The Role of the International Telecommunication Union (ITU) in Cybersecurity Governance: Capacity Building, Simulation Exercises, and Institutional Support

Abstract

As digital interdependence intensifies and cyber threats grow in scale and sophistication, cybersecurity has emerged as a critical dimension of national sovereignty, economic resilience, and global stability. In this context, international organizations play a pivotal role in fostering multilateral cooperation, disseminating technical standards, and supporting national capacity development. This article examines the institutional and operational framework through which the International Telecommunication Union (ITU)—a specialized agency of the United Nations for information and communication technologies (ICTs)—advances global cybersecurity. It analyzes the ITU’s key policy instruments, its approach to national and regional capacity building, and its support for practical cyber simulation exercises. The paper also clarifies a common misconception: the ITU does not operate or endorse a centralized global infrastructure branded as “CYBER RANGES.” Instead, it promotes a decentralized, sovereignty-respecting model of cyber resilience. The analysis draws on official ITU publications, technical guidelines, and verifiable program activities up to 2025.

Keywords: ITU, cybersecurity, cyber governance, cyber exercises, capacity building, national cybersecurity strategies, CERTs, international cooperation.

1. Introduction

Cybersecurity has evolved from a technical concern into a cornerstone of digital sovereignty and national security (Nye, 2017). Given the transnational nature of cyber threats, no single state can ensure its digital safety in isolation. Multilateral institutions thus serve as essential platforms for norm diffusion, technical assistance, and collaborative preparedness. Among them, the International Telecommunication Union (ITU)—established in 1865 and integrated into the UN system in 1947—has assumed a leading role in supporting member states, particularly developing countries, in building robust cybersecurity frameworks.

A persistent myth in policy and media discourse suggests that the ITU operates an official global “cyber range” platform under the name “CYBER RANGES.” However, no such branded infrastructure exists within the ITU’s institutional portfolio. Rather than deploying centralized simulation environments, the ITU adopts a facilitative, non-prescriptive approach, empowering states to develop context-specific capabilities through guidance, training, and regional partnerships. This article aims to clarify the actual scope and mechanisms of the ITU’s cybersecurity engagement, with particular attention to its support for simulation exercises and national response structures.

2. Normative and Strategic Frameworks

2.1. The Global Cybersecurity Agenda (GCA)

In 2007, the ITU launched the Global Cybersecurity Agenda (GCA) as a voluntary, cooperative framework to enhance confidence and security in ICT use. The GCA is structured around five interdependent pillars:

1. International cooperation,

2. Technical and regulatory measures,

3. Organizational structures and capacity building,

4. Risk assessment and response, and

5. Confidence-building and awareness (ITU, 2007).

As a form of “soft law,” the GCA does not impose binding obligations but provides a flexible roadmap for national and regional action, particularly in resource-constrained environments.

2.2. Technical Guidelines for Institutional Development

The ITU has produced widely adopted, open-access technical documents that serve as foundational resources for national cybersecurity planning:

• The National Cybersecurity Strategy Guide (NCSS) offers a step-by-step methodology for strategy development, implementation, and evaluation (ITU, 2021).

• The Guidelines for Establishing National Computer Incident Response Teams (CIRTs) outline governance models, legal frameworks, operational procedures, and cross-sectoral coordination mechanisms (ITU, 2014).

These publications reflect the ITU’s commitment to context-sensitive, non-dogmatic technical assistance, respecting national sovereignty while promoting internationally aligned practices.

3. Cyber Simulation Exercises and Practical Training

The ITU does not design, own, or operate centralized cyber range platforms. Nevertheless, it actively supports and facilitates practical cybersecurity exercises at national, regional, and interregional levels, often in partnership with regional organizations and technical agencies. These exercises fall into two main categories:

• Tabletop exercises: Structured discussions that test incident response plans, institutional roles, and decision-making protocols under simulated cyber crisis scenarios.

• Technical simulations: Hands-on drills in controlled environments that emulate real-world attacks (e.g., ransomware, DDoS, SCADA intrusion) on critical infrastructure or government networks.

Documented examples include:

• Cyber drills in Africa coordinated with the African Union,

• Regional tabletop exercises in Latin America and the Caribbean in collaboration with the Organization of American States (OAS),

• Capacity-building workshops in the Arab region supported by the Arab Regional Cybersecurity Centre of Excellence (ITU, 2023).

These activities are typically embedded within the programming of ITU-supported Regional Cybersecurity Centres, which act as hubs for training, information sharing, and incident coordination.

4. Regional Cybersecurity Centres and Multilateral Collaboration

The ITU has championed the establishment of Regional Cybersecurity Centres as focal points for cooperation and capacity development. Key initiatives include:

• The African Cybersecurity Centre (in partnership with the African Union),

• The Arab Region Cybersecurity Centre of Excellence (hosted in Oman),

• Ongoing efforts to establish a Latin America and Caribbean Cybersecurity Hub.

While some of these centres may incorporate simulation labs or cyber range-like environments, they are nationally or regionally managed, not centrally controlled by the ITU. The Union’s role is strictly that of a technical advisor and diplomatic enabler, not an operator.

Moreover, the ITU is an active participant in multilateral forums such as the Global Forum on Cyber Expertise (GFCE), where it coordinates with over 60 countries and international organizations to share tools, training modules, and best practices in cybersecurity.

5. Open Access to Knowledge and Training

In line with its developmental mandate, the ITU provides free online cybersecurity courses through the ITU Academy, covering topics such as national strategy formulation, incident response, and critical infrastructure protection. It also publishes annual reports, technical studies, and policy briefs—all publicly accessible—thereby promoting transparent, equitable access to cybersecurity knowledge.

This open-knowledge model reinforces the ITU’s mission to reduce the global cybersecurity capacity gap and support sustainable digital development.

6. Conclusion

The International Telecommunication Union does not function as a global cybersecurity service provider, nor does it maintain a proprietary simulation infrastructure such as a “CYBER RANGES” platform. Its strength lies in its neutral, facilitative role within the international system: providing adaptable frameworks, fostering regional ownership, and enabling states to build sovereign, resilient cyber capabilities.

In an era marked by geopolitical fragmentation and contested cyber norms, the ITU’s non-prescriptive, capacity-oriented approach offers a pragmatic pathway toward inclusive cyber resilience. Future research could assess the measurable impact of ITU-supported programs on national cyber readiness indices or analyze implementation challenges in low-resource settings.

References

• International Telecommunication Union (ITU). (2007). Global Cybersecurity Agenda (GCA). https://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCA.aspx  

• ITU. (2014). Guidelines for Establishing National Computer Incident Response Teams (CIRTs).

• ITU. (2021). National Cybersecurity Strategy Guide (NCSS).

• ITU. (2023). Cybersecurity Events and Activities. ITU-D.

• ITU. (2025). Cybersecurity Programme Overview. https://www.itu.int/en/ITU-D/Cybersecurity  

• Nye, J. S. (2017). Deterrence and Dissuasion in Cyberspace. International Security, 41(3), 44–71. https://doi.org/10.1162/ISEC_a_00266