In 2017 the office of the National Security Advisor published the Iraqi Cybersecurity Strategy (ICS), marking the first substantial and public effort by the Iraqi state to analyze the deficiencies in national cyber policy; drawing a road map for the construction of a cyber suprastructure for the nation to put Iraq on par with its international counterparts and allies. The first of its kind, the ICS accurately diagnosed the gaps in Iraq’s cyber policies as structural weaknesses related to human neglect, unexamined measures, and deprioritization of the cyber domain. Consequently, the strategy lays out an implementation agenda based on one-, three- and five-year fulfillment objectives ranging from the establishment of a federal cyber agency and the drafting of laws relating to cyberspace to the “creation of a cyber security culture” and university degrees in cyber security.
While the publication of such a document should be applauded as a display of the increasing prioritization of the cyber domain, the ICS of 2017 is nonetheless acutely flawed and has largely failed to induce the application of the framework it proposes. The Cybersecurity Strategy published was largely theoretical, detailing the general threats faced by private and public actors in cyberspace rather than focusing on the nature of the cyber threats Iraq faces in particular. Consequently, the strategy did not attempt to provide what can be considered a concrete analysis or schema for the classification of critical infrastructure which is or could be the subject of frequent targeting. Moreover, the document failed to outline which government entity or institution would be responsible for the implementation of its recommendations, plans, or objectives; providing no detailed strategic programs nor periods of implementation for the policies mentioned. Ergo, none of the objectives, policies or reforms suggested and proposed have seen any real progress in terms of their realization.
Taking into account the general groundwork laid down by the 2017 ICS, its shortcomings as well as the prevailing risks and threats in the cyber domain in Iraq, and the international guiding principles around cybersecurity, the Iraqi National Security Advisory, the Iraqi intelligence services, and the Iraqi government should take into account the following recommendations:
Working with international partners –– both private and public –– to launch Iraq’s own communications satellite to create the necessary bedrock infrastructure for an integrated information security system,
Charting a legislative, legal, and judicial ecosystem around the cyber domain which provides national standards and regulations for cybersecurity in both the private and public sectors, creating an enabling legal environment for enterprise and pricing an ecology for the persecution of cybercrime while ensuring civil liberties,
Establishing a dedicated national cyber agency under which cyber policy is implemented, responsible for cyber education and awareness, information security, and the defense of the Iraqi national cyberspace,
Entering into multinational treaties and agreements relating to cybersecurity as crucial mechanisms for codifying norms and behaviors while entering into bilateral treaties and agreements which stipulate both information sharing and capacity development,
Incentivising third country private sector expertise to install in Iraq to fill the current gap in technical expertise and professionals, providing a base upon which Iraqi human capital can be nurtured, developed, and encouraged in the long term.
These recommendations were formulated through analysis and study of the current architecture of Iraqi cyber policy and the state of its communications infrastructure as explored thereafter in this brief, as well as the consultations of the conduct of more cyber advanced nations and the guidance provided by transnational communications and cyber bodies.
