A government has a range of levers to drive the implementation of its NCSS. As we will discuss later in the module, two of these are legislation and regulation, but they are not the only ones. Which levers a government chooses to use, and how, will depend upon its national circumstances and approach to policy.
The levers available to a government include:
- Create standards and tools related to cybersecurity to enable certainty and ease in cybersecurity activities. Examples: establishing a certification scheme to make it easier for companies to choose secure or capable suppliers; creating an online tool that any company, organisation or agency can use to check the security of its website; creating information sharing mechanisms and communities of trust.
- Provide knowledge and education to organisations and citizens. Examples: public awareness campaigns; education curricula; giving cybersecurity guides/toolkits to small businesses; circulating vulnerability and threat alerts from a National CSIRT or Cybersecurity Centre.
- Provide rewards or incentives for good cybersecurity. Examples: using government procurement policy to buy IT services from companies with cybersecurity certificates, which incentivises them to complete certification.
- The government leads by example by practising cybersecurity. Examples: the government can begin to roll out better cybersecurity approaches (e.g. two-factor authentication logins or email authentication) by adopting them first in ministries and publicising this to the industry.
- Apply pressure without criminalising. Example: producing ‘worst performers’ lists showing which companies lag in implementing a particular recommended cybersecurity practice – these might be published or shared just with the companies concerned.
- Government investment and Public Private Partnerships. Example: governments and the private sector sharing information on vulnerabilities in CNI so that the vulnerabilities can be adequately addressed through collaboration.
- Funding academic research.
In addition to the above levers, a government has legislation and regulation, which have many uses, including:
- Give new roles, powers or authorities to a government agency or an external body that the government has tasked with fulfilling a national cybersecurity role;
- Create a new agency or organisation;
- Make companies, other organisations or citizens responsible for taking certain actions the government wants to promote (e.g. protecting data in a defined way or reporting breaches); and
- Make it an offence to commit acts that the government wants to deter.
The levers available to a government can be viewed on a scale from strong encouragement (the ‘carrot’) at one end to strong deterrence (the ‘stick’) at the other.
Case Study for Encouragement Lever:
The SME Toolkit in Nigeria
Africa CERT is a good example of governments and the private sector collaborating across the African Continent.