It is our experience that any national framework must have a starting point or a foundation from where elements influencing the framework are identified. We have experienced that in the development of a framework at the national level, and applicable to national cybersecurity, some considerations need to be taken into account. One of the considerations is that it must operate within the ambit of the nation state’s legal and regulatory structure and that it must consider the prescripts described in the national legal and regulatory structure.
Sources that prescribe mandatory national cybersecurity functions are called authoritative sources. Sources that only make recommendations are called normative sources. The distinction matters: authoritative sources prescribe mandatory national cybersecurity functions, while normative sources recommend general cybersecurity functions. Mandatory functions have to be implemented; failing to implement them could lead to sanctions, such as fines, audit findings or expulsion from international bodies. General cybersecurity functions, which are non-mandatory in nature, may be implemented, and no sanctions are associated with not implementing them.
A National Cybersecurity Management Framework for Developing Countries
Authoritative sources thus prescribe mandatory cybersecurity functions, and normative sources recommend general cybersecurity functions that are non-mandatory in nature.
We will thus consult two types of sources. The two types of sources are:
• National authoritative and normative sources - describing national mandatory and non-mandatory cybersecurity functions.
• International authoritative and normative sources - describing international mandatory and non-mandatory cybersecurity functions.
These two types of sources provide us with two categories of cybersecurity functions. The first category is mandatory national cybersecurity functions that are specific to a nation state, and the second category is general cybersecurity functions that are non-mandatory in nature. These two categories are discussed in more detail in the text following.
• Nation-state mandatory, specific and applicable national cybersecurity functions are identified from national and international authoritative sources. Nation states have the option to augment their specific and mandatory national cybersecurity functions with the general (non-mandatory) cybersecurity functions. Since we have experience working on South African national cybersecurity efforts, only South African mandatory functions described in South African authoritative sources will be considered in this thesis.
• The general cybersecurity functions that are non-mandatory in nature are identified from national and international normative and authoritative sources. They provide nation states with a pre-defined list of cybersecurity functions that are general in nature, from which they may select one or many for implementation. General cybersecurity functions are by definition non-mandatory.
A nation-state without its own authoritative sources may make use of a different country’s authoritative source documents, and from there, identify general cybersecurity functions for itself. Normative sources are documents such as standards, frameworks and best practices. Mandatory and general cybersecurity functions are discussed in more detail in the following sub-sections.
2.6.1 Mandatory cybersecurity functions
The National Cybersecurity Management Framework
The sources providing mandatory prescripts at the national level are collectively known as authoritative sources. Authoritative sources are documents such as acts, regulations, national cybersecurity policy (NCS) and international treaties. These sources should be the starting point and should be consulted first during the development of national cybersecurity frameworks. They prescribe mandatory requirements from a legal and regulatory perspective that must be included in the framework. During a nation state’s national cybersecurity function management journey, the following elements need to be identified for it to determine its mandatory national cybersecurity functions.
• National and international authoritative sources specific and relevant to the nation-state.
• Mandatory prescripts and requirements for national cybersecurity functions expressed in the nation state’s relevant authoritative sources.
Mandatory prescripts are found mainly in authoritative sources. A prescript is a rule, directive, command or law. From a cybersecurity function perspective, and at the national level, a prescript will express mandatory requirements that have to be included, or considered during the identification of national cybersecurity functions.
Some examples of South African authoritative sources are the NCPF [33], the South African Cybercrimes and Cybersecurity Bill [34] and the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (Act 70 of 2002) [35]. Identifying all these sources and following their prescripts ensures that the mandatory national cybersecurity functions specific to the nation-state are identified.
One of the core tenets of the first level of our NCMF is that it first identifies, and then consults, nation-state-specific national and international authoritative sources that prescribe mandatory cybersecurity function requirements. We will now show in Section 2.6.2 that it is also possible to use an NCMF to identify general cybersecurity functions that are non-mandatory in nature.
2.6.2 General cybersecurity functions
The identification of general (non-mandatory) cybersecurity functions is done by considering only the general recommendations in national and international normative sources. Nations may also choose to use the authoritative sources of other countries and apply those as their normative sources.
The following needs to be considered during the identification of non-mandatory cybersecurity functions. These functions are, by definition, general in nature.
• National and international normative sources need to be identified.
2.7 General discussion of cybersecurity functions
Other than a country’s legal and regulatory framework, an NCS is of paramount importance as an authoritative source to steer cybersecurity activities at the national level. A well-thought-through NCS will have considered national and international acts and regulations, and will have captured their prescripts and recommendations.
Therefore, the national cybersecurity prescripts found in a nation-state’s NCS serve as our primary source to assist with the identification of mandatory national cybersecurity functions. With the application of the NCMF, the NCS is seen as a document of the highest authority, and the primary source of information on how cybersecurity matters at the national level should be conducted.
National and international authoritative source documents and their prescripts differ between countries, and this implies that mandatory national cybersecurity functions will differ from country to country. As an example, the national cybersecurity functions needed to support the Saudi Arabian National Cybersecurity Strategy “Developing National Information Security Strategy for the Kingdom of Saudi Arabia” [36] will differ from the national cybersecurity functions needed by South Africa, as prescribed in their “National Cybersecurity Policy Framework” [33].
The Kingdom of Saudi Arabia restricts social media, and in some instances social media platforms are blocked in the country, as prescribed by its NCS [37]. This differs from South Africa’s open and tolerant stance on social media. The Saudi Arabian restrictive social media policy creates the requirement for an additional national cybersecurity function: being able to monitor and block social media platforms at the national level.
Another additional national cybersecurity function requirement is a cyberwarfare function. Saudi Arabia is actively engaged in a cyberwar with Iran and Yemen [38], and a cyberwar function is thus a requirement.
South Africa is not at war, or engaged in cyberwar with other nations, and has no requirement for a cyberwarfare function. These two national cybersecurity functions are not currently a requirement in South Africa.
There might, however, be exceptions, in that mandatory national cybersecurity functional prescripts and requirements could be similar between nation states. One such example is the South African Protection of Personal Information (POPI) Act [39], which is based on the United Kingdom’s Data Protection Act of 1998 [40]. In this example, there may be similarities between the United Kingdom’s and South African national cybersecurity function prescripts and requirements needed to give effect to these two similar acts.
Table 1 shows that we may use national and international authoritative and normative sources to identify mandatory and non-mandatory cybersecurity functions. From these functions, we can identify the most commonly occurring functions to provide us with a list of general cybersecurity functions. We will do this in Chapter 4.
Table 1: General CSFs from mandatory and non-mandatory CSFs