9
Creating a Resilient Digital Ecosystem

In order to protect the information assets that the world economy depends on, companies have to prioritize information assets, implement differentiated protections, build cybersecurity into business processes, change user behavior, create resilient technology platforms, engage in active defense, and learn how to respond to breaches across business functions.

However, the digital ecosystem that companies operate in can be an accelerant or a barrier to digital resilience. If technology vendors build products to facilitate security, that makes it easier for companies to create resilient technology platforms, and if industry associations can pool and distribute threat intelligence, that makes it easier for companies to move from passive to active defense.

Putting in place the practices required for digital resilience will be challenging for individual companies, but getting such a supportive ecosystem will be at least as complex given the wide range of actors involved. In addition, cybersecurity is a global issue, so actors in different parts of the world will have different views on how to make trade-offs, for example, between security and privacy. All this means that there is far less consensus on the specifics of how to develop the broader digital ecosystem than there is on how individual companies should protect themselves.

Even in the face of all this complexity, there are still potential avenues of action and detailed discussion in the areas of public policy, community action, and system-wide structures. Continued collaboration between public, private, academic, multilateral, and nongovernmental organizations will be especially important.

THE DIGITAL ECOSYSTEM

While each company must protect itself, it does so in the context of a broader digital ecosystem that shapes its risks, constraints, and options. Attackers may have greater or lesser fear of discovery and prosecution. Vendors may pay greater or lesser attention to how their products affect their customers’ ability to protect themselves. Educational institutions may produce more or fewer graduates trained in cybersecurity. Peer institutions may be more or less open to sharing best practices and intelligence.

The digital ecosystem represents the full set of actors that drive confidence in the integrity of information assets and therefore the confidence that consumers and businesses have in the digital economy—and the avenues for interaction or collaboration among them.

  • Many types of suppliers handle sensitive data and therefore affect the overall level of risk, but two types of suppliers are especially important. Technology vendors have a disproportionate impact on the overall digital ecosystem depending on the extent to which their products and services can be used in a secure way. Insurance carriers could, over time, help companies manage the risk of cyber-attack in a more predictable and transparent way.
  • The public sector is taking an increasingly visible and active role in cybersecurity, but “the government” is far less monolithic than a single corporation. Even within a single jurisdiction, a panoply of ministries or agencies may aim to protect consumer privacy, prosecute criminal behavior, safeguard critical national infrastructure, discourage espionage, and promote economic development. In pursuing these objectives, ministries and agencies use a variety of tools, including regulation, criminal law, intelligence gathering, civil law, subsidies, development of state-owned capabilities, and collaboration with private or nongovernmental organizations.
  • Academic institutions are an important source of cybersecurity research, not only in their computer science departments but, increasingly, also in business schools, public policy schools, political science departments, and multidisciplinary institutes. Equally importantly, academic institutions educate and train the next generation of cybersecurity professionals.
  • Standards-setting bodies (e.g., the Internet Engineering Task Force or the Cloud Security Alliance) can develop protocols for private actors to interact in a secure way and technical standards that encourage them to eliminate vulnerabilities from their products and services.
  • Advocacy groups (e.g., the Electronic Frontier Foundation) seek to influence how private companies and government agencies address important issues they perceive as related to their primary mission in civil liberties, privacy, or human rights.
  • Industry associations (e.g., the Information Sharing and Analysis Centers, or ISACs, in the United States) provide forums for companies to debate best practices, coordinate responses to common threats, and share intelligence.
  • Multilateral organizations (e.g., the Organization of American States) provide forums for different governments to work through complicated issues like legal jurisdiction, cooperation in law enforcement, and regulatory harmonization.

These stakeholders come together in a variety of ways to build a more resilient ecosystem. Some of the most important types of collaboration will be cross-industry, public-private, and multistate. Cross-industry collaboration can be the informal exchange of ideas among peers, more structured cooperation in the form of an industry association, or a commercial arrangement for shared capabilities. In public-private collaboration, the government shares intelligence, technologies, and best practices with companies on a voluntary basis. In multistate collaboration, different governments come together to address points of contention across borders.

These are only some of the types of collaboration possible within digital ecosystems. For example, individual companies or industry associations can collaborate with academic institutions to accelerate and improve the education of cybersecurity professionals.

THE POWER OF A RESILIENT DIGITAL ECOSYSTEM

Earlier in this book we laid out three scenarios—three ways in which the risk of cyber-attacks could affect the digital economy. In the “muddling into the future” scenario, both attackers and private companies improved their capabilities incrementally, resulting in a world in which cyber-attacks were an inconvenience but did not prevent companies from taking advantage of the digital economy. In the “digital backlash” scenario, attackers’ skills improved much faster than companies’ skills, reducing confidence in the digital economy and slowing the pace of technology innovation. In the “digital resilience” scenario, companies dramatically improved their cybersecurity capabilities, allowing the digital economy to develop quickly and robustly.

Collaboration among private companies, government agencies, and nongovernmental organizations could accelerate and expand the impact of the digital resilience scenario by creating the conditions that enable and encourage companies to implement sophisticated cybersecurity capabilities.

June 15, 2020

One of the things Elizabeth liked most about her job was its diversity. As CISO for one of the world’s largest and best-known petroleum and energy companies, no two days were ever the same. Even so, as she drove into the office today, she knew she was entering very new territory.

Her team had just discovered malware in the pipeline control and monitoring system in their two-year-old operation in Surulan. There was a growing middle class in Surulan, and it was rapidly being recognized more as an emerging economy than a developing one; nevertheless, it still suffered from security concerns, and the strength of its institutions varied greatly. No one was quite sure what the malware did, but it was definitely communicating back to a host. This was doubly concerning. The system’s sensors tracked commercially sensitive information about the oil flows. More significantly, the system’s actuators controlled multiple physical systems and valves throughout the network—in the wrong hands these could not only stop the flow of oil but cause severe damage to the physical infrastructure. Some of the control points passed through residential areas and through larger processing plants; any explosion from too much pressure at these points would be far more damaging and could involve human casualties.

Elizabeth pondered her next move. She had led the team in its risk strategy when the system was deployed and connected to the enterprise TCP/IP network last year. All the right processes had kicked in immediately: the malware was isolated and the server quarantined. Backup servers and data kicked in seamlessly. The malware was being fed a stream of simulated data so the attackers were not alerted to the fact that they had been detected, giving the team time to assess the situation, coordinate with law enforcement, and decide on the next steps.

The typical attackers for this global petroleum brand were variations of the politically driven hacktivist, sometimes leaning toward cyber-terrorism. Elizabeth had built strong relationships with the law enforcement community in all the major developed countries where the company had operations, as well as in some states that dealt with terrorism within their borders. At home, the company was considered part of the critical infrastructure, and there were protocols in place for situations where attacks appeared to be state sponsored. In this case, however, the malware seemed to be sending data to a local IP address within Surulan. Perhaps it was being relayed on from there to another site, but that was not visible from Elizabeth’s system. She knew her colleagues had dealt with the police and army in Surulan regarding the physical security of their infrastructure, but she had no idea of their cyber capabilities or who to contact.

Arriving at the office, she sent a note to her operational security colleagues and to her informal multi-industry network of fellow CISOs—peers who met a few times a year and kept in touch online in between. Could anyone offer any guidance? Her internal colleagues said they could forward the request through the appropriate channels, but warned that in the absence of a physical emergency there would be some bureaucratic drag in response times. One of her fellow CISOs, however, said she might be able to help and suggested they speak.

Lisa worked for a large retailer and was part of a multistakeholder group that provided capacity-building assistance to Surulan. Three years ago, her company had started to see a sharp increase in spam, phishing, and high-volume/low-value fraud out of Surulan. She had joined a group that comprised a number of international and regional organizations, academic institutions, and tech and nontech firms from around the world that invested in building cyber capabilities in developing and emerging economies. Lisa stressed her choice of words: this was an investment, not a donation. The Surulan government had made the program a priority after it saw that the rise of crime originating from within its borders (and its inability to deal with it through the criminal justice system) was starting to negatively affect foreign direct investment. The program was personally sponsored by the minister for justice and the prime minister himself.

Just last summer, some of Lisa’s team had been on the ground in Surulan providing cyber forensic training to a newly created team within the Department of Justice. Other parts of the group had provided other services: assisting with the policy framework, the legal code, frontline officer training, police forensic capabilities, and so on.

Lisa put Elizabeth in touch with the leading civil servant in the Department of Justice and the appointed cyber lead in the police force. They worked together and shared the relevant information that enabled local law enforcement to get the warrant required to search the property linked to the IP address the malware was communicating with. The owner was a local businessman whose server had also been co-opted by the malware. Local law enforcement specialists and Elizabeth’s own team were able to trace the origins of the attack back to a third country source, which Elizabeth’s team was already very familiar with.

Interpol recognized the TTPs of the attack from other recent cases and, together with Elizabeth’s team, established a honeypot operation to gather further information about the attackers and their intended targets. This meant they were able to identify other targets who were unaware they were victims-in-waiting.

In parallel, Elizabeth made the business case internally for her company to contribute resources and funding to these international efforts. With operations in countries at all stages of development, the board quickly understood the win-win in continued investment in the rule of law and cyber capabilities in all countries. The company became a regular contributor to the multistakeholder group’s efforts and continued to gain advantage and critical insights through its growing network of increasingly sophisticated partners.

Elizabeth’s experience is becoming more common. As cyber-attacks proliferate, organizations need to reach out beyond their walls. Every organization sits in the center of its own ecosystem and needs to develop resilience across the board. This ecosystem thinking is fundamental to the core business strategy for most organizations in their journey to become digital enterprises—cybersecurity is no different.

Many organizations already engage in collaborative activities, from formal and informal networks in which to share common challenges and experiences to more structured networks that share intelligence and threat data. Beyond this, however, all stakeholders need to be aware of and contribute to the broader digital environment in terms of shared business practices, the role of government, and academic and private-public partnerships. Furthermore, serious proposals have been advanced to make some systemic changes that would change the nature of the operating environment significantly.

WHAT’S REQUIRED TO CREATE A RESILIENT DIGITAL ECOSYSTEM

Discussions with business executives, technology managers, regulators, law enforcement, civil society leaders, and others yielded a framework of potential areas for action across three themes (Table 9.1). Stakeholders can use this as a guide to help them develop a consensus view of their capabilities, define the precise next steps, and discuss roles and responsibilities. A much fuller version of this framework is shown at the end of this chapter (see Figure 9.3 and Table 9.2).

TABLE 9.1 Actions to Build a Digital Resilience Ecosystem

Theme: Public and international policy
Areas for action:
  • National cybersecurity strategy
  • Domestic policy and incentives
  • Foreign policy
  • End-to-end criminal justice system
  • Public goods

Theme: Community action
Areas for action:
  • Research
  • Information sharing
  • Knowledge transfer
  • Community self-governance
  • Shared resources for capacity building
  • Mutual aid

Theme: Systemic action
Areas for action:
  • Risk markets
  • Embedded security/changes to the Internet

TABLE 9.2 Recommendations for Building an Enabling Ecosystem for Digital Resilience

Institutional Readiness

Governance
  • Prioritize information assets based on business risks
  • Integrate cybersecurity into enterprise-wide risk management and governance processes
  • Lead in practice and policy from most senior executives

Program/network development
  • Provide differentiated protection for the most important assets
  • Enlist frontline personnel to protect the information assets they use
  • Integrate cybersecurity into the technology environment
  • Deploy active defenses to engage attackers
  • Continuous testing to improve incident response

Public and International Policy

National cybersecurity strategy
  • Have a comprehensive and transparent national cybersecurity strategy integrated with the strategies and procedures of all policy domains
  • Incorporate private and civil sectors and economic and security issues
  • Establish a competent institution for the national strategy implementation and rollout

End-to-end criminal justice system
  • Ensure law enforcement has the capability and resources to investigate cyber crimes
  • Draw up an appropriate, comprehensive, and agile legal code for investigating and prosecuting cyber crimes
  • Ensure legal advocates understand the cybersecurity ecosystem well enough to carry out due process

Domestic policy and incentives
  • Start private, public, and civil dialogue to develop appropriate coherent mix of policy and market mechanisms
  • Create governmental mechanisms that support law enforcement’s efforts and are appropriately agile

Foreign policy
  • Establish a national cybersecurity doctrine
  • Identify persons at the local, state, and national level responsible for cybersecurity
  • Establish formal and informal channels of communication between law enforcement entities
  • Create interoperability among national-level entities responsible for cybersecurity
  • Work to harmonize national and international policies surrounding the prosecution of cybercrime
  • Establish a multistakeholder approach toward governance on this issue

Public good
  • Ensure evolving and robust incident response capability
  • Increase investments in cybersecurity technical education
  • Fund a cybersecurity research agenda
  • Provide “safe harbor” protection for limited sharing of information among and between companies and government

Community

Research
  • Increase education and awareness
  • Encourage research on enterprise and macroeconomic impact of cybersecurity to prioritize and focus policies
  • Create an atmosphere in which white-hat research is encouraged

Shared resource for capability building
  • Foster partnerships between governments and universities and private sector for skills development

Information sharing
  • Where legally feasible, find mechanisms for information sharing between institutions
  • Improve the quality of the ISACs/Computer Emergency Response Teams and other information-sharing venues
  • Promote an interoperable, extensible and automated system for sharing
  • Provide common protocols for information regarding cybersecurity events

Systemic

Risk markets
  • Expand reach and breadth of cybersecurity insurance markets

Embedded security
  • Explore ways to create a more secure Internet
  • Develop a methodology for quantifying the impact of cyber-risks

Further discussions made clear that these levers have been applied only in a relatively incomplete or immature way in many countries or regions. Why? Making use of the levers above is even harder than implementing best practices in individual companies, especially given the variety of private actors, government agencies, and nongovernmental organizations, each with its own set of constraints and priorities.

Some of the issues related to cybersecurity can be highly emotional and politicized. Cybersecurity is not an isolated issue; inevitably, it touches issues like intelligence gathering, economic competitiveness, and consumer privacy that cannot be addressed as factually and dispassionately as how to segment a network or what practices to use in coding applications.

Given the multifaceted nature of cybersecurity, public dialogue on the topic remains fragmented. Issues such as intellectual property (IP) enforcement, national security, consumer fraud, terrorism, and organized crime may all be addressed in a discussion on cybersecurity, yet in the predigital environment, we evolved different institutions and mechanisms to deal with them even if they may be interrelated.

There is a fundamental disconnect between the global nature of cybersecurity as an issue and the national scope of many institutions. How can national governments effectively formulate policies to enable digital resilience when attackers and their targets may be separated by a dozen time zones? In many cases, global enterprises experience this disconnect most acutely. CISOs at the largest banks, manufacturers, and pharmaceutical companies point out how difficult it is to work with local law enforcement to address a crime that may have touched assets on three continents, or how challenging it can be to explain to regulators how they will secure a single global network. Of course, different countries may have not only different regulatory regimes and law enforcement practices, but also vastly different cultural norms, for example, about employee privacy.

As a result, there are significant disagreements about how to proceed in the areas of collaboration and policy development. Almost everyone agrees that companies should share intelligence about attacks more extensively. Some CISOs said this could be accomplished within existing legal regimes. Others disagreed and argued that companies would not share more intelligence unless immunized from legal liability. Almost everyone agreed that more research on cybersecurity techniques and practices would be valuable. Some CISOs suggested that the public sector could play a valuable role in setting and funding a research agenda. Others argued that governments could not set intelligent research priorities in as dynamic a space as cybersecurity.

Attitudes toward regulation provide a good example of the absence of consensus. Forty percent of technology executives said that, on balance, cybersecurity regulation encouraged companies to be more secure in a helpful way. Conversely, 46 percent said it either requires a lot of time and effort but does not make companies more secure, or that it actively makes companies less secure. There were pronounced differences by sector. Only a quarter of banking executives expressed positive views about cybersecurity regulation. They said regulations were cumbersome and locked into place outdated practices. In many cases, they said regulators lacked the expertise to make the right judgments about cybersecurity practices. By contrast, nearly half of health care technology executives, and about two thirds of their insurance counterparts, had positive views of cybersecurity regulation. They said that while regulation might be suboptimal, it could encourage senior management to devote the required resources and attention to cybersecurity (Figure 9.1).


FIGURE 9.1 Executives’ Perspective on Cybersecurity Regulation Varies Widely by Sector, with Banking Most Skeptical

Such debates can feel distant for many companies, but there are costs and risks associated with not proactively shaping the broader ecosystem. For example, in November 2012, a motion to effectively hand control of the Internet over to national governments was narrowly defeated at the world congress of a technical standards body of the United Nations. Many feared that, if passed, the result would have been the fragmentation and militarization of the Internet, creating an extreme version of the digital backlash scenario described earlier in the book.1 Yet most business leaders were not even aware that this vote was taking place.2

COLLABORATION FOR A RESILIENT ECOSYSTEM

Back in 2011, the World Economic Forum developed a set of Principles for Cyber Resilience that focused on recognizing the interdependence of actors within the ecosystem, the role of leadership, risk management, and promoting uptake along the value chain. These principles served as a critical backdrop for the development of the specific actions companies can take to protect themselves that run through much of this book. Similarly, they can provide an essential starting point for a set of actions that companies, governments, and other institutions can take in collaborating to build a more resilient ecosystem. Taken together, they highlight the opportunity for collaboration among the different participants in the digital ecosystem.

Recognize Interdependence

Every actor in the digital ecosystem depends on other actors. Companies depend on suppliers to protect sensitive information assets, on academic institutions to develop cybersecurity talent, on their peers for knowledge sharing, and so forth. Governments depend on companies to protect privately owned critical infrastructure. Governments also depend on each other to track cyber-criminals across national borders. As a result of this interdependence, all the participants in the digital ecosystem have to experiment with different types of collaboration to achieve goals that they could not achieve individually.

Understand the Role of Leadership

In previous chapters, we described the importance of senior leadership implementing the changes required for digital resilience. Given the cross-functional nature of cybersecurity and the complicated choices involved, only senior management can ratify the decisions and marshal the organizational commitment required for sustained progress. This is even more true in creating a resilient ecosystem. The diversity of the actors, the conflicting agenda, and the complexity of the issues require involvement from the senior-most business, public, academic, and nongovernmental leaders.

Focus on Risk Management

Recognizing that cybersecurity is about economics—that it involves optimizing choices about risk and economic return—provides a fundamentally different context, language, and set of objectives than arise when discussing it through a political or technological lens. It forces the question, “What is it we are trying to protect?” After all, the most digitally secure environment is one that is disconnected from the Internet, but at what cost?

In its 2011 Cyber Security Strategy, the U.K. government stated: “Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency, and the rule of law, enhance prosperity, national security and a strong society.” To achieve this, the government’s first objective was to “be one of the most secure places in the world to do business in cyberspace.” The U.K. government clearly understood the economic benefits from digital resilience and driving economic prosperity for all is a political goal that all leaders can rally around.

All nations compete against each other in the global economy while simultaneously collaborating on a common set of rules that enable such competition. The recognition of the huge potential economic gains or opportunity costs outlined in our scenarios earlier in the book should provide a clear incentive for all governments to ensure that they do not allow an inadequate or fragmented approach to hamper collective opportunities.

Promote Uptake along the Value Chain

As noted elsewhere in the book, cybersecurity plays an increasingly important role in commercial transactions. Criminals can steal important information from a company’s suppliers, or they can use network connections among business partners as avenues for cyber-attacks. Increasingly, many of the actors in the digital ecosystem can take a value chain view, in which they create standards and contractual terms that facilitate more sophisticated cybersecurity practices.

Despite the challenges moving forward, working sessions with many stakeholders confirmed that the Principles for Cyber Resilience highlighted a set of important and feasible actions, many of which involve voluntary cooperation rather than state mandates. Governments could use national cyber strategies to increase alignment across agencies and with private and nongovernmental stakeholders. They could improve the skills and capabilities of the end-to-end criminal justice system, and use multilateral organizations to improve cooperation across borders. Companies could deepen and expand their efforts to share intelligence, best practices, and capabilities, and also build more effective markets for valuing and transferring risks associated with cyber-attacks.

Domestic and International Policy

Two actions came to the fore in terms of domestic and international policy: using national cyber strategy and improving the capabilities of the end-to-end criminal justice system.

National Cybersecurity Strategy

Working sessions highlighted the value in each country having a comprehensive, transparent national cybersecurity strategy that is harmonized with the strategies and procedures across all domestic and international policy. At the time of writing, only 36 countries have published or announced the development of such a strategy, half of them within the European Union (Figure 9.2).3 The United States has focused on cybersecurity since the 1990s and has published a number of cybersecurity documents, but has no overarching strategy. Compare this to Estonia, which is one of the most digitally dependent societies and has a cybersecurity strategy that is integrated into the national defense strategy. Elsewhere in Europe, France and Germany’s strategies both give their respective governments a relatively active role, while the Dutch and Finnish plans focus on collaboration as the bedrock of the strategy. Without dedicated strategies, activities become overlapping, fragmented, and, at worst, conflicting in terms of investment, programs, and policy and legislative measures, all of which in turn hinders economic growth.


FIGURE 9.2 OECD Countries Are Starting to Put Cybersecurity Strategies in Place


FIGURE 9.3 Maturity Curve for the Pillars of a Digital Resilience Ecosystem

In developing and executing a national strategy, governments should incorporate the perspectives and requirements of the widest range possible of public and private bodies. The very process of developing such a strategy can be the catalyst to start the conversation between leaders in different sectors.

Active business involvement will be especially critical. In our discussions, most governments recognized the driving role that business has in achieving their goal of protecting citizens and ensuring digital resilience at the society level. Governments also recognized the economic benefits that the Internet has brought and have no wish to hinder businesses in creating economic value through digitization. As such, many governments are actively keen to engage business and understand the private sector needs in this space. However, a challenge we heard expressed in many of our discussions with policymakers was that consultation with the private sector does not always yield clarity. A common reaction was, “If we ask 30 different companies about their views on what policies are required in a particular space, we get 30 different responses.”

Businesses often talk about the need for policy alignment. However, they have a responsibility to develop a clear alignment on policy needs. Some disparity is inevitable—it may well be the case that the role of government cybersecurity policy is different for health than it is for automotive, but even this level of clarity is currently lacking.

A rapidly growing number of countries are actively looking at what kind of policy and regulatory steps they should be taking to deal with cyber-risks. Many are seeking input from the private sector. However, if the business community cannot align on defining its key policy needs in a globally connected digital environment, the risk of a highly fragmented landscape increases.

Finally, given the range of stakeholders involved in the process, one competent agency may need to be responsible for the strategy’s successful implementation and rollout to avoid challenges over ownership and purpose. This also gives stakeholders transparency into the process and a clear, accountable point of contact. Just as governments struggle with diverging viewpoints across the business community, businesses and nongovernmental organizations struggle to understand the agendas and actions of different government agencies.

End-to-End Criminal Justice System

Law enforcement agencies need both the ability and resources to investigate cybercrimes, and a comprehensive and agile legal code to back them up in their investigations and prosecutions. As the chief information officer (CIO) of a financial services organization said, “Institutions can take all the actions they want on their own. However, if there is no law enforcement mechanism to pursue and prosecute perpetrators, then our actions are meaningless.” There is a whole set of actions governments can take, without compromising privacy, to enhance the enforcement of laws and the prosecution of criminals in the digital realm.

  • Modernize and clarify laws governing cyber-crime. The pace of innovation has created gaps in the legal code that need to be addressed. For example, the U.S. Electronic Communications Privacy Act (ECPA) is the main law governing communication privacy, but it was developed in 1986 before e-mail was in common use and before social networks had even been conceived. There may also be a meaningful disparity between the sentencing guidelines given for cyber-crimes versus their “real-world” equivalents.
  • Continue to invest in specialist units and capabilities. Cyber-crime is an arcane discipline, requiring technical depth to address. Specialist forensic capabilities to identify wrongdoers are especially important.
  • Expand basic digital competency in nonspecialist units. The ability to prosecute and defend an alleged criminal can depend on judges and lawyers having sufficient knowledge and understanding to process cases. Prosecutors and judges do not need to be cybersecurity experts, but they do need a basic level of digital literacy, for example, an understanding of how the Internet works. Similarly, it may be necessary to provide basic-level training in selected law enforcement agencies so that officers know how to handle reports of cyber-criminal activities and can follow the correct processes when a cyber-crime is reported.
  • Enhance collaboration with the private sector. Real tension can exist between companies suffering cyber-crime and law enforcement agencies. At times, each side has accused the other of being secretive, uncooperative, and only concerned with its own institutional interests. Confidence-building measures, like briefings from law enforcement on emerging threats, make it easier for companies and law enforcement agencies to work together effectively after a breach.
  • Invest in data gathering and analytics. Reporting crime gives the police data from which they can identify patterns. This helps both in terms of resource planning as well as in tackling organized crime. While true for all types of crime, it is especially useful in cyber-crime given the geographically dispersed nature of cyber-crime networks and rapid evolution of cyber-crime techniques. The ability to aggregate and analyze data on individual crimes would therefore be an enormous help.
  • Establish mechanisms for cross-border law enforcement cooperation. Given the global nature of cyber-crime, dedicated units to coordinate with peers in other countries can be critical in bringing cyber-criminals to justice. These mechanisms are especially important where there may be policy differences between countries—countries that disagree on the extent of cyber-espionage can still cooperate in fighting fraud or disruption of online markets.

Effective criminal justice in this area will become even more important as the range of potential cyber-crimes expands. As our lives become ever more connected to the Internet, the range of risks that individuals face from products being compromised will increase, and there will not always be an obvious incentive for the provider of a hacked product to assume that risk. Questions are already being asked about the liabilities around driverless cars, or web-controlled household appliances, all of which have the potential to cause significant damage if corrupted.

Community Action

There are a whole set of actions that communities of countries and communities of companies can take together. Shared research includes pooling resources to invest in developing new techniques and technologies. Information sharing includes aggregating intelligence about attackers and attack paths they use. Knowledge transfer includes sharing best practices in how to operate cybersecurity organizations. Shared capability building includes creating shared utilities for activities such as vendor assessments or incident response. Mutual aid involves a commitment to provide assistance when a community member is under attack. Community self-government involves creating forums to align on priorities, for example, when providing input to governments as they develop national cybersecurity strategies.

Both countries and private entities can benefit from community action, which can help address complicated issues in a flexible way that incorporates the varying interests of the parties involved.

Assistance among Countries

There are opportunities for countries to assist one another in creating a resilient digital ecosystem, sometimes via multilateral organizations. For example, the Organization of American States (OAS) works to ensure political cohesion among member states, allowing the formulation and implementation of cybersecurity policies throughout the region. Over the years, the OAS Cyber Security Program evolved to address the challenges in a multifaceted and tailored way, establishing lines of action that can be adapted to best fit a country’s specific needs.

The OAS Cyber Security Program undertakes several initiatives with member states to develop their cybersecurity capabilities; for example, it has a program that develops national Computer Security Incident Response Teams (CSIRTs). Since 2006, the number of CSIRTs in the Americas has risen from 5 to 18. To ensure better communication between CSIRTs at the regional level, the OAS has developed a network that serves not only as a communication platform but also as a tool where teams can perform incident response processes.

The program has also successfully mentored member states in developing national cybersecurity strategies. In 2011, after extensive collaboration with the OAS, Colombia became the first country in the region to officially adopt a national strategy, followed by Panama (2012) and Trinidad and Tobago (2013). The OAS Cyber Security Program also carries out technical assistance missions designed to address countries’ cybersecurity requirements, including technical incident response courses and crisis management exercises. In recent years, the program has also worked with the private sector to produce comprehensive reports on the state of cybersecurity in the Americas. These reports aim to detail the experiences member states have had in mitigating cyber-risk and to produce knowledge that brings Latin American and Caribbean perspectives on cybersecurity matters.

The OAS’s initiative here may provide a template for other community action among governments, especially in transferring capabilities from developed to less developed countries. For some countries, it may be difficult (especially in the initial stages) for spending on cybersecurity to become a priority when it has to compete with basic services such as health or education or even paying down national debt. Global enterprises and richer states can help by providing resources for capacity building—this can be in their own interest, in that it creates a safer and more stable digital economy.

Academic institutions, regional and international organizations, and civil society organizations can all play a critical role in identifying and promoting opportunities for countries to engage in community action. They can act as honest brokers to enable cooperation on research, information sharing, or knowledge transfer.

Community Building among Companies

Again and again, technology executives within a given industry will say, “When it comes to cybersecurity, we’re all on the same side.” This perspective drives active collaboration by some companies within some industries. Historically, CISOs at the largest banks have compared notes and shared intelligence informally, but only with peers they knew personally and trusted. More recently, some of the ISACs, especially those for financial services and the defense sector, have become effective forums for collaboration across a sector. For example, CISOs at smaller banks credit the intelligence received via the financial services ISAC with their ability to withstand a campaign of serious DDoS attacks in late 2012 and early 2013.

CISOs and other senior cybersecurity executives from 40 of the most important health care institutions in North America have met periodically since 2012 to share intelligence, exchange tangible best practices, debate issues with public policy implications, and develop strategies for improving the National Health ISAC. When the Heartbleed and Bash vulnerabilities came to light, members shared remediation tactics. Most recently, the group has started to plan a shared utility to perform common cybersecurity activities. All this collaboration has helped companies protect themselves more effectively.

There is still much to do in terms of community building among companies within sectors. Not every sector has the collaboration model that exists in financial services or health care. Across sectors, there are opportunities to broaden and deepen community action. In addition to shared utilities, collaboration across companies to develop more standard industry models for the risks from cyber-attacks could be very powerful.

As noted earlier in this book, most companies lack effective, repeatable mechanisms for assessing cybersecurity risks. A robust, standard risk model would immediately change the nature of the discussion. Rather than speaking in broad risk terms, which already makes the dialogue more business-like, a robust method of risk assessment would result in the cybersecurity discussion being fully incorporated into business decisions. Just as a new investment proposal would consider country risk, currency risk, operational risk, and competitive challenges, it would include a confident measure of cybersecurity risk. Similarly, a new product or service proposal would include the associated digital risks. This would enable what many cybersecurity experts struggle to achieve: getting security considered at the beginning of development or investment cycles rather than as an after-the-fact addition. It would enable “security by design,” whether for investments, new business opportunities, new product or service developments, or simply changes to the information or operational environment. The endorsement of industry groups would greatly increase credibility and facilitate adoption within individual companies.

Systemic Action

Some ideas for getting to a resilient ecosystem are fundamental and systemic. For example, in recent years, there have been various proposals to reshape the inherently open architecture of the Internet for security, but nobody has yet been able to lay out a practical approach for doing so—either in terms of a technical model that preserves the flexibility that makes the Internet so valuable or a political model for getting alignment to do such a thing.4 In contrast, using better and more standardized risk assessment techniques to enable deeper and more liquid markets for transferring the risks associated with cyber-attacks would greatly facilitate the emergence of a resilient ecosystem.

Certainly, companies can buy insurance against the risk of cyber-attack—premium revenue has been growing at about 13 percent per annum5—but the market is limited. Insurance executives will admit that they are in the early days of cyber-insurance, which lacks the data and models that they have relied on for decades in underwriting other types of risks. Given this, insurance carriers will cover notification costs, legal defense, forensics, and remediation costs, but will not cover third-party liability,6 reputational damage, or loss of IP or trade secrets.7 Almost all carriers limit coverage to $25 million, so some companies have recouped only a small percentage of the cost of a breach even when they have had coverage. As a result, the total cyber-insurance premiums amount to only about $2 billion8 out of a total market of $4.9 trillion across insurance products globally9 and only about a third of companies find it worthwhile to buy cyber-insurance.10

A more mature cyber-risk insurance market would change the landscape for both companies and potentially society more broadly. It would offer companies an important additional tool and would be a significant step in normalizing their treatment of cyber-risks. From different types of stakeholders we heard that pricing the risk of a cyber-attack via insurance would help senior executives engage more effectively on the issue. Even the debate about whether a company should buy coverage amounting to $500 million or $700 million would provide a useful framing for discussing the overall level of risk. Even more specifically, a CISO might be able to make the case that spending $5 million to put differentiated protections in place would be worthwhile because it would reduce insurance premiums by $7 million, just as facilities managers often justify fire suppression systems based on reduced insurance premiums. Better insurance markets could also reduce the turbulence that cybersecurity concerns are already introducing in the supply chain. For example, many potential purchasers of IT outsourcing services ask for unlimited liability related to loss of customer data, which providers are naturally reluctant to provide. Several IT outsourcing executives told us they could do business more effectively if they could ask potential customers how much liability they wanted the supplier to assume, and then buy the appropriate insurance and price it into the deal. Making the cost of liability explicit would smooth negotiations.

Small and medium-sized enterprises could be even bigger beneficiaries. Large corporations may be able to afford their cybersecurity spend, take out large policies, and manage losses as a part of doing business. Typically, SMEs cannot support the same level of investment in expertise, resources, and private-public partnerships, and while retail banking customers are reimbursed for any losses caused by cyber-fraud, the same protections do not extend to small businesses, who must carry the losses themselves. Verizon’s Data Breach Report found that 71 percent of cyber-attacks target companies with 100 employees or less.11

Transferring risks requires an agreed methodology for measuring those risks and data about breaches and their impact. Developing any model to measure cyber-risk for an individual enterprise is challenging. Many companies have programs to try to integrate their security and risk practices, and a variety of models are emerging. Naturally, there will be limitations and caveats as there are for other risks, and practices will focus on the pragmatic and the measurable. For example, the disclosure of embarrassing activities by the CEO—whether revealed through a cybersecurity breach or not—cannot be fully predicted in advance. Just because the disclosure was possible through a cyber-attack does not mean it should be dealt with in the same way that the company deals with the theft of customer data or intellectual property.

One key challenge, however, will be how to develop common measurement models—or models that are common enough—to be able to share risk information between organizations and across markets. This will require not just harmony among different enterprise models, but will also need to integrate accounting, audit, and insurance perspectives. That is challenging but not impossible, and a smaller number of organizations are already engaging in informal dialogue with partners to share models. The other key challenge will be the development of granular and comprehensive data sets about cyber-attacks. Companies are obviously reluctant to disclose breaches unless they absolutely have to,12 but more openness to sharing data, even in disguised form, will greatly help the development of insurance markets. The more insight carriers have into historical losses, the more aggressively they will underwrite policies.

Companies may be tempted to keep their proprietary models to themselves, but there would be enormous benefits to sharing at least components of such models. They can collectively develop best-of-breed practices and standardized models, both of which should rapidly accelerate the emergence of a robust cyber-risk market, which would benefit everyone.

● ● ●

As much as companies might do to protect themselves, and as much as they might put in place operating models designed for digital resilience, they still exist in a broader digital ecosystem of suppliers, customers, many types of governance agencies, academic institutions, and nongovernmental organizations. How these actors work with or against each other can be a tremendous accelerant or barrier to achieving digital resilience and maximizing the potential of the online economy.

As hard as it might be to put in place cutting-edge practices that drive resilience within a single company, it is even harder to build a resilient digital ecosystem. There is a wide variety of actors, with different objectives, constraints, and governance models, and the issues are complicated and sometimes politically charged.

That said, there is a path forward. A large majority of stakeholders we interviewed emphasized the importance of collaboration: between governments and the private sector in developing national cybersecurity strategies, among many types of actors in enhancing the ability of criminal justice systems to address cyber-crime, among states to disseminate cybersecurity capabilities to developing countries, across industries so that companies can help each other, and among many types of companies to create robust markets for cyber-insurance.

Just as senior executives must engage to ensure that companies make progress in protecting themselves, senior leaders of all types must engage to ensure progress toward a resilient digital ecosystem. For example, ministers and agency heads must drive national cybersecurity strategies, and senior business executives have to make sure that companies provide effective input. Building the right set of capabilities to investigate and prosecute cyber-crimes will require attention from the most senior law enforcement and justice officials. Likewise, senior business managers have to emphasize the importance of a resilient digital ecosystem and help their companies engage in the collaboration required to get there.
