Abstract
As often encountered in life, we are faced with a trade-off: on the one hand the opportunities afforded from communications networks, services and end-user devices are seemingly endless, but on the other hand, our reliance on them has proven to be an attractive target for cyber criminals to cause disruption. The risk becomes greater when the technology falls short on cybersecurity. This essay recognises there are no silver bullets preventing all cyber attacks and data breaches, but it looks at the various means to minimise the risks of exposure to them. I argue that governments are taking proactive steps in establishing what good cybersecurity practices should look like and industry has more incentives than ever to ensure cybersecurity is not neglected. However, security is only as strong as the weakest link, so fostering a shared sense of responsibility to act on cybersecurity, both at the individual and organisational level, is paramount.
Cybersecurity – a long underrated practice is now in the spotlight
Cybersecurity is broadly defined as the steps taken by individuals and organisations to reduce the risk of a cyber attack, a scenario in which an individual or group gains access to computer systems, networks and computer data with malicious intent, thereby compromising the integrity, confidentiality or availability of that data.[1] The steps have a dual function of protecting the devices we use and the services we access, as well as preventing unauthorised access to the vast amounts of data, including personal information, we store on our devices and online.[2]
Protecting our information is not new to the digital age – the practice has long been known as information security. Whereas information security aims to protect both physical and digital data from unauthorised access, cybersecurity is chiefly concerned with protecting data hosted in the cyber domain. In simple terms, cybersecurity is a subset of information security.
As technology evolves, so does the risk of cyber attacks
Before personal computers became mainstream and were connected to the internet en masse, cybersecurity could have been considered a niche profession, with cybersecurity incidents possibly deemed to be less of a concern. However, in recent years, the global importance of cybersecurity has been reflected in news headlines. I believe two trends are contributing to these events.
Firstly, we live in times where the number of end-user devices connected to the internet comfortably surpasses the global population.[3] A recent study estimates a household in the United States owns on average 20.2 connected devices,[4] and 17.4 and 10.3 in Europe and Japan, respectively.[5] The reality is that for every additional connected gadget we embrace, we open the door to a new vector of attack, a way for a malicious actor to enter a network or system and exploit it. Weak and default passwords as well as a lack of continued security updates are just two of the common vulnerabilities found in ‘smart’ toys and home appliances such as teddy bears and doorbell cameras.[6][7]
Secondly, the communications networks connecting the above-mentioned end-user devices are becoming increasingly interdependent and complex. 5G, which has now been deployed in over 94 markets worldwide,[8] is promising faster connectivity and lower latency, making it apt for industrial usage and ‘connected everything’.[9] Cloud computing and multi-access edge computing (MEC) are playing a key role in 5G deployments, helping operators meet, manage and optimise the demands on their networks and accelerating their virtualisation and softwarisation.[10] While cloud and MEC solutions offer security benefits, integrating them into the network architecture can result in new vectors of cyber attacks.[11] For their part, communications providers are also having to deal with increasingly complex network configurations that need constant monitoring, a task that becomes more challenging as networks expand.
Additionally, as the number of devices we use increases, and the technology that connects them evolves, we are witnessing a more complex cyber threat landscape whereby ransomware, malware and social engineering tactics are becoming prominent techniques for cyber attackers.[12] The fact that tensions between countries have been exported to the cyber domain is exacerbating this trend. Nation state actors are even resorting to using criminal organisations to deploy malicious cyber campaigns with societal and financial impacts of varying degrees.[13]
Privacy: one of the most important consumer protection issues is related to the security of a system or device
Debates about the trade-offs between privacy and security are common nowadays, but this essay views these concepts as closely linked.[14] As indicated earlier, cybersecurity measures are not only important to protect the networks and devices we use, but also the personal and sensitive information they hold. When considering the three pillars of security outlined above – confidentiality, integrity and availability – it helps to view privacy and confidentiality as intertwined. Privacy refers to the right to manage and control personal information and keep it confidential.[15] It is possibly one of the most important consumer protection issues of our times, with one recent survey finding that nearly 70 per cent of consumers globally are either somewhat or very concerned about their privacy online.[16] This is particularly telling considering internet users globally spend over six hours online per day.[17] The information we submit when we sign up to online services or accounts is usually managed through privacy policies which govern how a website or an application collects and handles our personal data. Having a privacy policy has become a legal requirement in many countries for businesses and organisations collecting personal data.[18] Complementary to privacy policies, data security policies set out the controls an organisation implements to protect the data from unauthorised access. A service that collects our personal information, whether it be an email address, passport credentials or credit card details, can be targeted by cyber criminals. When a cybersecurity incident occurs it can often lead to a privacy breach,[19] whereby cyber criminals get access to personal information for the purpose of selling or using this stolen data to attempt identity or financial theft.[20]
In an era of rapid technological evolution, where a large part of our society relies on networks and devices and values privacy, cybersecurity should be at the core of every network or product deployed into the market. Paradoxically, this has not been the case, requiring several high profile cybersecurity incidents, including privacy breaches, to bring attention to this problem.
How governments and the private sector are responding to the threat landscape and their shared responsibility in promoting increased levels of cybersecurity
From a tech issue to a public interest and national security concern: cybersecurity becomes a priority on governmental agendas
Developing a framework guiding a national cybersecurity posture has been high on many governments’ agenda. A survey of 194 countries conducted in 2020 found that 127 have published or are in the process of drafting a national cybersecurity strategy.[21] Faced with increasing cyber attacks and an evolving cyber threat landscape, governments and regulators around the world have taken more assertive stances in relation to what they expect good cybersecurity should look like. This is evidenced not only by the release of joint recommendations from national cybersecurity agencies urging industry to take more action, but also by the rising trend in legislating and regulating for specific outcomes or rules to which the industry is expected to conform.[22]
On the networks side, governments are announcing new measures in recognition of networks being essential to society’s functioning and of new mobile generations (such as 5G and eventually 6G) underpinning most sectors of the economy in the future. In some cases, these are also driven by the desire to protect networks from foreign interference of countries deemed to pose national security concerns. Such measures include the implementation of technical requirements that would apply to major, if not all, communications providers (e.g. the Netherlands,[23] Singapore,[24] the United Kingdom[25]) or pre-authorisation or screening regimes for some network equipment (e.g. France,[26] Australia,[27] India[28]). Along with new measures, governments are also extending laws governing the security of national critical infrastructure to encompass communications networks (e.g. the EU’s directive upgrading its rules on the security of network and information systems[29]).
On the device side, not long ago, as put bluntly by a security expert, poor security practices had become ‘so endemic and so deeply entrenched throughout the world and its supply chains’ that the prospect of reversing course seemed nearly impossible.[30] Yet the last few years can be regarded as the reckoning for the private sector’s failure to prioritise and address in a more systematic way the security risks of devices and software.[31] Mandatory rules in this area are still emerging, but the calls to make manufacturers liable for security vulnerabilities are a notable trend, as seen with the EU’s proposal for the Cyber Resilience Act.[32] Even countries which had long favoured non-mandatory approaches and the market’s ‘self-regulatory’ power, such as the US, are now espousing regulatory routes.[33]
As part of these new measures, policymakers are increasingly leaning on third party assessments and certification schemes for industry, namely manufacturers, to demonstrate a level of cybersecurity assurance and prove their products are compliant with new regulations. Certification can be useful in supporting regulators in their compliance-monitoring role, but does not, on its own, guarantee robust levels of security. Indeed, certification obtained based on information provided at one point in time cannot account for the dynamic and ever-changing threat landscape, which is especially true when assessing software-based products given their millions of lines of code and frequency of updates.[34]
Nevertheless, the key takeaway is that governments and other relevant agencies have sent a strong signal to the industry: cybersecurity should no longer be an afterthought. Instead, networks and devices should be ‘secure by design’. The idea of building security principles into technologies at the outset of product design and development is an important step forward but it should not be reduced to a ‘tick box’ exercise. A comprehensive approach to cybersecurity is multi-faceted, part of an iterative process and crucially, it is as much a government objective as it should be for the industry.
The stakes are high: new compliance requirements aside, industry gains in investing in cybersecurity
Remarks about how policymakers have failed to keep pace with the fast-changing technological world are clichéd but not without reason – the legislative process is often protracted.[35] As legislation gets implemented and the threat of exorbitant fines for non-compliance materialises, the market incentives should drive industry to invest in cybersecurity. As the previous section alludes, suffering from a cyber attack and data breach is no longer a question of if, but when. While investing in cybersecurity is expected to increase a company’s spending, this cost is significantly outweighed by the financial and reputational losses in the aftermath of a cyber attack.[36] In this regard, a recent global survey reported that business and cyber leaders think effective enforcement of regulatory requirements is helpful in raising the quality of cybersecurity across their sector and their supply chains, not least because it helps signpost in board-level discussions the need to invest in cyber resources.[37]
Industry, and more specifically manufacturers and developers of software products, are usually best placed to remediate security flaws identified in their systems and devices. As mentioned above, applying a ‘secure by design’ approach does not guarantee a system will be immune from vulnerabilities, but identifying and fixing these is crucial to preventing them from being exploited by malicious actors.[38] In fact, companies are setting up coordinated vulnerability disclosure (CVD) programmes designed to provide a mechanism for the security research community to safely disclose security flaws, which can then be addressed and communicated to the public. This structured process helps companies improve the security of technologies overall.[39]
The role that technology standards play in securing networks and products cannot be overstated. The fruit of a collaborative effort, a standard generally consists of a document, usually established by consensus and approved by a recognised body, that provides guidance on a recognised way of doing something.[40] International and regional standards development organisations are important forums where the technical community, usually practitioners from industry, come together and see standards adopted and embedded in products and networks. A principal motivator for standardisation has been enabling the interoperability of technologies between different countries and regions. Nowadays, good security practices are also driving industry to standardise guidance in this field, as seen with the first global standard for the security of internet of things consumer devices.[41]
Beyond governments and industry: cybersecurity is a shared individual and collective responsibility
It has been said that security is only as strong as the weakest link or component of a system.[42] While improving the security of networks and devices on the market is key, promoting similar ambitions in the systems we use internally and amongst the population goes hand in hand.
Organisations are adopting internal risk management frameworks to effectively reduce the risk of unauthorised access and misuse of data. Within the series of well-known ISO 27000 cybersecurity standards, ISO/International Electrotechnical Commission (IEC) 27001[43] outlines the practices an organisation can implement to protect the confidentiality, integrity and availability of its information and assets.[44] Similarly, zero trust architecture, which assumes that no connection or device is safe and that each needs to be validated within a network, has become a popular security model for organisations globally.[45] Indeed, in 2022, 55 per cent of companies surveyed reported having in place a zero trust architecture, up from 24 per cent in 2021.[46] On the government side, there has been momentum for the adoption of this framework, namely in the US through President Biden’s executive order which mandates the adoption of zero trust across federal agencies and their contractors.[47] While governments and industry have been in focus, it is important to stress that cyber attacks are far reaching, affecting non-governmental organisations and educational institutions alike.[48] Supporting initiatives geared towards building their capacity to withstand cyber attacks is helping to foster a holistic sectoral approach to cybersecurity.[49]
Finally, the way an organisation instils and embraces a culture of cybersecurity is fundamental. With the evolving threat landscape, the risk of cyber attacks is high and, while technical security controls can help, pursuing ‘soft controls’ such as cyber hygiene (meaning the proactive steps individuals can take to improve their security and privacy in the cyber domain) can go a long way. This is especially important considering that a majority of cybersecurity incidents in the last few years – between 55 and 75 per cent depending on the study – are due to human error.[50] Promoting an understanding of the cyber risks across the organisation and establishing proactive steps for personnel to report breaches are essential in protecting access to networks, devices and data. Beyond the organisational level, efforts in educating the population about the risks of cyber attacks and communicating steps individuals can take to protect themselves should continue to be prioritised.[51] Alongside running dedicated cybersecurity awareness campaigns, such as October’s cybersecurity month, national agencies are now producing practical tips for citizens.[52][53] As a longer term measure, cyber hygiene and training are being integrated into school curriculums.[54] Drawing a parallel with online safety can be useful in this regard: along with enacting legislation that regulates illegal content online, Australia has developed a national framework for online safety education and created toolkits for schools and universities to help students build an awareness of harms online as well as promote a sense of responsibility in using digital technologies.[55] This two-pronged model of legislating to safeguard online users’ experiences whilst also educating the population (in this case younger users) sets a good precedent for incorporating cyber hygiene measures in similar digital literacy programmes within educational settings. Estonia is a noteworthy example: digital competence under the nation’s curriculum describes the cybersecurity knowledge and skills young people should receive as part of their education.[56]
Conclusion
We have come a long way since university student Robert Tappan Morris inadvertently launched one of the first high profile cyber attacks in 1988, leading the reporter covering the story at the time to write: ‘They [computer security experts] said the attack would serve as a useful lesson that not enough attention was being paid to computer security’.[57] Thirty-five years on, cyber attacks have become more prominent, but at least greater attention is being paid to cybersecurity. While we know that technology can never be 100 per cent secure, I propose in this essay that a concerted effort from multiple players can help mitigate the risk of cyber attacks and protect our data from breaches. Governments have a role in setting higher cybersecurity requirements for the technologies we use and on which we rely, and industry is having to comply with these new requirements and invest in direct measures to improve the security levels of their technologies. However, cybersecurity is not limited to improving the security of networks and devices on the market, nor solely a concern for governments and industry. Cybersecurity should be viewed as a holistic, shared and long-term responsibility. To illustrate this point I highlighted how bringing internal measures to protect systems and data and ingraining a culture of cybersecurity at the organisational and individual level are steps that governments and industry are championing, but ultimately we should collectively work towards ensuring that cybersecurity is at the forefront and not on the edge of our society and economy.