Digital Resilience: Security as a Global Public Good
Cyberthreats are one of the primary challenges to ensuring we fully harness the benefits of the digital economy. Cyberattacks result in an annual loss of over $600 billion to the global economy. The average cost of a data breach is $3.62 million. Although criminal activities form the vast majority of cyberattacks, there is a growing trend of nation-state intrusions into critical infrastructure.
In addition to threats from attacks and other intentional actions, people and organizations are also at risk from unintended digital accidents and errors, and from acts of nature or man-made disasters that expose dependencies on digital technologies. These latter sources of insecurity and harm can be the source of both primary and secondary risks. Examples of digital accidents include the propagation of erroneous news in markets, poor organizational decisions resulting from misunderstanding data taken out of context, or purely mechanical errors, such as a mechanic pulling a plug with unintended consequences. Examples of acts of nature or man-made disasters include events that impede the availability of digital services and thereby undermine the performance that people and institutions expect from those services.
Addressing cyber threats requires attention to five main areas: (1) global normative principles; (2) national and regional policies and laws; (3) technical standards; (4) collaborative mechanisms; and (5) risk awareness and resilience. Normative principles guide nation-state behavior in the global commons, while national and regional policies and laws set out responsibilities and limits for cyber activity within individual nation-states. Technical standards provide a technical basis for such policies and laws, and allow for interoperability across nation-states. Collaborative mechanisms enable stakeholders to work across functional and national lines to address common threats. Each of these areas depends on a mutual understanding of the risk and on sustained partnership between industry, government, the general public, and other stakeholders to foster digital resilience at all levels.
On normative principles, several important efforts are underway. At the third ASEAN Ministerial Conference on Cybersecurity in 2018, ASEAN members endorsed 11 normative principles propounded by the UN Group of Government Experts in 2015, and are examining mechanisms for implementing them. The Paris Call for Trust and Security in Cyberspace, issued in November 2018, brought together 552 official supporters, including 66 national governments, in support of several normative principles and commitments to action. These efforts are important to sustaining global dialogue about normative principles.
There have also been important recent policy developments. The European Union’s Cybersecurity Act sets a foundation to harmonize policy approaches across the EU’s 28 member states through EU-wide cybersecurity certification schemes – an important contribution to expanding interoperability. Meanwhile, several nations have recently passed foundational cybersecurity legislation, providing a basic legal framework for preventing, mitigating, and responding to cybersecurity threats.
Both industry and government stakeholders have led a number of important efforts to advance technical standards. Several companies united in 2018 to announce the “Charter of Trust,” an industry effort to strengthen cybersecurity that includes enforcing common technical standards throughout company supply chains. The US National Institute of Standards and Technology (NIST) issued a new version of its increasingly widely adopted Framework for Enhancing Critical Infrastructure Cybersecurity. And BSA, a leading international trade association, published the first detailed technical benchmark (the BSA Framework for Secure Software) in one of the most important – and underdeveloped – aspects of cybersecurity: software security.
One important advance with regard to operational collaboration has been the initiation of negotiations on a Second Additional Protocol to the Council of Europe Convention on Cybercrime (the Budapest Convention), which will focus on measures to improve law enforcement’s ability to access and use digital evidence to pursue cyber criminals. There are also a number of ongoing and new collaboration initiatives at the industry level that support data sharing and joint defense or joint learning; examples are the Information Sharing and Analysis Centers (e.g. FS-ISAC for the financial sector) and operational risk information sharing initiatives (e.g. ORX CISR, a cyber and information security risk management approach).
Finally, there is some progress with respect to risk awareness and resilience building for the overall economy and the wider public. Public-private partnerships like the Cyber Security Alliance in the US or the Allianz für Cybersicherheit in Germany are examples of well-functioning set-ups with the aim of enhancing the overall cyber resilience of society.
Progress on global normative principles has been slow. Following the UN Group of Government Experts’ recommendation of 11 voluntary normative principles in 2015, and their subsequent endorsement by the UN General Assembly, progress on implementing these norms and developing additional norms has stalled. In 2018, the UN adopted two separate resolutions on cybersecurity norms, one creating an open-ended working group of the General Assembly and one creating a new Group of Government Experts. The attending confusion and competition associated with these parallel efforts is likely to complicate further progress.
At the same time, there is currently no internationally accepted body that has the license (also figuratively) to analyze and certify hardware and software for states or companies to rely on when using these components or programs in their national critical infrastructure or operations.
Market Access Barriers
While many nations have made progress in adopting foundational cybersecurity policies, such policies have created concerns about potential market access barriers (such as domestic sourcing requirements or country-specific technical standards) and onerous mandates (such as data localization requirements or incident reporting obligations). Policies and laws create particular challenges when they undermine interoperability, which not only disrupts transnational commerce but also undermines cybersecurity technologies and collaboration possibilities.
Lack of Technical Standards
There are significant gaps in internationally recognized technical standards relevant to essential aspects of cybersecurity, including security of the Internet of Things, software security, and supply chain risk management, and standards development organizations often cannot develop or update standards fast enough to keep pace with the rapidly evolving technology and policy environments. Many nations and businesses have insufficient resources allocated to supporting standards development, exacerbating this challenge. Moreover, emerging challenges often generate a diverse outpouring of disjointed national or individual efforts to develop standards that can undermine interoperability. For example, dozens of government and industry stakeholders are currently working to create Internet of Things security standards, risking the establishment of an uncoordinated landscape of potentially incompatible requirements in markets around the world.
Enhanced Threat Levels
Meanwhile, cybersecurity threats have grown more sophisticated and more alarming. Over the last few years, cyber attacks have increasingly targeted critical infrastructure and created physical damage, and have increasingly sought to exploit software supply chains. States have increasingly used cyber means to pursue national interests, often compromising the integrity of core national functions such as electoral and governance systems. These trends are likely to continue.
As governments scramble to address legitimate and increasingly urgent concerns about cybersecurity, one critical question will be whether they can adopt common solutions that can sustain interoperability and collaboration, or will pursue country-specific solutions that seek to protect nations from transnational threats by separating or isolating their digital ecosystems. Given the inability of any one nation or company to solve them alone, it is vital to consider security as a global public good and thus act in concert to better ensure safe digital networks. Global cooperation and commitments are needed.
Over the coming year, movements will be focused on how to advance policy harmonization that achieves stronger cyber defenses and more effective collaboration. Identifying and addressing key gaps in technical standards, developing new platforms for government-industry and transnational collaboration to combat malicious cyber threats, and advancing global and regional cyber norms represent critical areas for examination.
Keeping everyone safe and secure involves all of society and the whole economy. Beyond certain highly exposed sectors like critical infrastructure and financial services, risk awareness is lagging behind and digital resilience is not yet understood. The same holds true for the general public, where risk awareness is only slowly rising. Reaching the broader public and economy and initiating behavioral changes towards more cyber resilience is a challenge that urgently needs to be tackled.
This article was originally published for the WEF.