCE into this is music to my ears, but thank you for that. I have a raised hand from Ms. Sharjanova. Go ahead, Ms. Sharjanova, the floor is yours.

Thank you, dear colleagues. I would like to note that it's so important for the Kyrgyz Republic to develop human potential. As long as we don't write good strategies and plan certain events without highly qualified specialists to perform or provide stable functioning of all these plans, it is not possible.
Therefore, I join the fact that, in fact, it is very important to raise the qualification of our specialists in the field of cyber security. There is also a question for the Kyrgyz Republic about the preparation of a certain type of specialists in the field of cyber security. We understand that such a pace of development of digital technology, of course, creates new challenges, and we have new requirements for these specialists. These specialists must constantly increase the qualification to have the opportunity to provide support to the international experts. With the support of donor organizations, we conduct cyber training in the Kyrgyz Republic. For example, I will say that with the support of OSCE and ITU in 2021, the first cyber training in the Kyrgyz Republic took place. And today, certain training for state bodies in order to increase the qualification of specialists in the field of cyber security. But despite this, we would like to note that we still need to increase the qualification in order to ensure the implementation of these measures. We also need to train a large number of service bodies, municipal service bodies. We need to prepare these specialists so that they can provide us with the implementation of all the measures planned, and perhaps even the measures that we will plan in the following years. So in this part, I would like to note that this is a very sharp question for us. And again, we urge you to pay attention to this and perhaps be able to review and look at the possibilities in this part of the implementation and support. Thank you.

Thank you. Thank you, Ms. Sharjanova, for pointing out that human capacities are very important. Having a strategy is one, but we cannot forego that our experts need to be constantly trained and upgrade qualification as well, to answer to an ever-changing cyber security landscape. I have two raised hands. Considering time, I would like to give the floor first to Mr. Riles and then thereafter to Mr. Noriega.
And then I will see, Mr. Chame, whether there is an opportunity for you, but there will remain to be also a possibility to answer questions later on. So Mr. Riles, first to you.

Thank you. I just wanted to briefly pick up on what my colleague from Kyrgyzstan has just highlighted with regards to the importance of education and training. And I think for us here, talking about national cyber security strategies, it's good for us to keep in mind that training does not come first and then there is a national strategy to implement, but training is part of the national strategy, and you can actually set your goals for training and education and for putting the right university or school qualifications in place. You can have all that as part of your strategy, and then it becomes really this kind of comprehensive all-society approach that I think in the end will really make success. So just a very brief remark on that.

Thanks for that, Mr. Riles. Mr. Noriega, would you like to respond to that?

Yes, thank you very much. Just to add to that. A lot depends on the phase in which countries find themselves. In the case of Ecuador, we are in the middle of developing the update of our national cybersecurity strategy. What has been very important for us in this first phase has been identifying the stakeholders who are going to support us in developing the national cybersecurity strategy. As Mr. Marco Obiso said a few minutes ago, it is very important to address the needs of the private sector, of the academic sector, of civil society and of the parts of the government, all those that form part of the government, as well as the security and law enforcement forces. For us as Ecuador, it is very important to have all the stakeholders and to address their needs. That is all I wanted to contribute.

Thank you, Mr. Noriega, for adding on to that. Mr. Shiman, please go ahead.

Thank you for the opportunity.
I would like to say that we totally agree with the aspects that the colleagues of the panel have mentioned regarding human resource development in all dimensions. But I would like to make a comment on one of the aspects that, from a developing country and in Africa, we would think would be important in this process of implementing a national cybersecurity strategy, and it has to do with international collaboration. International collaboration in all its dimensions. For example, many of the providers of the digital platforms are international internet global companies providing their services, digital services, using cloud systems. That the space of Africa for countries and many of the perpetrators of cybercrimes or abuse on the internet, we would need to be part of an international mechanism that could help us to identify and even to prosecute individuals that are not from within our countries, but also who need the contribution of the private sector to help us as part of this process, also as part of the operation, but also as part of capacity building and training our countries.
Looking also to the dimension that today within the digital society is related to data and citizen protection, we think that the aspect of data sovereignty is an important dimension that we must bring to the aspects of the discussion of cyber security, and also on the protection of the data protection elements that can be conducted within our countries using the institution and the cyber system that we can implement. But the importance of our participation in the global network of the national system, to share the challenge, to share the threats, to share the platforms that we are using to counter the negative behavior, would be important. But also the aspect of participating in global forums like GFCE and the cyber for their project, it's important. We are lucky that most of this part of this international format where we've been learning, and we believe that that will help our process of implementing our national cyber security strategy, and getting from agencies like ITU and the World Bank that are helping us in this process. Thank you very much.

Thank you so much, Mr. Shaman. I am sure we could continue this conversation and I would love to do so, but for the purpose of this meeting I am told to move to the master class. A word of thank you to my panelists, Mr. Shaman, Mr. Noriega, Mr. Riles, Mr. van den Beeren, and of course to Ms.
Sharjanova, for taking part in this panel. And it was mentioned a couple of times, but the GFCE strategy and assessment task force has also developed a catalog of project options for the NCS cycle, which can be used as a reference point to inform countries on the types of capacity building activities that can support countries' journey in the NCS development cycle, and also the global overview of assessment, also known as GOAT, to learn also about different types of capacity assessments as an important stock taking step. And these documents are all available on the Cybil portal. Now, to continue to take forward the important cyber capacity building work, we will also be co-organizing the global conference on cyber capacity building later this year, in partnership with the World Bank, the Cyberpeace Institute and the World Economic Forum, and also with support from several member states. And the conference will provide an important opportunity to bring the cyber community and the development community together to meet, discuss, share and increase awareness, and also to set a mechanism for cooperation as well as secure high-level awareness for cyber capacity building. And this was stressed also this morning in the panel, the importance of capacity building in the area of cyber. So, bridging this to our next session: after hearing about the what, now the question is on the how, and the master class is a great opportunity to learn about the new guide and how to use it, and to hear from our hosts today on the mechanism in which World Bank, ITU and other stakeholders could support the design, the implementation and also the maintenance of the NCS. What we will provide you today is a start with the introduction of the second edition of the guide to developing a national cybersecurity strategy, and then thereafter present available resources and provide practical tools and know-how for the implementation of the guide, and then there is also a focus on the NCS life cycle and sustainable
implementation, and that will then again be concluded with a Q&A session. So please feel free to continue the conversation in the chat, and specifically for questions, please feel free to post them in the question box. Contact details of the teams to discuss future cooperation will be presented to you at the end of the presentation. So now, without further ado, I'm presenting your speakers of today, that is, Ms. Anna Levin, she is senior digital development specialist at the World Bank and co-lead of the cybersecurity community of practice at the bank, and then also Giacomo Asenza, a cybersecurity research officer at the International Telecommunication Union. So over to you both, thank you.

Hello everyone, thank you all for joining. So as Mario mentioned, now we are going to have a master class on the NCS life cycle mostly. Here you can see the agenda of today. So we'll start with a very general presentation about the guide, we'll talk about the multi-stakeholder approach which produced this document, then we'll have an overview, step by step, of the phases that build the NCS life cycle, and we'll also have some focuses on the available resources of the World Bank, of ITU, and in general of the international community to support the countries in implementing the NCS life cycle. So let's start with a giant introduction. I would ask my colleague Kyung Min to provide and to talk a little bit about the guide.

Yeah, sure, thank you. Hi, my name is Kyung Min, and in my experience the first edition, which was published in 2018, played an essential role in development, as it was often the only holistic and normative guide available to policy makers and national leaders. This new edition was motivated by multiple factors, including a 40% increase in national cybersecurity strategies worldwide. The second edition is a timely update that incorporates lessons learned and the contribution of over 20 public and private organizations. Much like the first edition, the new guide simplifies and also reproduces the entire life
cycle of a national cybersecurity strategy. It explains the evolving nature of cyber risks and the overall complexity of NCS with examples and principles. Next slide, please. So I won't read the names of the organizations on this slide, unless, like, I'm supposed to, but I will note that we formed eight working groups and frequently met to harmonize nomenclature, concepts and principles. I represented the bank in this process, and I can tell you that the second edition is the outcome of many iterations, and given the diversity of stakeholders, the process was not easy, nor should it have been, right? In all, all these organizations were united by a common objective, to create a global good for NCS, and given the process it took and all the stakeholders involved, we're certain of the guide's exceptional value and hope it encourages closer cooperation between governments and other enterprises for cybersecurity and capacity building. All right, over to you, Anat.

So you're probably wondering, how can the World Bank support the national cybersecurity life cycle? And there are really three main categories of our work in which we can help countries, especially in the developing world, move ahead with the national cybersecurity strategy. One of them is operations, and when we say operations we really mean the World Bank's bread and butter, and that's the large-scale lending projects that we can make available. Another area is knowledge, and the third area is partnerships. So under operations we work with countries to mainstream cybersecurity into their digital development and digital economy lending projects. We do this by designing cybersecurity activities that are part of these projects and that will enhance the client's cyber resilience. So this is a whole number of different activities that I'll talk about a little bit further down in the presentation. As part of this, we're also extending available resources to our project teams to be able to bring cybersecurity into all operations. We at this stage are really trying to
bring cyber into every project. In fact, you kind of have to rationalize why it's not in a project if it's not there. Secondly, we really work on creating knowledge as a shared public good, and that is in the form of practitioners' notes, in the form of deep analytical work, in the form of data-driven reports, to be able to help policymakers with their decision making. There are four examples of cybersecurity analytical work that we're working on right now, that I've kicked off and that are being supported by our new cybersecurity multi-donor trust fund. And as an aside on this, I just want to thank all of the donors who are part of this call, at minimum the Netherlands and Germany, who are contributors to the multi-donor cybersecurity trust fund and who are supporting this work: a report on cybersecurity that really looks at how can cybersecurity resilience be made affordable in a developing country context. We also have a piece of analytical work on the economics of cybersecurity that looks at the rationale for investing in cybersecurity to avert losses and to increase GDP growth. We have a menu of options for our task teams of what kinds of cybersecurity activities can be brought into our lending projects, what are the choices, what are the good practices in implementing those choices, how much is that little cost, and what are some of the procurement options for these cybersecurity activities. And there are also a variety of diagnostic frameworks that I'll talk about a little bit further on as well. Of course, the World Bank's convening power and our partnerships are incredibly important to us, and that's why we're very happy also to be speaking with all of you today. We have very strong partnerships on cybersecurity to help with fostering awareness and expertise and to mobilize resources to help developing countries. Mario already mentioned the global conference on cyber capacity building that's being planned with WEF and with GFCE and with the Global Cyber Peace Institute for this fall,
and again the trust fund that I've already mentioned, that all form very important cornerstones of the partnership and that allow us to bring this framework to support national cyber strategies to our clients. Next slide, please.

Okay, thank you very much. So now we can start with the life cycle, as we mentioned, which is one of the three pillars that are integrating the guide. So the life cycle that you can see here is really a process which organizes all the activities that should be put in place in order to develop a strategy. You can see here there are five steps: we have the initiation, the stock taking, the production, the implementation, and the monitoring and evaluation. Now, of course, this life cycle is not only for strategies, but it can really be applied to any cybersecurity policies, so not only strategy. In the group we like to look at this life cycle like a methodology, and this methodology has three main objectives. So the first one is to ensure that the management process follows a clear and well-defined governance. The second is that the strategy, so the final output, is relevant to the national context in which it will be implemented, so the strategy really needs to address the needs of the countries. And finally, the third is that all the stakeholders that are relevant to the management of national cybersecurity, and that will be somehow affected by this strategy, are involved in the whole development process. Now, today we are going to talk a lot about the involvement of national and international stakeholders, because this is crucial, and when we talk about the stakeholders we are really talking about all the entities that play a role: we are talking about the public sector, the private sector, academia, civil society and so on. Now, there are a lot of questions about why cyber security is seen as a sort of collaborative project, a collaborative approach, and this can seem weird, because normally the government is the one responsible for the provision of security, especially
when it comes to national security and the protection of national interest. But this has become so extensive and so all-encompassing that governments need to recognize a sort of responsibility, and we can also say a sort of authority, even to other entities. If we take for example critical infrastructure, these entities are often operated by private owners, but they are yet an essential pillar for national security. So a successful policy, a successful strategy, really needs to incorporate all these stakeholders to figure out how to make the country more resilient and ready, and also having the stakeholders involved in the process ensures that there is a sort of buy-in from their part, so they will support also the implementation of this strategy. So let's have a look at the five steps more into detail. The very first step that a government should undertake is to set up a clear and well-defined governance structure, and this governance will lead the whole development process. Now, to do so, the government should appoint an actor, an organism or an entity which is responsible and accountable for this process. In the guide we refer to this actor as the lead project authority. Now, when we work with countries, we often receive the question, who should be the lead project authority? In reality there is not a universal answer, because it really depends on the national context. It can be an entity that already exists, for example the cyber security agency or the ministry of telecommunication or the national CERT, or an entity established ad hoc for the national cyber security strategy. Now, regardless of what entity is appointed, the lead project authority has the mandate of leading and managing the whole NCS development process, and to do so it normally prepares what we call the NCS development plan. And this plan should outline the main phases, the main activities that need to be put in place, it should identify what are the human and the economic resources available, it should identify the
timeline in which these activities would be carried out, and also what form the strategy should adopt, for example, is it going to be a policy, is it going to be a regulation, a law and so on, because this of course affects the whole process, in particular the timeline and what entities should be involved. And of course this plan should also identify what are the stakeholders that will play a role in the development process. Once the plan is settled and approved by the executive, if this is the case, we can move to the second phase, which is the stock taking and analysis. At the beginning we mentioned that one of the main goals of the life cycle is to ensure that the strategy is relevant to the national context, because obviously not all the countries are the same: they might have different levels of cyber security capacity, or maybe they can have different levels of digitalization, often they face different risks. So this phase is really about this. This is an assessment, and this is an assessment to understand where the country stands in terms of national cybersecurity posture, and this is helpful to identify the gaps and needs that will be addressed to the strategy. Now, broadly, we can say that there are two main aspects that need to be assessed: the first is the national cybersecurity landscape and the second is the cyber risk landscape. Assessing the first aspect, so the cybersecurity landscape, is an exercise which looks at the capabilities of the countries, so what are the resources that are already in place. Here it's really important to stress that when we talk about cybersecurity capacity, it's not only technical aspects or technical tools or infrastructure, but we are really talking about the whole approach that the country has to cybersecurity, so also about people, about legislation, about diplomacy, about capacity building and so on, because a cybersecurity posture goes well beyond the mere technical aspects. And in this chart you can see that we use the framework of the Global Cybersecurity
Index, the GCI, to investigate cybersecurity capacity. Now, this framework is built on five pillars: we have the legal, technical, organizational, capacity and cooperative. This is just one of the many frameworks that exist, and my colleagues later will discuss a little bit more about this. Now, the second aspect to be assessed is the cyber risk landscape. This entails identifying all the national digital assets, understanding their interdependencies, understanding their vulnerabilities and what are the threats they face, and with these elements we can see the likelihood and potential impacts of the cyber incidents. Now, if we put these two aspects together, so the cyber risk and cyber security landscape, we can understand how far the existing capacity is adequate if we consider the risk faced by the country. So this stock taking and analysis phase is really a way to adopt an information-driven approach to build the strategy, which is really tailored to the national context, at filling the gaps identified through this process. I will give the floor back to Anna for further details about the stock taking and analysis phase.

Thanks very much, Giacomo. We have a number of different ways to do stock taking and do analytics on cyber security in a country. There are several methodologies that are being used, and they all have different roles to play, and you might choose them at different times. So I want to go through some of the types of analytics that we've got in different methodologies. So you see here on the left-hand side it goes from the national level to the project level. So let me start with the national level. We oftentimes start with a digital economy framework. So usually, when we're invited into a country to do some analytics and this kind of stock taking exercise, it sometimes is not specific to cyber security; it will be about digital development or the digital economy as a whole, and we're being invited in by the ministry, and cyber security of course forms part of that. So the digital economy framework
is a World Bank Group analytical model of digital transformation and includes cyber security as a cross-cutting segment, and it's very much a standardized approach that has a number of different pillars, and I'm happy to shoot a link of the digital economy framework as an analytical model into the chat box for those of you who are more interested. This framework has been implemented in dozens of countries already and produces a very thorough report on where the digital economy stands in that country. We of course have ITU's Global Cybersecurity Index, which takes stock of country cyber security resources and is used by countries to drive continued cyber security improvements. A lot of times we use the Oxford cyber security maturity model framework, which is a comprehensive gap analysis, very standardized: standardized questions, standardized answers. It's often rolled out by us as part of the policy dialogue and project design, so before we go in and develop a lending project and develop the activities under the lending project, we do the cyber security maturity model by Oxford University to understand at a very high level where the country is at, and what the recommendations are, and what's needed. We also have a World Bank Group cyber crime assessment toolkit, which examines the landscape on cyber crime and makes recommendations to build capacity to combat cyber crime. At the sectoral and sub-sectoral level, we are currently working on cyber security, the communications information infrastructure protection toolkit, which is a maturity assessment specific to critical infrastructures, and it looks at a variety of different sectors, such as health, finance, transport, in a number of different sectors. It's very much specific to cyber security in those sectors. And then of course, under the projects, under our lending projects, we can do any kind of assessment that's customized and tailored to that country and its needs, so in some cases we do risk assessment specific to those projects. Of course
we have the national CERT readiness assessment that the ITU is also working on, there's national cyber risk assessments, so there's a variety of things that a country might also pick specific to that project and specific to their needs.

Thank you. So now we set up the governance, we have identified the gaps and the risk of the country, and we can enter in the third phase of the life cycle, which is the production. This is the phase in which the strategy is drafted, reviewed, approved. Now, obviously there are a lot of different ways to carry out this phase, and there is not one which is better than another, and what you can see here is really just a general example. So in this phase, of course, the lead project authority should refer to the key findings of the stock taking and analysis, and based on these findings it should create an outline of the strategy which identifies the main focus areas to be addressed, for example legislation or capacity building or critical infrastructure protection and so on, and for each of these focus areas the outline should also address and define what are the main objectives to be achieved. Once the outline is defined, the real drafting can start, and to make this process more efficient the lead project authority can create, for example, working groups, and these working groups of course should be associated to the specific focus areas based on the expertise of the members. Now, even in the drafting process it's really important to involve all the stakeholders, and this can be done in a lot of different ways: for example, they can directly participate in the working groups, consultations can be organized, or maybe the draft can be circulated in order to collect comments and feedback. Involving the stakeholders in the production ensures not only that the strategy benefits from the knowledge, I would say the direct knowledge, of experts in the field, but also that the strategy is consistent with other initiatives, for example the digital development strategy or the
education strategy. Now once the draft is finalized, it needs to be approved by the executive and published through the national channels, and this of course should follow the national formal process depending on what shape was decided for the strategy: regulation, legislation and so on. Yeah, this is just an example of how this production can work. We said the lead project authority creates the outline and then this outline is developed by the working groups. Now once the strategy has been published, we can move to the fourth phase, which is the implementation, and this is probably one of the most critical phases of the life cycle. Something that is never stressed enough is that this strategy is not only a document. This is not only a way for countries to formulate high level objectives, but this strategy is a real strategy. We in ITU, we used to say that this is a strategy with the capital S, and this is where countries really plan what they intend to do in cyberspace, how they are going to orchestrate their national resources to protect their national interest. And we can say then that the strategy is entirely oriented toward the implementation. Now of course, normally in the document of the strategy, the document which is published, the implementation is addressed from a very general perspective. There are not a lot of details, but there is another document, which is the action plan, which organizes how the implementation will run. So if we go back one second, in phase 2 we have identified the gaps and the needs, in phase 3 we have also identified the main objectives. Now the action plan is the document in which we are going to match the needs and the objectives by identifying a set of activities and programs to reach these objectives. And of course these activities should be organized considering the national context, once again considering in particular what is the available budget, because the action plan must be implementable and therefore should be realistic, and this is a way to
prioritize the resources to address the most critical gaps first, as well as the most urgent needs. Now I will go back to Anat to have an overview of some of the activities that can be integrated in an action plan. Anat, back to you.

Thanks very much. So the World Bank really is available to help developing countries with implementation of cyber security strategies, and there are a number of areas that we are able to do so. Here is a selection of some of those areas along the guide focus areas that are used in the national cyber security guide. So what we are doing here is providing you with some examples of things that we can support. All of this information is going to be published later on this year in a public code that we are going to call menu of options. Maybe the title will change a little bit, but it really is about the options of how the World Bank can finance and support you in these areas to materialize and realize what your action plan for cyber security. So in the focus area of governance, for instance, we can support cyber security institutional structures. So we see in a lot of countries the institutional structure is not yet perfectly in place, and so anything that is required to put that into place can be supported here. In a lot of countries we don't yet see compliance frameworks and audit frameworks for compliance, be it for public sector, private sector or for SMEs, which in other countries there is SMEs who really can't all accede to ISO 27001 and need some other kind of basic cyber security compliance framework that they can abide by. Guidelines for critical information infrastructure protection is also something that can be funded. An action plan for a cyber security agency: so some countries wish under a phase 1 to start their cyber security agency either as part of the regulator or the ministry or some other kind of agency, or a phase 2 really to evolve it into a standalone cyber security agency, so that's also something that can be supported. In the focus area
of risk management in national cyber security, there's really a lot of things that we can support and finance as well. So cyber risk assessments can be financed for a variety of different sectors, and simulations and drills. The area of preparedness and resilience is really where we have some of our big ticket items. So strengthening either management or strengthening of national CERTs, CSIRTs or SOCs is where usually most of the money goes, because we really don't want to spend all of the money that we have to support countries on consultancies or reports that will gather dust. It's really all about strengthening your incident management response, and it's about strengthening your CERTs and your CSIRTs. So this is where the tools, the platforms, the equipment, the applications for threat intelligence, for prevention, for monitoring, and also the tools. Under capacity building and capabilities and awareness raising, this is really where we get most of our requests. So in developing countries we tend to hear, please help us by training, training and more training. So here there's a lot of funding available for training for a variety of audiences. So we see, for example, that of course there's training for officials at technical levels, but we also want to train government end users, such as IFMIS systems, who are not IT people but who need to know about password protection and phishing. A lot of times we get requests for training of judges and prosecutors, who need to understand how to adjudicate on cyber crime cases, who need to understand what cyber evidence is, need to be able to implement the cyber crime laws. And then we get a lot of requests for training for budget deciders. So these might be directors or deputy directors, line ministries, who don't understand cyber security, but their IT staff gives them a proposal for a cyber budget and they don't approve it because they don't understand how important it is. So we do also provide training for people like that to understand that
that budget needs to be approved. Many countries are asking for support with establishment of a cyber security academy as part of an existing institute of higher learning. This is in order not to, every time somebody needs to be trained, bringing in people from the outside to train them, but it's really about building a local capacity to do that teaching on cyber security and then to produce that fresh cohort of graduates that the economy needs every year, be it in government cyber security agencies or be it as CISOs in private sector or be it as analysts at CERTs and SOCs. Of course we're also supporting public awareness campaigns, and that's a component of every project that we work on on cyber security. And when it comes to critical infrastructure services and essential services, of course we can also support the establishment of capacity building for priority sectoral CERTs, SOCs and CSIRTs. So oftentimes that's the government sector, sometimes it's the communications sector, banking and finance, energy, especially for electricity and water utilities. So that is also something that can be supported, and cyber security technical architecture can support those.
For legislation and regulation, our bank projects can support the drafting and the ushering through the approval processes of cyber security and cyber crime legislation and regulation. A lot of countries are asking us for help with accession to the Budapest Convention. Some countries that already have cyber crime legislation say, well, we're missing a segment on critical infrastructure legislation, let's do a separate bill on that. And of course any legislative reviews and assessments. So that's another area of the NCS focus areas that we're supporting. And lastly, for international cooperation, this is not a huge ticket item, but as we all know, we know and we're part of the choir since we're all here in this meeting, it's very important. So exchanges with CERTs, SOCs and CSIRTs, you know, allowing staff of one country's SOC to have a study visit to another one, study tours, peer-to-peer exchanges, and information sharing platforms and systems. As I said, none of this is really huge in terms of cost but is quite important. So this is a sneak preview of the menu of options that will be published later on this year with, you know, a full comprehensive listing of the things that we can support to help countries implement their national cyber security strategies. Next slide please.

Now we can move to the last phase of the life cycle, which is monitoring and evaluation. Now this phase is often overlooked, but this is as important as the other one.
So 200 years ago Lord Kelvin, the scientist, used to say that in order to improve something you need to be able to measure it, and for cyber security measuring is extremely difficult. This is difficult because we are collecting a lot of data and this data are often from sources that are not structured, but this is also difficult to decide what to look for, so what indicators to use. When we run our workshops we often ask this question: so what indicator would you use to measure the effectiveness of your strategy? And the typical answer is the number of cyber attacks. If there are less attacks, it means that the strategy is effective and that cyber security is working. Now this idea is not necessarily correct, because, just an example, if there are less attacks does it mean that the country is getting better at preventing them or that the country doesn't even have the capacity to detect them? Also, attacks are qualitatively different in sophistication, in impact, so at what stage do we consider a malicious action to be an attack? And then the number of attacks depends also on the threat, which is an external factor. So for example during elections the threat is higher and there is a higher number of attacks even if the cyber security capacity in place is exactly the same. So monitoring, it's really tricky, but it requires indicators that are effective, that are good, and in the guide we refer to the SMART logic and we say that indicators should be specific, measurable, achievable, relevant, responsible and time related. Now this SMART indicator should be used to measure two aspects in relation to a strategy. The first is the implementation of the strategy and the second is evaluate the outcome. Understanding the difference between these two aspects is really important, because the KPIs to be used are different and because the two aspects are not necessarily related. For example, if in our strategy it says that we want to train the personnel of the public sector and provide a training about cyber
security awareness, a KPI measuring the implementation could be the percentage of personnel taking part in this training. But even if I reach 100% of personnel trained, it doesn't automatically mean that the personnel is cyber aware, because maybe the training was of bad quality or maybe the personnel was not paying attention during the training. So in order to evaluate the outcome I will have to use a different set of indicators. One, for example, could be we prepare a quiz or an exercise on the topic and we see if the personnel which went through the training scores a good result or not. Then we can repeat maybe this exercise every six months and see if the outcome is sustainable and it lasts over time. So with this we have completed the life cycle, the five phases, and we can move to the how to, which is probably the most important slide of the presentation. Anat, back to you.

Thanks very much. So let me unpack this slide for you. The World Bank has two types, I mean this is all fairly rough in general, of course, as you all know there's always slightly different ways of doing things, but there are roughly two ways of providing support, and one of them, to the left, is the non-lending activities, and the other one, to the right, is in larger scale financial assistance, which is the lending activities. So let's start with the non-lending activities. These are usually smaller scale pieces of assistance, technical assistance, and they're discrete activities, and sometimes they can be a little bit larger and programmatic types of activities, but really most of the time there are a lot of activities. So there could already be an active policy dialogue between the line ministry in charge of digital development and cyber security, and sometimes this is the ICT ministry, sometimes it's a telecom ministry and information technology ministry, so in every country it's slightly different. And sometimes there's already an existing active policy dialogue between this ministry and the World Bank team through that
digital economy assessment framework that I mentioned earlier, and at other times you may contact the cyber security community of practice, which is Hagaimei Zahaven myself, and we have contact information at the bottom of the slide. We are the cyber COP at the World Bank, and as co-leads you may contact us also directly to sort of start that kind of dialogue. Support is obviously subject to the availability of funding, either the availability of funding in the trust fund, the cyber security trust fund, or the availability of funding through some of our country management unit programs that are relevant for that specific country. So I won't go into a whole lot of details of how that source of funding goes. Suffice it to say that if funding is available, we may need a request from someone very senior at that ministry. So the request always has to come from government. We are unfortunately, as we are an organization made of member governments, we are not able to receive requests necessarily from NGOs or from private sector. So the request always needs to be either somebody at ministerial level or at director general level or director level to the World Bank, and through that we can consider how we can support the national cyber security design and the implementation of an action plan and advising on the national cyber security life cycle. Bear in mind, and this is something I just put into the chat box as well, it is the role, the responsibility of the government to devise their own strategies, and obviously for clear reasons the World Bank can't write the strategy for you, but under non-lending activities we are very happy to provide review, support, benchmarks, good practice examples and be able to really work together for that government to devise that strategy and an action plan and implementation. Now if the government wants to do more, which means also the implementation, that's usually not something that can be done with non-lending activities, because now we are talking really about
larger scale financial assistance and sort of a holistic cyber security program, and this usually falls into the lending program category. Now countries don't typically borrow from the World Bank just for cyber security. It's a larger scale project that focuses on digital transformation or digital acceleration, and we call these our digital economy projects, and cyber security is a sub-component of that project. These projects are about five years long and they are usually in the millions of dollars, and one project like that that is being developed right now is with our fellow panelist Dr. Elorino Shaman, where in Mozambique we are actually developing projects like this with a strong cyber security component for implementation of the Mozambique national cyber security strategy. So you have one example like that here in our very meeting. So here we have very deep policy dialogue between the line ministry and the World Bank team. In order to get this kind of assistance, a request needs to be sent by the minister of finance to the World Bank's country director for lending support. Now the ramp up to this kind of letter, the ramp up to this kind of request, usually takes a while. It's not something that happens right away. The minister of ICT needs to be convinced, and then the minister needs to talk with the minister of finance. A whole lot of people need to agree on this. At that point everyone's pretty much cited already on this, and there's a letter that's processed that officially makes this request to the bank for lending support. Not everything in this process is on this slide. Bear in mind also that the country has to have cyber security or digital development, so this is at this point a digital development project and cyber security is part of it. There needs to be room in the lending envelope of the country, so that has to do with calculations of GDP to debt ratio and existing loans and existing projects that this government has. It also depends, of course, on competing priorities,
because every country has a certain amount of loan portfolio availability per year, but for example in a year when COVID strikes and there's a global pandemic, maybe the health sector will take priority and the digital development project will have to wait until the following year. So there also needs to be an understanding between the World Bank's country director for that country and the minister of finance as to what are the priorities and how they are sequenced and whether and how much money there should be for our digital development project. So all of these things are going on in the background, but the request from the minister of finance to us, and all things being sort of check marked and approved and okay, unlocks for us, for the task team, the preparation funds to start preparing and identifying the loan. And then there's a whole project life cycle that takes between six months to a year, six months if we're really, really fast tracking it, a year is more normal. So we're going to be able to identify the project, we prepare the project, we appraise the project, so we decide how much money goes against which line item, we prepare a procurement plan and we prepare the project appraisal document, which really identifies everything that's going to be done and how much it's going to be costing. And that project appraisal document is then sent to World Bank Board for approval, and oftentimes in the country that is also approved either by cabinet, there are oftentimes also processes in the country where that approval needs to be made. So while that project goes on both sides, the World Bank side and the government side, for approval, that project appraisal document then, once approved, enters status of an international treaty, and once it is approved by both sides and declared effective, so usually there are some effectiveness conditions, things that need to be in place, then we can really start with, you know, large scale implementation of the cyber security work that's to be done under the
project. So here we're talking about things that by and large other donors are not able to finance this extent into this level. It really is about establishing CERTs and SOCs, it's about building them up, it's in the millions of dollars that go into building up cyber security capacity for that country. So this is a rough high level description, and for anybody who's interested in some details please feel free to ask those questions, and I hope that's helped you to understand a bit of how we can support the national cyber security life cycle. Thank you.

So thank you, Anat. I think we are at the end of the masterclass, so just to wrap up I would like to stress again that the strategy is not only a document but it comes with the implementation. So the action plan is key, and we can see the action plan as a sort of a strategy within the strategy, where the country decides how it is going to orchestrate the resources in order to reach its cyber security objectives. And I would like to conclude with a quote from the director of the development bureau of the International Telecommunication Union, where she said that cyber security and digital development are two sides of the same coin and there cannot be digital development if there is not cyber security, because it really makes any digital development sustainable and solid. And overall we can say that the role of security in general and also cyber security is never to say no to something, is never to say no to transformation a way to say no but in order to make it more resilient and more sustainable. Here you can see the contacts of ITU and the contacts of the World Bank. If you want to learn more or you want to get in touch, please feel free to reach out. I don't know if an actor can mean you would like to add something, otherwise I think we can close the session from my side.

That's good. Feel free to email us at cybersecuritycop at worldbank.org if you have any other questions. Thank you.

It's good for me too.

Thank you all for being here, and with that
a special thank you of course to Anat and Giacomo. Feel free indeed to connect if you have further questions. And going towards concluding the session, today we have heard on the what and the how of national cyber security strategies and more specifically also about the NCS guide, and I would like to stress that the guide is one of the most comprehensive overviews of what constitutes successful cyber security strategy. So with that, thank you to the speakers and panelists, also to you participants from across the world, and to the organizers, the World Bank and the ITU, organizations who took part in the establishment of the NCS guide. Please note there is a recording available at the ITU website, and also know that this event is part of the ongoing knowledge sharing event series on cyber security at the World Bank and also part of the ITU-D cyber security capacity building activities for member states. So the next event is on gender inclusion through cyber. That one is scheduled for mid-May. Please stay tuned for future events and feel free to contact us on the emails seen on the screen. If you'd like to have more information on the GFCE, all information on GFCE and also on the Cybil portal can be found on the GFCE.org. With that I say thank you and goodbye.

Recording stopped.

Thank you. Thank you, bye.

Thank you very much. So I close the meeting?

Yeah, Rose, you can close the meeting. Thank you.

Thank you, bye. Have a nice day.

Thanks, Mario.