Cybersecurity’s become the most important issue for many people working on the future of the Internet.
The more important the Internet becomes to everything we do, and the more societies become dependent on it, the more vulnerable we are to those who would exploit it to our disadvantage. Loss of trust in the Internet would pose a major problem to governments, online businesses and users. Yet the way many governments, businesses and users behave prioritises convenience and underestimates the risks. And there are complex challenges in the relationship between security, openness and rights.
Six starting points, and five thoughts on how we should be thinking about cybersecurity in an increasingly digital age.
We start from insecurity
First, the Internet’s innately insecure. When using it, we allow devices to exchange information we can’t see. Once we concede that, we are vulnerable.
Second, the pioneers of the Internet paid far too little attention to the implications of this. They were working in small groups whose members trusted one another. They did not anticipate the exploitation of the Internet for harm, its global reach, or its commercialisation. When the first virus was demonstrated, so it’s said, many thought that it was clever rather than a threat. If they, and we, knew then what they, and we, know now, they’d not have been so casual. But because the need to self-protect was underestimated, we’ve been struggling to catch up since then.
Third, the risks this poses are diverse and complex. We use one word – cybersecurity – to cover many things, from the security of the network itself, hardware and software, to the security of the state and the security of the individual. Some also include issues like child protection. The ways these are approached are obviously connected, but the requirements and priorities of those affected differ. Strategising cybersecurity’s not simple. We shouldn’t try to think it is.
Insecurity’s not static
Fourth, insecurity isn’t a threat just to the Internet, but one to whole societies. As the Internet becomes more important to infrastructure, economies and the ways societies are organised, the risks of insecurity rise higher. If financial markets run online, for instance, there’s a (financial) killing to be made by those who can manipulate those online markets. Insecurity starts as a nuisance but could end up an existential threat if what’s insecure is crucial to our lives.
Fifth, the innovators here are those who pose the threat not those who counteract it. Most of the cybersecurity activity we see’s about two things: finding weak points before the other side gets to them, and fixing weak points after the other side has found them. The Internet of Things will make this worse. Many millions of devices already out in use are innately insecure, and most of them unfixable. IoT business models are driven by price, not by security.
And sixth, the boundaries here are difficult. The insecurity of the Internet can be abused, but so can its security. In some countries, law enforcement’s suspect. Some governments suppress the freedoms that we want to see both online and offline. It’s important to link security and rights, to protect the citizen from both criminality and loss of freedom.
Where we stand
All stakeholders need to think carefully about how to deal with the above. Listening to the talk at recent cybersecurity events, I’d suggest four problems in particular (as well as technical challenges I won’t go into here).
First, the high and growing level of risk, exacerbated by the Internet of Things. There’s widespread expectation that somewhere, sometime, soon, something will go badly wrong. What happens when it does – to how the Internet is seen and how it’s governed – is hard to guess.
Second, most people and many, if not most, businesses, organisations and governments pay too little attention to security. As with data-sharing, most users prioritise convenience and take risks online. Many organisations still see cybersecurity as a cost, not a necessity. Recent attacks on Britain’s National Health Service would have been avoided, for example, if precautions had been taken. They weren’t because that would have diverted money from the Service’s main purpose. This isn’t going to change, but greater awareness can reduce the risks.
Third, there’s a lack of universal standards to secure security, and a proliferation of initiatives to address them. These initiatives are often poorly interlinked, and there are ambiguities within them. Governments want both to protect data by default and to access data by default, to meet different state security concerns. Businesses want to assure users that their data are protected but retain the freedom to exploit those data. Hence differences of view about encryption and data sovereignty.
Fourth, addressing this is undermined by mutual suspicion. Geopolitical blocs have different goals and worry that each other’s motives are impure. Governments and businesses both think that they should take the lead. Many rights advocates suspect the aims of both. And there’s a gulf of understanding amongst stakeholders, with smaller developing countries (for example) and smaller businesses struggling to keep up with the pace.
What to do?
There’s a great deal of discussion about what to do, and little space here to cover this. The five points that follow emerge, like those above, from observations made at recent meetings.
First, there’s a need for more awareness and acknowledgement of the scale and scope of the problem, by all stakeholders. Key to this is understanding what is happening. Understanding should provide a platform for strategy development. One approach to this in developing countries, which tries to keep pace with the changing nature of the challenge, is the Oxford Martin School’s Cybersecurity Capacity Maturity Model.
Second, there’s a need for more cooperation, between both countries and stakeholders.
Cybersecurity is a global, not a national problem. It’s natural for governments to suspect one another’s intentions, in cyber- as in other aspects of security. International agreements can at least provide rules that constrain conflicts and establish norms – see, for example, the UN Convention on the Law of the Sea – and they can facilitate joint action against third parties that threaten all.
Cybersecurity is, likewise, a problem for all stakeholders. Better security’s only going to be achieved through mutual cooperation between governments, businesses and ‘the technical community’ (whose members may or may not work for either). The case for multistakeholder engagement is particularly strong here. Cybersecurity requires cooperation not contestation between government and business. Civil society has an important role in ensuring rights and security are maintained together.
Third, there’s a need for greater focus. The proliferation of international fora concerned with cybersecurity, related to different interests and with different goals, wastes resources and causes confusion. Some initiatives clearly contest with one another. It’s difficult for developing countries to engage with multiple initiatives as they try to develop the national strategies that are generally agreed to be essential.
Fourth, there’s a need to build capacity in all countries – developed countries where the threats are greatest currently (because they are more dependent on IT) and developing countries which are becoming more dependent and so face greater threats in future. This cuts across all tiers of online engagement and all stakeholders, from government officials responsible for public services to incident response teams; from financial services to corner shops; from intensive users to children taking their first steps online. Experience needs to be shared more widely.
And fifth, the future’s more important than the present. Most discussions I attend on cybersecurity focus on the here and now: how to deal with the problems that we face today. That’s obviously crucial, because the threat is current and those who threaten security are always one step ahead of the response. But the problems that we’re facing change day to day, and the threats we face over the next decade will be different, greater and potentially much more harmful than those we know today. Planning around cybersecurity should focus on countering the threats we’ll face in future as well as on the threats we face today.
Cybersecurity is critical to the future of the Internet. We need to pay as much attention to it as we do to access if we want the Internet to thrive and deliver benefits. All stakeholders should recognise its importance and work together to develop forward-looking approaches that facilitate both security and rights.
Next week: a look back at ICT4D twenty years ago: what did we anticipate and not anticipate, what did we get right and wrong?