Last year saw a huge increase in cyber-related incidents, including big data breaches, physical infrastructure tampering, Internet of Things (IoT) devices turning on their owners, ransomware, and even allegations of election hacking that captured the public’s attention.
Sometimes it seems there’s no way that enterprises and governments can effectively stop the rising tide of cyberattacks. The good news is, along with the launch of a global cybersecurity watchdog, stakeholders are now discussing these issues in major international forums that until recently were neither digitally focused nor multistakeholder in nature.
The inaugural meeting of the Global Commission on the Stability of Cyberspace (GCSC) was held last month, an event that was long in the making. The GCSC isn’t just another acronym. It’s the first organization of its kind dedicated to bringing together stakeholders and proposing norms for the security of cyberspace.
It comes after the successful 2014 launch of the Global Commission on Internet Governance (GCIG), which has issued recommendations on various issues including cybersecurity, online privacy and access to the internet. GCIG chair Carl Bildt, former prime minister of Sweden and a veteran international diplomat, is also serving as senior advisor to the new GCSC, adding to its weight and momentum.
I was honoured to be selected as a GCSC commissioner and want to highlight the creation of the commission, because, as I’ve said many times, actionable dialogue among stakeholders is key to improving cybersecurity. People have to come together to discuss the challenges, benefits and best practices of cybersecurity, since cyberattacks are everybody’s business. I also think it’s important to participate in these global dialogues not only to keep up, but also to incorporate local perspectives in the discussion. For example, as a Japanese person, I think the ageing population in Japan will have to address how Japanese citizens interact with the internet, as well as innovations such as artificial intelligence, and how we provide security while maintaining ease of use.
It’s worth noting that the first GCSC meeting was held on the sidelines of the Munich Security Conference (MSC). For 50 years, the MSC has served as a platform for heads of state, members of government, policy-makers and think tank staff to get together and talk about matters of security and military affairs. The MSC featured a wide variety of topics, but what’s most interesting was that all the sessions included a cyber component in the discussion.
The launch of the GCSC came on the heels of the RSA Conference International Security Forum in San Francisco. The International Security Forum is a closed-door event for discussions among senior, international, cybersecurity decision-makers and experts. The week-long RSA conference itself focused on the topic of IoT challenges, but compared to previous years, the special one-day forum had a greater presence of high-level government experts and policy-makers to discuss cybersecurity from a variety of perspectives such as policy, international law and sovereignty.
I was invited to the forum to make a presentation on critical infrastructure, but as is often the case, I gained more from discussions with my peers. It’s become very clear that countries throughout the world are struggling with the speed of innovation and associated cybersecurity threats. However, it’s also important to discuss and understand everyone’s unique perspectives, contexts and historical backgrounds so that we can collaborate on a global solution.
That’s why I wanted to share some of the topics of the off-the-record discussions that I attended. There was intense talk of what constitutes and defines critical infrastructure. For instance, are voting systems a critical piece of infrastructure that should be protected from cyberattacks? Some attendees questioned the need for a distinction between critical and non-critical infrastructure. Their argument is essentially that everything should be considered critical, for if not, some people could feel left out.
Meanwhile, other governments were under pressure to limit the scope of what constitutes critical infrastructure because local stakeholders don’t want the added burden of cybersecurity rules and regulations. This highlights how a topic can be interpreted differently and that the solution may not necessarily be technical, but arrived at through smarter regulation and basic principles that everyone can agree on.
Other talks focused on liability in breaches, the need for human resources that can communicate cybersecurity issues to other stakeholders, as well as information sharing, communication and coordination among government silos. On the human resources front, we should remember that this isn’t necessarily a technical need — we need people who can advocate for non-technical aspects, such as usability and psychology, as well as break down cybersecurity issues for politicians.
Another major forum that has highlighted cybersecurity in recent reports and conferences is the International Institute for Strategic Studies Asia Security Summit, known as the Shangri-La Dialogue. Last year’s dialogue had a session dedicated to cybersecurity, but when it reconvenes in June, this traditionally defence-oriented summit will most likely devote more time to cybersecurity problems.
The point here is that cybersecurity is becoming increasingly prominent at major gatherings of senior officials. This is in sharp contrast to just a few years ago when IT including cybersecurity could scarcely get any room on official agendas. Now, cybersecurity is central to the discussion, because systems, policies and tactics all have a cyber element to them. Thus, these conferences have quickly responded, upgrading the role of cybersecurity in both defensive and offensive narratives, while bringing it to the top of the event’s agenda. At the very least, it is now clearly accepted that there is now no difference between the digital and physical world: the guns, bullets, bombs and other weapons of yesteryear are now equally kinetic online threats. They are interconnected and interdependent in ways that we are only just beginning to understand.
From this trend, it’s clear that multistakeholder talks, which are a World Economic Forum tradition, are on the rise. Governments are increasingly concerned and getting involved, but also realize that the internet mostly runs on private networks and that they must therefore cooperate with the private sector and each other.
Furthermore, it is becoming obvious that there is a severe shortage of IT and cybersecurity talent and human resources at all levels of both business and government. The support of public sector officials, business and academia to create this next generation of leaders will definitely be a joint and interactive effort. There is no time to waste.