Cybersecurity: Managing risks for greater opportunities

Be afraid. But be prepared too.

Today’s post is from Laurent Bernat of the OECD Information, Communications and Consumer Policy Division

Cyber attacks are “as dangerous as conventional warfare”, according to German Chancellor Merkel. “One of the most serious economic and national security challenges we face”, says US President Barack Obama. And France considers that it will face a large scale cyber attack against national infrastructure in the next 15 years. The stakes are high.

While the nature of these attacks continues to include criminal activities motivated by financial gain (identity theft, credit card fraud, cyber ransom, etc.), the main emerging threats are large-scale denial of service attacks, information leaks, targeted cyber espionage, and the disruption of critical infrastructures. Examples include the massive attack on Estonian networks in 2007, large-scale denial of service attacks against Korea and the United States in 2009, waves of espionage targeting governments, institutions and firms, and large-scale personal data leaks such as the one that affected 77 million customers of Sony in 2011.

Surprisingly, states themselves seem to be emerging as new sources of threats, as rivalries and disputes spill over into cyberspace. News accounts of cyber espionage, sabotage and deception now read like something out of a James Bond film. The alleged physical disruption of the Iranian nuclear enrichment programme using the Stuxnet worm is but a recent example.

So what are governments doing to prevent the World Wide Web from devolving into the Wild Wild West? According to a new study of national cybersecurity strategies in OECD countries, they’re focusing on how to deal with a serious cyber incident – a possibility envisaged in nearly all the strategies – but in a way that does not undermine the openness of the Internet. As the Internet has become an essential infrastructure for the economy and society, the consequences of interruption can have disastrous impacts.

National strategies now aim at achieving two interrelated objectives: strengthening security for the Internet economy to further drive economic and social prosperity, and protecting cyberspace-reliant societies against online threats. Managing these two objectives in parallel, while preserving the openness of the Internet and fundamental values, is probably the main challenge of cybersecurity policy making today.

The ongoing challenge for governments is to ensure that cybersecurity policies support prosperity and development rather than undermine them. To this end, the OECD promotes a risk-based approach whereby a certain level of risk is accepted in order to preserve the economic and social benefits made possible by an open Internet. Security should thus aim to reduce risk to an acceptable level through appropriate and balanced measures rather than simply to control threats by reducing openness and interconnectivity. The flexibility, scalability and management aspects of this approach reduce the cost of security without restricting choice, stifling innovation or limiting the adoption of new technologies.

An OECD consultation of non-governmental perspectives found that multi-stakeholder collaboration is the best means to develop effective cybersecurity policies that respect the fundamentally global, open and interoperable nature of the Internet. NGOs however express concerns regarding the blurring of boundaries between the economic and social dimensions of cybersecurity and the emergence of sovereignty considerations.

The OECD has now launched a broad consultation of all stakeholders from member and non-member countries to review its Security Guidelines. The review will take into account newly emerging risks, technologies and policy trends around such areas as cloud computing, digital mobility, the Internet of Things, social networking, etc. It will also build on successful policies in national cybersecurity strategies and consider ways to foster greater international co-operation among governments, consistent with the 2011 OECD Recommendation on Principles for Internet Policy Making. More to come!

Useful Links

OECD work on information security and privacy

Review of the 2002 Security Guidelines

OECD Principles for Internet Policy Making

OECD Recommendation on the Protection of Critical Information Infrastructures