What was learned while developing Bhutan’s first National Cybersecurity Strategy
While the introduction of information and communication technologies (ICTs) brings undeniable benefits in terms of speed and efficiency of digital transformation, it can also significantly expand the cybersecurity risk landscape or “attack surface.”
Adopting and implementing an NCS can be particularly challenging for developing countries as it requires significant economic, human, and organizational resources. Committed to supporting governments by building capacity and transferring knowledge, ITU hosted a webinar on NCS development and implementation where international experts discussed key actions to build cybersecurity resilience and readiness.
A critical contribution came from the Bhutan Computer Incident Response Team (BtCIRT). We decided to share lessons learned while developing our NCS since Bhutan’s experience not only demonstrates the typical cybersecurity challenges faced by developing countries, but also how developing an NCS can turn these challenges into opportunities for stronger cybersecurity.
Embarking on a journey
Bhutan’s journey toward the definition of its first NCS began in 2012 with a readiness assessment conducted by ITU to measure not only the cybersecurity maturity level of the Kingdom of Bhutan, but also its cyberthreat landscape.
Following the assessment, the Bhutan Computer Incident Response Team (BtCIRT) was formally established in April 2016. The BtCIRT operates under the Department of IT & Telecom (DITT) of the Ministry of Information & Communications. Our formal mandate is to provide both reactive and proactive cybersecurity services to the entire nation, including guiding the development of a national strategy.
After a number of iterations, the first version of the NCS was finalized in October 2020 through two rounds of task-force workshops. At the time of writing, the NCS is awaiting public consultation after which it will be submitted to the Cabinet of Bhutan for approval.
Overcoming hurdles
Explaining the importance of cybersecurity and the necessity for a strategy was one of the most significant initial challenges. Despite the great engagement of the Kingdom of Bhutan in ICT development, many government and private sector leaders are from non-technical backgrounds. In a country where digital transformation is a work in progress, awareness of the importance of cybersecurity remains a big challenge. Senior management perceived cybersecurity as a purely technological problem with limited impact on other domains. In reality, cybersecurity is a shared responsibility that needs multidisciplinary and structured solutions from top management.
Another key challenge was gaining support and buy-in from stakeholders. As the NCS is a national endeavour and roadmap to achieving a safer online environment, it needs to cater to the whole country to ensure that it is comprehensive and inclusive through the involvement and collaboration of all stakeholders.
Not all perceived cybersecurity as a priority, and others held different views on how to implement it. It was challenging to bring everyone together in the first place, and even more difficult to achieve consensus on strategic direction and specific areas of concern.
Visibility, funding and partnerships key
Given this was the first time developing a National Cyber Security Strategy for Bhutan, all challenges constituted an important learning experience and an opportunity to enhance the country’s cybersecurity maturity.
First, developing the NCS spread cybersecurity awareness and visibility throughout the institutional apparatus. In Bhutan, the government accords the highest importance to digital transformation and information and communication technologies. The high-level ICT steering committee, with members representing top management from every sector (government, public and private), drives and monitors the implementation of ICT projects.
In terms of funding, the Department of IT & Telecom secured a dedicated budget projected over 5 years for the implementation of the NCS. Identifying critical information infrastructure, conducting cybersecurity awareness training and cybersecurity capacity building are among the initial activities to be carried out. The Strategy also clearly identifies stakeholders and their responsibilities.
After the approval of NCS, three working groups will be formed. The legal group will carry out the assessment on cybersecurity legislation, the Child Online Protection group will develop guidelines, and the Technical group will develop relevant security requirements and guidelines. All activities will be monitored monthly by BtCIRT and issues will be escalated to the High-Level ICT steering committee.
Finally, the public-private partnership model presents a potential opportunity to further build cybersecurity awareness in Bhutan. As the BtCIRT is limited in terms of human resources and capacity, it could improve incident reporting and handling, as well as enhance knowledge sharing. To that end, the implementation strategy includes a plan to set up sectoral Security Operation Centers to improve cybersecurity in critical sectors.
Looking ahead
The last two decades have seen the Kingdom of Bhutan undergo a far-reaching digital transformation, especially in terms of delivery and adoption of digital services.
Another recent trend is that many Bhutanese people have embraced cardless transactions. More recently, due to the COVID-19 pandemic, the health and education sectors have adopted innovative measures for service delivery.
As Bhutan continues its digital transformation work, global and national capacity building in this field remains a necessity for the successful development of National Cybersecurity Strategies. The result is not only the betterment of countries’ cybersecurity posture, but an opening of opportunities that will enable the benefits of digitalization to reach more citizens, for an altogether more sustainable digital future.
