The shoulders we stand on: the start of cyber security capacity building

Cyber security capacity building started a decade and a half ago. Fortunately, somebody took a snapshot.

“The longer you can look back, the farther you can look forward”

Winston Churchill

Graham Greene and I once held the same job title: British political officer in Sierra Leone. He went on to sell 20 million copies of his 24 novels and was twice shortlisted for the Nobel Prize in Literature.  I write this blog.

We did not actually do the same job: he was an intelligence officer and I was a diplomat. Nonetheless this started me thinking about who had come before me and what advice they would give if they were still around.

It is in this spirit that I’ve begun my new role in the Global Forum on Cyber Expertise (GFCE) secretariat, by looking back. I wanted to know where international cyber capacity building began.  What I’ve learnt is that it has its roots in the mid-2000s.  And fortunately somebody at the time had the foresight to take a snapshot.

When did cyber security capacity building start?

I am not so foolish as to try to put a definitive date on the origin of either cyber security or international cyber capacity building.  At least not yet. So instead I’ll start with a recap of four significant milestones:

In 1971, Bob Thomas wrote a programme that hopped between terminals on ARPANET (a precursor to the internet) and left the message: “I’m the Creeper: catch me if you can.”

In 1988, Robert Morris committed the first crime to be successfully prosecuted under the US Computer Fraud and Abuse Act. His Morris Worm disrupted 10% of the internet through a security experiment that turned into an unintended DDOS attack. The US government responded by establishing the first computer emergency response team (CERT/CC) at Carnegie Mellon University. Morris went on to become an MIT professor and multi-millionaire.

In 2002, the ITU Plenipotentiary in Marrakesh passed Resolution 130 giving ITU a mandate for “building confidence and security in the use of ICTs”. In the same year, NATO included the need for capacity building in its report, “Vulnerability of the Interconnected Society”.

In 2007, the ITU launched the Global Cybersecurity Agenda, with capacity building as one of its five strategic pillars. This emerged from the World Summit on the Information Society (WSIS), which pointed the way towards capacity building.

So, if we were to search for a start date to international cyber security capacity building we might reasonably begin looking between 2002 and 2007. 

It is our good fortune that during this period somebody was mapping the international cyber landscape. Even better, they wrote a book about it.

The hunt for project zero

“A story has no beginning or end: arbitrarily one chooses that moment of experience from which to look back or from which to look ahead.”

Graham Greene

Michael Portnoy and Seymour Goodman are my unsung heroes of cyber capacity building mapping.  In 2008, they wrote Global Initiatives to Secure Cyberspace: An Emerging Landscape.  A new copy from Amazon will cost you £113 ($145). I think it’s worth every penny (cent). Although I must confess to having bought a second hand copy.

What Portnoy and Seymour’s book gives us is a 176-page snapshot of international collaborative efforts to improve cyber security in the mid-2000s.  Very few of the international cyber initiatives they found were capacity building projects, but by sifting through those that were we can further narrow the window for their start.

The earliest capacity building projects Portnoy and Seymour wrote about were in 2006.  In April, the Organization of American States held a regional cybercrime training workshop in Miami and the next year they delivered their first CSIRT training in Brazil.  In October 2006, the UNODC held a cybercrime forensics training workshop in Ghaziabad, India. 

Again, I am not foolish enough to conclude that 2006 was definitely the starting year for cyber security capacity building. Instead I’ll pose the question: do you know of any earlier projects? If you do, or you were involved in the projects in 2006, I would love to hear from you.

Even better, if you know Michael Portnoy or Seymour Goodman then please let them know I said thanks. As a cyber initiatives mapper, I stand on their shoulders.

Insights from the noughties

What else can we learn from Global Initiatives (2008)?

Reading the book one is reminded how deeply concerned the mid-2000s were with spam.  Skimming through Global Initiatives feels a little like watching the Monty Python sketch that inspired the term spam email: “we have spam, spam, spam, spam, spam, spam, baked beans, spam, spam and spam”.  

In case you share my curiosity as to just how spammy the mid-2000s were, I ran the numbers.  In Global Initiatives, spam is the 34th most frequent word (excluding a, the, and etc.). In fact, 2% of the whole book is spam. That’s more spam than terrorism, infrastructure or law.  Or if you’re a word cloud sort of person there was this much spam…

When did cyber security capacity building start? Around 2006. This word cloud represents the text of a book recording that period called Global Initiatives in Cyberspace (2008).
Can you spot the spam?

I find it heartening that a cyber issue that was such a serious concern a decade ago is now considered background noise (although by no means has it gone away). I am also curious as to what lessons we should learn from this. Would technology have dealt with the problem soon enough or was regulation required? And what role did the international initiatives play in this success?

Looking for insights beyond spam, I am also heartened by how early collaboration played a role in international capacity building.  I mentioned that UNODC delivered a cybercrime workshop in Ghaziabad in 2006.  By 2007 they were delivering follow-on training in Kerala in partnership with Microsoft.

What next?

As someone beginning to map global cyber security capacity building projects it encourages me to think we know the latest projects and soon, with the help of Portnoy and Goodman’s work, we might know the first. Then it will merely be a matter of working from either end towards the middle! How hard can that be?

(Follow this blog to see how really hard that will be!)

But Global Initiatives (2008) is not just a map of projects. It is the story of a journey and covers a wide range of international policy initiatives, events and agreements.

Bringing that story up to date with a new book for 2020 might not earn you a Nobel Prize for Literature, but it would gain you the gratitude of the capacity builders to come, who will stand on your shoulders.

Leave a Reply

Your email address will not be published. Required fields are marked *