International Cyber Capacity Building

Headshots of Danny Nsouli and Cynthia A. Wright for the International Cyber Capacity Building podcast

With Danny Nsouli (left) and Cynthia A. Wright (right). Graphic: Danny Nsouli

Interviewer: Danny Nsouli

Welcome to the latest installment of the Knowledge-Driven Podcast.
In this series, CyberSecurity Software Engineer Danny Nsouli interviews technical leaders at MITRE who have made knowledge sharing and collaboration an integral part of their practice.

In this episode of the MITRE Knowledge Driven Podcast, we present an interview with Principal Cybersecurity Engineer Cynthia A. Wright conducted in 2022, in which she discussed how MITRE was supporting numerous developing countries through international cyber capacity building. Although the references to activities of Russia, Moldova, and even the U.S. State Department describe the state of the world and MITRE’s work as of 2022, cyber capacity building is just as important—perhaps more so—in 2024. This episode is part of our continuing series of podcasts on the work of the Great Power Competition (also known as Strategic Competition) initiative. Although the interview refers to “Western norms” and “Western values”, they are meant to cover a common/global vision for cyberspace. Join us, as we talk about what goes into improving the national security and economic growth of these partner nations.


 

Podcast transcript

Danny (00:17):

This interview includes references to “FastJump”, an internal MITRE knowledge management tool that is only accessible from within the MITRE intranet.

Hello everyone, my name is Danny Nsouli, and welcome to MITRE’s Knowledge-Driven Podcast. Today, I will be discussing international cyber capacity building with Cynthia Wright. Cynthia, would you like to introduce yourself and tell the listeners a little bit about your role and experience at MITRE?

Cynthia (00:32):

Sure. I’m Cynthia Wright, I’ve been at MITRE almost eight years now. I am a Principal, cybersecurity strategy & policy person over in the Cyber Solutions Innovation Center. In particular, I work a lot with the State Department and some of our other sponsor agencies on international cyber capacity building.

Danny (00:56):

So, can you start by giving us a definition of what is cyber capacity building?

Cynthia (01:01):

Sure. It is kind of a new term. International cyber capacity building (ICCB) is an effort that several sponsor agencies, but primarily the State Department are involved in to help partner nations improve their national cyber capacity. That is: their ability to use digital technologies securely, to improve their national security, grow their economy, achieve other national goals that they may want to. ICCB is typically focused on developing or emerging economies. So, most of the countries we work with have very little relative cyber capacity when we first start working with them. They need help in just about every area.

Cynthia (01:45):

One of the reasons that we do cyber capacity building is that we are trying to help spread Western norms regarding internet freedom, human rights, and the rule of law in cyberspace. Cyberspace is a very contested arena: it’s one of the major areas of [the] Great Power Competition and a place where the United States and our like-minded partners really want to make sure that we continue to foster our ideals to keep the internet free, to keep it not balkanized, but one big space where people can find the knowledge and information that they need.

Cynthia (02:22):

So, MITRE developed its own international cyber capacity building model to support [the] State Department’s needs. They came to us five or six years ago and asked for something repeatable and based on best practices that they could take to countries all over the world to help them build their cyber capacity, develop national cyber strategies, and implement them. Today, we’re using that in almost 70 countries, and we have ongoing bilateral relationships with several of those.

Danny (02:49):

And can you go into a little bit more depth on what this model looks like?

Cynthia (02:53):

Yeah, sure. For one thing, it’s kind of based on your standard OODA loop. OODA loop is the Orient, Observe, Decide, and Act model that the DoD popularized, that many of our sponsors use. So, during that Orientation and Observation period, we do a lot of open-source and interview-based research to understand the unique threats, opportunities, and resource contexts of the countries that we’re working with. We want to make sure that the needs assessment that we develop is very specific to what that country wants to achieve in cyberspace and not something that the United States, for instance, thinks they want.

Cynthia (03:31):

Then we look at eight different areas of cyber capacity within each of the countries that we work with. The first one is risk management and resourcing, those two are closely tied together because these countries tend to have so few resources. We really want to help them make good risk-informed decisions. Civil and regulatory law, which helps define roles and responsibilities and figures out who can set standards and how they can enforce them. Policy and standards, the standards they actually set, and national policy about what kinds of things are appropriate to govern in cyberspace. Operational resilience, which includes critical infrastructure protection, incident response, cybercrime prevention and prosecution, cyber workforce development, and public awareness or the culture of cybersecurity.

Danny (04:22):

Great. And how does that relate to [the] Great Power Competition?

Cynthia (04:26):

International cyber capacity building and our model is really quite relevant to [the] Great Power Competition, partly because one of our greatest competitors–China–is very aggressively doing what they would call international cyber capacity building, but what is more typically focused on getting a foothold for their technologies and their workforce in a particular country.

Cynthia (04:51):

So, China is aggressively reaching out to many of the same developing nations as the U.S. State Department, and offering to, quote-unquote, help them modernize their economies, often in the critical infrastructure area. But what that tends to look like in practice is that they bring in their own equipment, their own workforce, their own technologies, and from that point forward the so-called partner nation no longer has control, or in some case, even access to the control systems of that critical infrastructure. And that gives China a real hold over countries that have some strategic importance to us. And it deprives the country itself of being able to develop their capacity in that area, to develop their own critical infrastructure protection capabilities and workforce.

Cynthia (05:40):

And Russia and China are also both actively seeking to promote a model of internet governance that doesn’t align with the values of the U.S. and the West. For instance, they help governments implement systems that can control internet content, what users can see, even surveil the public, track their transactions and where they go online, and restrict access to information that the governments don’t want them to see. So, by engaging cooperatively with these countries, the State Department hopes to provide an alternative to those models. And at the same time, help those countries become better international partners for things like fighting cybercrime, military operations, sharing information about cyber threats, and just generally sustaining that free, open, and secure internet.

Cynthia (06:24):

These days, the biggest example probably of [the] Great Power Competition that everyone is familiar with is Ukraine. And it’s a country we’ve been working with for quite a while. MITRE helped the Ukrainian government improve its cyber governance model, its critical infrastructure protection law, and its internal inter-agency operational coordination in responding to cyber incidents. And we know that that’s working because the Ukrainian government thanked us publicly for that and noted that they had institutionalized the operational coordination model that we co-developed with them in their national cyber coordination center, and that that center has now helped them respond faster and more effectively to hundreds of Russian cyber attacks. I’m hoping that the work that we did has really been instrumental in helping them fend off this latest wave of Russian aggression.

Danny (07:13):

And are there any other areas in which you are engaging in international cyber assistance?

Cynthia (07:18):

Well, we’re constantly looking for new opportunities to expand this mission area. One of the most interesting ones that we’re working on right now is not actually for the State Department, it’s through MITRE Engenuity with funding from the Bill & Melinda Gates Foundation. In that effort, we have developed a dynamic cyber risk model aimed at making mobile digital financial services more secure and accessible in developing countries. And that helps to improve these economies by increasing the number of people who have access to really basic banking services like savings, credit, microloans because so much of the world remains unbanked today. And dealing solely with a cash economy can really lock a lot of people out of participation in those economies. So, the Gates Foundation wanted to improve that situation and make sure that it was done securely.

Cynthia (08:10):

So, in that case, we are looking at both the technical and the policy aspects of those economies to help figure out what the risks are, and how we can mitigate them both technically and more globally through policy and governance strategies. With regard to [the] Great Power Competition, this is another good example because one aspect of the mobile money ecosystem is the role of digital currencies. Some digital currencies and China’s digital yuan is one of those, and so are some of the mobile wallets offered through Chinese social media apps. These currencies are implemented in a way that allows the government to spy on users of those apps or currencies that lets them track every transaction, what people buy, who they send money to, that kind of thing.

Cynthia (09:04):

So, our model can help countries or assistance organizations, anyone who wants to be involved in that space, help them promote practices that emphasize privacy and security in ways that align with the specific governance and technology context of that particular country, what they can actually practically do with the tools that they have. So, that’s been a very interesting expansion.

Danny (09:27):

How are you trying to remedy the issues regarding the security of these financial services?

Cynthia (09:32):

Sure. Our model looks at the specific tech environment of a particular country. And by that, I mean, what kind of networks those mobile money services are operating on. For instance, if it’s a 2G network versus a 4G network, types of the phones used, whether the ecosystem is more reliant on banking technologies, mobile network operator systems, which are things provided by telecommunication companies, or like social media or similar apps. That all sounds very narrow and geeky, but if you can imagine trying to do all your banking from your cell phone when your cell phone is really just a flip phone that you can only work through with number-driven menus. Like if you want to do this, press “1”, if you want to send money, press “2”, it’s a very different environment than what we’re used to. And so, knowing what those technologies are, whether they’re using those kinds of phones or a smartphone that’s actually doing the transaction through the internet, makes a big difference in what kind of risks are out there.

Cynthia (10:35):

Same thing on the banking technology side, if it’s a bank system that they’re interfacing with, like so many people in the U.S. do, then it has certain protections built-in, but also risks that are unique to those proprietary systems. Whereas, if it’s some kind of application that’s offered over social media, those are going to be a different set of risks. So, we want to figure out: kind of where on that spectrum a particular country sits, so that we can help them figure out, out of all the risks that they could be considering, which ones are most relevant to their particular technology context.

Cynthia (11:11):

Once we’ve done that, then we take a look at the policy and governance environment of that country, to see what kinds of systemic efforts, like: economic or fiscal policy; technology licensing standards; national identity programs that help people, for instance, use biometrics and those kinds of technologies; government incentives like maybe getting benefits via a mobile wallet. Those kinds of programs could be applied in the environment to create a stronger, more accessible, and more secure digital financial services environment within the specific needs and abilities of that country.

Danny (11:49):

Does this model have any other applications?

Cynthia (11:51):

The approach does. We are trying to use the approach in a couple of different applications. In particular, we’re looking at maritime security and health services as two different areas where this kind of model could apply. For instance, in maritime security, the technology environment we’d be looking at there ranges everything from smart ports (if your listeners are familiar with those), to pretty old-fashioned fishing fleets that might just be using normal radio systems. Stakeholders may be anyone from a national navy to a cruise ship operator. Every use case creates a different set of risks and opportunities to mitigate and different ways to create a more resilient system.

Danny (12:39):

Are there any other areas in which MITRE’s helping partner nations build their cyber capacity that relates to GPC?

Cynthia (12:46):

Sure. Cyber workforce development is another area in which we think that we are engaging in the Great Power Competition work. We help governments create public-private partnerships to help grow their own digital workforces and make the public more security-aware. As with that previous example, when China partners with a country, it almost always uses its own workers, which not only undermines the host government’s control over its own systems and critical infrastructure and stuff, but also lets them reap many of the economic benefits of having that digitally-savvy workforce. And it prevents the host country from developing that workforce and from becoming more economically competitive. That keeps those countries dependent on Chinese help.

Cynthia (13:32):

We offer a different model that helps strengthen their economy, strengthen their investment environment by making sure that, just in general, there are more best practices, better cyber hygiene in effect. And we offer them the ability to control their own development in partnership with their own private sector. And at the same time, by doing this workforce development effort, we are helping improve awareness of cybersecurity best practices just generally across the workforce in a way that can help prevent common threats like ransomware or phishing attacks, those kinds of things that–with better awareness–people can better secure their overall cybersecurity system. So, by helping these countries do that, we are helping to hopefully orient them more toward the United States and Western Allies and less toward China and Russia and those kind of more exploitive countries.

Cynthia (14:34):

We’re also looking for new ways to identify critical infrastructure, to help developing nations use a more risk-informed approach to focus their very limited resources. Remember, these are developing and emerging economies that we’re typically working with. So, we want to help them focus those very limited resources: not just on, for instance, 9 sectors or 12 sectors of critical infrastructure and services, but really on specific critical infrastructure assets that are most critical to their national security and their economy. So, once we’ve helped them identify a specific asset like a single power plant or a couple of rail lines, or a port facility, then we can help them figure out at the organizational level, how to apply specific tools to strengthen their cybersecurity. And those tools are things that MITRE has a lot of experience with, such as MITRE ATT&CK or the NIST Cybersecurity Framework.

Cynthia (15:33):

In Moldova, for example, which is potentially next in line as a target of Russian aggression, in the Black Sea Region, the government has struggled to protect its critical infrastructure, partly because they have pushback from certain interests in their parliament, that’s prevented them from formalizing their own critical infrastructure and law. And partly, just because they’re one of the poorest countries in Europe. Even when they have all those sectors identified, they just can’t afford to protect everything. So, this approach should help them figure out specifically where they can get the most bang for the buck in investing in critical infrastructure cybersecurity. And hopefully, that will make them more resistant to Russian aggression, and to other cyber threats like ransomware.

Danny (16:13):

Are there any resources you’d like to shout out for our listeners who may want to learn more about this topic in their free time?

Cynthia (16:19):

In the international sphere, one of the most well-known is the Global Forum for Cyber Expertise. It has a library called the Cybil Knowledge Portal, C-Y-B-I-L portal, that’s available to anyone who wants to go look at these kinds of tools and approaches. And then, for people in MITRE itself, they can FastJump cyber_strategy. So that’s C-Y-B-E-R_strategy. (The underscore is important because otherwise, it’ll take you off to some other site that you’ll be locked out of.)

Danny (16:49):

Great. And do you have any final thoughts on smaller and developing countries and why they are important to GPC?

Cynthia (16:57):

Yeah, I think there’s a lot of tendency to think that some of these developing nations are just like charity cases, just recipients of U.S. assistance and that we don’t get anything out of that, but that’s really not true. These countries are strategically important to the United States. They’re in our economic sphere, they’re in our geographical backyard, or they’re in positions of geostrategic importance like on U.S. sea lines of communication, shipping paths, military operating areas, and so forth. When the State Department decides to engage with one of these countries, it’s because it has an impact on our national security, and therefore on [the] Great Power Competition. Many of these countries are also locations with important national resources like rare earths that both China and Russia are seeking to control. That’s very common in Africa, in particular.

Cynthia (17:50):

And finally, many are facing challenges like climate change, rising crime, or population explosions, that are going to make them potentially unstable in the future. And unstable countries are bad for everybody, they affect our national security and just the global security regime. Finally, engaging with these countries to make them economically stronger and more technically competent just makes them better partners, both economically and diplomatically for us. It reinforces international norms and Western values of information freedom and human rights and reduces the likelihood that they’re going to become areas of concern in the future. So, this international cyber capacity building work is really one way that the United States engages with potential partners in the world. We help spread our brand, if you will, and we help to create people who we hope will be better allies in the future.

Danny (18:40):

All right. Well, thank you for coming on to discuss your work. I’d like to give a quick thank you to MITRE and the Knowledge-Driven Enterprise for making this show possible. And again, thank you, Cynthia, for coming on to share. I’m sure our listeners learned a lot.

 


Danny Nsouli is an Intermediate CyberSecurity Software Engineer. He has a passion for computer graphics and enjoys learning about front-end solutions for consumer-facing project components such as data visualizations.

© 2022, 2024 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited. Case number 22-1598
