Cybersecurity: Managing risks for greater opportunities

Be afraid. But be prepared too.

Today’s post is from Laurent Bernat of the OECD Information, Communications and Consumer Policy Division

Cyber attacks are “as dangerous as conventional warfare”, according to German Chancellor Merkel. “One of the most serious economic and national security challenges we face”, says US President Barack Obama. And France considers that it will face a large scale cyber attack against national infrastructure in the next 15 years. The stakes are high.

While the nature of these attacks continues to include criminal activities motivated by financial gain (identity theft, credit card fraud, cyber ransom, etc.), the main emerging threats are large-scale denial of service attacks, information leaks, targeted cyber espionage, and the disruption of critical infrastructures. Examples include the massive attack on Estonian networks in 2007, large scale denial of service attacks against Korea and the United States in 2009, waves of espionage targeting governments, institutions and firms, and large scale personal data leaks such as the one that affected 77 million customers of Sony in 2011.

Surprisingly, states themselves seem to be emerging as new sources of threats, as rivalries and disputes spill over into cyberspace. News accounts of cyber espionage, sabotage and deception now read like something out of a James Bond film. The alleged physical disruption of the Iranian nuclear enrichment programme using the Stuxnet worm is but a recent example.

So what are governments doing to prevent the World Wide Web from devolving into the Wild Wild West? According to a new study of national cybersecurity strategies in OECD countries, they’re focusing on how to deal with a serious cyber incident – a possibility envisaged in nearly all the strategies – but in a way that does not undermine the openness of the Internet. As the Internet has become an essential infrastructure for the economy and society, the consequences of interruption can have disastrous impacts.

National strategies now aim at achieving two interrelated objectives: strengthening security for the Internet economy to further drive economic and social prosperity, and protecting cyberspace-reliant societies against online threats. Managing these two objectives in parallel, while preserving the openness of the Internet and fundamental values, is probably the main challenge of cybersecurity policy making today.

The ongoing challenge for governments is to ensure that cybersecurity policies support prosperity and development rather than undermine them. To this end, the OECD promotes a risk-based approach whereby a certain level of risk is accepted in order to preserve the economic and social benefits made possible by an open Internet. Security should thus aim to reduce risk to an acceptable level through appropriate and balanced measures rather than simply to control threats by reducing openness and interconnectivity. The flexibility, scalability and management aspects of this approach reduce the cost of security without restricting choice, stifling innovation or limiting the adoption of new technologies.

An OECD consultation of non-governmental perspectives found that multi-stakeholder collaboration is the best means to develop effective cybersecurity policies that respect the fundamentally global, open and interoperable nature of the Internet. NGOs however express concerns regarding the blurring of boundaries between the economic and social dimensions of cybersecurity and the emergence of sovereignty considerations.

The OECD has now launched a broad consultation of all stakeholders from member and non-member countries to review its Security Guidelines. The review will take into account newly emerging risks, technologies and policy trends in areas such as cloud computing, digital mobility, the Internet of things, social networking, etc. It will also build on successful policies in national cybersecurity strategies and consider ways to foster greater international co-operation among governments, consistent with the 2011 OECD Recommendation on Principles for Internet Policy Making. More to come!

Useful Links

OECD work on information security and privacy

Review of the 2002 Security Guidelines

OECD Principles for Internet Policy Making

OECD Recommendation on the Protection of Critical Information Infrastructures

Triple A shocks?

A is for aaaaaaaaaaaaaargh

Thanks to mass media and social media, awareness of risks (and imagined risks) is growing, while at the same time local difficulties can quickly become global shocks due to the increased physical and virtual mobility of people, concepts and things. But resilience has increased too. For instance, power failures rarely last long in OECD countries because providers have backups and can call on diversified sources. France had to shut or power down 17 nuclear reactors during the 2003 heat wave, but that didn’t deprive any customer of electricity.

But is diversity necessarily a good thing? Cybersecurity for instance is made much more difficult because of the multiplicity of software platforms, infrastructures, telecom networks, norms, and so on that a system depends on. But having only one operating system to attack may not be such a great idea either.

The lonely hacker creating global chaos has yet to materialise, but the fact that what seem like minor problems can now provoke major disruptions reveals an aspect of the risk landscape that will grow in importance: asymmetry. Greece’s GDP is only around $305 billion compared with over $16 trillion for the EU as a whole, but the prospect of a default is causing panic worldwide due to the numerous connections among financial markets that amplify the scale of problems, as we saw with the subprime crisis. And to stick with finance, the number of traders actually speculating on Greek debt is tiny compared to the power they wield.

In addition to asymmetry and amplification, a third “A” is likely to become more important: asynchronicity. This is to be expected as the complexity and number of interactions grow. It could take a number of forms, varying from lags between economic activity and commodity prices to decoupling of countries or regions from swings in the global economy. Asynchronicity complicates the risk landscape because it undermines the case for global solutions to a number of problems.

Why care? And if we do care, what can we do about it, given the scale and intricacy of the problems?

In reply to the first question, the number of people affected by catastrophes is increasing and with it the human and economic costs. Population growth and settlement patterns are putting a growing number of people at risk from natural phenomena such as floods, storms and droughts.

The number of recorded technological disasters such as explosions, fires, and transport accidents has also risen rapidly since the beginning of the 1970s, and economic expansion and competition, combined with greater concentrations of population, will increase the associated risks.

The last major new health catastrophe to appear was HIV/AIDS, but new diseases such as SARS and H1N1 continue to emerge and others are evolving, leading to fears that at some stage a dangerous, new global pandemic is inevitable.

Terrorist attacks remain a constant threat and the world financial system has learned nothing from major crises.

The question of what we can do is more difficult. The pace seems to be accelerating, but if crises come more quickly, they go more quickly too. The last recession was due to the unravelling of a number of tensions in the system. These tensions were not reduced by any government policy, but built up until they exploded into a systemic shock that plunged the world into a recession and would have destroyed the financial system if states hadn’t pumped trillions of dollars into the economy. Is “pay up and wait for things to improve” really the best we can do?

Useful links

The OECD Project on Future Global Shocks

OECD work on risk management in agriculture, arguing that government policies should focus on planning for catastrophic risks like floods and droughts, instead of getting involved in normal farm business risks like price variations.