What is the aim?
To help a country understand the national critical infrastructure and systems it needs to protect it at the moment and how strong its processes are for managing the risk to those assets.
Why do it?
Countries should be able to identify and manage cybersecurity risks at a national level and use this to inform priority areas for future investment, which will be highlighted in a national strategy.
What are typical outputs?
A list of critical national infrastructure and/or critical information infrastructure. And a report, produced by the government itself, on the risk mitigation measures for this CNI/CII and its adequacy.
How is it delivered?
Typically, external consultants will bring together the government and private sector to establish a local team. They will train the local team, who will send questionnaires to the owners of CNI and together interpret the information that is sent back. The experts may help run a series of workshops to explain the process to stakeholders and, at the end, discuss the results.
How easily can a country do it themselves?
Moderately easily. Example questionnaires and assessment methodologies can be requested from GFCE members. However, international experts will often have tools for analyzing the questionnaire data. They will also have expertise in interpreting the results.
What good practice guidance is available?
The UK Home Office is developing a training portal and videos to enable remote delivery and to assist countries to train others.
- Spend time at the start talking to the owners of the CNI/CII to gain their trust in the process.
- Develop a local team of government and private sector representatives to encourage those who might be reluctant to participate.
- If a country is concerned about the confidentiality of the data, they can ask for the project to be designed in such a way that nobody other than the government sees the sensitive data and it is stored securely in the lead ministry.
- Build in time for the strategy process for the risk assessment, because it can take 6 months.
Varied ($40k – $130k USD per country dependent on requirement to travel).
In 2019, the UK Home Office engaged with the Ministry of Information and Communications (MIC) in Sierra Leone as part of its Commonwealth Cyber Program. Sierra Leone had not undertaken a CNI cyber risk assessment before.
The local NCRA team (made up of both government and private sector representatives) brought together multiple key critical national infrastructure sectors to establish a baseline of risk to their critical information infrastructure. UK Government provided expert guidance and analytical training to build the capability within Sierra Leone. The UK team also supported the analysis of the results, enabling the local team to develop a list of key priorities for future investment.
This process took 5 months, from August 2019-January 2020, and MIC has committed to repeating the process periodically; Sierra Leone now has a national capability. A results report was developed with an agreed list of recommendations. The local team also committed to working with each sector/organization to share and further analyze the individual results in order to take forward the prioritized capability gaps.
From the UK team’s perspective, the key outcome from the process was the improved relationship between the host government and their private sector. The activity was the catalyst required by the host Government to bring the various private sector stakeholders together for the first time. As a testament to bringing people together and the hard work by the local teams to build relationships, any initial distrust was transformed into strong relationships being built as the process went on. For example, a telecoms company reported a cyber attack to the government of Sierra Leone, which they openly admitted they would not have done prior to the NCRA process.
Training a hybrid team demonstrates the value of the NCRA and how it brings stakeholders together to build strong and trusted relationships; but it also showcases that cybersecurity is not just an issue for government. It is everyone’s responsibility.
Within the 3-workshop NCRA approach, the UK team has embedded an immersive cyber exercise. We delivered the exercise with the assistance of the local team at the NCRA Results briefing with the sector stakeholders in order to highlight the dependencies between sectors and the importance of building resilience.