Digital technology touches virtually every aspect of daily life today. Social interaction, healthcare activity, political engagement or economic decision-making – digital connectivity permeates it all, and the dependence on this connectivity is growing swiftly. Greater reliance on a networked resource naturally makes us more interdependent on one another. As the new, shared digital space evolves, the collective imperative is to develop a common set of expectations to address systemic risks, and to define not only the roles but also the responsibilities of all participants in the cyber ecosystem. The obligations will encompass several key issues – from privacy norms to Internet governance policy – but the collective ability to manage cyber risks in this shared digital environment is fundamental. It forms the crux of cyber resilience.
But as the nature of cyber threats is evolving, so should the approach to cyber resilience. Three observations help to put this in context :
- Cyber resilience is not an isolated issue. Cyber resilience is part of a much broader transformation across society driven by information and communication technologies. The term “digital hyperconnectivity” refers to the increasing or exponential rate at which people, processes and things are connecting to the Internet. This results in some key shifts :
- The impact of technology shifts from improving efficiency to enabling transformation of business operations and institutions.
- The structure of systems changes fundamentally, away from hierarchies towards networks.
- Disintermediation offers huge social and economic gains, but presents new governance and assurance challenges.
- Cyber resilience is not a single issue. When referring to cyber resilience or cybersecurity, it is easy to assume that a single topic or issue is meant. However, these terms refer to a set of issues that are as varied as they are distinct. One Internet may connect people, but the challenges are several. In the “real” world, retail fraud, organized crime, invasions of personal privacy, diplomacy, warfare, intellectual property and copyright violations, terrorism and activism happen in very different ways, and different governance mechanisms (such as institutions, treaties, regulations and market mechanisms) have evolved to deal with each of them. Of course, part of the challenge of the “virtual” world is that these mechanisms in their current form are not reliable. Designed in a pre-digital world, they move too slowly and ignore the digital age’s interdependencies. Indeed, in many cases, even the underlying values and concepts cannot be depended upon – the digital era has re-constituted ideas such as privacy, ownership and security. The common notion of security implies isolation, the protection of a defined perimeter or an objective defined by the prevention of an event. This notion of security seems quaint in a world where it is impossible to draw a clean ring around the network of one country or one company, and where large organizations can be the target of 10,000 cyberattacks per day.
- Cyber resilience is a socio-economic issue. Most critically, the realization is growing that cyber resilience is also a socio-economic issue, although it has been more commonly recognized as a technical and political issue.
From the digitally enabled car to smart cities, from energy infrastructure to air travel, from cashless banking to on-the-spot market prices for farmers in developing economies, humankind is witnessing an explosion of innovation in technology. This groundswell of creativity is not centred solely in Silicon Valley, but is occurring across industries everywhere. The phenomenon has massive potential to generate economic value. And many of its gains in recent years have derived directly from digital global connectivity.
Discussions of cyber risks tend to focus on doomsday scenarios or a feared “cybergeddon”. However, an equivalent concern perhaps should be the lost opportunities from a significant backlash or fragmentation of the current digital ecosystem. A backlash could result from a single major event, or through gradual erosion. Governments, businesses or individuals could cause it. Fragmentation could occur intentionally, as loss of trust leads to explicitly isolationist policies. Or it could occur semi-intentionally, as governments adopt increasingly protectionist stances on digitally enabled services. Or it could occur unintentionally, as uncoordinated policy developments in different jurisdictions result in a disparate set of requirements to operate globally.
Risk and Responsibility in a Hyperconnected World examines the link between responses to cyber resilience concerns and the creation of real economic value. If cyber resilience is a potential risk to growth and competitiveness, it is also an enabler. Countries and companies that invest in and develop cyber capabilities to instil trust in customers, citizens and investors will have a competitive edge in this digital era. This report also outlines the key action areas for leaders across private, public and civil society to drive collective cyber capabilities and resilience.
TABLE 1: FOUR CATEGORIES