A safer digital future starts with better cybersecurity policy

Roxana Radu, Associate Professor of Digital Technologies and Public Policy, explores the essential principles for proactive cybersecurity policymaking. Professor Radu co-ordinates a new programme, Cyberspace: Statecraft and Policy, for policymakers who want to gain an understanding of cyberspace and the skills needed to navigate it effectively.  


We are no longer asking “if” but “when” a cyber incident is likely to occur.

We’re asking not only what the costs of a cyber disruption are, but also how harmful it has been to individuals, organisations, communities, and countries. We are starting to understand the cybersecurity ecosystem better by examining more than the indicators of compromise and the cyber insurance policies and zooming in on resilience and recovery approaches. This change of attitude, which has started to permeate the cybersecurity policy circles, is one of the most promising developments in recent years. It steers the evolving field of cybersecurity in the right direction, laying bare the real challenge behind enhancing computer network security: preparing for its social, economic, legal and political reverberations.

The history of the Internet is one of private governance and systemic insecurity, anchored in geopolitical competition. For more than three decades, we have been working – with various degrees of success – to patch the vulnerabilities embedded in the hardware and in the software of our digital systems. For national security and public interest reasons, governments have always played a role in cybersecurity, for example in enhancing defensive capabilities or in regulating critical infrastructure. But these efforts have not (yet) resulted in a significantly more secure cyberspace, as these interventions remained fragmentary and unevenly distributed across the world. Most of them were grounded in a whole-of-government approach and remained “siloed” solutions dividing the “tech industry” and the “policy” world. The use of artificial intelligence tools in both cybercriminal activity and in cyber defence makes bridging these divides more urgent.

In technical terms, legacy systems are known to be particularly vulnerable — as are path-dependent strategies in government. A safer digital future depends on our ability to design better cybersecurity policies. The past three decades of poor security online have taught us at least three important lessons about doing things differently.

First, overcoming the government-versus-market dichotomy is essential: governments can create a new set of incentives and reduce the embedded risk from market-specific behaviours. The promotion of transparency around security incidents and vulnerabilities is a recent direction of action across a number of jurisdictions, from the EU to the US, aimed at raising the bar for cybersecurity and prioritising the mitigation of cyber attacks. In the face of evolving threats, greater collaboration among government, industry, and academic institutions is the way forward.

Second, moving from reactive to proactive management of cybersecurity crises changes the conversation. Supply chain attacks turn cyber incidents into an imminent crisis. Understanding that responsibilities lie beyond the computer security team and preparing – at an organisational level – for a recovery scenario is the best way forward.

Third, beyond a solid understanding of the strategic value of digital assets, we need a data-centric approach to cybersecurity, which aligns security with individual and collective interests, in order to avoid serious harm and provide adequate support when a crisis hits. While new standards for product security practices are being designed in the EU and beyond, a security approach to the data lifecycle is only just emerging.

In 2024, the year of an unprecedented number of elections, geopolitical tensions will further shape the cybersecurity responses. These will co-exist with known problems that have so far been insufficiently addressed or dealt with in a path-dependent manner. Last year, ransomware remained the largest threat and phishing was the most frequent attack vector. The impact of ransomware is incompletely understood, as are the policy and legal changes necessary to respond to this persistent threat. At the Blavatnik School of Government, we are undertaking research to compare policy responses and legislative changes triggered by ransomware, using case studies from different continents. Visit our programme page to find out more about this rapidly evolving field.