Five tests for risk-based approaches to national cybersecurity in resource-constrained environments

Digital Pathways publication
Ciaran Martin
Noran Shafik Fouad

Cybersecurity has emerged as a principal concern for governments in the 21st century. The increasing cyber dependencies and the massive development of information and communication technologies (ICTs) have widened the scope of potential vulnerabilities that can be exploited in cyber incidents;¹ lowered entry barriers for potential threat actors by decreasing the costs of malicious cyber operations; and in some (but by no means all) environments, created concerns that cyber offence has been prioritised over cyber defence. In many political discourses, cyber threats have long been accompanied by fears of a ‘cyber catastrophe’ that would threaten the stability of nations, particularly when critical national infrastructures (CNIs) are attacked. Cyber Pearl Harbour, Cyber Katerina, and Cyber 9/11 are all examples of futuristic cyber doom scenarios that many governments, particularly in the global North, have been using since the 1990s in framing cybersecurity threats as part of the realm of national security. As argued by Lee and Rid, the hype and fear around destructive cyber attacks had immunised cybersecurity budgets from the sorts of severe reductions in national security spending seen in the post-financial crash years In part, this is because investment in covert intelligence to detect and counter the most sophisticated threats is deemed by many security leaders as an essential part of the solution to the cybersecurity challenge.

Further, tough standards are demanded to protect CNIs, even if those standards are not always met. Governmental guidance to mainstream cybersecurity for public services, smaller businesses, or charitable organisations seems to recommend very advanced and expensive defences. As part of this process, institutional capacity for cybersecurity has been hugely strengthened in many countries. The USA, for example, has several very large security agencies – the National Security Agency (NSA), Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) – with advanced cyber expertise. The UK led the other so-called ‘Five Eyes’ intelligence alliance – the UK, USA, Canada, Australia and New Zealand – in setting up intelligence-led but civilian-facing cybersecurity authorities with costly technical capabilities. Much of continental Europe introduced a blend of covert intelligence agencies and separate, public-facing, cybersecurity authorities.

Such ideas, policies and institutions, which are primarily influenced by the experiences of the most advanced economies and powerful states, have largely shaped what national-level cybersecurity should look like. This has created a situation where countries that manage to develop their financial and technical capacities and transition into the status of ‘emerging economies’ invest heavily in militarising their cybersecurity strategies. For example, emerging economies such as Argentina, Brazil, Indonesia, Philippines, Mexico, and South Africa have all either already established or are in the process of establishing specialised military agencies for cybersecurity, that is, cyber commands. This increasing role of military and intelligence agencies in cybersecurity around the world has been criticised extensively by cybersecurity scholars for various reasons, including: the negative implications of militarisation on digital human rights and internet freedoms which transform activists into ‘cyber losers’ the atmosphere of insecurity and tension it creates in international relations; and the challenges it poses to democratic governance in fragile political settings.

Here, one important question remains largely under-explored: what cybersecurity requirements should countries with limited economic resources consider for digitalisation to improve public services and create the conditions for further economic growth? Put differently, what does good, cost-efficient, and economically viable national cybersecurity look like? There is little evidence available to help answer this question, and this is clearly an area where detailed quantitative research would be beneficial.

The nascent attempts to rank global cybersecurity efforts between countries further illustrate this point. Rankings vary wildly between the different indexes, which shows that the world is unable to measure cyber harm, and is nowhere near an agreed way of assessing what good cybersecurity looks like. For example, the International Telecommunication Union (ITU) ranks China 33rd in its Global Cybersecurity Index, whereas Harvard’s Belfer Center’s National Cyber Power Index ranks the same country second. Estonia’s National Cyber Security Index ranks Greece first in terms of preparedness to prevent cyber threats and manage cyber incidents, but Greece does not appear highly in any other major index. This is partly due to the very different methodologies these indexes use. For example, the ITU’s index focuses heavily on governance: national strategies, incident response capabilities, legal measures to regulate cybersecurity, etc, whereas the Belfer Center’s index measures countries’ observed behaviour towards cyber issues to achieve certain objectives, as well as the quality and quantity of output to achieve them (such as the number of patents filed per year, global top security firms, skilled workers, etc).

While we cannot currently accurately specify what good cybersecurity looks like, we can analyse what good risk-based approaches to national cybersecurity should aim at achieving. This is particularly important in low- and middle-income countries operating in resource-constrained environments in the early stages of economic development and digitalisation. This paper, therefore, discusses key considerations for risk-based cybersecurity by investigating the trade-offs that decision-makers should address so that scarce resources are best deployed to fend off threats that are more likely to happen and cause significant harm. The analysis is presented in the form of five tests that can be used to analyse the robustness of risk-based cybersecurity when resources are limited and to think about the potential paths that nations can take as they grapple with various economic and digitalisation challenges. As such, this framework does not present an exhaustive list of all the fundamental components of a cybersecurity strategy, but rather analyses the most important trade-offs and challenges that a cybersecurity strategy should address.