The world’s leading digital media and regulatory policy journal

Cybersecurity on the edge?

In the winning essay of this year’s future leaders competition, NICOLE DARABIAN explains why fostering a shared sense of responsibility is key to minimising cybersecurity risks


As often encountered in life, we are faced with a trade-off: on the one hand the opportunities afforded from communications networks, services and end-user devices are seemingly endless, but on the other hand, our reliance on them has proven to be an attractive target for cyber criminals to cause disruption. The risk becomes greater when the technology falls short on cybersecurity. This essay recognises there are no silver bullets preventing all cyber attacks and data breaches, but it looks at the various means to minimise the risks of exposure to them. I argue that governments are taking proactive steps in establishing what good cybersecurity practices should look like and industry has more incentives than ever to ensure cybersecurity is not neglected. However, security is only as strong as the weakest link, so fostering a shared sense of responsibility to act on cybersecurity, both at the individual and organisational level, is paramount.

Cybersecurity – a long underrated practice is now in the spotlight

Cybersecurity is broadly defined as the steps taken by individuals and organisations to reduce the risk of a cyber attack, a scenario in which an individual or group gains access to computer systems, networks and computer data for malicious intent, thereby compromising the integrity, confidentiality or availability of that data.1 The steps have a dual function of protecting devices we use and services we access as well as preventing unauthorised access to the vast amounts of data, including personal information, we store on our devices and online.2

Protecting our information is not new to the digital age – the practice has long been known as information security. Whereas information security aims to protect both forms of physical and digital data from unauthorised access, cybersecurity is chiefly concerned with protecting data hosted in the cyber domain. In simple terms, cybersecurity is a subset of information security.

As technology evolves, so does the risk of cyber attacks

Before personal computers became mainstream and connected to the internet en masse, cybersecurity could have been considered a niche profession, with cybersecurity incidents possibly deemed to be less of a concern. However, in recent years, the global importance of cybersecurity has been reflected in news headlines. I believe two trends are contributing to these events.

Firstly, we live in times where the number of end-user devices connected to the internet comfortably surpasses the global population.3 A recent study estimates a household in the United States owns on average 20.2 connected devices,4 and 17.4 and 10.3 in Europe and Japan, respectively.5 The reality is that for every additional connected gadget we embrace, we open the door to a new vector of attack, a way for a malicious actor to enter a network or system and exploit it. Weak and default passwords as well as a lack of continued security updates are just two of the common vulnerabilities found in ‘smart’ toys and home appliances such as teddy bears and doorbell cameras.6 7

Secondly, the communications networks connecting the above-mentioned end-user devices are becoming increasingly interdependent and complex. 5G, which has now been deployed in over 94 markets worldwide,8 is promising faster connectivity and lower latency making it apt for industrial usage and ‘connected everything’.9 Cloud computing and multi-access edge computing (MEC) are playing a key role in 5G deployments helping operators meet, manage and optimise the demands on their networks, accelerating their virtualisation and softwarisation.10 While cloud and MEC solutions offer security benefits, integrating them into the network architecture can result in new vectors of cyber attacks.11 For their part, communications providers are also having to deal with increasingly complex network configurations that need constant monitoring, a task that becomes more challenging as networks expand.

Additionally, as the number of devices we use increases, and the technology that connects them evolves, we are witnessing a more complex cyber threat landscape whereby ransomware, malware and social engineering tactics are becoming prominent techniques for cyber attackers.12 The fact that tensions between countries have been exported to the cyber domain is exacerbating this trend. Nation state actors are even resorting to using criminal organisations to deploy malicious cyber campaigns with societal and financial impacts of varying degrees.13

Privacy: one of the most important consumer protection issues is related to the security of a system or device

Debates about the trade-offs between privacy and security are common nowadays, but this essay views these concepts as closely linked.14 As indicated earlier, cybersecurity measures are not only important to protect the networks and devices we use, but also the personal and sensitive information they hold. When considering the three pillars of security outlined above – confidentiality, integrity and availability – it helps to view privacy and confidentiality as intertwined. Privacy refers to the right to manage and control personal information and keep it confidential.15 It is possibly one of the most important consumer protection issues of our times, with one recent survey finding that nearly 70 per cent of consumers globally are either somewhat or very concerned about their privacy online.16 This is particularly telling considering internet users globally spend over six hours online per day.17 The information we submit when we sign up to online services or accounts is usually managed through privacy policies which govern how a website or an application collects and handles our personal data. Having a privacy policy has become a legal requirement in many countries for businesses and organisations collecting personal data.18 Complementary to privacy policies, data security policies set out the controls an organisation implements to protect the data from unauthorised access. A service that collects our personal information, whether it be an email address, passport credentials or credit card details, can be targeted by cyber criminals. When a cybersecurity incident occurs it can often lead to a privacy breach,19 whereby cyber criminals get access to personal information for the purpose of selling or using this stolen data to attempt identity or financial theft.20

In an era of rapid technological evolution, where a large part of our society relies on networks and devices and values privacy, cybersecurity should be at the core of every network or product deployed into the market. Paradoxically, this has not been the case, requiring several high profile cybersecurity incidents, including privacy breaches, to bring attention to this problem.

How governments and the private sector are responding to the threat landscape and their shared responsibility in promoting increased levels of cybersecurity

From a tech issue to a public interest and national security concern: cybersecurity becomes a priority on governmental agendas

Developing a framework guiding a national cybersecurity posture has been high on many governments’ agenda. A survey of 194 countries conducted in 2020 found that 127 have published or are in the process of drafting a national cybersecurity strategy.21 Faced with increasing cyber attacks and an evolving cyber threat landscape, governments and regulators around the world have taken more assertive stances in relation to what they expect good cybersecurity should look like. This is evidenced not only by the release of joint recommendations from national cybersecurity agencies urging industry to take more action, but also by the rising trend in legislating and regulating for specific outcomes or rules to which the industry is expected to conform.22

On the networks side, governments are announcing new measures in recognition of networks being essential to society’s functioning and of new mobile generations (such as 5G and eventually 6G) underpinning most sectors of the economy in the future. In some cases, these are also driven by the desire to protect networks from foreign interference by countries deemed to pose national security concerns. Such measures include the implementation of technical requirements that would apply to major, if not all, communications providers (e.g. the Netherlands,23 Singapore,24 the United Kingdom25) or pre-authorisation or screening regimes for some network equipment (e.g. France,26 Australia,27 India28). Along with new measures, governments are also extending laws governing the security of national critical infrastructure to encompass communications networks (e.g. the EU’s directive upgrading its rules on the security of network and information systems29).

On the device side, not long ago, as put bluntly by a security expert, poor security practices had become ‘so endemic and so deeply entrenched throughout the world and its supply chains’ that the prospect of reversing course seemed nearly impossible.30 Yet the last few years can be regarded as the reckoning for the private sector’s failings to prioritise and address in a more systematic way the security risks of devices and software.31 Mandatory rules in this area are still emerging, but the calls to make manufacturers liable for security vulnerabilities are a notable trend, as seen with the EU’s proposal for the Cyber Resilience Act.32 Even countries which had long favoured non-mandatory approaches and the market’s ‘self-regulatory’ power, such as the US, are now espousing regulatory routes.33

As part of these new measures, policymakers are increasingly leaning on third-party assessments and certification schemes for industry, namely manufacturers, to demonstrate a level of cybersecurity assurance and prove their products are compliant with new regulations. Certification can be useful in supporting regulators in their compliance-monitoring role, but does not, on its own, guarantee robust levels of security. Indeed, certification obtained on the basis of information provided at one point in time cannot account for the dynamic and ever-changing threat landscape, which is especially true when assessing software-based products given their millions of lines of code and frequency of updates.34

Nevertheless, the key takeaway is that governments and other relevant agencies have sent a strong signal to the industry: cybersecurity should no longer be an afterthought. Instead, networks and devices should be ‘secure by design’. The idea of building security principles into technologies at the outset of product design and development is an important step forward but it should not be reduced to a ‘tick box’ exercise. A comprehensive approach to cybersecurity is multi-faceted, part of an iterative process and crucially, it is as much a government objective as it should be for the industry.

The stakes are high: new compliance requirements aside, industry gains in investing in cybersecurity

Remarks about how policymakers have failed to keep pace with the fast-changing technological world are clichéd but not without reason – the legislative process is often protracted.35 As legislation gets implemented and the threat of exorbitant fines for non-compliance materialises, the market incentives should drive industry to invest in cybersecurity. As the previous section alludes, suffering a cyber attack and data breach is no longer a question of if, but when. While investing in cybersecurity is expected to increase a company’s spending, this cost is significantly outweighed by the financial and reputational losses in the aftermath of a cyber attack.36 In this regard, a recent global survey reported that business and cyber leaders think effective enforcement of regulatory requirements is helpful in raising the quality of cybersecurity across their sector and their supply chains, not least because it helps signpost in board-level discussions the need to invest in cyber resources.37

Industry, and more specifically manufacturers and developers of software products, are usually best placed to remediate security flaws identified in their systems and devices. As mentioned above, applying a ‘secure by design’ approach does not guarantee a system will be immune from vulnerabilities, but identifying and fixing these is crucial to preventing them from being exploited by malicious actors.38 In fact, companies are setting up coordinated vulnerability disclosure (CVD) programmes designed to provide a mechanism for the security research community to safely disclose security flaws, which can then be addressed and communicated to the public. This structured process helps companies improve the security of technologies overall.39

The role that technology standards play in securing networks and products cannot be overstated. The fruit of a collaborative effort, a standard generally consists of a document, usually established by consensus and approved by a recognised body, that provides guidance on a recognised way of doing something.40 International and regional standards development organisations are important forums where the technical community, usually practitioners from industry, come together and see standards adopted and embedded in products and networks. A principal motivator for standardisation has been enabling the interoperability of technologies between different countries and regions. Nowadays, good security practices are also driving industry to standardise guidance in this field, as seen with the first global standard for the security of internet of things consumer devices.41

Beyond governments and industry: cybersecurity is a shared individual and collective responsibility

It has been said that security is only as strong as the weakest link or component of a system.42 While improving the security of networks and devices on the market is key, promoting similar ambitions in the systems we use internally and amongst the population goes hand in hand.

Organisations are adopting internal risk management frameworks to effectively reduce the risk of unauthorised access and misuse of data. Within the series of well-known ISO 27000 cybersecurity standards, ISO/IEC 27001 (IEC being the International Electrotechnical Commission) outlines the practices an organisation can implement to protect the confidentiality, integrity and availability of its information and assets.43 44 Similarly, zero trust architecture, which assumes that no connection or device is safe and that each needs to be validated within a network, has become a popular security model for organisations globally.45 Indeed, in 2022, 55 per cent of companies surveyed reported having in place a zero trust architecture, up from 24 per cent in 2021.46 On the government side, there has been momentum for the adoption of this framework, namely in the US through President Biden’s executive order which mandates the adoption of zero trust across federal agencies and their contractors.47 While governments and industry have been in focus, it is important to stress that cyber attacks are far reaching, affecting non-governmental organisations and educational institutions alike.48 Supporting initiatives geared towards building their capacity to withstand cyber attacks is helping to foster a holistic sectoral approach to cybersecurity.49

Finally, the way an organisation instils and embraces a culture of cybersecurity is fundamental. With the evolving threat landscape, the risk of cyber attacks is high, and while technical security controls can help, pursuing ‘soft controls’ such as cyber hygiene (meaning the proactive steps individuals can take to improve their security and privacy in the cyber domain) can go a long way. This is especially important considering that a majority of cybersecurity incidents in the last few years – between 55 and 75 per cent depending on the study – are due to human error.50 Promoting an understanding of the cyber risks across the organisation and establishing proactive steps for personnel to report breaches are essential in protecting access to networks, devices and data. Beyond the organisational level, efforts in educating the population about the risks of cyber attacks and communicating steps individuals can take to protect themselves should continue to be prioritised.51 Alongside running dedicated cybersecurity awareness campaigns, such as October’s cybersecurity month, national agencies are now producing practical tips for citizens.52 53 As a longer-term measure, cyber hygiene and training are being integrated into school curricula.54 Drawing a parallel with online safety can be useful in this regard: along with enacting legislation that regulates illegal content online, Australia has developed a national framework for online safety education and created toolkits for schools and universities to help students build an awareness of harms online as well as promote a sense of responsibility in using digital technologies.55 This two-pronged model of legislating to safeguard online users’ experiences whilst also educating the population (in this case younger users) sets a good precedent for incorporating cyber hygiene measures in similar digital literacy programmes within educational settings. Estonia is a noteworthy example: digital competence under the nation’s curriculum describes the cybersecurity knowledge and skills young people should receive as part of their education.56
We have come a long way since university student Robert Tappan Morris inadvertently launched one of the first high profile cyber attacks in 1988, leading the reporter covering the story at the time to write: ‘They [computer security experts] said the attack would serve as a useful lesson that not enough attention was being paid to computer security’.57 Thirty-five years on, cyber attacks have become more prominent, but at least greater attention is being paid to cybersecurity. While we know that technology can never be 100 per cent secure, I propose in this essay that a concerted effort from multiple players can help mitigate the risk of cyber attacks and protect our data from breaches. Governments have a role in setting higher cybersecurity requirements for the technologies we use and on which we rely, and industry is having to comply with these new requirements and invest in direct measures to improve the security levels of their technologies. However, cybersecurity is not limited to improving the security of networks and devices on the market, nor solely a concern for governments and industry. Cybersecurity should be viewed as a holistic, shared and long-term responsibility. To illustrate this point I highlighted how bringing internal measures to protect systems and data and ingraining a culture of cybersecurity at the organisational and individual level are steps that governments and industry are championing, but ultimately we should collectively work towards ensuring that cybersecurity is at the forefront and not on the edge of our society and economy.
Nicole Darabian specialises in international cyber and tech policy at Ofcom. She has an MSc in media governance from the London School of Economics.

1 Known as the ‘CIA triad’. Confidentiality: data should not be accessed without authorisation; Integrity: data should not be tampered with; Availability: data should be available when requested to those with authorised access.

2 See National Cyber Security Centre. What is cyber security?

3 Cisco (2020). Annual Internet Report, 9 March.

4 Connected devices referred to in broad terms: internet of things devices (‘smart devices’) as well other devices such as smartphones, computers, tablets and laptops.

5 Koetsier (2022). ‘Smart Home: Apple Is the fastest-growing connected device company.’ Forbes, 31 August. While the statistics may heavily represent countries where ownership of devices and access to connectivity are mostly privileged, all countries are exposed to cyber threats and as less developed countries catch up, so will the prominence of these threats.

6 Yadron D (2016). ‘Fisher-Price smart bear allowed hacking of children's biographical data.’ The Guardian, 3 February.

7 NCC Group (2020), Domestic IoT Nightmares: Smart doorbells. Research blog, 18 December.

8 Standard and Poor (2023). 5G tracker: 94 markets worldwide have commercial 5G services. S&P Market Intelligence, 6 April.

9 Latency is the time it takes for data to pass from one point on a network to another.

10 In simple terms, it refers to the decoupling of hardware from software in a network allowing key network functions to become software based.

11 Organisation for Economic Co-operation and Development (2023). Enhancing the security of communication infrastructure.

12 European Union Agency for Cybersecurity (ENISA) (2022). ENISA Threat Landscape 2022, 3 November.

13 Individuals or groups who are sponsored by a government to conduct cyber-attacks against other countries or organisations. Center for Strategic and International Studies (2023), Significant Cyber Incidents Since 2006.

14 For instance, much of the privacy versus security debate today is centred around end-to-end encryption, namely in the United Kingdom and the European Union (see the proposed legislation to combat child sexual abuse material online on messaging platforms). Some advocate that lawful access to end-to-end encrypted messages should be allowed in cases of child sexual abuse and national security concerns (e.g. terrorism). Others argue that encryption is fundamental to protect users’ privacy and that ‘backdoors’ to encryption would weaken security protections.

15 Norton (2023). Privacy vs. security: What’s the difference?, 1 September.

16 The International Association of Privacy Professionals (2023). Privacy and Consumer Trust, 23 March.

17 Meltwater and We Are Social (2023). 2023 Global Digital Report, 26 January.

18 The General Data Protection Regulation (GDPR) is the main example.

19 The term ‘privacy breach’ as opposed to ‘data breach’ is deliberate to emphasise the loss of confidentiality and control over data.

20 This information can be sold on the dark web, a hidden part of the internet that is not accessible through common web browsers and may be used by people to carry out illegal activities.

21 International Telecommunication Union (2021). Global Cybersecurity Index 2020.

22 Such as the recent guidance endorsed by seven countries: the US, Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand. See US Cybersecurity and Infrastructure Security Agency (2023). ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default’, 2023.

23 Telecommunications security and integrity regulation, 2021. (in Dutch)

24 Infocomm Media Development Authority (2023). Telecommunications Cybersecurity Code of Practice.

25 UK Department for Science, Innovation and Technology and Department for Digital, Culture, Media and Sport (2022). Electronic Communications (Security Measures) Regulations and Telecommunications Security Code of Practice, 2022.

26 Légifrance (2019). Loi n° 2019-810 du 1er août 2019 visant à préserver les intérêts de la défense et de la sécurité nationale de la France dans le cadre de l'exploitation des réseaux radioélectriques mobiles.

27 Cyber and Infrastructure Security Centre, Australian Government Department of Home Affairs (2002). Telecommunications Sector Security Reforms (TSSR) Administrative Guidelines.

28 National Security Council Secretariat (2021). Launch of the ‘Trusted Telecoms Portal’ for implementation of the National Security Directive on Telecommunication Sector.

29 European Commission (2023). New stronger rules start to apply for the cyber and physical resilience of critical entities and networks, 16 January.

30 Rogers D (2021). ‘The Long Road to a Law on Product Security in the UK’, 24 November.

31 For instance, the Cybersecurity Tech Accord is an industry agreement launched in 2018 in which signatories pledge to protect users and customers, including through the development of products and services that prioritise security, privacy, integrity and reliability.

32 The European Commission’s Cyber Resilience Act Proposal, 2021.

33 The US’ recent National Cybersecurity Strategy clearly marks the country’s intention to propose new cybersecurity regulations, see the National Cybersecurity Strategy Implementation Plan, 2023.

34 Information Technology Industry Council (2020). Policy Principles for Cybersecurity Certification.

35 Having legislation and regulations in different countries raises the risk of having potentially diverging and/or contradictory compliance requirements. The technology industry operates across borders and multiple jurisdictions, predominantly at a global scale. Whilst not addressed in this essay due to scope, policymakers and regulators should ensure they consult with industry, as well as other stakeholders, throughout the process of setting cybersecurity regulatory frameworks and not work in isolation from the international context to minimise unwarranted divergences. E.g., see the OECD’s International Regulatory Co-operation, 2021.

36 Huang K, Wang X, Wei W, Madnick S. (2023). The Devastating Business Impacts of a Cyber Breach. Harvard Business Review, 4 May.

37 World Economic Forum (2023). Global Security Outlook Report 2023.

38 A recent study found a strong correlation between poor ‘patching cadence’ for vulnerabilities and the likelihood of experiencing a cyber-attack. See Marsh McLennan Cyber Risk Analytics Center analysis of BitSight security rating and risk vectors and cybersecurity incident data in 2022. BitSight is a security rating company.

39 Governments are also setting up CVD programmes at the national level, usually with the involvement of the national computer emergency response team or national cyber agency, to promote the process as good practice and to coordinate the handling of vulnerabilities affecting governmental institutions or organisations related to critical infrastructure. E.g. ENISA (2022). Coordinated Vulnerability Disclosure Policies in the EU, 2022.

40 International Organization for Standardization (ISO). What are standards and how do they help?

41 The European Telecommunications Standards Institute (ETSI) EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements, 2020.

42 DeNardis L (2020). The Internet in Everything: Freedom and security in a world with no off switch. Yale University Press.

43 The British Standards Institution. ISO/IEC 27001 - Information Security Management (ISMS).

44 These include but are not limited to using multi-factor authentication, access controls and encryption.

45 National Institute of Standards and Technology (2020). Zero Trust Architecture.

46 Okta (2022). The State of Zero Trust Security 2022.

47 The White House’s Executive Order on Improving the Nation’s Cybersecurity, 2021.

48 Microsoft (2022). Microsoft Digital Defense Report 2022. According to the report, NGOs/think tanks and the education sectors are the second and third most targeted sectors globally by nation state actors. These types of entities are particularly vulnerable given they usually have limited resources, which can impact their ability to invest in cybersecurity and thereby, be perceived by cyber criminals as easier targets to compromise their systems and data. They also tend to hold large amounts of personal and sensitive information about people they interact with and serve which can be exploited for financial gains.

49 E.g. the CyberPeace Institute Humanitarian Cybersecurity Center and NetHope’s Digital Protection Programme.

50 Thales (2023). 2023 Data Threat Report – Perspectives and Pathways to Digital Sovereignty and Transformation, 18 April; and Verizon (2023). 2023 Data Breach Investigations Report, 6 June.

51 Observed globally to raise awareness about cybersecurity. Countries take the opportunity to disseminate campaigns for the general public offering practical tips about good practices, as seen in the United States, European member states, South Africa and many more.

52 Non-exhaustive list: the United Kingdom’s NCSC Cyber Aware initiative, Belgium’s Centre for Cyber Security Stay Safe campaign, Estonia’s Be IT-Conscious and Singapore’s Cyber Security Agency GoSafeOnline. There are also demographic-specific campaigns such as Singapore’s Cyber Safe Seniors and Australia’s Mighty Heroes campaign for 5 to 8 year olds, which includes a segment on protecting personal information.

53 Such initiatives are not only being promoted by national agencies, NGOs are also taking on this important mission, e.g. the Africa Cybersecurity & Digital Rights Organisation (ACDRO).

54 World Economic Forum (2020). After reading, writing and arithmetic, the 4th ‘r’ of literacy is cyber-risk, 17 December.

55 See e-Safety Commissioner’s Best Practice Framework for Online Safety Education.

56 See Estonia’s Cybersecurity Strategy 2019-2022 and Cyber Security Education in Estonia: From kindergarten to NATO Cyber Defence Centre, 2022.

57 Markoff J (1988). ‘Author of Computer 'Virus' Is Son Of N.S.A. Expert on Data Security’. New York Times, 5 November. The Morris Worm was programmed to exploit vulnerabilities in a type of operating system and resulted in drastically slowing down, and even crashing, some computers connected to the then internet in the US. The incident received high media attention and is considered to be the precursor to what is known today as a distributed denial of service (DDoS) attack: a type of cyber attack that tries to make a website or network resource unavailable by flooding it with malicious traffic so that normal traffic cannot reach its intended destination.