This article launches a new programme of work at TBI on cybersecurity, investigating the steps governments around the world should be taking to create a safer net for economic and social prosperity.
Cyberspace, the “clusters and constellations of data” and “unthinkable complexity” as conceived by William Gibson, is now the environment of our daily lives. Growing at an almost unimaginable rate – it is estimated that currently more than 10 billion devices are connected to the IoT (Internet of Things) and by 2025, 152,000 devices will connect every minute – the exponential potential of this interconnectivity to provide access to critical life-improving technologies is being hampered only by the equally rapid growth of potential points of vulnerability on the network. This is often reflected in a national security-focused rhetoric of danger, with the digital ecosystem as a series of “threat landscapes”, the target of “offensive cyops” and “advanced persistent threats”. But cybersecurity, the combination of approaches that can help redress this, is often perceived as complex, costly, onerous or even futile.
Often considered secondary to more tangible issues, Western recommendations of cybersecurity-policy paradigms based on regulations and penalties have also been perceived by some emerging economies as a form of technological neo-colonialism. Measures that require heavy investment could limit the development of their innovation ecosystems.
In the long term, however, states without cybersecurity frameworks might find themselves unable to fully realise the potential of their digital economies. Recognising cybersecurity as an opportunity that not only enables access to key life-improving technologies but that will also be a competitive advantage in attracting sustained support and investment could be the key to increasing individual states’ cyber resilience, as well as strengthening the global digital ecosystem for all.
While emerging cybersecurity challenges, such as those for metaverses, space and beyond, might increasingly attract attention, it can be easy to lose sight of the fact that we still only have half the picture here on earth. As the digital divide begins to close, near to 4 billion people will not only join the internet but leapfrog into immediate reliance on aspects of digitally enabled life, including digital government, agritech and connected medical devices. This rapid investment in innovation is outpacing investment in cybersecurity, leaving a digital-security maturity paradox.
This creates a gap – an attacker’s arbitrage gap – which leaves governments, businesses and individuals exposed to a range of malicious and opportunistic cyber interference. The accelerated shift to increased internet reliance during Covid-19 magnified the risks of this gap. In a recent report, Gartner predicted that malware spreading at “wire speeds” across operational technologies could result in loss of human life by 2025; however, they also reported that organisations adopting a cybersecurity-mesh infrastructure will reduce the financial impact of cyber incidents by 90 per cent.
At the international level, those countries with weak cybersecurity infrastructure and policies could be left doubly vulnerable. Opportunistic cyber criminals will generally engage in a programme of small, easily-obtained gains over the uncertainty of attacking heavy security infrastructure. And as some states move to strengthen their cybersecurity ecosystem, the states with weaker security infrastructures become the low-hanging fruit attracting malicious cyber activity. Cybersecurity is no longer a luxury but a necessity.
Yet a global poll of 26 countries in 2018 showed that while there was overwhelming belief among those polled that their country, its infrastructure and its elections could be subjected to malicious cyber interference, there was also a lack of confidence, particularly in Europe and Latin America, that their countries were prepared to fend off such attacks. Currently, only ten out of 55 states of the African Union have fully ratified the African Union Convention on Cybersecurity and Data Protection (the Malabo Convention), and with a further six ratifications required for the Convention to come into force, Africa’s innovation ecosystem remains one of the most under-protected globally.
It is undeniable that the accelerated wave of malicious cyber activity over the last few years is among the most critical threats to global stability. However, the stream of widely touted shock-and-awe figures, such as the $590 million in ransomware payments in the first half of 2021 and predicted cost of cybercrime reaching $6 trillion, while rightly mainstreaming the gravity of the issue, can also act as an obstacle to the adoption of beneficial cybersecurity practices.
Political psychologists have long established the impact of fear on action and political behaviour: the political equivalent of the amygdala hijack that leads to either a fight or flight response. At one extreme, fear can paralyse decision-making and lead people to disengage from the issue completely. At the other end of the spectrum the increased anxiety might galvanise some into reactive decision-making on limited information that may provide short-term solutions, but potentially make them more insecure in the long-term.
In the cybersecurity realm fear arising from rapid magnification of levels of cyber threat, as well as the perceived complexity of cybersecurity measures, has led to diverging dynamics of cybersecurity fight and cybersecurity flight. Digitally advanced nations have responded with renewed urgency to re-examine national and international approaches to cybersecurity policy and practice with measures from new legislation with draconian punishments for failure to report cyber incidents and ransomware payments to joint inter-departmental and coordinated international initiatives to paralyse ransomware gangs such as REvil.
For many LMICs and SMEs, the myriad of regulations, alarmist rhetoric of cybersecurity companies capitalising on publicised malicious cyber operations and even the barrage of well-intended sources of guidance can have an equally overwhelming and paralysing effect. It is often perceived as something happening to those bigger and more sophisticated than themselves. At the individual level in the UK, a 2019 poll conducted for the NCSC revealed that while 80 per cent of people agreed that cybersecurity was a priority, this was not translated into changed behaviour with only 15 per cent of people feeling that they knew how to protect themselves online and 46 per cent finding information about how to be secure confusing. In either event, those states who are unable to implement holistic cybersecurity strategies could find themselves disadvantaged both regionally and globally, and ultimately less able to reap the benefits of the global internet.
In order to ensure that countries, particularly LMICs, and people are enabled to fully reap the benefits of digital life, a radical reframing of cybersecurity is required. Perceptions that cybersecurity is an unreasonable set of standards that are stifling innovation, or panic frames that lead to restrictive practices, need to be replaced with new narratives of opportunity. Narratives that emphasise the attractiveness and value of cybersecurity over the burden of maintaining a secure cyber ecosystem. In 2018, a Capgemini survey showed that cybersecurity and data privacy was a major source of competitiveness for retailers, outranking even price sensitivity. In Anthony Blinken’s statement announcing the new US State Department Cyber Bureau, he emphasised its role to boost US competitiveness and remain a leader in innovation.
With safe digital inclusion becoming a key pillar of the World Bank’s development agenda, its new Global Fund for Cybersecurity is headlining cybersecurity as the foundation for its work “in helping countries reduce poverty, tackle inequality, and accelerate economic growth”. From technologies to make deserts bloom to global collaboration on health security, those states and entities that are mindful and responsible partners sharing common values on cyber health will be those that will have access to the most meaningful and lasting economic relationships. They will also be those able to have their voice heard, shaping global conversations on cybersecurity. With only Kenya, Nigeria and South Africa representing Africa at the US Ransomware Summit, it is clear that those states that provide the frameworks and incentives to enable their infrastructure and systems to protect themselves and their partners will be the most sought-after partners in the digital revolution.
A vibrant, creative, mature digital economy that will lead to prosperity for all requires open and interoperable networks that are trusted, safe and secure. LMICs that are able to leverage the best practices and lessons to build a holistic cybersecurity policy that protects their innovation ecosystem, such as through the ITU’s recently launched Guide to Developing and National Cybersecurity Strategy, will inevitably have greater opportunities for growth, investment and development. Cybersecurity mature states providing sustained support to those more vulnerable will in turn strengthen the networks for all. However, encouraging states, SMEs and individuals to take that leap towards investment in cybersecurity requires a shift from advocating policy built from fear towards policy built on an optimistic rationale for cybersecurity.
A model that emphasises:
The value of committing to cybersecurity values as a path to economic gains and access to innovation for all.
Supply-chain security as opportunities to reap the dividends of being a trusted partner with shared security values.
Incentivising participation in local, regional and global reporting and information-sharing mechanisms as providing critical competitive advantage to an innovation ecosystem.
Increased perceptions of stability for long-term growth and prosperity when critical societal functions, infrastructure and systems of national significance are secured.
Support of international cybersecurity norms as the key to ensuring that LMIC voices are represented in shaping global cybersecurity policy for global good.
The ability to harness beneficial life-improving emerging technologies for sustainable futures with forward-looking and adaptable cybersecurity policies.
At the heart of all these is a model that inspires cybersecurity policy to be a vehicle towards a secure net for all. When states and societies take responsibility together to ensure that tomorrow’s future is built on safe digital inclusion and beneficial connectivity, the potential of the internet as a force for good will be realised.