The European Union has served as an enviable model for the evolution of cybersecurity regulation. In comparison with the US, for example, the EU’s regulatory environment is generally built upon similar principles related to information-security measures. However, the EU faces additional challenges, as it must try to accommodate a more diverse set of cultural, social, and strategic values across the bloc’s 27 member countries.
The EU has provided a model for the evolution of cybersecurity regulation. Government authorities generally require organizations entrusted with data, regardless of industry or sector, to abide by rules intended to protect sensitive, high-value information and other cyber assets. The regulatory environment is fluid, however; it varies in terms of requirements, potential penalties, and enforcement. The definition of compliance also differs, depending on jurisdiction.
The United Nations Conference on Trade and Development divides cybersecurity regulations into four basic categories: data protection/privacy laws, e-transaction laws, cybercrime laws, and consumer protection laws. Regulations aligned with these categories reflect global cybersecurity priorities: 82% of countries have laws governing electronic transactions, 80% formally identify and prosecute cybercrime, 66% address data privacy with specific laws, and 56% have codified online consumer protection.
The EU has sought to address cyber risk with policies including the Directive on Security of Network and Information Systems (the NIS directive), the Cybersecurity Act, and the General Data Protection Regulation (GDPR). While the NIS directive obliges member states to develop frameworks for cybersecurity practice, the Cybersecurity Act complements it with a certification framework. The GDPR marks the strongest step taken yet by any developed economy to issue requirements for protecting consumer and user information from exploitation. In addition, the EU has established the European Union Agency for Cybersecurity (ENISA) to implement policies and assist member states during incidents.
Some incidents, like data breaches, may never be meaningfully prevented - even as regulations continue to evolve. Other countries and regions have made similar attempts to codify rules and cybersecurity best practices, which continue to evolve amid a shifting technology environment. The vanguard of regulators continues to seek to implement ever-stronger reporting requirements, enhanced detection capabilities, data security and disposal rules, and cyber-crime prevention. This trend will persist as long as governments acknowledge the real potential for negative cyber outcomes.
Cybercrime
The annual cost of cybercrime will likely increase by 15% every year until it hits $10.5 trillion in 2025, according to one estimate. The nature of ransomware attacks has shifted from annoyance to the disruption of key infrastructure.
An increasingly connected world brings with it unprecedented cyber challenges, potentially impacting just about every type of digital operation, undermining financial stability and security, and robbing us of our privacy.
News stories about data breaches, ransomware, and malware attacks are a seemingly daily occurrence, and the criminal compromise of the digital devices and networks we now depend upon severely diminishes their reliability - and the trust we place in them.
Everyone and every organization is a potential cybercrime victim; as people and businesses demand greater efficiency and productivity through internet-connected devices, the data those devices collect for analysis can be targeted by cyber criminals - for leverage, to inflict damage, or to steal money (indeed, just as Willie Sutton once robbed banks because “that’s where the money is,” the digital world now fills that role). In the wake of COVID-19, many people have only increased their online presence for remote work or entertainment, creating even bigger targets for criminal activity.
As a growing universe of connected Internet of Things devices has increased the number of available digital targets for would-be attackers, it has also amplified the ability to inflict harm more broadly and deeply. Gartner has estimated that there are now some two billion IoT devices in operation, and high-profile examples of damage inflicted through these targets include the Mirai botnet, which compromised more than 600,000 such devices - including cameras, routers, and network storage devices - and then used its control of them to launch distributed denial-of-service attacks on a variety of organizations.
Cybercrime is clearly not going away anytime soon, and people and businesses should prepare to deal with it as best they can. Researchers at Verizon have found that nearly a third of all malware now being discovered is ransomware; the nature of attacks has meanwhile shifted from pervasive annoyance to the significant disruption of key infrastructure.
This was underscored by the Colonial Pipeline and JBS Foods ransomware incidents in 2021 - both organizations capitulated to attackers and paid out millions of dollars (though much of what Colonial Pipeline paid was later recovered).
Cyber and Supply Chain Risk
Internet cloud services are an increasingly prominent component of the supply chain - according to Gartner research, public cloud services will account for 14% of total global enterprise IT budgets by 2024, and there will be an estimated 18% increase in end-user spending in 2021 alone. These cloud services, which include software-as-a-service, infrastructure-as-a-service, platform-as-a-service, and desktop-as-a-service, present a challenge to the techniques traditionally used to manage on-premises cybersecurity.
Consumers of these services must generally rely on third-party assessments of their service provider - such as a Service Organization Controls report, or a Statement on Standards for Attestation Engagements 18 report - rather than being able to examine the provider’s controls directly.
The SolarWinds attack underlined fundamental lapses in software supply-chain security. For any supply chain, robust and verifiable cybersecurity is key to maintaining trust and confidence. The buyers of third-party software, hardware, and information technology services often have limited visibility into the cybersecurity practices of their supply-chain partners; this opacity can very easily become a source of risk.
The SolarWinds attack, which was detected by a private company in late 2020 and involved the breach of thousands of organizations including NATO and the European Parliament, in addition to a number of US government agencies, sharply underlined fundamental lapses in software supply-chain security.
Two years prior to that, a 2018 CrowdStrike study had found that 66% of respondents said they had experienced a software supply-chain attack, and 90% had incurred financial losses as a result. Determining the provenance of hardware is a key challenge in a complex supply chain; enterprises may be at risk of allowing devices with maliciously altered or counterfeit components to enter their inventory. And detecting malicious and counterfeit components requires levels of investment and technical expertise beyond the reach of most organizations.
The dramatic proliferation of low-cost, Internet-connected devices has created new challenges for maintaining adequate supply chain cybersecurity. This burgeoning Internet of Things, connecting everything from GPS monitors to temperature sensors, is tapping deep into enterprises often without the same degree of scrutiny applied to the acquisition of other classes of technologies.
Service-level agreements have therefore become the primary mechanism for measuring supplier performance and incentivizing behavior.
Cybersecurity and New Technologies
As technological change accelerates, cybersecurity risk proliferates. The more organizations make technological progress and lean into their digital transformation to boost performance, the more risk they assume. Some new technologies genuinely enable better cybersecurity - and not just as an overlay or afterthought. That is a good thing, because when organizations implement cloud-based solutions they can lose visibility, and as they collect and query big data for more (and more exact) answers, they can incur increased risk related to their digital information and decisions based on that information.
And, as organizations deploy more connected Internet of Things devices, the odds of triggering unintended outcomes increase. According to the results of a 2021 PwC global survey, executives ranked IoT and cloud services as very likely threat vectors that will have “a significantly negative impact.”
The need for better protection is clear, and technology innovation can help. In addition, organizations may be able to bolster their defenses by outsourcing cybersecurity functions to specialized cloud providers. As data centre footprints shrink and more applications and infrastructure migrate to the cloud, organizations may also benefit from cloud-based cybersecurity services.
Data, in the form of more (and more refined) system and user logs, telemetry, and even geospatial details, can provide visibility into anomalous behaviour and indicate potential compromise. This can significantly enhance detection and response operations, by flagging relevant results and reducing false positive indicators. In addition, machine learning and artificial intelligence can help identify unusual cyber activity and automate necessary defense, detection, and response protocols.
Multifactor authentication that includes biometric elements like voice recognition, fingerprint imaging, or facial geometry can improve trust. By automating these capabilities, organizations can potentially compensate for a lack of qualified cybersecurity talent. Other technology advancements can improve specific aspects of cybersecurity; blockchain technologies can increase confidence in critical transactions by using an internet-distributed network of systems to record them, for example.
New “Zero Trust” alternatives can meanwhile bind a user to their computer and location - to form a foundational, irrefutable digital identity. Accepting and adopting technological change is essential; organizations that embrace it should constantly be in search of ways to improve their cybersecurity programs.
Critical Infrastructure and Cyber Resilience
The systems essential for sustaining a modern economy are increasingly interconnected and under attack. The US Department of Homeland Security defines critical infrastructure as assets and networks - physical or virtual - considered so vital that their incapacitation or destruction would have a debilitating effect on national economic security, public health, or safety.
Around the world, there is a shared imperative to secure such vital systems. A study published by the Center for Strategic and International Studies in 2021 identified more than 200 significant cyber-attacks on critical infrastructure that had occurred in the prior year, affecting systems in more than two dozen countries.
Finance, telecommunications, emergency response, energy, health services, transportation, water supply, and food systems are all examples of functions that must be reliable and consistent - interruption or failure in any of them could result in economic hardship, loss of essential services, and a loss of safety. Many essential activities that support critical infrastructure have been increasingly digitalized, and rely on computers and networks - including the internet - to operate.
Any breakdown of cybersecurity defenses built to protect these functions could result in catastrophe, and our heavy reliance on technology demands a correspondingly concerted effort to secure it.
With adequate cyber resilience, organizations can confidently and consistently provide their products and services - without it, they risk falling short for their constituencies.
Resilience demands that an organization take a holistic view of its technology, and that it focus on foundational elements including cybersecurity, business continuity, and enterprise risk management. All of these are coordinated around a single mission: to operate as planned and to continue to meet expectations even in the face of cyber events that could otherwise thwart operations - and to be able to do so even when more comfortable, customary ways of operating are unavailable.
Everyone has a right to expect that critical infrastructure is digitally secure and sustainable in the face of any potential cyber threat. Critical infrastructure resilience begins with a serious assessment that takes an unclouded view of the vulnerabilities that may exist, and of the potential for them to be exploited - followed by the development of methodical tests and resolution plans for every conceivable risk scenario and potential operational failure that could affect an organization, specific to its sector and the services it provides.
Cyber Risk Governance
Governance relies on risk-based decision making as a fundamental means both to drive the efficient use of resources and to improve confidence in an organization’s ability to achieve strategic objectives. The number of corporate boards with a dedicated cybersecurity committee is expected to increase sharply by 2025.
All organizations rely on their employees’ ability to navigate a world of growing uncertainty, and to dodge threats to the organization’s ability to achieve its collective goals. Unfortunately, complex organizations can easily be overwhelmed; each risk demands a distinct analysis and a potential investment of additional resources in order to respond in ways that adequately reduce exposure.
A good governance structure will provide a framework that enables the right managers to make the right decisions, which will help prioritize and allocate resources as needed. Not all risks require analytic rigour or subsequent investment - immediate hazards like icy sidewalks or commonplace cyber incidents like phishing emails can be addressed at lower management levels. That is not the case for strategic risks like global pandemics or advanced persistent cyber threats that have the potential to disrupt or damage an organization indefinitely.
Vigorous, board-level engagement in risk governance is essential for success. Thankfully, boards are increasingly recognizing the importance of cyber risk governance; a study published by Ernst and Young in 2020 found that 81% of board members categorize cybersecurity as “highly relevant,” and Gartner researchers predict that 40% of all boards will have a dedicated cybersecurity committee by the year 2025 (currently, just 10% of boards have one).
A structure that effectively prioritizes and adjudicates risks to the right organizational level is required. Responsibility for risks is typically apportioned in accordance with an organization’s willingness to accept them, also called “risk appetite.” A risk-appetite statement can be used to direct employees and clarify who has the necessary level of authority to decide how to respond to any given situation.
The National Institute of Standards and Technology Special Publication 800-37 addresses the apportioning of risk with a three-tier structure comprising the organization, the mission, and the system. Meanwhile the ISO 27000 series of standards provides recommendations for the use of policy and organizational structure to reduce risk, and the COSO framework connects governance to culture by highlighting the importance of board oversight, culture requirements, core values, and human resource development.
Cybersecurity Skills Gap
According to research conducted by the International Information System Security Certification Consortium, there is an estimated global shortage of nearly three million cybersecurity professionals. Key challenges include finding qualified professionals and cultivating greater diversity in the workforce.
The inability to acquire and retain the cybersecurity talent necessary to tackle these challenges is a key limiting factor for both the private and public sectors. Experienced workers command a salary premium and demonstrate high levels of mobility, while burnout and correspondingly high levels of staff attrition are serious problems in some cybersecurity domains.
Cybersecurity responsibilities can include data security, security risk management and assessment, security compliance, threat detection and remediation, network security architecture, and monitoring, supporting, or troubleshooting cybersecurity systems.
A Ponemon Institute study published in 2020 found that 65% of cybersecurity operations centre workers had considered leaving their current organization. The primary sources of dissatisfaction were stressful operating environments and the sheer quantity of assigned responsibilities. In a 2020 examination of the workforce, ISACA researchers identified several core challenges for identifying and recruiting cybersecurity professionals - an alarming 62% of study respondents indicated that their cybersecurity functions were understaffed.
Respondents also expressed concern about the expertise of available workers, with 70% believing that less than half of all candidates are qualified for the positions they are seeking. The majority of hiring managers consulted (72%) believed that human resource departments fail to understand their cybersecurity resource needs.
A 2021 survey of senior cybersecurity leadership conducted by PricewaterhouseCoopers found that a blend of technical skills, business acumen, and communications skills is required for success in cybersecurity; 42% were seeking critical thinking skills, and 42% were seeking creativity (data science and artificial intelligence/machine learning experience are some of the most prominent emerging needs).
The International Consortium of Minority Cybersecurity Professionals reports that only 14% of the total workforce identifies as female, and a Frost & Sullivan study of the workforce in the US found that 9% of cybersecurity professionals self-identify as Black, 4% as Hispanic, and 8% as Asian. The same study noted that minorities comprise 23% of senior leadership (director or above) roles, in contrast to 30% across all professions. Cultivating diversity among cyber professionals is a global challenge.
Cyber Diplomacy and International Security
Cyber actors operate under the guise of nation-states whose stated aims are often in conflict with their observed activity. The confidence and trust binding the global community result from visibility - being able to observe actual current conditions, and to understand the actual mission.
The basis of cyber diplomacy is that we are one international entity sharing the same goals - the preservation of infrastructure, the protection of critical public and private technology processes, respect for digital data ownership rights, and the authority of data guardianship. Cyber risk does not observe national boundaries, and a cyber aggressor one day may become a cyber victim the next. Cyber missions can overreach and affect unintended victims, and malware can proliferate in unexpected and unintended ways.
Proof rests on the attestation of a true and accurate statement of intent. In the cyber domain, these elements are often difficult to ascertain. Countries closely guard their technology secrets, and the very methods they use to guard them. Cyber actors operate under the guise - if not the direction - of nation-states whose stated aims are often in conflict with their observed activity. Examples include the WannaCry ransomware attack in 2017, and the SolarWinds attack identified at the end of 2020.
According to the United Nations Office for Disarmament Affairs, international peace and security are at risk; clearly, the decisions made by the global community about the rules of cyber engagement and necessary protections could have far-reaching consequences. The UN office works on five related pillars: existing and emerging threats; international law; norms, rules and principles; confidence-building measures; and international cooperation and assistance in capacity building.
Often, what might otherwise have been discrete malicious acts have escalated into global incidents. All nations should, at a minimum, consent to a common set of behaviours so that regardless of their objective, cyber-offensive activities remain within the limits of international norms that bridge local interests with global expectations.
As some nation-states seek to leverage cyber action to gain advantages, these norms should be sustained and remain inviolate - for the global good. Someday, one of these attacks may accidentally cause a devastating cyber calamity, and the global technology community will have to pick up the pieces. Member states should contribute to this work and then agree to the recommendations that result.
CYBERSECURITY
As human behavior and interaction continue to be shaped by increasingly ubiquitous technologies, organizations must continuously adapt their capabilities to prevent malicious actors from taking advantage of the shifting technological landscape, and to deal with those who do.
Risks abound, but so do solutions, including those based on artificial intelligence and the “Zero Trust” model. As hazards morph, so must our responses; digital threats demand vigilance, determination, and resolve to react with precision to an ever-expanding cycle of risk.
The digital world connects everything and everyone to apps, data, purchases, services, and communication. Securing this world is essential for protecting people, organizations, habitats, infrastructure, and just about everything we value and rely on for health and prosperity - from smarter choices to smart cities.
Cybersecurity must be prioritized in all domains of society and the economy if we are to unlock the true potential of the digital economy. Cybersecurity is not a separate technology but rather a foundational set of systems spanning technology, people and processes for the Fourth Industrial Revolution.