Earlier this week Digital.Report released the Russian-language version of the Cyber-Readiness Index 2.0 (CRI 2.0) produced under the auspices of the Potomac Institute for Policy Studies. The report emphasizes the significance of cybersecurity in the socio-economic development of a country and provides an actionable blueprint for governments to enhance their national cyber-readiness. Melissa Hathaway, former acting senior director for cyberspace at the National Security Council and presently senior advisor to Harvard’s Cyber Security Project, served as the report’s principal investigator. In an interview with Digital.Report, Melissa elaborated further on some of the Index’s key ideas.
What are “cyber readiness” and “cyber insecurity,” two terms that the report introduces?
Cyber readiness is an evaluation and assessment of a country’s preparedness level for certain cybersecurity risks. As a country pursues a digital agenda — increasing Internet penetration and information communications technology (ICT) uptake through-out society — it must equally commit to increasing the resiliency and stability of its Internet-infrastructure entanglement by reducing the exposure resulting from dependencies and vulnerabilities.
Preserving the security and resilience of these connected infrastructures is an essential component of a country’s digital future. Economic security and national security agendas must work in harmony to preserve the desired security and economic outcomes through mutually supporting policies, plans, laws, standards, market levers (e.g., incentives and regulations), and other initiatives.
Cyber insecurity represents the gap between the level of preparedness and the actual harm that is caused by an immature readiness level. Reliance on the Internet has come with a price: data breaches, criminal activity, service disruptions, and property destruction. By connecting so many aspects of a country’s economy and vital services to the Internet, countries are faced with new vulnerabilities that undermine the availability, integrity, and resilience of their core infrastructure, and more importantly, cause real economic losses in GDP terms that threaten our traditional views on security, stability, and sovereignty.
How do you measure cyber readiness, what are the fundamentals of your methodology?
The CRI 2.0 uses over seventy unique indicators across seven essential elements: national strategy, incident response, e-crime and law enforcement, information sharing, investment in R&D, diplomacy and trade, and defense and crisis response, to provide a framework for a country to develop a stronger security posture that can defend against GDP erosion. Each of these essential elements, if pursued in tandem, can help a country develop a stronger security posture that can defend against cyber insecurity and economic erosion. The CRI 2.0 challenges the conventional wisdom that cyber security is predominately a national security issue. It demonstrates how national security is closely intertwined with Internet connectivity and rapid adoption of ICT, which when secure, can lead to economic growth and prosperity.
The positive impact of the Internet on countries, communities, businesses, and citizens can only be sustained if the service is accessible, available, affordable, secure, interoperable, resilient, and stable. This is why the country selection for the CRI 2.0 had a focus on Internet connectivity and ICT uptake as well as economic strength. The country selection includes the top 75 countries from the ITU ICT Development Index (IDI) to emphasize the importance of connectedness. Members of the G20 economies were added because they represent 90 percent of the global GDP, 80 percent of the international trade, 64 percent of the world’s population, and 84 percent of all fossil fuel emissions. In order to be regionally representative and globally inclusive, additional countries were selected from a number of major regional organizations.
The process of evaluating the 125 countries on each of the 70 indicators is underway. Each is assessed according to three levels of cyber readiness:
- Insufficient evidence: evidence is lacking or has yet to be located. It is possible, however, that the data exists but is not yet publicly available or is classified.
- Partially operational: there is evidence of policies, activities, and/or funding, however, the activity may be immature, incomplete, or still in the early stages of development. While these initiatives can be observed, it may be difficult to measure their functionality.
- Fully operational: there is sufficient evidence to observe and measure a mature, functioning activity.
The results are averaged to create an overall readiness assessment per country. The analysis provides an actionable blueprint for a country to better understand its Internet-infrastructure dependencies and vulnerabilities and assess its preparedness to cyber risks.
While no one country is 100% cyber-ready, what are some of the most/least cyber ready countries?
While no country is cyber ready, there are countries that have developed some effective mechanisms to achieve cyber readiness/preparedness in line with the CRI 2.0 methodology. For example, Germany and South Korea have developed incident response exercises with a focus on critical infrastructure and nuclear power. The Member states of the Shanghai Cooperation Organization (SCO) have made a commitment to protect their society against cyber crime by ratifying an “Agreement on Cooperation in the Field of Ensuring Information Security,” known as the Yekaterinburg Agreement.
The Netherlands created the National Cyber Security Centre—a public-private partnership—to foster information sharing and collaboration in the country. Israel provides significant tax breaks for cyber defense companies to co-locate their facilities at their national cyber park in Be’er Sheva as a mechanism to foster cyber R&D. Russia is developing cyber defense and crisis response capabilities in the event of a cyber crisis. These are just a few examples of how countries are starting to demonstrate cyber maturity in specific areas. There are, however, many other mechanisms that can increase a country’s level of preparedness and the CRI 2.0 methodology describes them in detail.
The countries that are the least cyber ready are those that are undertaking development and modernization initiatives — embedding mobile Internet, cloud computing, big data, quantum computing, and the Internet of Things (IoT) into the core of their society, without regard to the attendant risks and vulnerabilities that come with these “advancements.”
Are there any identifiable correlations/patterns between cyber readiness and these countries economic/social/political developments?
There is certainly a correlation between a country’s cyber readiness and their economic development. The World Bank, for example, estimates that when ten percent of the population in developing countries is connected to the Internet, the country’s GDP grows by one to two percent, and the World Economic Forum reported that even doubling mobile broadband data use can lead to a 0.5 percent increase in GDP growth. The economics of embracing the Internet and ICTs cannot be ignored. The 2016 worldwide ICT spend is estimated at $3.6 trillion; the near term economic opportunity of connecting people, places and things is estimated at $19 trillion, and dome reports go even further to suggest that the modernization of industrial systems (e.g., electric power grids, oil and gas pipelines, manufacturing, etc.) represents a 46% share of the global economy, and could rise to as much as 50% in the next ten years.
Nations cannot afford to ignore this economic opportunity. But few are considering the impact and economic costs of less resilient critical services, exposure/violation of citizen privacy, theft of corporate proprietary data and state secrets, and the impact of e-fraud and e-crime—all of which lead to economic and national security instability. There are a number of studies that estimate economic losses of at least 1% of national GDP due to illicit cyber activities. The CRI 2.0 establishes a framework to guide countries in securely pursuing the economic growth of a resilient, ICT enhanced, and connected society. It provides a blueprint to assess the gap between a country’s current cyber security posture and the national cyber capabilities needed to support its digital future.
What are some practical steps a country can take to increase its cyber readiness?
The first step a country should take towards increasing its cyber readiness is to develop a National Cyber Security Strategy. This strategy must: outline the economic opportunities and risks associated with ICT uptake; identify the competent authority responsible for the implementation of the strategy; devise the mechanisms required to secure critical cyber infrastructure and ICT uptake; and recognize the need to commit limited resources (e.g. political will, money, time, and people). Other steps a country can take include: establishing a national incident response capability and an information sharing mechanism that enables the exchange of actionable intelligence between and among government and industry partners; devising new mechanisms or updating existing laws to protect society against cyber crime; investing in cyber security basic and applied research (innovation) and funding cyber security initiatives broadly; engaging with other governments diplomatically and during trade negotiations on cyber-related issues; and enhancing the ability of their national armed forces and/or related defense agencies to defend their country from threats emanating from cyberspace.
Moreover, as countries chart their path towards cyber readiness, successful execution of initiatives require management principles that include specific, measurable, attainable, result-based, and time-based objectives; and recognize the need to commit limited resources (e.g., political will, money, time, and people) in a competitive environment to achieve the necessary security and economic outcomes.
The report is directed at nation-states. What role, if any, can cyber industry and civil society play in this process?
The CRI 2.0 challenges the conventional wisdom that cyber security is primarily a national security issue, and thus a predominantly government problem. The CRI 2.0 blueprint shows how national security is closely intertwined with Internet connectivity and rapid adoption of ICT, which when secure, can lead to economic growth and prosperity. These goals can only be achieved when governments work actively and effectively with their industry partners and other Internet stakeholders, such as civil society. Indeed, governments must recognize the fact that the private sector designs, builds, operates, maintains, and restores the very systems that process, transmit, and operate the country’s most important information and most vital infrastructures. While governments remain the ultimate guarantor of their citizens’ safety and well-being, they cannot do it without the participation of their industry partners. Governments are struggling to identify the appropriate market levers that facilitate the risk reduction activities required to meet the economic and national security interests of their citizens. The CRI 2.0 identifies a number of areas where private-public partnerships are needed in order to be cyber ready.
In light of the Russian version release, what do you hope audiences in Eurasia take away from the report, and what would be your specific message to the region’s public and, perhaps, the governments?
In the last 30 years, the Internet and ICTs have become a preeminent catalyst of global economic growth and social development. As ICTs become more ubiquitous, they are reshaping many aspects of the world’s economies, governments, and societies—from the way goods and services are produced, distributed, and consumed, to how governments deliver services and disseminate information, to how businesses, and citizens interact and participate in the social contract. Countries cannot afford to ignore the opportunities and risks to the Internet economy.
Yet, the threat to our networked systems and infrastructures is real and growing. Data breaches, criminal activity, service disruptions, and property destruction are becoming commonplace. The resources available to increase the resilience of our infrastructure and decrease the exposure of our countries to damage, however, are finite. The CRI 2.0 offers a framework for a country to evaluate the gap between a its current cyber security posture and the national cyber capabilities needed to support its digital future. This comprehensive, comparative, experience-based methodology can help national leaders chart a path toward a safer, more resilient digital future in a deeply cybered, competitive, and conflict-prone world.
Finally, the CRI 2.0 methodology is dependent on original sources of information to properly represent the policies, plans, laws, market mechanisms, and other initiatives that are represented in the 70 different evaluation criteria. We welcome government, industry, and broad participation to support the data gathering and validation of the CRI 2.0 country level assessments. The Cyber Readiness Index team can be reached at: CyberReadinessIndex2.0@potomacinstitute.org. The success of this project depends on authoritative information and active involvement of each country.
Stanislav Budnitsky @sbudnitsky is the editor of Digital.Report and a Visiting Scholar at the Center for Global Communication Studies, University of Pennsylvania.