We must treat cybersecurity as a public good. Here’s why

cyber crime

(Taskin Ashiq, Unsplash)

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Mariarosaria Taddeo, Research Fellow and Deputy Director, Digital Ethics Lab, Oxford Internet Institute, University of Oxford & Francesca Bosco, Project Lead, Cyber-Resilience, Centre for Cybersecurity, World Economic Forum


Soon your fridge will be able to buy your food on Amazon, having noticed what you liked on Facebook and Instagram. Cybersecurity is crucial for this to happen; to make sure that, while our food preferences are being noted, our identity is not stolen, credit cards not cloned, and our devices are not tampered with by malicious actors out to steal data or modify a machine’s behaviour. As the Fourth Industrial Revolution progresses and the integration and interaction of different technologies is used to improve individual and environmental wellbeing, cybersecurity will be ever more important.

In 2015, the UN identified 17 Sustainable Development Goals (SDGs) to be achieved by 2030 – ranging from eradicating poverty and guaranteeing stability and peace to fighting discrimination and climate change. Digital technologies, particularly the internet of things (IoT) and artificial intelligence (AI), can facilitate efforts to achieve the SDGs. For example, AI can help detect malnutrition using photographs of individuals living in a given area. Here, too, cybersecurity is crucial. Should pictures of those individuals be stolen or the AI model become corrupted, the use of AI to fight starvation would become problematic. Cybersecurity underpins trust in, and thus the adoption of, digital technologies for humanitarian and environmental purposes.

It does not come as a surprise, therefore, that the value of the cybersecurity market is estimated to grow from $120 billion in 2019 to $300 billion by 2024. It is more surprising that, while efforts and investment to improve cybersecurity continue to grow, security developments lag behind the pace of the malicious use of digital technologies. Cyber threats are escalating in frequency, impact and sophistication. The World Economic Forum’s Global Risks Report 2019 ranked cyberattacks among the top-five risks. At a global level, cybercrime causes multibillion dollar losses to business; the average cost of cybercrime for an organization has increased from $11.7 million in 2017 to $13.0 million. That year, the WannaCry and NotPetya incidents showed that attacks targeting the cyber component of infrastructures (such as power plants), services (such as banks or hospitals servers) and tools and devices (mobiles and personal computers, for example) have great disruptive potential and can cause serious damage.

The lack of effective cybersecurity measures has a potential knock-on effect on the Fourth Industrial Revolution, and on the development of information societies around the globe. Two aspects are particularly relevant: stability and trust. Without effective security measures in place, cyberthreats may undermine the stability of information societies, making digital technologies a source of risk more than a source of development. At the same time, a lack of security around digital technologies will erode users’ trust, which will in turn cripple adoption and hinder innovation. Cybersecurity is an essential resource of information societies and improving it is vital to fostering societal development, technological progress, and harnessing the potential of digital technologies to deliver outcomes that are beneficial to society.

Which cybersecurity?

The term cybersecurity covers a vast domain. It ranges from designing systems that are robust and can withstand attacks, to the design of methods and systems for threat and anomaly detection (TAD), to guaranteeing systems’ resilience and defining systems’ responses to attacks. In societies that depend on digital infrastructure to function, systems’ robustness is an essential requirement. But improving it is a costly process. It requires accurate design, code verification and validation, testing and probing for vulnerabilities. This makes cybersecurity a club good – namely, a good that is not exhausted by its use (non-rivalrous), but whose access is regulated by its cost. The escalation of cyberthreats indicates that this approach is ineffective, if not problematic, because market dynamics and the costs associated with improving systems’ robustness lead to an uneven distribution of cybersecurity measures.

Consider, for example, the IoT. The robustness of digital end-point devices has an impact on their costs, to the extent that producers may sacrifice robustness in the interest of retaining commercial competitiveness. In 2018, a Symantec study reported an average of 5,200 attacks per month on IoT devices. As IoT increasingly pervades our private and public environments, its vulnerabilities may favour severe security and safety from threats. The question, then, is how do we develop and regulate the design of robust systems in an effective way?

Clearly, engineering robust systems has both a direct and indirect impact on the public in information societies. It enables critical national infrastructures and services to work, allows citizens to perform their daily routines, and can favour the socially beneficial outcomes of digital technologies. For these reasons, cybersecurity should not be framed and managed as a club good – it should be treated as a public good, that is, a non-rivalrous good that is also non-excludable (which means no user can prevent others from using it).

Make cybersecurity a public good

Managing costs is key to developing systems’ robustness as a public good. This does not mean that systems’ robustness need to come free of charge, but it is essential that the costs do not become a deciding factor in determining access. The key point here is to ensure that all users have access to digital technologies whose robustness is adequate to the purpose and the context of deployment.

This point can be clarified using two analogies: streetlights and national defence. These are two typical public goods; both come at a cost, but all citizens of a state access them independently of these costs, and they all contribute to maintain these goods by paying taxes. In the same way, cybersecurity can function as a public good if its costs are shared equitably among the relevant stakeholders. One implication of this approach is that the public sector will have to shoulder some of the costs of cybersecurity: this may include, for example, costs related to the setting of standards and certification procedures, as well as costs associated with testing and verifying technologies. But managing cybersecurity as a public good would also yield three important advantages: systemic approaches to security, shared responsibilities among the different stakeholders, and fostering collaboration.

Systemic approach: The management of a public good requires considering direct and indirect externalities, as well as medium and long-term consequences. This favours approaches to cybersecurity that focus on interdependencies among the security of different, but connected, technologies, their impact on the context of deployment and on the relevant public interest at stake.

Shared responsibilities: Management of cybersecurity as a public good calls for collaboration between the private and the public sectors to ensure that systems’ robustness is designed to meet the public interest. It is up to the public sector to set standards, certification and testing and verification procedures capable of ensuring that a sufficient level of security is maintained. At the same time, the private sector bears responsibility for designing robust systems and developing and improving new cybersecurity methods for the services and products they offer, as well as for collaborating with the public sector around controlling and testing mechanisms. Envisaging systems’ robustness as a public good also places some responsibility on the user in terms of their cyber hygiene practices.

The distribution of responsibilities among the various stakeholders together with the need to consider direct and indirect externalities is likely to foster collaboration and information sharing. Sharing information about the vulnerabilities of different systems involved in the same supply chain, for example, will become crucial for the private sector to guarantee systems’ robustness and to learn from its peers. At the same time, the public sector may support this by including information-sharing and collaboration as part of its capability-building initiatives and procedures.

the sting Milestone

Featured Stings

Can we feed everyone without unleashing disaster? Read on

These campaigners want to give a quarter of the UK back to nature

How to build a more resilient and inclusive global system

Stopping antimicrobial resistance would cost just USD 2 per person a year

Tokyo 2020 Olympics: from cardboard beds to recycled medals, how the Games are going green

Greece to stay in the euro area but the cost to its people remains elusive

The Monetary Union drives Europe into dangerous paths, CoR demands an EMU of regional content

Meet Alice, the battery-powered plane that could herald the age of electric air travel

Commission’s action against imports from China questioned

Fisheries: Commission proposes measures to conserve stocks of deep-sea species in the North-East Atlantic

Russia must urgently step up fight against foreign bribery

Threat from petty criminals who turn to terrorism, a growing concern, Security Council hears

Assembly President launches new initiative to purge plastics and purify oceans

Learning from our past mistakes: the mental health burden of two pandemics

Mobile technology saving lives: changing healthcare systems with simple technological solutions

Top officials say UN will support Bahamas’ rescue, relief efforts as Hurricane Dorian churns in Atlantic

Robots and chatbots can help alleviate the mental health epidemic

The dangers of data: why the numbers never tell the full story

The global economy is woefully unprepared for biological threats. This is what we need to do

Here are three ways blockchain can change refugees’ lives

Sherpa climbers carried out the highest-ever spring clean. This is what they found

Coronavirus Global Response: EIB and Commission pledge additional €4.9 billion

French Prime Minister passes Stability Program and takes his ‘café’ in Brussels this June

Paris, Washington, IMF against Berlin and ECB on money and interest

My twin from Guangzhou

This country came up with 5 novel ideas to tackle the pandemic

Antitrust: Commission fines Sanrio €6.2 million for restricting cross-border sales of merchandising products featuring Hello Kitty characters

It’s Time to Disrupt Europe, Digital First

EU Civil Protection Mechanism must be sufficiently funded to save lives

World Health Day: Statement by Commissioner Stella Kyriakides

This is what Belgium’s traffic-choked capital is doing about emissions

Warmer months ahead for many parts of the planet: UN weather agency

‘Stay at home’ UK tells people as global confirmed cases pass 380,000 – Today’s coronavirus updates

As India’s lockdown ends, a mental health crisis is just beginning

100 years on, UN labour agency mission focussed on growing inequality, says Director-General

Europe’s dirty air kills 400,000 people every year

GSMA Mobile 360 Series – MENA in Dubai, in Association with The European Sting

UK: Customs Union with EU or a longer delay of Brexit

Brexit: Six more months of political paralysis or a May-Corbyn compromise?

In the United States, there aren’t enough hours in the week to make rent

UN experts decry torture of Rakhine men and boys held incommunicado by Myanmar’s military

Rich economies not a promise of education equality, new report finds

Working together to end the AIDS-HIV pandemic

3 reasons why data is not the new oil – and why this matters to India

Superbugs: MEPs advocate further measures to curb use of antimicrobials

These are the best MBAs if you want to be an entrepreneur

Austerity lovers to put a break on Renzi’s growth vision for Europe? the Sting reports live from World Economic Forum 2015 in Davos

Brunei’s new penal code would enshrine ‘cruel and inhuman punishments’ UN rights chief warns

UN chief urges emergency fund support as one of the ‘most effective investments’ in humanitarian action

‘Power is not given, power is taken’, UN chief tells women activists, urging push-back against status quo

Digital Finance Package: Commission sets out new, ambitious approach to encourage responsible innovation to benefit consumers and businesses

COVID-19 and German constitutional court decision top meeting with ECB’s Lagarde

Berlin wants to break South’s politico-economic standing

Businesses are thriving, societies are not. Time for urgent change

A Glimpse into the Future of the Health with Mobile Technology

A new roadmap for corporate climate governance

Hatred ‘a threat to everyone’, urges Guterres calling for global effort to end xenophobia and ‘loathsome rhetoric’

UN working to prevent attacks on civilians in eastern DR Congo

Western Balkans: European Parliament takes stock of 2018 progress

Brexit update: Will the EU grant extention to Britain preventing economic chaos?

Misinformation and growing distrust on vaccines, ‘dangerous as a disease’ says UNICEF chief

8 steps towards a sustainable economic recovery

We now know how much ice Antarctica has lost in the last 25 years – three trillion tonnes

Von der Leyen on EU long-term budget: our opportunity to make Europe fit for the future

More Stings?

Advertising

Speak your Mind Here

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s