What is the aim?
The aim is to provide information that can inform the strategy and to help illustrate how evidence-based strategy making can work, using up-to-date cybersecurity data relevant to the country.
Why do it?
Strategies are better when informed by evidence, especially timely and relevant data. However, policy makers may not have experience accessing cybersecurity data or using it to inform their recommendations.
What are typical outputs?
A report on the health of the internet ecosystem in the country. See the case study below.
How is it delivered?
The consultant/organisation providing data and analysis will normally provide a document report and present the findings in person.
How easily can a country do it themselves?
Countries can access the data themselves but may find it helpful to have a consultant/organisation identify good data sources for them and help them interpret the national data.
What good practice guidance is available?
There is not a good practice document specifically on this activity.
Data sources countries might use include:
- CyberGreen: provides statistics on vulnerabilities that cause DDoS risk (e.g. Open NTP; Open Recursive DNS)
- Mejiro: an online tool by JPCERT for visualizing national data on DDoS vulnerabilities
Cost
Internet Health Ecosystem analysis report: $20k–$30k USD per country (depending on risk indicators and depth of analysis).
Duration
3 months.
In 2019, the Economic Research Institute for South and East Asia (ERIA) asked CyberGreen to produce an Internet Ecosystem Health Analysis Report for the 10 ASEAN countries. In 2018, the World Bank Group asked CyberGreen to conduct an Internet health analysis for East African countries at the East Africa Cyber Clinic.
CyberGreen collected data on vulnerabilities and risk conditions at the national level. They then conducted statistical analysis to assess the cleanliness of the Internet ecosystems within the countries and recommend specific policies and measures.
The Internet health risk indicators they used included:
- Systemic Vulnerabilities in the Internet Ecosystem: They uncovered open services which could be exploited as amplification DDoS attack infrastructure (Open DNS, NTP, SSDP, SNMP, CHARGEN). Raw counts of misconfigured devices were provided, along with trends over time and a breakdown by the top ISPs supplying or servicing those devices.
- Email Infrastructure Analysis: They assessed the level of implementation of the Sender Policy Framework (SPF), used to authenticate sending domains, DomainKeys Identified Mail (DKIM), and DMARC (a technology for reinforcing SPF and DKIM domain authentication). This analysis tells the country whether these policies are being applied to avoid spam and other email-related threats.
- Other risk indicators, including:
  - Routing security performance
  - Ecosystem outdatedness
  - ISP security best practice implementation
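
The email infrastructure indicator above can be approximated from published DNS TXT records. The following is an added example, not CyberGreen's code or methodology: it classifies SPF and DMARC posture for a constructed set of domains and tallies adoption across them. DKIM is left out because its keys are published under per-sender selectors that cannot be derived from the domain name; the domain names, record contents and status labels are assumptions.

```python
from collections import Counter

# Constructed sample: name -> TXT records, as a DNS survey might return them.
SAMPLE_TXT = {
    "bank.example": ["v=spf1 include:_spf.bank.example -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"],
    "ministry.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.ministry.example": ["v=DMARC1; p=none"],
    "shop.example": ["google-site-verification=abc", "v=spf1 +all"],
    "isp.example": [],
}
DOMAINS = ["bank.example", "ministry.example", "shop.example", "isp.example"]

def spf_status(txt_records):
    """Classify SPF by the qualifier on the 'all' mechanism."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        # More than one SPF record is a permanent error (RFC 7208).
        return "missing" if not spf else "invalid"
    for term in spf[0].lower().split()[1:]:
        if term == "-all":
            return "strict"
        if term == "~all":
            return "soft"
        if term in ("all", "+all", "?all"):
            return "permissive"
    return "no-all"  # e.g. redirect= only; the target is not followed here

def dmarc_status(txt_records):
    """Classify DMARC by its requested policy (the p= tag)."""
    recs = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(recs) != 1:
        return "missing" if not recs else "invalid"
    parts = (p.partition("=") for p in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts if k.strip()}
    if tags.get("p") in ("quarantine", "reject"):
        return "enforcing"
    return "monitor" if tags.get("p") == "none" else "invalid"

def survey(domains, txt):
    """Return per-domain (spf, dmarc) status plus a tally of each."""
    rows = {d: (spf_status(txt.get(d, [])),
                dmarc_status(txt.get("_dmarc." + d, []))) for d in domains}
    return rows, Counter(s for s, _ in rows.values()), Counter(m for _, m in rows.values())

def dmarc_enforcing_rate(rows):
    """Share of surveyed domains whose DMARC policy is quarantine or reject."""
    return sum(m == "enforcing" for _, m in rows.values()) / len(rows)
```
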