Hello. This chapter explores cybersecurity as a global issue in the context of the digital revolution, and how ensuring cybersecurity through greater awareness and strong multi-stakeholder partnerships are crucial for achieving the Sustainable Development Goals in a hyper-connected and digitized world.
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Cybersecurity is a global issue that knows no boundaries. It affects individuals and society, small and large organizations and transnational companies, critical infrastructure systems that we all depend on, and even our national security.
Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are using more innovative methods and techniques to compromise systems. The increasing move towards digital records for health, education, government IDs, and just about everything else facilitated by the internet, means that the value of information has become attractive to those who wish to penetrate systems for financial gain, reputational gain, to cause instability, or who just want to demonstrate weaknesses that exist.
The Internet was never ever built with security in mind, and yet so much of the world’s data flows are transacted over public networks that are vulnerable to attack. It is therefore important that corporations and government agencies seek to secure the data they collect on behalf of consumers and citizens. To do this they can use the CIA model, which stands for Confidentiality, Integrity, and Availability in the context of security. Confidentiality of data means that a client can trust that their personal information will not be shared with those that are not explicitly authorized to view it. This can be achieved, in part, by implementing access control mechanisms, such as authorizing only certain people to access and/or manipulate information. With confidentiality, the data is either compromised or it is not. But integrity includes both the correctness and the trustworthiness of the data. The integrity of data has become increasingly important as more sectors adopt data-driven decision-making. If the data underlying the decision is corrupted, the impacts of that decision may be devastating for governments, businesses, communities, and individuals. To preserve integrity, you need prevention mechanisms that block any unauthorized attempts to change the data or any attempts to change the data in unauthorized ways; and detection mechanisms that simply report when the data’s integrity is no longer trustworthy.
These types of integrity mechanisms are particularly important for controlling cyberphysical infrastructure in sectors such as telecommunications, water and waste control, energy, oil and gas refining, and transportation, because these sectors affect large populations, and significant outages that can be harmful to highly urban communities in particular. So if a natural disaster hits and the water control system has been compromised and data is corrupted, the flooding could have devastating consequences that could have otherwise been avoided. So that’s Confidentiality and Integrity. Availability, as it relates to cybersecurity, is knowing that you can access or use a resource or data when you want to. Someone may deliberately deny access to data or to a service by making it unavailable, known as a denial of service attack. These types of attacks generally occur when a hacker overloads a system with superfluous requests, preventing some or all legitimate requests from being fulfilled. It generally means that computers cannot connect to a host machine on the internet, thus denying them the right to carry on with for example, a retail transaction, a cash withdrawal from an automatic teller machine, or the accessing of vital government records. As more and more systems go online, enforcing the confidentiality of data, the integrity of data, and the availability of system access will be crucial to ensuring that the systems function as intended, whether they’re online government services, mobile banking, e-health records, educational tools, or fundamental infrastructure.
Many of the types of cybersecurity issues we’ve discussed thus far fall into the category of “cyber threats”, which exploit weaknesses in infrastructure. Responses to these threats often involve technical rather than legal measures; as such, a variety of organizations ranging from NGOs to intergovernmental bodies are actively involved in cyber defense. In contrast, cybercrime refers exclusively to attacks on private entities with the intent of gaining profit or inflicting damage. It is estimated that cybercrime is costing us 600 billion to 1 trillion annually. As more data is collected online, the consensus is that cost of cybercrime will also rise commensurately. It also follows as the number of devices increase, the greater the number of avenues of attack for hackers to consider to penetrate systems. At the personal level, hackers are interested in your identity and the credentials found on your computer. Just as countries seek to reap the advantages of global reach through online business models, breaches in security can have chilling effect to those starting to use the internet. In countries in Africa, as consumer awareness about cybersecurity grows cyberattacks have had a detrimental impact on development and growth. Most of the population have also been exposed to phishing attacks-the practice of sending fraudulent emails that resemble emails from reputable sources. The aim is to steal sensitive data like credit card numbers and passwords. It’s the most common type of cyber attack. You can help protect yourself through education or a technology solution that filters malicious emails. At the national level, we have seen cyberterrorists steal fingerprint records and claim to have penetrated defense websites, making a mockery of defenses and attracting international attention. The potential to hack DNA databases is also a real possibility. At the international level, multinational organizations have had login and passwords stolen across jurisdictions. Although the potential for cybercrime can be mitigated by enhancing the security of internet networks, only national governments possess the proper legal tools and jurisdiction to prosecute attackers. But this is a truly multi-stakeholder environment, and we need to better understand data sovereignty, the applicability of international humanitarian law, and the United Nations charter in order to create international standards for managing cybercrime that reach across national borders. One such example is the Council of Europe’s 2004 Convention on Cybercrime, which has had some impact on international cooperation and data sharing between nations. Ultimately, security is everyone’s problem, not just IT groups tasked with protecting a government’s or company’s networks and data repositories. In 1992, the OECD produced security guidelines promoting a culture of security by leadership and extensive participation by government and business stakeholders. The main point raised by the OECD is that security has to be factored in during the design of any new technology system. Today, what we call privacy and security “by design” principles are being taught internationally as a way to emphasize the growing importance of cybersecurity. The principles they identified were nine-fold, and include awareness of risks, timely responses to risk, ethical conduct, and continuous reassessment, among others. The aim of cybersecurity is to prevent an attack before it even happens. This is the ideal solution, and where technology is the most helpful. This may take the form of antivirus software, firewalls, among many other toolkits like honeypots that lure hackers to reveal their identifying information. If an attack does happen, then detecting it as soon as possible is just as important. It is knowing what is happening and what is causing the exposure. Auditing systems in intrusion detection are most effective here. Finally, an organization or government agency who has suffered a cybersecurity attack needs to recover from the attack as soon as possible, that is assess and repair the damage caused, and get back to normal operation as soon as possible. It is important to remember that cybersecurity is not a static concern. Organizations need to assess their logical and physical relationships with other systems and partners to determine the level of intra-organizational activities, extra-organizational activities, and those on the internet. And as systems get linked to increase interoperability and efficiency, trust in partnerships is paramount when granting employees of other companies access to your system. Given that the internet is a truly global phenomenon that has a distributed architecture, there is no one country which rules over it. Instead given the ill-defined boundaries of cyberspace, a network of institutions are responsible for addressing threats and international relations. Increasingly, we are moving toward a governance model in cyberspace, and one where disclosure of data breaches is favored rather than closeted and uncoordinated responses to cybercrime.
NGOs, for the greater part, coordinate community-level responses. And one major international institutional response has been the emergence of CERTS (Computer Emergency Response Teams). These teams organize responses to security emergencies, promote the use of valid security technology, and ensure network continuity. Although the majority of CERTs were founded as non-profit organizations, many have transitioned towards public-private partnerships. But these types of organizations lack power at the national and international level.
The International Criminal Police Organization (INTERPOL) has also gotten involved in combating cybercrime, creating a 24/7 ‘Network of Contacts’ in order to help national governments “identify the source of terrorist communications, investigate threats and prevent future attacks.” The 24/7 Network of Contacts, empowered by Article 35 of the Convention on Cyber Crime, is a rare example of direct international intervention and collaboration. I’ve only really scratched the surface of everything there is to cover. But I want to leave you with these final thoughts about creating the culture of security that will help ensure that our data is safe and that technology lives up to its potential to be a useful tool for the betterment of mankind: Good practices need to be taught early and guides need to be developed for citizens, governments, and every other sector; stakeholders need to cooperate by sharing knowledge, especially about specific security incidents; capacity building is paramount when it comes to security at every level, beginning with leadership, strategic and operational staff. When it comes to cybersecurity at the national level, citizens and stakeholders must hold their governments accountable, especially as more and more government systems go online.
The ITU’s Global Cybersecurity Index (GCI) is a fantastic resource here, measuring the commitment of countries to cybersecurity. Harmonization, collaboration, and-above all-education required to make any progress against cybercrime. Empowering organizations to commit to cybersecurity will contribute to SDG 16-to promote justice and strong institutions-thereby ensuring security for all other ICT-related projects for sustainable development. Thank you.