White Paper
Global Agenda Council
on Cybersecurity
April 2016
World Economic Forum
91-93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0)22 869 1212
Fax: +41 (0)22 786 2744
Email: contact@weforum.org
www.weforum.org
World Economic Forum®
© 2016 – All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.
REF 180416
Contents
4 Executive Summary
6 Introduction
7 Emerging Trends
10 Current Tensions and Considerations
19 Securing the Future
25 Conclusion
26 Appendix A
32 Acknowledgements
Global Agenda Council on Cybersecurity 3
Executive Summary
Fuelled by billions of users and endless new internet of things devices, we are in the midst of an explosion of hyperconnectivity. This means attackers can now disrupt more people through more devices, and each year there are more breaches, more affected companies and users, and more damage. It is increasingly clear that no one is immune from cyberattacks.

For this reason, it is imperative that the public and private sectors balance and prioritize the limited resources available to address cybersecurity challenges. Too often, cultural and financial pressures encourage devaluing investments in cybersecurity. Before those pressures can change, the public and private sectors must better understand the tensions that make it difficult to fully embrace cybersecurity best practices, as well as the obstacles to effective collaboration.

What the Private Sector Should Know About Public Sector Tensions:

Among the many significant challenges that can make it difficult for the public sector to effectively address cybersecurity issues, there are three particularly important hurdles:

1. International fragmentation: Differences in approaches to cybersecurity, data jurisdiction and legal enforcement (not to mention culture, language and politics) across jurisdictional and territorial boundaries can make it hard to effectively prevent, investigate and prosecute cyberattacks.
2. International norm-setting: International political differences and country-specific agendas can make it difficult to develop consensus norms regarding cybersecurity, let alone enforce those norms consistently and effectively.
3. Roles with respect to the private sector: The varying and sometimes confrontational roles that the public sector must play, spanning regulator to information sharer and collaborator, can create tensions with the private sector that can be counterproductive to trust and cooperation.

What the Public Sector Should Know About Private Sector Tensions:

Similarly, there are many significant challenges that can make it difficult for the private sector to effectively address cybersecurity issues, including two particularly important obstacles:

1. Misalignment of incentives for cybersecurity best practices: Companies often fail to take basic steps to protect their systems and their users because companies are placed in the difficult position of balancing the market pressures of rapid innovation against sustained investments in cybersecurity, which may raise costs or delay delivery of products to market.
2. Ecosystem complexities: Today’s software and hardware environments are increasingly complex ecosystems populated by a network of interacting devices, networks, people and organizations. This means cybersecurity solutions often require the voluntary engagement, cooperation and investments of many independent entities, while the incentives and mechanisms for taking such actions are distributed inconsistently across the ecosystem.

Additionally, there are obstacles that impede public-private sector collaboration on cybersecurity issues, including trust deficits between the government and private sector, the challenge of maximizing the effectiveness of government interventions while balancing security objectives with fast-paced innovation, and the weakness of existing information-sharing frameworks.

Securing the Future

These powerful tensions within the ecosystem make it clear that systemic changes are necessary to realign approaches to cybersecurity. Although there is no quick fix, there are steps that organizations can take immediately to begin to address cybersecurity challenges. These include:

1. Adopting best practices and cyber hygiene: An important first step is developing policies and procedures that include regularly validating approved hardware and authorized software, establishing secure system configurations, timely patching of applications and operating systems, controlling and auditing user privileges and educating users.
2. Improved authentication: Organizations must move beyond insecure passwords to mechanisms such as two-factor authentication and continuous authentication technology, which will become increasingly important as more devices connect to our networks.
3. Preparing for attacks: It is critical that organizations take steps to prepare for eventual attacks, including enhancing forensic capabilities, developing business continuity plans and developing plans for regaining user trust.

The public and private sectors acting alone cannot overcome the culture and incentives that make cybersecurity so difficult today. To address these systemic challenges, the public and private sectors must come together in several ways, including:

4. Blended governance approaches: The public and private sectors must explore new ways of collaboration that would leverage the perspectives of governments, companies, civil society and academia.
5. Careful government interventions: The public and
private sectors must collaboratively construct effective
regulations and frameworks that address cybersecurity
needs without hampering innovation or diminishing
trust.
6. Independent security organizations: Independent
organizations can reward implementation of best
practices and create high-information consumers.
7. Holistic cybersecurity education: More holistic
educational programmes can provide cybersecurity
professionals with a range of necessary skills beyond
the purely technical.
There is no silver bullet for cybersecurity, but that does not
mean the problems are intractable. Instead, it means that
careful collaboration between the public and private sectors
is necessary to address these complex challenges in an
ongoing and comprehensive manner.
1. Introduction
The Global Agenda Council on Cybersecurity, one of the World Economic Forum’s 80 Global Agenda Councils, was formed to explore and develop practical solutions to the challenging questions on changing cybersecurity trends and emerging new challenges. Cybersecurity can no longer be left to IT departments and security groups within companies. It is an issue that requires engagement at the highest levels of both industry and government.

The council’s members include cybersecurity experts, policy-makers, business executives, civil society representatives and academics. Over the course of several meetings, these experts have identified and debated some of the central issues, challenges and opportunities relating to cybersecurity. This report synthesizes several of the ideas expressed at these meetings.

Cybersecurity has already become a critical issue across business, industry, government and civil society; it will only grow more urgent as the online world becomes a central and underlying component of the physical world. As of the end of 2015, 3.2 billion people are connected to the internet in some form, including 2 billion from developing countries. And this is growing at a rapid pace. From 2000 to 2015, the global internet penetration rate grew from 6.5% to 43%.1 Those people, and the many more who join each year, rely on the internet for their jobs, commerce, culture and communications. And they are connected by more than just PCs and mobile devices; increasingly, everyday products and core infrastructure – including refrigerators, thermostats, the electrical grid and aircraft engines – rely on embedded computers and network connections. As society and industry become more dependent on these internet-connected devices, the significance of cybersecurity increases as well.

The public and private sectors each face difficult and unique challenges in balancing their varied roles and responsibilities, and prioritizing their limited financial, time and human resources. Too often, members of the public sector fail to appreciate the complexity of the challenges that the private sector faces and vice versa. These misunderstandings can inhibit effective collaboration and partnerships. This report tries to break through those barriers to build a foundation on which collaboration can thrive.

There are no easy solutions, but the good news is that there are things the private sector can do right now to address these cybersecurity challenges. By following and implementing cyber hygiene and best practices, companies can make an immediate and positive difference. However, without cooperation between the public and private sectors, such measures will be inadequate. The private sector on its own cannot create a culture that emphasizes security practices, realign financial incentives that reward speed over security, or mend trust deficits with the public sector. But together with the public sector, these challenges can be addressed. Through the use of new multistakeholder processes, as part of blended governance frameworks, public-private partnerships can begin to change the culture and incentives of security best practices, create frameworks for collaboratively constructing effective cybersecurity regulations and tools without hampering innovation or diminishing trust, and support the creation of independent security organizations that enable well-informed consumers.

The World Economic Forum possesses a unique ability to focus the attention of decision-makers at the highest levels of both the public and private sectors, and to harness their energies in devising creative and effective solutions. In that way, the Forum is the ideal institution to address cybersecurity issues. The Global Agenda Council on Cybersecurity, as well as the Forum’s Future of the Internet Initiative’s Cyber Crime project, present unique opportunities for exploring innovative solutions to a complex and ever-evolving problem. As described below, advancing cybersecurity will require multistakeholder collaboration and international cooperation. The World Economic Forum’s Global Agenda Council on Cybersecurity is proud to be a contributor to that effort.
2. Emerging Trends
Many public and private sector decision-makers intuitively appreciate that cybersecurity is an important consideration. But less clear are the tectonic shifts pushing the issue to the fore. Although there are many factors that contribute to cybersecurity’s increasing saliency, three are worth identifying here: (1) the shift toward cloud services and more devices’ built-in internet connectivity; (2) the increased prevalence, severity and fallout of data breaches; and (3) the inability of security to keep pace with technological development.

A. Increased Reliance on Internet-Connected Devices and Services

Key takeaway: The internet of things and cloud computing are creating new opportunities for vulnerabilities and crime while simultaneously expanding the potential devastation of such attacks.

Decreasing costs of hardware, software and internet connections, combined with greater bandwidth capacity, are enabling companies to put internet connections into previously unconnected devices,2 while making users more reliant on data centres and cloud computing.3 Taken together, these two trends have enabled rapid changes in the capabilities of software, products and services. But they have also opened new opportunities for crime and espionage, and simultaneously expanded the potential devastation of such attacks.

Cheaper and faster technology is making cloud computing increasingly technically and economically viable. The cost of digital storage has plunged from $300,000 per gigabyte of data in 1981 to $0.03 per gigabyte in 2014.4 Files that would have taken days to download over a 28.8 kbps dial-up connection can be transferred in minutes or seconds over today’s broadband connections. These changes have enabled an array of new services that move many aspects of computing, including data storage and analysis, to remote systems that provide access and computational power to users on an as-needed and aggregated basis. Companies are no longer required to build their own network infrastructure; companies can instead use elastically scalable cloud computing to rent remote storage and processing capabilities and easily scale up their resources as they grow. In fact, major internet companies such as Dropbox, Netflix and Pinterest do just that – they have built entire platforms on server infrastructure rented from other companies. Consumers benefit from cloud computing as well, using online services to store, access, synchronize and share files, photos and other digital assets.

As cloud computing has become more common, the centralization of services and the explosion of internet of things (IoT) devices have created a hyperconnectivity that creates new challenges for cybersecurity:

1. Centralization of services: Cloud computing has unburdened smaller companies from the need to invest in infrastructure, which has decentralized and democratized opportunities for smaller companies to deploy innovative services. But this has also led to centralization at the infrastructure level onto a handful of platforms. Only a few companies have the resources to build and deploy the massive data centres necessary for modern internet services. For that reason, a large portion of internet data and traffic is managed by a concentrated pool of companies including Amazon, Microsoft, Google, Rackspace and IBM. This centralization presents both challenges and opportunities; these large data centres are often better equipped to maintain their services and defend against attacks than the average small company, but they also present more tempting targets for attackers.
2. Expansion of connected devices: The transfer of services and data to the cloud has also enabled the rapid adoption of interconnected devices, including both mobile devices and IoT. Increasingly, individuals are relying on mobile devices for internet connectivity. Mobile broadband (i.e., 3G and 4G connections) penetration has reached 47% worldwide and is estimated to grow to 70% by 2020,5 enabling new online services such as mobile banking in sub-Saharan Africa.6 Additionally, the cloud has enabled an array of internet-connected physical objects (IoT) ranging from critical infrastructure to personal devices. These objects have the ability to generate data through a variety of sensors and then process and store that data in the cloud. Some estimate that by 2020, there will be 25 billion connected “things” in use,7 most with durability, latency, enrolment, vulnerability, authentication and privacy challenges.

Taken together, this hyperconnectivity of services and products has greatly increased the ability of attackers to reach more users through more devices. Every new connected device introduces another potential entry point to the network, increasing the overall attack surface. Cloud computing and IoT are forecast to create unprecedented opportunities for improving lives and enabling innovation. Unfortunately, they also invite a new set of cybersecurity challenges.
Cloud computing service providers’ incentives may not always align with greater investments in cybersecurity, or they may simply lack the necessary expertise. Many companies that have marketed conventional industrial machines or non-computerized appliances or services are now grappling with complex security issues. For example, car manufacturers, consumer appliance manufacturers, livery services and industrial equipment manufacturers are facing many of the same challenges that have traditionally been considered “computer” problems. The universe of devices connected to the internet is vast, and developers and manufacturers bring different corporate cultures, experiences and expertise when designing the security of their products. And for some, that experience and expertise is limited.

B. Breaches and Vulnerabilities Are Increasing in Frequency and Severity

Key takeaway: Attacks are inevitable. Over the past year, major entities from nearly every sector have suffered significant attacks, and the commoditization of exploits and vulnerabilities will only enable more attacks.

The number and severity of breaches continue to rise. According to one report, there were 1,540 breach incidents in 2014, affecting over 1 billion records – a dramatic increase from 1,056 incidents affecting 575 million records in 2013.8 Cybersecurity is a challenge for entities both large and small, sophisticated and not. A recent study conducted for the UK government found that 90% of large businesses and 74% of small businesses had suffered a data breach over the past year, both increases over the previous year.9

Over the past couple of years, breaches have affected some of the most important industries worldwide – including finance, healthcare, entertainment – and governments. In mid-2014, a small team of criminals infiltrated JP Morgan Chase’s computer system to steal the personal information of 83 million individuals and small businesses as part of a securities fraud scheme.10 In early 2015, attackers used a variety of exploits to steal 80 million social security records and other personal data from the US health insurance company Anthem. And in October 2015, police arrested two teenagers for stealing bank and personal information of up to 4 million customers from the UK telecoms company TalkTalk.11

Government systems have also been the target of attacks. For example, in January 2014 it was revealed that an employee of the Korea Credit Bureau had stolen the personal credit card data of 20 million South Koreans and sold the information to marketing firms.12 In June 2015, the United States Office of Personnel Management discovered a year-long intrusion into its systems. The attack compromised the records of over 21 million current and former US government employees, including social security numbers, sensitive background-check records and even fingerprints.13 While the attacks were originally believed to have originated from nation-state sponsored adversaries, the Chinese government recently arrested several criminal hackers who allegedly conducted the attack.14

Sony Pictures suffered a crippling attack in late 2014, suspected to be the work of hackers tied to a nation-state government. The hackers, allegedly motivated by the pending release of the Sony film, The Interview, stole and then released large files including unreleased movies and scripts, internal financial reports, employee health information, and a trove of publicly embarrassing internal emails. The attack crippled Sony’s systems, including: “The telephone directory vanished. Voicemail was offline. Computers became bricks. Internet access on the lot was shuttered. The cafeteria became cash-only. Contracts – and the templates those contracts were based on – disappeared.”15

These examples make apparent that there is no single cybersecurity threat or adversary. Instead, threats take many forms. Attackers can be nation-states or affiliated hacking groups; they can be criminals, or a disgruntled employee. Attackers can be motivated by political or commercial gain. They can take advantage of human mistakes, technical vulnerabilities, or a combination of these. They can use any of the high-profile vulnerabilities that have been found in popular user software such as Flash, critical security protocol toolkits like OpenSSL (e.g., Heartbleed), and mobile device operating systems like Android (e.g., Stagefright).

It is difficult to measure the costs of such attacks. Many estimates exist, and while the exact amounts may not be accurate or useful, they underscore the potential severity. For example, IBM and the Ponemon Institute estimate that the average consolidated cost of a data breach is $3.79 million.16 By contrast, the 2014 Verizon Data Breach Investigations Report suggests a range of costs, depending on the number of stolen records; while a breach of 100 records is estimated to cost a company anywhere from $1,000 to over $500,000, a breach of 100 million records could cost between $400,000 and just under $200 million.17 Highly regulated industries, such as healthcare, education and finance, may have even higher data breach costs.

Not only is no one immune from these high-cost attacks, but it is becoming easier to obtain the tools necessary to perpetrate them. Lucrative grey and black marketplaces for selling hacking tools, software vulnerabilities and exploits – particularly coveted zero-day exploits – facilitate and enable attacks. The increasing availability of the tools required for a successful cyberattack has increased both the number and sophistication of attacks,18 and developments like machine learning, which will lead to attacks that rapidly evolve, will only increase the sophistication of attacks in the future. Cyber criminals have evolved from discrete, ad hoc networks of individuals to a highly organized system of financially driven criminal enterprises around the globe. And this commoditization of cyber offensive tools will continue to enable the growth of cyberattacks.
C. Business and Technology Developments Outpace Security Improvements

Key takeaway: The speed and pace at which new products and services are being developed outpaces the ability and/or willingness of companies to address cybersecurity risks.

The growing threat of attacks is compounded by the fact that the speed and pace of development for new products and services outpace companies’ abilities to respond to cybersecurity threats. For many companies, security considerations are secondary as they balance the market pressure for rapid innovation against investments in cybersecurity. Emphasizing cybersecurity may not lead to immediate or measurable impacts on earnings or might delay bringing products to market. For that reason, it is easy for executives and board members to view investments in cybersecurity as a waste of money or, worse, a waste of critical time. Even seemingly small tasks such as rolling out and installing updates and patches can take a long time. In some cases, patches may break core product functionality or prove too expensive and might be forgone entirely. The 2015 Verizon Data Breach Investigations Report, for example, noted that “99.9% of the exploited vulnerabilities had been compromised more than a year after” the vulnerability had first been publicly disclosed and a patch made available. More often than not, critical product updates remain unapplied well after vulnerabilities have been discovered.19

The pace of technical development also makes it hard for institutions and individuals to make informed purchasing decisions. The technical complexity of cybersecurity is only one piece of that information gap. Some of the same factors that enable the fast pace of innovation also create barriers to informed purchasing with respect to cybersecurity, including:

– Lower barriers to market entry: Developing new online tools and services might have previously required companies to invest heavily in capital expenditures, including servers and other network infrastructure. Now companies can rent elastically scalable infrastructure, lowering the initial investment costs and making it easier for anyone to enter the market, no matter what their competence.
– Ease of becoming a developer: Big software companies like Microsoft and Google have extensive hiring, training and quality-assurance programmes, which can help ensure (although by no means guarantee) that end products reflect expertise in cybersecurity. Now, however, app stores like those found on the Android and iOS ecosystems have lowered the bar for becoming a developer and distributor. These developers may have neither the knowledge and experience to address cybersecurity issues nor the resources to respond to issues when they arise.
– Fewer signalling devices and less accountability: With new market entrants emerging daily, it is harder for consumers to rely on brand name as a proxy for quality. Where a brand name company might face market pressures to address cybersecurity lapses in its products, there is no guarantee that a new start-up will even exist in six months, let alone respond to issues. This can make it harder for consumers to identify quality apps and hold developers accountable when issues arise.20

Collectively, these changes in the marketplace can increase the cybersecurity risks faced by consumers and users of products and services by making it harder for them to properly assess the associated risk of new tools and services.
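The patch-latency figure quoted above, and the cyber hygiene step in the Executive Summary (validating approved software, timely patching, auditing privileges), both reduce to checks an organization can run against its own inventory. The following Python is an added illustration of such an audit, not code from the white paper or the Forum; the host inventory, the allowlists, the 30-day patching target and the one-year critical mark (taken from the report's "more than a year" figure) are all constructed for this example, and every name in it is this example's own.

```python
"""Added example (not from the WEF white paper): a small cyber-hygiene audit
over a constructed host inventory. It checks three controls named in the
Executive Summary: software allowlisting, patch timeliness and privileged-
account review. Inventory, allowlists and thresholds are made up here."""
from datetime import date

# --- Policy (assumed values for illustration) ---
APPROVED_SOFTWARE = {"openssh-server", "nginx", "postgresql", "chrony"}
APPROVED_ADMINS = {"alice", "svc-backup"}
PATCH_SLA_DAYS = 30        # internal target for applying a released fix
PATCH_CRITICAL_DAYS = 365  # the "more than a year" mark quoted from the DBIR
AUDIT_DATE = date(2016, 4, 18)  # the constructed "today" for this run

# --- Constructed inventory, in the shape an agent or CMDB export might return ---
INVENTORY = [
    {"host": "web-01",
     "software": {"nginx", "openssh-server", "netcat"},
     # package -> date its security fix was published but not yet applied
     "pending_fixes": {"nginx": date(2016, 2, 20)},
     "admins": {"alice", "bob"}},
    {"host": "db-01",
     "software": {"postgresql", "openssh-server", "chrony"},
     "pending_fixes": {"openssh-server": date(2015, 2, 1)},
     "admins": {"alice", "svc-backup"}},
    {"host": "jump-01",
     "software": {"openssh-server", "chrony"},
     "pending_fixes": {},
     "admins": {"svc-backup"}},
]


def audit_host(host: dict, today: date) -> list:
    """Return (severity, control, detail) findings for one host."""
    findings = []
    # 1. Software not on the allowlist: unexpected tooling on a server.
    for pkg in sorted(host["software"] - APPROVED_SOFTWARE):
        findings.append(("medium", "software-allowlist",
                         f"{host['host']}: unapproved package {pkg}"))
    # 2. Patch age: a released fix that is still pending, graded by how long.
    for pkg, released in sorted(host["pending_fixes"].items()):
        age = (today - released).days
        if age > PATCH_CRITICAL_DAYS:
            findings.append(("critical", "patching",
                             f"{host['host']}: {pkg} fix unapplied for {age} days"))
        elif age > PATCH_SLA_DAYS:
            findings.append(("high", "patching",
                             f"{host['host']}: {pkg} fix {age} days past release, "
                             f"SLA is {PATCH_SLA_DAYS}"))
    # 3. Privileged accounts outside the approved administrator set.
    for user in sorted(host["admins"] - APPROVED_ADMINS):
        findings.append(("high", "privileges",
                         f"{host['host']}: unapproved administrator {user}"))
    return findings


def audit(inventory: list, today: date) -> dict:
    """Run audit_host over the fleet and total the findings by severity."""
    findings = [f for h in inventory for f in audit_host(h, today)]
    summary = {"critical": 0, "high": 0, "medium": 0}
    for severity, _, _ in findings:
        summary[severity] += 1
    return {"findings": findings, "summary": summary}


if __name__ == "__main__":
    report = audit(INVENTORY, AUDIT_DATE)
    for severity, control, detail in report["findings"]:
        print(f"[{severity:8}] {control:18} {detail}")
    print(report["summary"])
```

The value of a check like this is less the individual findings than the trend: run against a real inventory on a schedule, the count of fixes older than the SLA is the number that tells a board whether the "long time" the paragraph above describes is shrinking or growing.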
3. Current Tensions and Considerations

These emerging trends create a complicated and quickly evolving cybersecurity landscape. Both governments and companies struggle with unique challenges as they try to balance and prioritize resources and responsibilities. Too often, for the public and private sectors, security is an afterthought. Simple steps, like cyber hygiene and adopting best practices, remain undone because of cultural and financial pressures that allocate financial, time and human resources to other priorities. While the public and private sectors could begin to address these challenges together, often they fail to appreciate the difficult tensions they each face. Before the public and private sectors can effectively collaborate on cybersecurity, they must better understand the tensions and considerations that shape their respective approaches to cybersecurity.

A. What the Private Sector Should Know About Public Sector Tensions

Key takeaway: The public sector must simultaneously play a multitude of roles with respect to cybersecurity, which can create conflicts, confusion and distrust. Governments face significant challenges as they attempt to balance those roles while navigating complex relationships with national, regional and global stakeholders.

It is important for the private sector to keep in mind that any single government or agency can be playing one or many roles in the cybersecurity ecosystem. And in playing each of these roles, the government may have different, or even competing, interests and objectives. These roles can include:

– Governments as defenders – governments strive to protect their citizens from harm, which may include promoting cybersecurity best practices, aggregating intelligence, or even engaging in offensive operations that weaken the cybersecurity of other countries.
– Governments as users – governments rely on effective cybersecurity to defend their own systems.
– Governments as regulators – acting through their legislative, judicial and regulatory branches, governments regulate to implement policy through the rule of law.
– Governments as stakeholders – acting through a variety of bilateral and multilateral negotiations and agreements, governments establish international law or norms to govern cybersecurity.
– Governments as coordinators – governments coordinating public and private initiatives, through standard-setting processes, and by facilitating the sharing of information between private and public stakeholders.
– Governments as promoters – governments actively promoting cybersecurity and the local companies that enable it through endorsement, funding and incubation programmes.
– Governments as researchers – governments conducting or funding research on technical or societal issues related to cybersecurity.
– Governments as service providers – governments providing cybersecurity (or information relating to it) for use by other government agencies or the public.
– Governments as educators – governments educating both citizens and the private sector about the importance of and approaches to cybersecurity.21

In playing these various roles, each important in its own way, governments are continually switching from one role to the next, as they rebalance, reprioritize and reshape their objectives. This can create shifting, challenging and even confusing relationships with stakeholders and the private sector. For example, in the course of responding to and investigating cybersecurity incidents, governments must balance cross-border cooperation while resolving conflicting national laws and jurisdictional claims, and protecting their own national interests. At the international level, governments must balance multilateral cooperation with unilateral action as they encounter a messy and evolving set of global norms. And in the course of pursuing national security, governments struggle to find the right balance of cooperation and coordination with the private sector, as well as the right balance between government’s offensive and defensive roles.

1. International Fragmentation

Key takeaway: Fragmentation, both legal and technical, has complicated government efforts at responding to, investigating and prosecuting cybersecurity incidents. Outdated and inadequate bilateral and multilateral mechanisms have necessitated striking a difficult balance between cooperation and confrontation at the international level.

Government efforts at addressing cybersecurity are often complicated by the legal and technical fragmentation of the internet. The internet is not an international network, but a transnational one. For that reason, responding to and investigating cybersecurity incidents requires, among other things, coordination across territorial and jurisdictional boundaries. However, legal fragmentation has been a significant obstacle to international cooperation. This legal fragmentation emerges from differences across jurisdictional and territorial boundaries in approaches to cybersecurity, along with differences in culture, language and politics.

In cybersecurity investigations, governments must carefully balance claims of “data sovereignty”, which refers to the tricky questions relating to assertions of jurisdiction over data as it is stored within, and transits across, national boundaries. Any country physically involved in the processing, storage or transmission (origination, destination, or intermediary) of data could be said to have a jurisdictional claim over that data. Governments must carefully navigate this complex, and often competing, set of assertions in order to obtain data necessary to an investigation.

When governments try to resolve these jurisdictional questions, it can lead to tensions with other nations and with private sector companies. For example, in December 2013, as part of a federal narcotics investigation, the United States government was trying to obtain access to a particular customer’s emails that were stored at a Microsoft data centre in Dublin, Ireland. One option for the US government would have been to exercise the Mutual Legal Assistance Treaty (MLAT) process, a system of bilateral and multilateral agreements by which nation states commit to assisting one another in criminal investigations and prosecutions. In complex international investigations into cybersecurity incidents, such cross-national cooperation is often necessary and is an increasingly important part of investigations. According to estimates from the US Department of Justice, over the past decade the number of MLAT requests to the US increased by 60%, with computer records requests increasing tenfold.22

However, as a mechanism for addressing cybersecurity, the MLAT process has, in practice, proven difficult and frustrating for law enforcement. Many of the MLAT

Similarly, in response to concerns about US surveillance, the European Court of Justice struck down the “Safe Harbor” data-transfer provision of the 1995 Data Protection Directive in October 2015. The Safe Harbor rule had permitted companies outside the EU to store and process the data of Europeans, as long as they self-certified their ability to adequately protect that data. In response to the court’s decision, the EU and US announced a new framework for transatlantic data flow. This new agreement – the EU-US Privacy Shield – includes a requirement that American companies wishing to import data from Europe meet new obligations on how personal data is processed and individual rights are guaranteed. In addition, the EU-US Privacy Shield includes limitations, safeguards and oversight mechanisms protecting the rights of EU citizens during US government law enforcement and national security investigations. The EU-US Privacy Shield also provides for mechanisms for EU citizens to seek redress for violations of the agreement and for annual reviews of the agreement.26 Although the EU-US Privacy Shield must still be adopted, the entire affair highlights the risk of greater fragmentation through conflicts over data sovereignty.

2. National Security and International Norms

Key takeaway: The development of norms can lag substantially behind technological developments. And even when norms are established, they can be applied inconsistently.

It is important for the private sector to keep in mind that governments operate in an international arena where they are continually constrained by norms of behaviour. These norms can be an effective way to counteract fragmentation through shared understandings and agreements for addressing cybersecurity challenges. Through mechanisms ranging from legal treaties to non-binding statements, informal customs and principles, governments have
agreements were drafted before the globalization of data increasingly sought to establish international norms
and, as a result, investigators are often waiting months and agreements on investigations into cybercrimes and
for responses to MLAT requests. Cybersecurity incidents acceptable practices relating to cyber activities. However,
require quick responses because digital evidence can the development of norms also poses challenges for
quickly disappear, which makes it difficult for governments governments as they must often act to address new
to rely on MLATs in these circumstances. For those reasons, cybersecurity threats well before norms are established and
in the Dublin case the US government instead served a must carefully choose when to adhere to norms and when
warrant on Microsoft, claiming that the US had jurisdiction those norms interfere with their national laws and interests.
over the data because Microsoft is a US company. Microsoft
opposed the warrant, asserting that the US government’s There have been several recent, and largely successful,
jurisdiction did not reach data stored exclusively in another attempts at addressing aspects of cybersecurity through
country. This is just one example of the difficult choices norms. However, these efforts also highlight many of the
governments must make in balancing cooperation and challenges for governments. For example, in 2001, the
confrontation in cybersecurity investigations. Council of Europe adopted the Budapest Convention
on Cybercrime. The convention aimed to facilitate
Additionally, governments face a feedback loop that detection, investigation and prosecution domestically and
encourages greater levels of fragmentation. Governments internationally by increasing international cooperation. The
often invoke the challenges of addressing cybersecurity Budapest Convention currently has 54 signatories, with 47
issues as a reason for increasing fragmentation, which, in of those having ratified the convention. While considered a
turn, only makes it harder to address cybersecurity. Several success in many respects, it also demonstrates some of the
countries, including China,23 Russia24 and Brazil,25 have challenges of norm-setting, including:
proposed or enacted data localization laws to stop one
kind of cybersecurity threat (nation-state surveillance) even – Delays: Nearly half of the ratifying countries took a
though it may complicate addressing other cybersecurity decade or longer to complete ratification.
threats.
Global Agenda Council on Cybersecurity 11
– Lack of uniformity: The Budapest Convention, while not limited to European countries, remains a primarily European agreement, with many significant stakeholders around the world actively in opposition.
– Narrow scope: The convention, by design, only touches on a small aspect of cybersecurity; attempts to expand the convention to other topics have so far had only limited success.
– Conflicts of laws: Several countries have struggled with fully implementing the convention due to constitutional or statutory conflicts, particularly those relating to different conceptions of privacy and free speech.
– Slow to update: Nearly 15 years old, the convention has been criticized for not keeping pace with technological change and evolving needs.27

A more recent effort at international cooperation and norm setting is the United Nations’ 2014-2015 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of National Security (UNGGE), composed of representatives from 20 nations. The UNGGE released a report in July 2015, which built on previous efforts from 2010 and 2013. The report detailed existing and potential threats to information security and the possible cooperative measures to address them, including norms, rules or principles of responsible behaviour for states, and suggested various confidence-building measures to strengthen telecommunication and global information system security. That experts from 20 nations developed a consensus report on cybersecurity represents a positive turn towards establishing norms with respect to cyberspace. And although questions remain about the ultimate enforceability of the agreement, it remains a positive sign for the development of cybersecurity norms.

3. Cooperation with the Private Sector

Key takeaway: The public sector faces a difficult challenge of balancing the need to access information for investigations with the security of communications, privacy rights and commercial interests.

Governments play many roles and sometimes these roles can conflict, creating confusion and challenges for the private sector. Nowhere is that tension more apparent than in the current global debates about the proper limits of governmental authority in accessing digital communications. Within the past year, conflicts over the use of encryption in communication devices and services have taken centre stage, often throwing into tension governments’ roles as defenders, promoters, users and regulators. This debate has focused on both encryption of devices, which prevents anyone other than the owner from reading data stored on the device, and end-to-end encryption of communications. End-to-end encryption refers to the exchange of data over a communication channel that is completely encrypted from the sender to the intended receiver, meaning that anyone intercepting or passing the data, including service providers, law enforcement and intelligence agencies, cannot access the contents of the communication.

Over the past two years, several companies announced the availability of device and end-to-end encryption in their products. In 2014, Apple announced that iOS 8’s iMessage would encrypt communications end-to-end and that iPhones would be encrypted by default.28 Shortly after, Google followed suit by announcing that Android Lollipop would encrypt user data in certain messaging applications by default.29 In November 2014, popular instant messaging service WhatsApp, currently owned by Facebook, announced it would support an end-to-end encryption protocol called TextSecure.30 In March 2015, Yahoo introduced an extension that encrypted messages in Yahoo Mail.31

This trend towards greater encryption in consumer-grade software and devices has created a difficult challenge for governments, which must balance national security and law enforcement demands for additional information against the need for security in devices to prevent crime and fraud. Around the world, states have taken different regulatory approaches to this challenge. In the United Kingdom, for example, proposed legislation could potentially ban the use of end-to-end encrypted communications in applications including WhatsApp, iMessage and Snapchat.32 Similarly, the use of encryption in consumer messaging applications continues to be hotly debated in places like the US and France, particularly after the coordinated attacks in Paris in November 2015 and increased attention to the threat from groups such as ISIS.33

B. What the Public Sector Should Know About Private Sector Tensions

It is important for the public sector to understand that the private sector often fails to adequately address cybersecurity not because of a lack of solutions. In many cases, implementing those solutions may come at the cost of added expenses, reduced shareholder gains, delayed product releases, or impaired user experiences. There is no shortage of accepted best practices that companies could implement that would reduce the risk of attacks and the harms that would come from those attacks. For example, there are best practices relating to general corporate security, including the Center for Internet Security’s (CIS) set of Critical Security Controls for effective cyber defence.34 And there are best practices relating to network security management, including ISO 27001, the International Organization for Standardization’s (ISO) exhaustive set of security standards for an Information Security Management System (ISMS).35 And there are best practices relating to cloud security more generally, such as recommendations from the Cloud Security Alliance,36 and best practices for cloud security on specific platforms, such as the best practices for Amazon’s Web Services.37 Government agencies have also made available sets of best practices, including the Australian Signals Directorate’s list of 35 cybersecurity steps38 and the UK’s “10 steps to cybersecurity”, covering issues such as user privileges, system configuration, malware prevention and user education.39
Additionally, there are known best practices with respect to authentication. Understanding whether a user has the proper credentials and authority to access a service, system, device or network can be critical to ensuring cybersecurity. There is increasing recognition that passwords alone are an insufficient form of authentication. Here, too, there are acknowledged approaches to improving authentication, including biometrics, or two-factor authentication, which combines something you know (e.g., a password) with a physical object (e.g., an item unique to the user such as a mobile phone, ID card etc.).

There is no shortage of best practices, and implementing them would have measurable results. The Australian Signals Directorate estimates that 85% of the attacks it observes could be mitigated by simply following four basic steps, including patching applications and patching operating systems.40 And yet, although many of these best practices are known to mitigate a significant number of cybersecurity risks, many enterprises in the private sector, both large and small, fail to take these steps. In some cases, the limitation is a lack of awareness about available best practices. In many other cases, the obstacle for companies is in balancing the financial, time and human resources that such changes would require against the competitive market pressures that demand quick profits and rapid innovation.

1. Resources and Knowledge Gaps

Key takeaway: Companies face challenging questions about prioritizing the application of financial, time and human resources, necessitating difficult trade-offs between investments in new products and features, securing their own systems, securing end-user systems and data, and securing legacy products, all within a market that rewards rapid innovation and being first to market.

As seen above, there are many best practices and standards that companies could follow for addressing cybersecurity issues within their systems and products. However, on the whole, even with the increase in high-profile breaches, there are still many companies that simply take inadequate steps to secure either their own systems or their users’ data, or both. One reason for this gap between concept and implementation is that companies have limited financial, time and human resources and they face many pressures to prioritize issues other than cybersecurity.

Companies often have to balance the market pressures of rapid innovation and shareholder returns with ensuring security. Investments in security can prevent significant losses but may not generate positive returns on investment in the short term when compared to the potential returns from investments in innovation and future product development.41 Additionally, the market stresses rapid product development and often rewards those first to market. In such an environment, it is easy for cybersecurity to become a secondary priority to be addressed only after the product is developed.

Even in the wake of incidents, companies can place a low emphasis on security. For example, in 2011, Sony’s PlayStation Network was hacked, exposing the personal information of 77 million accounts.42 Despite having already suffered a significant breach, when Sony Pictures – another Sony subsidiary – was hacked in 2014, only 11 of Sony’s 7000 employees were assigned to the company’s information security team.43 In a 2007 interview with CIO Magazine, Jason Spaltro – then executive director of information security at Sony – stated that the low value placed on security was a “valid business decision to accept the risk” of a security breach, and that investing $10 million to avoid $1 million of penalties was not something he would do.44

Even companies seeking to invest in their human resources often face a systemic resource gap: a lack of trained cybersecurity specialists. A 2015 report from Cisco estimated that there were 1 million unfilled cybersecurity jobs.45 In actuality, the knowledge gap is even greater because the Cisco figure counts only the demand for full-time technical cybersecurity specialists, and does not consider the impact of cybersecurity on numerous non-technical positions. The employees in these non-technical positions, despite a lack of cybersecurity training, are often asked to address cybersecurity challenges. These challenges can include addressing the business risks of cybersecurity threats, determining the interaction between physical security and cybersecurity, planning for public responses after a data breach, managing cybersecurity specialists, or engaging with government agencies following a serious cyberattack. Considering that any computer-using employee is a potential cybersecurity risk or a part of the response, a lack of basic cybersecurity training contributes to the expanding knowledge gap.

In general, companies have limited time and resources. They frequently must make a difficult set of balancing decisions prioritizing where those limited resources can be best utilized. Even when putting resources into cybersecurity, companies must balance between dedicating resources to the security of their own systems and dedicating resources to securing end-user products. While large companies may have more resources, they also may face additional challenges and costs of coordinating across various silos within the company. By contrast, smaller companies may not have the financial or human resources capacity for addressing the multitude of complex cybersecurity challenges.

Companies must also make difficult choices in prioritizing the vulnerabilities they choose to patch. For example, companies must decide how much of their limited security budgets should be spent on buying vulnerabilities from security researchers. The vulnerabilities marketplace has become increasingly lucrative, which makes it increasingly expensive for companies to keep vulnerabilities out of the hands of criminals. Some companies have created bug-bounty programmes as a means of participating in that marketplace, but many companies’ bounties are not competitive with what governments or criminals might pay for a vulnerability or an exploit. Even when companies know of the vulnerabilities, whether purchased or not, there are more than can possibly be fixed. Companies must allocate their limited resources and choose which bugs and vulnerabilities to address, while risking leaving gaps for attackers to exploit.
Additionally, not every industry has a culture and an upgrade cycle that is compatible with the fast pace of development in the technology and software industries. In some industries, seemingly small changes like a software upgrade might trigger unacceptably large costs. For example, certain utility operators in the US typically depend on their industrial control system software to last for 10 to 15 years, and many of those companies are still using Windows XP on their critical infrastructure. This poses a significant cybersecurity issue, as Microsoft ended support for Windows XP in 2014. The industry, however, is locked into this outdated software because the tight integration between the management systems and the software means it would cost more than $100 million and would take several years for them to upgrade to newer systems.46

The example of Windows XP in utilities is emblematic of a larger challenge: software and hardware vendors often cannot force their customers to upgrade and secure their systems. Once products are in the hands of customers, product updates can be impossible to fully implement. For example, in May 2015, a vulnerability was found to likely affect millions of routers due to a specific component, NetUSB, that many manufacturers had used in their routers. This vulnerability would allow an attacker to wipe or compromise a router, and potentially install malware to spy on the users, or even compromise the entire network. Patches for the issue were deployed inconsistently. In some cases, the owner of the router might not understand the problem or know how to apply the patch. In other cases, just like with the utilities, the patch or update could cause unacceptable disruptions for the end-users. Even well-intentioned companies can sometimes find that the resources required to provide cybersecurity updates would far outstrip their ability to deliver them.

Finally, resource allocation can be a challenge when it involves allocating resources across companies and industries. In these circumstances, companies and sectors may not be able to agree on who should bear the costs of addressing certain risks. For example, in the US, many retail companies who use point-of-sale terminals have not moved to more secure chip systems for credit card transactions and continue to rely on antiquated and vulnerable magnetic stripe technology. This is in large part because the retail companies are not eager to shoulder the cost of upgraded point-of-sale terminals even if it leaves customers insecure.47

2. Ecosystem Management Challenges

Key takeaway: Companies face difficult challenges in effectively addressing cybersecurity issues where solutions must be implemented by several independent actors who own and manage different parts of an interoperable system, and where a single product is the result of several components made by different companies or even different silos within the same company.

Software and hardware environments are increasingly complicated ecosystems populated by a complex community of interacting devices, networks, people and organizations. Because no single company can maintain and control every aspect of the ecosystem, trust and cooperation are essential. Companies face challenges in managing these ecosystems both where the ecosystem is the product of many different actors and companies deploying interoperable systems, and in situations where a single product is made up of components from different companies or even different silos within the same company.

Interoperable system complexity:
Highly interoperable systems can create rich ecosystems of services and devices, but they can also create cybersecurity challenges. Without a single point of control over the ecosystem, cybersecurity challenges can be addressed only through a combination of trust and voluntary cooperation between each participant. As the complexity of the ecosystem increases, so, too, do the costs of coordination and the risk of mismatched incentives. These challenges have been apparent in Google’s Android mobile operating system, where the lack of central control has led to several cybersecurity breakdowns. Google provides Android as open-source software, and it has gained significant market share, installed on an estimated 80% of smartphones.48 Although Google maintains the core code, the ecosystem as a whole involves the participation of hundreds of handset manufacturers and carriers which can customize the operating system before loading it on their devices or deploying it on their networks.

Google cannot push security updates directly to end users. Instead, it can take months for users to receive updates to Android, if at all. That delay is because handset manufacturers must first test the update to ensure it is compatible with their devices. Then the wireless carriers must also test each new update. And both the handset manufacturers and the carriers might have modified the Android code or created their own apps, and each new update from Google might require extensive revisions to that custom code, further compounding the delays. For these reasons, wireless service providers and device manufacturers often delay or forgo significant operating system updates to avoid the cost in financial, time and human resources that these updates require. As a result, many older Android smartphones never receive security and feature updates from Google. As of December 2015, only 29.5% of Android devices run the year-old Lollipop version and only 0.5% are running the newest Marshmallow version.49 By contrast, Apple has much more control over the software that runs on its devices, a model that allows the company to release updates directly to users. Consequently, 70% of iOS devices are using Apple’s latest operating system.50

This challenge of updating Android devices became a significant security liability when researchers discovered Stagefright in July 2015, a major vulnerability that allowed an attacker to take over a victim’s device through a simple SMS message or audio file.51 When it was discovered, Google moved quickly to issue a patch to the software. However, the Android device ecosystem took months to propagate the fix, and some older devices were never patched. In response to this security failure, several companies within the Android ecosystem have pledged to change their processes to provide monthly patches.52
A similar ecosystem challenge was the Heartbleed vulnerability, which was disclosed in April 2014 and was believed to affect 17% (about half a million) of the internet’s secure web servers.53 The bug compromised any secure connection that utilized OpenSSL, allowing attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. Although a patch for OpenSSL was made available quickly, there was no central point of control that could force updates; individual server owners were responsible for applying the patch to their systems. Some owners patched their servers quickly and others took months.

Single product complexity:
Ecosystem issues can also affect the cybersecurity of a single product. Today’s complex devices often rely on the integration of technology from many suppliers. These relationships rely on trust – most companies lack the time, money and resources to check the source code or the design specifications of every component sourced from others. Companies must trust that their vendors and suppliers live up to their security assurances.

The 2015 hack of a Chrysler Jeep Cherokee showed how difficult it can be to secure products made from components from a variety of suppliers and vendors. The Jeep entertainment system utilized Uconnect, a third-party application that connected to the internet. Using Uconnect’s IP address, hackers were able to gain access to the Jeep from a remote laptop miles away and seize control of the car’s dashboard, steering, braking and transmission functions.54 In this case, manufacturing a complex product like a car requires trusting that all of the components, when placed together, will not create cascading vulnerabilities. Although companies can conduct supplier and vendor audits or use other controls to try to catch vulnerabilities, that may delay and significantly increase the costs and complexities of developing new products.

Tighter collaboration between or within companies may help to address these ecosystem challenges, but more often than not, company cultures prevent open communication about systems and designs. Within companies, for both competitive and institutional reasons, stovepiping is common within divisions. Although this data siloing can protect product secrecy and trade secrets, it can also prevent collaboration and information sharing. Similar concerns may prevent companies that collaborate on products with suppliers and vendors from sharing critical information. In all cases, these communication gaps may contribute to cybersecurity issues in complex ecosystems.

C. Broader Ecosystem Tensions and Considerations

Key takeaway: Effective collaboration between the public and private sectors requires that they recognize and address the obstacles and limitations to collaboration, including their lack of trust, difficulties in lawmaking and enforcement, and obstacles to research and information sharing.

It is not enough for the public and private sectors to understand the challenges they face. It is also important for them to recognize and address the challenges and limitations of any efforts at collaboration. Collaboration may not be easy, but it is essential for addressing many cybersecurity issues because the internet is a transnational system spanning jurisdictional boundaries and public and private systems.

Many cybersecurity challenges affect both the public and private sectors and benefit from the expertise and perspectives across governments, companies, academic institutions, industry experts and the general public. Collaboration is critical for five reasons:

1. Technical gaps: The private sector controls many of the critical systems and resources that comprise the internet.
2. Talent gaps: The private sector captures a stronger current of technical talent and expertise.
3. Information gaps: The public sector has greater access to national and international threat information.
4. Enforcement gaps: The public sector is better positioned to investigate and prosecute cybercrime and enable cooperation between companies that otherwise might be impeded by concerns over competition and reputation.
5. Development gaps: Partnerships can build bridges between mature and developing industries and countries, facilitating knowledge and information sharing.

The public and private sectors are intentionally distinct and their differences are important. However, those same differences can also make partnerships difficult. One of the main challenges to partnerships has been the trust deficit that has grown between public and private entities, particularly after recent revelations about surveillance.

The lack of trust is not the only obstacle to collaboration in the cybersecurity ecosystem. The public and private sectors can attempt to collaborate through information sharing, the creation of standards, incident response, security research and more. However, each of these collaborative approaches requires balancing the multifaceted roles that both public and private sector entities play. For example, governments play dual roles as both regulator and collaborator with the private sector. Similarly, companies within an industry play dual roles of both competitors and partners in addressing cybersecurity issues. These multifaceted roles and relationships create tensions and obstacles for effective collaboration.

1. Trust Deficits Between Companies and Governments

Key takeaway: As a result of a backlash to government surveillance, companies are hesitant to collaborate with governments due to fear of negative perceptions, loss of business and liability risks from divulging private information, colluding with competitors, or exposing themselves to additional penalties.
One of the most significant obstacles to building and maintaining effective partnerships between the public and private sectors is the fundamental lack of trust that emerged after the Snowden leaks in 2013. In response to revelations about government surveillance, several major technology companies, including Apple, Facebook, Google, Twitter and Microsoft, expressed concerns over publicly collaborating with government actors. These companies and others have worked together to publicly protest government surveillance and lobby for surveillance reform.

Companies have been particularly hesitant to collaborate with the US government because of the potentially negative financial impacts. Distrust of US government policies and statements regarding surveillance has led several non-US companies and foreign governments to be suspicious of any company that might be aiding intelligence collection. Some analysts have estimated that the Snowden leaks in particular will cost major US technology companies billions of dollars in lost sales.55 These factors push companies to distance themselves from the negative perceptions of a tight collaboration with government, creating a cold climate in public-private relations.56

The debates about the use of end-to-end encryption highlight this lack of trust between the public and private sectors. Because technology companies have been leery of voluntarily cooperating with law enforcement agencies, several government leaders from around the world, including Prime Minister David Cameron of the UK and leaders in China, have sought the legal authority to compel access to online communications for lawful investigations.57 The public and private sectors have struggled to agree on what is feasible. For example, NSA Director Admiral Michael Rogers proposed that technology companies implement certain technical changes to encryption that would enable government access, such as so-called “golden keys”.58 In response, security technologists and members of the private sector have claimed such solutions would introduce new vulnerabilities, threaten economic competitiveness and weaken existing security measures.59

An additional trust issue is that companies fear sharing information with governments and other companies may expose them to liability, either for divulging private information, inadvertently revealing information that subjects them to regulation or sanction by other government entities,

government interventions and innovation, and between deliberative legal processes and the need for quick resolutions.

The public and private sectors can and do collaborate on cybersecurity issues through standard-setting, lawmaking (encompassing both legislation and regulation) and legal enforcement. However, when collaborating in any of these ways, it can be difficult for the public and private sectors to find the right balance between government interventions and innovation, and between deliberative legal processes and the need for quick resolutions. This difficulty is apparent in some of the ways in which they collaborate:

Standard-setting: The creation and adoption of standards can help identify best practices, create shared norms, and enable interoperability across complex systems – all crucial to cybersecurity. Collaboration in standard setting can enable the development of norms that reflect diverse perspectives and offer unique solutions to difficult cybersecurity challenges. However, standard-setting has many challenges of its own:

– Speed: Standard-setting institutions are slow-moving and often fail to keep pace with technical innovation, a particular problem when trying to address quickly developing cybersecurity threats. By the time a standard is finalized, it may be out of date and fail to fully address emerging issues.
– Compatibility: Products that were designed and deployed before or even during the standard-setting process may be incompatible with subsequent standards and impossible or difficult to update.
– Universality: Standards benefit from network effects. However, there are a variety of coalitions and institutions that are developing alternative or competing standards for addressing cybersecurity issues. This leaves many standards without a critical mass of adoption and creates a fragmentation that undermines effectiveness.

Lawmaking: The creation of legislation and regulation is another opportunity for public and private sector collaboration. In some cases, lawmaking can be more effective than standards because it offers a mechanism for compelling compliance and uniformity with cybersecurity practices when the market might otherwise be fractured and
or for antitrust violations for colluding with competitors. uncoordinated. For example, several pieces of cybersecurity
legislation have been proposed including the recently
Overcoming these trust deficits is necessary for enacted US Cybersecurity Information Sharing Act (CISA)
collaboratively addressing cybersecurity challenges. of 2015, which could stimulate collaboration that would
However, there are other significant obstacles to not otherwise occur. Collaboration in the legislative and
collaboration between the public and private sectors. regulatory processes helps address the public sector’s
The tools that the public and private sectors can use for lack of technical and industry knowledge. But lawmaking,
collaboration each come with their own challenges. As will like standard-setting, can be ill-equipped at addressing
become apparent, trust (or a lack thereof) is an element of the fast-moving cybersecurity environment. Lawmaking
many of those challenges as well. processes can be slow and difficult, and the current
political environment in the US has made it difficult to enact
2. Standards, Regulation and Enforcement legislation.
Key takeaway: The public and private sectors, when Enforcement: Legal enforcement of cybersecurity issues is
collaborating in standard-setting, lawmaking and legal another avenue for public and private sector collaboration.
enforcement, must find the right balance between Investigations of cyberattacks, for example, often require
such collaboration. However, as described previously, such collaboration requires a difficult balance between public and private interests.

In all of these examples of standard-setting, lawmaking and enforcement, it can be very difficult for the public and private sectors to balance the different roles they must play at different times. For example, sometimes governments act as a defender of cybersecurity and sometimes governments seek to exploit cybersecurity vulnerabilities. Choosing the correct times and places to play those roles can be difficult, and a trust deficit can exacerbate the problem. For instance, documents from the Snowden revelations indicated that when participating in a public-private process for establishing a new standard for random-number generation for keys, the NSA championed one in particular – the Dual_EC_DRBG generator. Documents from Snowden indicate that the NSA had used the standard-setting process to urge adoption of a standard that it could break, damaging trust and complicating its role in future collaborations.60 By contrast, there are times when the public sector in its enforcement role can help companies respond to and recover from attacks in ways that would have been impossible without government assistance. In these circumstances, collaboration can help build trust and confidence in their partnerships.

Case Study – Enforcement in Action: Cybercrime

At the World Economic Forum, there are efforts under way to improve collaboration between the public and private sectors in improving the investigation and prosecution of cybercrimes. The Future of the Internet Initiative’s Cybercrime Project, an effort complementary to this Global Agenda Council, recognizes that meaningful and effective approaches to combating cybercrime require close collaboration between the public and private sectors. In an effort to foster that collaboration, the Cybercrime Project has identified several recommendations for effective public-private partnerships:61

1. Public and private sectors should share more information related to cyber threats, vulnerability and consequences.
2. Public and private sectors should work to create new platforms, strengthen existing platforms and coordinate these platforms to increase information-sharing and improve investigations and prosecutions.
3. Public and private sectors should cooperate to encourage and advance wider adoption of the Budapest Convention on Cybercrime, or of the principles it promotes.
4. Public and private sectors should work to build trust and discuss contentious topics related to cybercrime, such as encryption, cloud servers, data access and protection of privacy, to find appropriate solutions.
5. Public and private sectors can engage in other initiatives aimed at reducing cybercrime.

3. Knowledge and Information Sharing

Key takeaway: Knowledge and information sharing is a critical tool in addressing cybersecurity challenges and, by definition, it requires participation from both the public and private sector. However, trust deficits, secrecy obligations, ineffective frameworks for sharing and liability risks all constrain and limit sharing.

Information and knowledge are key currencies in cybersecurity, as they are critical to both prevention and response, including:

– Balancing resources: The public and private sectors have different perspectives, skill sets and time horizons, and information sharing is critical to addressing the complete array of cybersecurity challenges. The government is in a unique position to think about long-term threats and the types of actors who are capable of carrying them out, as well as to aggregate information from a variety of sources. By contrast, the private sector is in a unique position to implement and respond to many security threats.
– Building expertise: Not only do the public and private sectors have different perspectives and expertise, but they have different levels of maturity and experience. Fostering a knowledge exchange from governments and companies with experience addressing cybersecurity issues to those without those experiences is important for sharing best practices and preventing cybersecurity breaches. In fact, cybersecurity knowledge sharing has been identified as a central component of sustainable development more broadly.62
– Attribution: After an attack, identifying who caused an incident and how is critical for patching vulnerabilities and deterring future incidents. In attributing incidents, private and public entities sometimes receive an overwhelming amount of complex, difficult-to-decipher information. Other times they receive too little information. In either case, both sectors receive only one perspective, necessitating information sharing for proper attribution. On several occasions, companies and governments have made mistakes in attributing attacks, often due to bad or insufficient information sharing.

Information and knowledge sharing is an important form of collaboration, but it faces many challenges. The most significant is the trust deficit described above, which creates resistance to collaboration of any kind, and concern about the accuracy of any information that is shared. In addition to the trust deficit, several other challenges exist, including:

– Secrecy obligations: Governments must balance their obligations with respect to secrecy in national security, intelligence and grand jury information with the need for bi-directional information sharing. Government secrecy obligations can restrict the extent and depth to which governments can share information with the private sector. For companies, these secrecy issues raise the concern that information sharing flows in one direction – from companies to governments, with limited reciprocity.
– Institutional reforms: Certain organizations exist to help facilitate open information sharing, such as the National Cyber Security and Communications Integration Center (NCCIC)63 in the US and the Cyber Security Information Sharing Partnership (CISP)64 in the UK. However, many of these institutional initiatives are created within silos, without input from other stakeholders, or as “quick fixes” to fill gaps temporarily. They often place an emphasis on some aspects of reorganization, such as agency-to-agency coordination, over other issues like improving existing communication with the private sector. For that reason, there is significant scepticism over whether these reforms will be successful, whether they address the correct issues, and whether they serve the best interests of the private sector and the public at large.
– Liability risks: Companies fear they may be held liable either by directly revealing information that violates a statute, or indirectly by revealing information that leads to liability for unrelated offences. For example, a well-intentioned disclosure to one government entity might subject those records to public records requests, which may in turn lead to further investigations by a different government agency or civil lawsuits. To address this issue, in the US, for example, the Cybersecurity Information Sharing Act (CISA) contains a strong liability safe harbour that immunizes companies from private rights of action and regulatory enforcement actions that arise from certain types of information sharing. While the law has been criticized for a lack of user privacy protections and limitations on the downstream use of the disclosures, public and private stakeholder groups will have voluntary tools and standards for sharing information and protecting privacy.65

Knowledge and information sharing is a key tool in addressing cybersecurity challenges, and by definition it requires participation by both the public and private sectors. The development of effective laws, regulations and standards, as well as prevention and attribution, all require careful calibration of public and private interests and perspectives. However, in the absence of knowledge and information sharing, that calibration and balancing of interests may be impossible. Unfortunately, there are significant challenges that impede effective knowledge and information sharing.
4. Securing the Future

With so many difficult tensions making it hard to address cybersecurity, it is clear that systemic changes are necessary to realign the culture and incentives that shape cybersecurity. This is a complex and evolving space and no single solution can adequately address the full spectrum of challenges. However, there are a variety of approaches that can help. What follows is not an exhaustive list but a starting place for how the public and private sectors can begin to change the culture on cybersecurity.

There are steps that companies can and should begin to take right now to improve cybersecurity. We identify below several of these steps. But while they are crucial, they are not sufficient. The private sector cannot address cybersecurity on its own. Changing the underlying market pressures and culture, improving trust with the public sector, and improving public-private information and knowledge sharing, can only be done through collaboration between the public and private sectors. For that reason, the remainder of this report looks at some things the public and private sectors can do to help address these larger structural challenges. These approaches include: (1) the use of blended governance models; (2) the targeted application of limited regulation; (3) the use of independent security organizations to enable informed purchasing; and (4) expanding security professionals’ skill sets to encompass critical non-technical skills. While each of these approaches can potentially address some of the cybersecurity challenges, no single recommendation here can change culture and perceptions. Only time, education and communication can realign cultural approaches to cybersecurity.

A. Immediate Steps the Private Sector Can Take to Emphasize Cybersecurity

Key takeaway: It is critical for enterprises across the private sector to implement best practices throughout all operations, and throughout product lifecycles, as a foundational step to greater cybersecurity – a difficult challenge in a market that rewards rapid product development.

The private sector must directly confront the cultural and incentive challenges that make many of the cybersecurity issues so challenging. In short, companies must work to change the default attitudes that exist in order to place a clear and ongoing emphasis on security. Without addressing these cultural and incentive issues, companies will continue to ignore basic security best practices.

For companies, this shift entails emphasizing security throughout the entire product or service lifecycle, including: (1) planning for security early in the product development cycle, (2) taking into account the security of legacy systems, and (3) ensuring resiliency in the event of an attack. For many companies, this lifecycle approach is a significant departure from their current approach to security. In a market that stresses rapid product development and often rewards those first-to-market, there can be enormous pressure to deliver quickly at the expense of investments in cybersecurity. This pressure was evident in Facebook’s early motto of “move fast and break things”.66 Importantly, Facebook also shows that companies can adjust their approach, as its motto changed in 2014 to “move fast with stable infrastructure” in order to reflect a commitment to balancing quick innovation with security and stability.67

A cultural shift on the part of private sector entities to better address cybersecurity would involve numerous changes, but we identify three in particular as a starting place:

Adoption of best practices: There are basic steps that companies should follow that, although not a complete solution to cybersecurity issues, would have a demonstrable positive impact. Several examples of these are included in the appendix, and include:

– The CIS Critical Security Controls to enhance enterprise cybersecurity defences and incident response68
– The Australian Signals Directorate’s list of 35 mitigation steps for reducing the risks from targeted computer network attacks, including application whitelisting, applying application and operating system patches, and enforcing a strong password policy69
– The UK’s “10 steps to cybersecurity” covering topics such as setting user privileges, malware prevention and user education70

Improved authentication: Authentication is critically important for cybersecurity, and particularly challenging in the internet of things (IoT). Companies should move beyond insecure passwords to mechanisms such as two-factor authentication or multi-factor authentication that uses other forms of verification like biometric data. Online services could also enable the use of authentication technologies, including fingerprint and iris scanners, voice and facial recognition, and a variety of technologies, such as embedded Secure Elements (eSE), that help verify identities in more secure ways.71 And companies should explore new methods of continuous authentication that continually reaffirm authentication throughout the time of access –
something that will become increasingly important with the need to continually re-authenticate IoT devices connected to a network or a system.

Preparation for attacks: No one is immune from cyberattacks. It is critical that companies take steps before they are attacked. Most importantly, companies must: (1) examine and enhance their forensic capabilities to determine the scope of an attack, inform affected customers and entities, and assist law enforcement; (2) develop a business continuity plan to determine whether, how and when to continue or resume business operations after an attack; and (3) develop a plan for regaining customer trust after an attack. Waiting to do these things until after an attack has already happened will be too late.

Changing corporate culture on security is not just a one-time thing – it is a commitment that must be made repeatedly over the course of a product or company’s lifecycle. Such a cultural shift is not easy, as it requires a significant investment of financial, time and human resources. During the development phase, workers must devote time and effort testing and securing existing features when that effort could be spent iterating new features. Similarly, such an investment must be remade continually over the lifecycle of the product instead of spending time on new products. In order to make this change, companies must find a balance between rapid innovation and ensuring security. Companies must also find a balance between the costs of investing in security and the ultimate cost of their products. Additionally, companies with limited resources must find the right balance between innovating new products sustainably and supporting existing devices in the future. This latter balancing will be particularly challenging in the industrial IoT, where products may be expected to remain both operational and connected for decades.

One reason why companies have not made such a culture change previously is that the financial incentives simply did not support such a change. While some companies, such as Apple, have used their investment in security as a product differentiator in selling their iOS products,72 they have done so at a price premium, which serves to commoditize and stratify security. Changing these underlying financial incentives is not something the private sector can do on its own, which is why blended governance models that encourage collaboration between the public and private sectors will be critical.

Case Study – Private Sector in Action: Cyber Insurance73

Although cyber insurance is frequently mentioned as a mechanism that businesses could use to mitigate cyber threats, the insurance industry has undertaken the barest of beginnings in this space. Insurance companies have to this point demonstrated little native understanding of the cyber risks posed to enterprises, making it difficult for them to offer effective products.

In order to offer useful products, the insurance industry must establish a reliable way to value a company’s cyber and cyber-dependent assets, beginning with data, which can include intellectual property, client/customer data and employee data. In the more traditional areas, e.g., fire, auto, home, etc., the insurance industry is the marketplace expert on risk, with centuries of actuarial data on which to base risk-pricing decisions and to guard insurers against accepting more risk than they can effectively cover.

By contrast, for cyber insurance, the risk profile is far less clear, observable and measurable. Standards are fewer and actuarial data hardly exists. Threats also come from every quarter and create unimaginable consequences – for example, when intemperate executive emails are provided to the press – that can cause considerable loss of reputation, customer loyalty and market share. However, no best practice standard exists to guide the insurance industry in gauging risk. Instead, every major insurer uses its own proprietary scheme of varying degrees of sophistication. Many insurance companies seem to treat total revenue as the primary differentiating factor for categorizing cybersecurity risk. In other words, both a small medical office with voluminous files of intimate personal data and an automated car wash chain of equivalent market value with customer financial records are assessed at the same risk level. While both kinds of data are sensitive, the obvious differences in function, business processes, regulatory requirements and risk exposures distinguish the chances or consequences of a cyber event.

Despite these challenges in assessing risk, insurance carriers have begun to heavily promote their cyber insurance products, and the current insurance marketplace provides some coverage for certain specific cyber risks, such as a data breach. For cyber insurance to succeed, this model must change. Insurers must take on the challenge of realistically evaluating the cyber risks they are underwriting, including accounting for the unique cyber risk factors of individual enterprises.

B. Blended Governance

Key takeaway: It is necessary to experiment with new paradigms for distributed and collaborative governance that will enable cybersecurity challenges to be addressed jointly by the public and private sectors.

The challenges to cybersecurity underscore again and again the critical need for collaboration between the public and private sectors. However, many of the existing institutions and mechanisms for collaboration are simply inadequate. Particularly when addressing complex and quickly evolving cybersecurity threats, current approaches are often too slow, too inflexible, or too prone to distrust or dysfunction. There are, of course, exceptions, such as governments hiring “technologists-in-residence” to bridge technical gaps, public-private partnerships such as the World Economic Forum facilitating cross-sector relationships, fusion centres to coordinate public and private intelligence sharing, joint research endeavours, and more.74

Addressing the next evolution of cybersecurity threats requires exploring new paradigms and institutions that fundamentally retrain and readjust how the public and private sectors collaborate, and build stronger and deeper
connections between them. Such approaches go beyond traditional multistakeholder governance models to build relationships that are flexible and can be adjusted quickly and responsively to address evolving challenges and conflicts.75 Through working collaboratively to solve pressing problems, such partnerships can even help build reservoirs of trust between the public and private sectors that are currently lacking.

There is no one-size-fits-all model for such collaboration. Instead, effective groups remain sensitive throughout their entire lifecycle to their dynamic contextual and cultural conditions, the availability of support systems and resources, and the opportunities for and trade-offs related to inclusion, transparency and accountability. Most importantly, these groups are instrumental and dynamic, changing over time to adapt to new circumstances and needs, something that is crucial for groups addressing cybersecurity and its evolving threats.

Such blended governance approaches will build important bridges between the private sector and governments and society as a whole. For example, operating with greater input from the private sector will better enable governments to make critical and targeted investments in cybersecurity that will ultimately help change the cultural and financial incentives for cybersecurity. These investments include:

– Procurement: Governments can use their procurement powers to help recalibrate private sector approaches to cybersecurity by purchasing from companies that build security into the entire lifecycle of their products and services. Not only would this help change private sector attitudes but it would also improve the security of public sector systems and services.76
– Research: Governments can fund research into vulnerabilities and cybersecurity, which ultimately makes it easier and less costly for the private sector to commit to best practices and address issues early on in the process.
– Education: Governments can educate both the private sector about best practice and users about safe behaviour and cyber hygiene.

Governments have been particularly adept at using education to advance cybersecurity objectives. For example, Germany, Finland, the Republic of Korea, Israel, Estonia and Austria have all developed university programmes in partnership with the private sector to advance cybersecurity research and develop a new generation of experts.77 Similarly, several countries, including the UK, Germany and France, have all worked with the private sector to develop educational programmes to help smaller businesses understand cybersecurity threats.78

Public-private partnerships with civil society and academia can also help educate consumers about cybersecurity. If consumers are better educated about cybersecurity and understand the basic steps to help ensure their own security, they will be more likely to reflect that knowledge in their purchasing decisions. Consumers who practise cyber hygiene at the personal level and take their own digital security seriously may reward companies that take security seriously when purchasing products. By making security a higher priority in purchasing decisions, consumers will help the private sector view prioritizing cybersecurity as beneficial to their bottom line.

Case Study – Blended Governance in Action: The Energy Sector

The energy sector is often defined by public and private sectors working in close collaboration, making it an ideal place to address cybersecurity through blended governance approaches. The energy sector manages critical infrastructure, making cybersecurity a serious concern. There have already been several high-profile cybersecurity incidents, including:

– The 2010 Stuxnet worm that destroyed nearly one-fifth of Iran’s nuclear centrifuges
– The 2011 “Night Dragon” attack that stole sensitive competitive information about oil and gas field bids and operations from international oil companies
– An attack in 2012 on Saudi Arabia’s Aramco that damaged 30,000 personal computers in an attempt to halt all oil production.

The threats against the energy sector are only going to get worse. According to the Wall Street Journal, “a survey of 625 IT executives in the US, UK, France and Germany by Intel Security and the Aspen Institute found that 48% said they think it’s likely there will be a cyberattack on critical infrastructure in the next three years that will result in loss of life.” To date, adversaries have generally been state-sponsored, but dissident groups and terrorist organizations continue to seek ways to cause disruption, including attacks on energy infrastructure.

The energy sector is up against two major cyber threats. The first is vulnerabilities in the information technology (IT) enterprise systems. These are vulnerabilities in the commonly used systems and tools that can affect any commercial enterprise. The approaches for addressing these threats, including best practices and cyber hygiene, are well understood.

The energy sector also faces threats tailored to the unique operational technology (OT) that is critical to energy production and transmission. Refineries, power plants, transmission and distribution grids and pipelines all rely on specific software and other control technologies. The best ways to protect and defend these specialized systems are not nearly as well understood. Additionally, these OT systems are often difficult or expensive to upgrade as they are typically designed to run for decades. Updates or other threat mitigations can require significant coordination between customers, vendors and others.
C. Regulation and Government Leadership

Key takeaway: Carefully tailored government interventions can help tip the scales toward greater cybersecurity, but such actions must be weighed against the potential impact on innovation.

Aside from the financial and educational interventions described above, there are additional steps the public sector can take to bolster cybersecurity practices. Some approaches, while possible, would be unacceptable: establishing a strict liability regime, for example, in which companies are liable for vulnerabilities in their code would certainly incentivize companies to invest in greater cybersecurity, but it would also significantly reduce investments in innovation, make entire industries unprofitable and generally cripple businesses by rendering risk unaffordable. Similarly, mandating back-door access to encrypted devices and communications, while possible, would fundamentally weaken the security afforded by systems with encryption, introducing more risks than security. However, other government interventions can help the private sector find the right balance between cybersecurity and innovation.

One form of government intervention is through the development of carefully tailored regulations. In fact, there are already several examples of approaches to regulation, addressing several aspects of cybersecurity:

– Data-breach notifications: Several countries have regulations that require companies to notify customers after certain kinds of security breaches. In the US, most states have some form of security breach notification law, and in 2015 the White House proposed a national breach notification standard, though it has not yet been enacted.79 The EU is reaching the final stages of finalizing the new General Data Protection Regulation (GDPR), set to replace the 1995 Data Protection Directive, which will include a 72-hour limit for breach notifications.80
– Critical infrastructure: The EU has established provisional rules compelling critical service companies in the key industries of energy, transport, banking, financial markets, health and water supply to ensure that their digital infrastructure is resilient enough to withstand online attacks.81 Similarly, the US National Institute of Standards and Technology’s (NIST) Cyber Security Framework is designed to help organizations charged with providing the nation’s financial, energy, healthcare and other critical systems to better protect

In addition to regulation, governments can also alter behaviour through encouraging the creation and adoption of norms. This can happen at the national, regional or global level:

– National and regional norms: Regional and national cybersecurity strategy statements are one mechanism through which governments can reshape norms about cybersecurity, as an articulation of consensus or aspirational principles.82 Some of these cybersecurity strategies are targeted toward readjusting the way government agencies relate to each other on issues of cybersecurity83 or toward improving public and private sector information sharing. Others focus on cybersecurity as a component of encouraging innovation, entrepreneurship and commercial exchange. For example, the EU’s comprehensive Digital Agenda includes creating public-private partnerships to address cybersecurity as part of a broader agenda of achieving a digital single market in Europe.
– International norms: It can be difficult for norms at the international level to reshape behaviour in the absence of enforcement mechanisms. However, political scientist Joseph Nye has argued that even in the absence of enforcement mechanisms, countries can establish effective norms bilaterally or even unilaterally. According to Nye, bilateral agreements that bar states from attacking certain aspects of the civilian cyber infrastructure during peacetime could encourage a norm of self-restraint.84 In some cases, new norms can even be unilateral. For example, governments may stockpile a certain set of undisclosed vulnerabilities in software for offensive use, leaving software vulnerable to potential attacks were those vulnerabilities to be discovered by another party. A norm of unilaterally disclosing vulnerabilities instead of stockpiling them would serve to disarm any adversaries who had also discovered that weakness. In turn, a new international norm could emerge in which countries disclose rather than stockpile vulnerabilities.

Government interventions, from regulation and norms to authentication, often struggle to match the speed of innovation and the changing security landscape. Another challenge is that there are often tricky jurisdictional issues between a variety of potential government actors. For example, in the US, several government agencies have already attempted to unilaterally expand their authority to cover cybersecurity, including the Federal Trade Commission, the Federal Communications Commission and the Department of Homeland Security. For these reasons, blended governance approaches will be critical for helping governments respond quickly, sidestep jurisdictional issues
their information and physical assets from cyberattack.
within governments and ensure that government action is
The order established a process for identifying high-
informed and balanced by private sector perspectives and
priority infrastructure and required agencies to follow a
expertise. This will be particularly true in order to address the
series of steps to determine the adequacy and ability of
cross-disciplinary nature of cybersecurity in IoT, which will
the agency to address risk.
require a combination of skills and expertise to be brought
– Information sharing: The NIST Cyber Security to bear in the regulatory process. Effective government
Framework directed the US Secretary of Homeland intervention will require a careful balancing between private
Security and the Director of National Intelligence to and public interests and processes, coordination and
consistently share unclassified reports with the private cooperation between various actors and agencies.
sector after cyberattacks.
Case Study – Government Leadership in Action: Authentication

One example of where governments can advance cybersecurity is through supporting the creation of effective authentication systems. Governments are already the most important issuer of credentials in the physical world by issuing documents confirming identity, name, citizenship, date of birth and more. Governments can play a similar role in the digital world. The development of effective and efficient digital identity management enables the migration of economic and social interactions online, and strengthens trust-based digital services.

Several countries and regions have already begun enabling the next generation of services through comprehensive national authentication and digital ID systems.

– Estonia: Most notably, in 2002, Estonia became one of the first countries to introduce a comprehensive national ID system.[85] From birth, Estonian citizens are given a digital birth certificate that is linked to an online health insurance account. After citizens turn 15, they apply for an electronic ID card that provides proof of identity and enables access to a wide range of government e-services, from electronic banking and shopping to encrypted email. These digital tools are increasing efficiency and are saving the time-equivalent of one working week per person.[86]
– Japan: After meetings with Estonian leaders, the Japanese government announced its own MyNumber National Identification system, which was launched in January 2016. The government hopes the cards will help streamline information sharing between governmental agencies administering tax, social security and disaster mitigation programmes.[87]
– India: In 2010, India began creation of a database of unique IDs that included the fingerprint and iris scans of all 1.2 billion residents. The country’s leaders say the programme can streamline India’s current bureaucratic process and help solve development problems by ensuring that the benefits of services like welfare spending reach the intended recipients. The unique identities will also allow a sizable population of poor Indians to access services like banking.[88]
– European Union: The EU encourages European countries to establish digital ID systems and to also accept the digital IDs of other countries. The EU’s Digital Agenda for Europe contains rules designed to encourage and support the use of digital IDs for more efficient electronic interactions between businesses, citizens and public authorities.[89]
– United States: Instead of creating a single, national authentication system, the US government announced a partnership with technology companies and civil society to promote the use of multiple-factor authentication and to make it easier for users to enable those protections.[90]

Many of these digital IDs, including those from Estonia[91] and the United Arab Emirates[92], have built-in public key cryptography to help secure online transactions and promote the use of the IDs in non-government applications such as banking and e-commerce. One example of this is public key infrastructure (PKI), which is a system of policies, procedures and software that helps secure data through the use of public and private cryptographic keys, enabling both secure communications and authentication.

National digital ID systems, however, are not without their risks. The systems often create a linked dossier of sensitive information about individuals ranging from voting to health documents to tax issues. Governments must ensure the security of such a vast collection of personal data. Additionally, governments must be transparent with citizens about how such information is to be used, both nationally and internationally. A failure to do either of these things will erode trust in the system.

D. Independent Security Organizations

Key takeaway: Independent security organizations can play a critical educational role, helping transform any consumer (corporate, institutional, or individual) into a high-information purchaser with respect to cybersecurity, which will reward and encourage cybersecurity best practices.

In order to change the culture and incentives relating to cybersecurity, we need both greater transparency and high-information consumers. Independent security organizations can help do both.

Transparency can be a powerful tool for reshaping the culture and incentives on cybersecurity. If companies believe they will not be held liable for producing insecure products or services, they have little incentive to secure their products, particularly if securing the product or service incurs high costs. One way to generate accountability for cybersecurity is through the creation of independent security organizations focused on cybersecurity. Such an organization would test products and services and give them a seal of approval if they meet certain, independently verified, criteria.

Such a mechanism for introducing accountability to product development is not revolutionary. Independent testing laboratories have been used previously to improve the quality of consumer electrical devices. The Underwriters Laboratories (UL) was established in 1894 as a response to the notoriously unsafe consumer electric products available at the time. The UL, as it is known, is now a global safety and certification company that analyses, tests, inspects and validates new products, ensuring they meet a certain uniform level of safety. The UL Certification mark, found on many home electrical appliances, indicates to consumers that the product has been tested and certified. The same kind of approach, a kind of CyberUL, has been suggested for advancing cybersecurity accountability.

Several initiatives are already under way to create various elements of a CyberUL. For example, in October 2015, the noted security expert Peiter Zatko announced plans to create the Cyber Independent Testing Laboratory (Cyber-ITL).[93] The goal of the Cyber-ITL is to quantify the security hygiene of pieces of software and to help the consumer understand how safe a piece of software is, much in the same way that a nutritional label describes the calories, fat or allergens in food.[94] The hope is that such information will help consumers, governments and businesses identify products with better cybersecurity to make informed decisions. Similarly, the US government recently announced that the Department of Homeland Security would collaborate with UL to develop the Cybersecurity Assurance Program, which will conduct tests on IoT devices to certify their security.

Just as independent product ratings in Consumer Reports help consumers make educated purchasing decisions, so, too, would a CyberUL. Having high-information consumers – across sectors – will enable better decision-making; for example, when agencies or companies are considering purchasing from a vendor, they could consult the reviews of an independent security organization. Not only would this improve the quality of purchasing decisions but it would also incentivize companies to improve the ratings of their products and services.

A CyberUL, however, is unlikely to be able to fully identify and highlight all cybersecurity gaps in every product. Software and network security is extremely complex and context-dependent, and the complexity of IoT devices will only continue to increase as those devices gain more computational power, sensors and network interfaces. In a laboratory environment with a limited amount of time, there are only so many devices and vulnerabilities that can be tested. Furthermore, it is challenging in a laboratory to simulate the real world. For example, it is difficult to simulate attacks by adversaries who may respond in unpredictable ways, and it is difficult to recreate the array of interconnected systems that may coexist with a device in the real world. For these reasons, CyberUL proposals are unlikely to be a panacea. However, they may still help reward and encourage good cybersecurity practices.

E. Holistic Cybersecurity Education

Key takeaway: The public and private sectors should together build and support educational programmes that bridge the knowledge gap, enabling cybersecurity professionals to address both the technical and non-technical aspects of future cybersecurity challenges and provide basic cybersecurity training to non-technical experts.

Bridging the cybersecurity knowledge gap requires improving the educational programmes for both technical and non-technical employees. For cybersecurity professionals, it is important that educational programmes provide more than just technical education. A recent report of the National Academies noted that the cybersecurity workforce needs a wide variety of non-technical skills, in addition to strong technical training.[95] Non-technical training is critical because much of cybersecurity threat prevention and response is about human behaviour. Adversaries are human and they often seek to exploit human weaknesses in addition to technical weaknesses. And when attacks succeed, they often have significant human impacts. Because cybersecurity is inherently concerned with human behaviour, it is important for cybersecurity professionals to have non-technical training in the behavioural aspects of cybersecurity. Similarly, training in the management aspects of cybersecurity – including economics, anthropology and psychology – can help cybersecurity professionals advocate for resource investments within their organization to overcome the incentive and cultural hurdles that often hinder investments in cybersecurity. Cybersecurity professionals responding to an incident may need to coordinate activities across multiple organizational elements or job functions and interact with vendors, security consultants, law enforcement or other outside actors. These roles require more than pure technical knowledge, necessitating the development of a variety of non-technical skills.

Conversely, non-technical managers and employees increasingly need more training in cybersecurity. Although non-technical employees need not become cybersecurity professionals, they do need a basic foundation of technical knowledge and training. This basic knowledge will help these employees avoid critical security mistakes, ask managers and decision-makers the right cybersecurity questions and generally support realigning the incentives that shape cybersecurity decisions.

The public and private sectors can work to ensure that both technical and non-technical employees are given the skills they need. Currently, this holistic training is difficult to find. For example, university programmes educating cybersecurity specialists are overwhelmingly tilted toward the technical dimensions. To address this, the public and private sectors should collaborate to develop and support programmes that will address these knowledge gaps. Working together, the private sector can identify the cybersecurity skills that technical and non-technical employees need, and the public sector can offer courses through public institutions that develop those skills.
5. Conclusion
The stakes for cybersecurity have never been higher.
With increased data centralization in remote data centres,
expanding reliance on cloud computing, the explosion of
the IoT, and the growth in both the number and severity of
cyberattacks, cybersecurity must be addressed throughout
business, industry, government and civil society.
The challenge of addressing cybersecurity should not, and
cannot, be addressed by the private or public sectors acting
alone or independently. Ultimately, actors across sectors,
industries, backgrounds and experiences will need to work
together in novel ways that may seem difficult given the trust
deficits in today’s security ecosystem.
There are steps that companies and government can
take immediately to reduce the threats, including the
implementation of best practices and cyber hygiene.
However, it is equally important for the public and private
sectors to understand why their counterparts often struggle
to take these steps. This report tries to bridge that gap, to help the public and private sectors better understand the systemic challenges each faces, and then move past those barriers to change. In order to change the culture and
incentives that make addressing cybersecurity so difficult,
the public and private sectors must work together to rebuild
trust, improve communication, knowledge and information
sharing, and more.
Cybersecurity is a complex, quickly evolving field, and
there is no silver bullet or turnkey solution that will solve all
of these challenges today. Moreover, even if there were,
there is no guarantee that such solutions would be equally
effective against emergent threats. Ultimately, a combination
of these potential solutions will need to be applied and
adjusted over time to address these significant issues.
Appendix A

Basic Cyber Hygiene

1. Know what is connected to your network
2. Properly configure key security settings
3. Properly manage user accounts and settings to limit unauthorized access
4. Install timely patches to applications and operating systems
5. Automate and monitor the foregoing to keep foundation cybersecurity posture current

Drawn from: Center for Internet Security, Cyber Hygiene Toolkit, https://www.cisecurity.org/cyber-pledge/tools.cfm

Australia’s 35 Strategies to Mitigate Targeted Cyber Intrusions

1. Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts and installers.
2. Patch applications, e.g., Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with “extreme risk” vulnerabilities within two days. Use the latest version of applications.
3. Patch operating system vulnerabilities. Patch or mitigate systems with “extreme risk” vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP.
4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.

Once organizations have implemented the Top 4 mitigation strategies, first on the computers of users who are most likely to be targeted by cyber intrusions and then on all computers and servers, additional mitigation strategies can be selected to address security gaps until an acceptable level of residual risk is reached.

5. User application configuration hardening, disabling the running of internet-based Java code, untrusted Microsoft Office macros, and undesired web browser and PDF viewer features.
6. Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour, including network traffic, new or modified files, or configuration changes.
7. Operating system generic exploit mitigation mechanisms, e.g., Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
8. Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and persistence.
9. Disable local administrator accounts to prevent network propagation using compromised local administration credentials that are shared by several computers.
10. Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.
11. Multi-factor authentication, especially implemented for remote access or when the user is about to perform a privileged action or access a sensitive information repository.
12. Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorized, and denying network traffic by default.
13. Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.
14. Non-persistent virtualized sandboxed trusted operating environment, hosted outside the organization’s internal network, for risky activities such as web browsing.
15. Centralized and time-synchronized logging of successful and failed computer events with automated immediate log analysis, storing logs for at least 18 months.
16. Centralized and time-synchronized logging of allowed and blocked network events with automated immediate log analysis, storing logs for at least 18 months.
17. Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitize links, PDF and Microsoft Office attachments.
18. Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
19. Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
20. Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a “hard fail” SPF record to help prevent spoofing of your organization’s domain.
21. Workstation and server configuration management based on a hardened Standard Operating Environment with unrequired functionality disabled, e.g. IPv6, autorun and LanMan.
22. Antivirus software using heuristics and automated internet-based reputation ratings to check a program’s prevalence and its digital signature’s trustworthiness prior to execution.
23. Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.
24. Server application security configuration hardening, e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.
25. Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both passphrase re-use and the use of a single dictionary word.
26. Removable and portable media control as part of a data-loss prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
27. Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.
28. User education, e.g., internet threats and spear-phishing socially-engineered emails. Avoid weak passphrases, passphrase re-use, exposing email addresses and unapproved USB devices.
29. Workstation inspection of Microsoft Office files for potentially malicious abnormalities, e.g., using the Microsoft Office File Validation or Protected View features.
30. Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.
31. TLS encryption between email servers to prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
32. Block attempts to access web sites by their IP address instead of by their domain name, e.g., implemented using a web proxy server, to force cyber adversaries to obtain a domain name.
33. Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
34. Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous internet users.
35. Capture network traffic to/from internal critical-asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis.

From: http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf

United Kingdom: Reducing the Cyber Risk in 10 Critical Areas

1. Information risk-management regime
2. Secure configuration
3. Network security
4. Managing user privileges
5. User education and awareness
6. Incident management
7. Malware prevention
8. Monitoring
9. Removable media controls
10. Home and mobile working

From: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/395716/10_steps_ten_critical_areas.pdf
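Strategy 20 of the Australian list above asks for a “hard fail” SPF record for the organization’s own domain. The following is an added example, not part of the report or of the ASD material it cites: it takes a domain’s published TXT records (constructed samples here, not any real domain’s DNS data) and reports whether they amount to a hard-fail policy, flagging the misconfigurations that silently disable SPF at receivers, namely a missing or duplicated record, more than ten DNS-lookup terms, and a “+all” terminal.

```go
package main

import (
	"fmt"
	"strings"
)

// SPFPolicy is what a record's terminal "all" term tells receivers to do with
// mail from a source the record does not list.
type SPFPolicy string

const (
	PolicyNone     SPFPolicy = "none"     // no SPF record published
	PolicyHardFail SPFPolicy = "hardfail" // "-all": unlisted sources are rejected
	PolicySoftFail SPFPolicy = "softfail" // "~all": unlisted sources are marked, usually still delivered
	PolicyNeutral  SPFPolicy = "neutral"  // "?all" or no "all" term: no assertion is made
	PolicyPassAll  SPFPolicy = "passall"  // "+all": any host may send as the domain
)

// SPFReport summarises one domain's published SPF policy.
type SPFReport struct {
	Policy  SPFPolicy
	Lookups int      // terms that cost receivers a DNS query; RFC 7208 caps them at 10
	Issues  []string // findings a defender would want to fix
}

// EvaluateSPF inspects the TXT records published for a domain and reports whether
// they amount to the "hard fail" record of strategy 20. Only record syntax is
// examined and no DNS queries are made, so it runs offline on captured records.
func EvaluateSPF(txtRecords []string) SPFReport {
	rep := SPFReport{Policy: PolicyNone}
	var spf []string
	for _, r := range txtRecords {
		r = strings.TrimSpace(r)
		if strings.HasPrefix(strings.ToLower(r), "v=spf1") {
			spf = append(spf, r)
		}
	}
	switch len(spf) {
	case 0:
		rep.Issues = append(rep.Issues, "no SPF record: receivers cannot reject mail spoofing this domain on SPF grounds")
		return rep
	case 1: // exactly one record, as RFC 7208 requires
	default:
		rep.Issues = append(rep.Issues, "more than one SPF record: receivers treat this as a permanent error and apply no policy")
		return rep
	}
	rep.Policy = PolicyNeutral // a record with no "all" term makes no assertion
	for _, term := range strings.Fields(spf[0])[1:] { // skip the "v=spf1" tag
		t := strings.ToLower(term)
		qualifier := "+" // the default when no qualifier is written
		if strings.ContainsAny(t[:1], "+-~?") {
			qualifier, t = t[:1], t[1:]
		}
		if t == "" {
			continue
		}
		name := t // mechanism or modifier name without its argument
		if i := strings.IndexAny(t, ":=/"); i >= 0 {
			name = t[:i]
		}
		switch name {
		case "a", "mx", "include", "exists", "redirect":
			rep.Lookups++
		case "ptr":
			rep.Lookups++
			rep.Issues = append(rep.Issues, "ptr mechanism is deprecated; list senders with ip4/ip6 or include instead")
		case "all":
			switch qualifier {
			case "-":
				rep.Policy = PolicyHardFail
			case "~":
				rep.Policy = PolicySoftFail
			case "?":
				rep.Policy = PolicyNeutral
			case "+":
				rep.Policy = PolicyPassAll
			}
		}
	}
	if rep.Lookups > 10 {
		rep.Issues = append(rep.Issues, fmt.Sprintf("%d DNS-lookup terms exceed the limit of 10: receivers return a permanent error and apply no policy", rep.Lookups))
	}
	switch rep.Policy {
	case PolicyPassAll:
		rep.Issues = append(rep.Issues, "\"+all\" authorises every host on the internet to send as this domain")
	case PolicySoftFail, PolicyNeutral:
		rep.Issues = append(rep.Issues, fmt.Sprintf("policy is %s: end the record with \"-all\" so spoofed mail is rejected", rep.Policy))
	}
	return rep
}

func main() {
	// Constructed sample records, not any real domain's DNS data.
	samples := [][]string{
		{"v=spf1 mx include:_spf.mail.example -all", "site-verification=constructed"},
		{"v=spf1 a mx ~all"}, {"v=spf1 +all"}, {"site-verification=constructed"},
	}
	for _, records := range samples {
		rep := EvaluateSPF(records)
		fmt.Printf("policy=%-8s lookups=%d issues=%v\n", rep.Policy, rep.Lookups, rep.Issues)
	}
}
```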
1. ICT Data and Statistics Division, International Telecommunications Union, “ICT Facts and Figures: The World in 2015.” 2015. https://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2015.pdf.
2. Koomey, Jonathan. “The Computing Trend That Will Change Everything.” MIT Technology Review, 9 April 2012. http://www.technologyreview.com/news/427444/the-computing-trend-that-will-change-everything/; Goldman Sachs, “The Internet of Things: Making Sense of the Next Mega-trend.” Global Investment Research, 3 September 2014. http://www.goldmansachs.com/our-thinking/ages/Internet-of-things/iot-report.pdf.
3. Armbrust, Michael et al., “Above the Clouds: A Berkeley View of Cloud Computing,” University of California, Berkeley, 10 February 2009. http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf; Naone, Erica. “Conjuring Clouds.” MIT Technology Review, 23 June 2009. http://www.technologyreview.com/article/413981/conjuring-clouds/.
4. Komorowski, Matt. “A History of Storage Cost (Update).” Mkomo, 9 March 2014. Web. 25 November 2015. http://www.mkomo.com/cost-per-gigabyte-update.
5. ICT Data and Statistics Division, “ICT Facts and Figures”; GSM Association, “The Mobile Economy Series 2015.” 2015. http://www.gsmamobileeconomy.com/GSMA_Global_Mobile_Economy_Report_2015.pdf.
6. Id.
7. Gartner. Gartner Symposium/ITxpo. “Gartner Says 4.9 Billion Connected “Things” Will Be in Use in 2015.” N.p., 11 November 2014. http://www.gartner.com/newsroom/id/2905717.
8. Gemalto. “2014 Year of Mega Breaches & Identity Theft.” February 2015. http://breachlevelindex.com/pdf/Breach-Level-Index-Annual-Report-2014.pdf.
9. United Kingdom, Her Majesty’s Government. “Information Security Breaches Survey 2015,” 2015. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/432413/bis-15-303_information_security_breaches_survey_2015-executive-eummary.pdf.
10. Hackett, Robert. “Arrests Made in Connection with JPMorgan Hack, Report Says.” Technology. Fortune, 21 July 2015. Web. 25 November 2015. http://fortune.com/2015/07/21/arrests-jpmorgan-chase-hack/.
11. “Second teenager arrested over TalkTalk data breach.” The Guardian, 30 October 2015. http://www.theguardian.com/business/2015/oct/30/second-teenager-arrested-over-talktalk-data-breach.
12. “Credit Card Details on 20 Million South Koreans Stolen - BBC News.” BBC News. N.p., 20 January 2014. http://www.bbc.com/news/technology-25808189.
13. US Office of Personnel Management. “Cybersecurity Incidents.” Cybersecurity Resource Center. June 2015. https://www.opm.gov/cybersecurity/cybersecurity-incidents.
14. The identities, and whether the hackers were connected to the Chinese government, are still unclear. Nakashima, Ellen. “Chinese government has arrested hackers it says breached OPM database.” Washington Post. 2 December 2015. https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html.
15. Hess, Amanda. “Inside the Sony Hack.” Slate, 22 November 2015. http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.html.
16. Ponemon Institute LLC. “2015 Cost of Data Breach Study: Global Analysis.” May 2015. http://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF.
17. Verizon. “2015 Data Breach Investigations Report.” April 2015. http://www.verizonenterprise.com/DBIR/.
18. Ablon, Lillian et al. “Markets for Cybercrime Tools and Stolen Data.” RAND Corporation. 2014. https://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf.
19. Id.
20. McGoogan, Cara. “Instagram Scam App Stole Passwords from Users.” Wired UK. 11 November 2015. http://www.wired.co.uk/news/archive/2015-11/11/malware-infected-instagent-pulled-from-app-store.
21. See Gasser, Urs and David R. O’Brien. “Governments and Cloud Computing: Roles, Approaches, and Policy Considerations.” Berkman Center for Internet & Society, 17 March 2014. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2410270.
22. US Department of Justice, “Mutual Legal Assistance Treaty Process Reform.” FY 2015 Budget Request. 2015. http://www.justice.gov/sites/default/files/jmd/legacy/2014/07/13/mut-legal-assist.pdf.
23. Wong, Gillian. “China to Get Tough on Cybersecurity.” Wall Street Journal, 9 July 2015. http://www.wsj.com/articles/china-to-get-tough-on-cybersecurity-1436419416.
24. Gulyaeva, Natalia and Maria Sedykh. “Russia Enacts Data Localization Requirement; New Rules Restricting Online Content Come into Effect.” Chronicle of Data Protection, 18 July 2014. http://www.hldataprotection.com/2014/07/articles/international-eu-privacy/russia-enacts-new-online-data-laws.
25. Toor, Amar. “Will the Global NSA Backlash Break the Internet?” The Verge, 8 November 2013. Web. 25 November 2015. http://www.theverge.com/2013/11/8/5080554/nsa-backlash-brazil-germany-raises-fears-of-Internet-balkanization.
26. European Commission, “Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-US Privacy Shield.” 29 February 2016. http://europa.eu/rapid/press-release_IP-16-433_en.htm?locale=en; European Commission, “EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield.” 2 February 2016. http://europa.eu/rapid/press-release_IP-16-216_en.htm.
27. Vatis, Michael A. “The Council of Europe Convention on Cybercrime,” National Academy of Sciences, 2010. https://cs.brown.edu/courses/csci1950-p/sources/lec16/Vatis.pdf.
28. Sanger, David. “Signaling Post-Snowden Era, New iPhone Locks Out NSA,” The New York Times, 26 September 2014. http://www.nytimes.com/2014/09/27/technology/iphone-locks-out-the-nsa-signaling-a-post-snowden-era-.html.
29. Timberg, Craig. “Newest Androids will join iPhones in offering default encryption, blocking police,” The Washington Post, 18 September 2015. http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/.
30. Greenberg, Andy. “Whatsapp Just Switched on End-to-End Encryption for Hundreds of Millions of Users,” Wired, 18 November 2014. http://www.wired.com/2014/11/whatsapp-encrypted-messaging/.
31. Stamos, Alex. “User-Focused Security: End-to-End Encryption Extension for Yahoo Mail,” Yahoo Blog, 15 March 2015. http://yahoo.tumblr.com/post/113708033335/user-focused-security-end-to-end-encryption.
32. Curtis, Sophie. “Will WhatsApps really be banned in the UK?” The Telegraph, 13 July 2015. http://www.telegraph.co.uk/technology/social-media/11736230/Will-WhatsApp-really-be-banned-in-the-UK.html; Lomas, Natasha. “UK Gov’t Must Clarify Its Position On End-To-End Encryption, Says Parliamentary Committee.” TechCrunch, 1 February 2016. http://techcrunch.com/2016/02/01/uk-govt-must-clarify-its-position-on-end-to-end-encryption-says-parliamentary-committee/.
33. Perlroth, Nicole. “Security Experts Oppose Government Access to Encrypted Communication.” The New York Times, 7 July 2015. http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html; Sanger, David E., and Nicole Perlroth. “Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks.” The New York Times. 16 November 2015. Web. 25 November 2015. http://www.nytimes.com/2015/11/17/world/europe/encrypted-messaging-apps-face-new-scrutiny-over-possible-role-in-paris-attacks.html?_r=0.
34. “Welcome to CIS Controls.” Center for Internet Security. https://www.cisecurity.org/critical-controls.cfm. Several governments and enterprises have identified Critical Security Controls as an important tool for effective cyber defence. See National Institute of Standards and Technology. “Framework for Improving Critical Infrastructure Cybersecurity.” Cybersecurity Framework. February 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf; United Kingdom. “Critical Security Controls guidance.” Centre for Protection of National Infrastructure. http://www.cpni.gov.uk/advice/cyber/Critical-controls; European Union. “Cyber; Critical Security Controls for Effective Cyber Defence.” European Telecommunications Standards Institute. May 2015. http://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf; Symantec, “Internet Security Threat Report 2015.” International Telecommunications Union, 2015. http://www.itu.int/en/ITU-D/Cybersecurity/Documents/Symantec_annual_internet_threat_report_ITU2015.pdf; Verizon “2015 Data Breach Investigations Report.” 2015. http://www.verizonenterprise.com/
40. Australia. Australian Signals Directorate. “Strategies to Mitigate Targeted Cyber Intrusions.” February 2014. http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf.
41. Schneier, Bruce. “Security ROI.” Web log post. Schneier on Security. 2 September 2008. https://www.schneier.com/blog/archives/2008/09/security_roi_1.html.
42. Hill, Kashmir. “How Do We Deal with Data Breaches?” Forbes. 9 May 2011. http://www.forbes.com/sites/kashmirhill/2011/05/09/how-do-we-deal-with-data-breaches/.
43. Hill, Kashmir. “Sony Pictures Hack Was a Long Time Coming, Say Former Employees.” Fusion. N.p., 4 December 2014. http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/.
44. Id.
45. Cisco, “Mitigating the Cybersecurity Skills Shortage.” 2015. http://www.cisco.com/c/dam/en/us/products/collateral/security/cybersecurity-talent.pdf.
46. King, Rachael. “Windows XP in Utilities Could Mean Big Security Problems.” CIO Journal. The Wall Street Journal, 9 March 2014. http://blogs.wsj.com/cio/2014/03/09/windows-xp-in-utilities-could-mean-big-security-problems/.
47. Ziobro, Paul, and Robin Sidel. “Target Tried Antitheft Cards.” The Wall Street Journal. 20 January 2014. http://www.wsj.com/news/articles/SB10001424052702304027204579332990728181278.
48. IDC Research. “Worldwide Quarterly Mobile Phone Tracker.” 2015. https://www.idc.com/prodserv/smartphone-os-market-share.jsp.
49. “Dashboards.” Android. 2015. https://developer.android.com/about/dashboards/index.html.
50. Apple. “App Store.” (accessed 13 December 2015). https://developer.apple.com/support/app-store/.
51
Z Team. “Experts Found a Unicorn in the Heart of Android.”
DBIR/2015/; Atlantic Council and Zurich Insurance Group. “Risk Zimperium Mobile Security, 27 July 2015. https://blog.zimperium.
Nexus: Overcome by cyber risks? Economic benefits and costs of com/experts-found-a-unicorn-in-the-heart-of-android/.
alternate cyber futures.” Atlantic Council. 2015. http://publications.
atlanticcouncil.org/cyberrisks//risk-nexus-september-2015-
52
Dreyfuss, Emily. “Big Android Makers Will Now Push Monthly
overcome-by-cyber-risks.pdf. The California State Attorney General Security Update.” Wired. 6 August 2015. http://www.wired.
recently announced that enterprises not using the Critical Security com/2015/08/google-samsung-lg-roll-regular-android-security-
Controls would be deemed as failing to provide reasonably security, updates/
and subject to appropriate legal action. California Dept. of Justice,
“California Data Breach Report.” Office of Attorney General. February
53
Schneier, Bruce. “Heartbleed.” Schneier on Security, 9 April 2014.
2016. https://oag.ca.gov/breachreport2016. https://www.schneier.com/blog/archives/2014/04/heartbleed.html.
35
“Information Security Management.” ISO 27001. International
54
Greenberg, Andy. “Hackers Remotely Kill a Jeep on the Highway –
Organization For Standardization, n.d. Web. 25 Nov. 2015. http:// With Me In It.” Wired, 21 July 2015. http://www.wired.com/2015/07/
www.iso.org/iso/home/standards/management-standards/ hackers-remotely-kill-jeep-highway/.
iso27001.htm.
55
Castro, Daniel. “How Much Will PRISM Cost the U.S. Cloud
36
“Cloud Security Alliance.” Cloud Security Alliance. N.p., n.d. Web. Computing Industry.” The Information Technology and Innovation
25 November 2015. https://cloudsecurityalliance.org/. Foundation. August 2013. http://www2.itif.org/2013-cloud-
computing-costs.pdf.
Todorov, Dob, and Yinal Ozkan. “AWS Security Best Practices.”
37
Amazon Web Services, November 2013. http://media.
56
Germano, Judith, “Cybersecurity Partnership: A New Era of
amazonwebservices.com/AWS_Security_Best_Practices.pdf. Public-Private Collaboration.” The Center on Law and Security.
October 2014. http://www.lawandsecurity.org/Portals/0/
38
Id. Documents/Cybersecurity.Partnerships.pdf.
39
United Kingdom. Government Communication Headquarters. “10
57
Nicole Perlroth, “Security Experts Oppose.”
Critical 10 Steps to Cyber Security.” 16 January 2015. https://www.
gov.uk/government/uploads/system/uploads/attachment_data/
file/395716/10_steps_ten_critical_areas.pdf.
Global Agenda Council on Cybersecurity 29
58
Ellen Nakashima and Barton Gellman. “As encryption spreads, US grapples with clash between privacy and security.” The Washington Post, 10 April 2015. https://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html.
59
Harold Abelson et al. “Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications.” Computer Science and Artificial Intelligence Laboratory Technical Report. https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf.
60
Perlroth, Nicole. “Government Announces Steps to Restore Confidence on Encryption Standards.” The New York Times. 10 September 2013. http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/.
61
World Economic Forum. “Recommendations for Public-Private Partnership Against Cybercrime.” Cybercrime Project – Future of the Internet Initiative. January 2016. http://www3.weforum.org/docs/WEF_Cybercrime_Principles.pdf.
62
United Nations. “Transforming our world: the 2030 Agenda for Sustainable Development.” Sustainable Development Knowledge Platform. 21 October 2015. https://sustainabledevelopment.un.org/post2015/transformingourworld.
63
US Department of Homeland Security. “Information Sharing.” http://www.dhs.gov/topic/cybersecurity-information-sharing.
64
CERT-UK. “Cybersecurity Information Sharing Partnership (CiSP).” https://www.cert.gov.uk/cisp/.
65
Andy Greenberg and Yael Grauer. “CISA Security Bill Passes Senate with Privacy Flaws Unfixed.” Wired, 27 October 2015. http://www.wired.com/2015/10/cisa-cybersecurity-information-sharing-act-passes-senate-vote-with-privacy-flaws/.
66
Kelly, Samantha Murphy. “Facebook Changes its ‘Move Fast and Break Things’ Motto.” Mashable. 30 April 2014. http://mashable.com/2014/04/30/facebooks-new-mantra-move-fast-with-stability/#FWTrQ4zOAsqV.
67
Id.
68
“Cyber Hygiene Toolkit.” Center for Internet Security. https://www.cisecurity.org/cyber-pledge/tools.cfm; “About.” Center for Internet Security. http://www.cisecurity.org/about/.
69
Id.
70
United Kingdom. Government Communication Headquarters. “10 Critical 10 Steps to Cyber Security.”
71
“FIDO Alliance.” FIDO Alliance Home Comments. https://fidoalliance.org/.
72
“iOS Security.” Apple. September 2015. https://www.apple.com/business/docs/iOS_Security_Guide.pdf.
73
Analysis based on a forthcoming work by Jane Holl Lute.
74
One of the newest of these public-private partnerships is the US Commission on Enhancing National Cybersecurity, which is composed of “top strategic, business, and technical thinkers from outside of Government” who will make detailed recommendations to Congress and the President. “Fact Sheet: Cybersecurity National Action Plan.” Office of the Press Secretary, The White House. 9 February 2016. https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
75
Verhulst, Stephen et al. “Innovations in Global Governance: Toward a Distributed Internet Governance Ecosystem.” Centre for International Governance Innovation, December 2014. https://www.cigionline.org/sites/default/files/gcig_paper_no5.pdf; Gasser, Urs et al. “Multistakeholder as Governance Groups: Observations from Case Studies.” Berkman Center for Internet & Society, 14 January 2015. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2549270.
76
These investments can be substantial; the Obama Administration 2017 budget proposed spending $3.1 billion simply to start modernizing the outdated and difficult to secure IT systems that the government currently uses. “Fact Sheet: Cybersecurity National Action Plan.” Office of the Press Secretary, The White House. 9 February 2016. https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
77
Radunović, Vladimir and Rüfenacht, David. “Cybersecurity Competence Building Trends.” November 2015. DiploFoundation. http://www.diplomacy.edu.
78
Id.
79
US Government. “The Personal Data Notification & Protection Act.” Press Release. https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification.pdf.
80
“Interinstitutional File: 2012/0011 (COD).” Council of the European Union. http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf.
81
European Parliament. “MEPs close deal with Council on first ever EU rules on cybersecurity.” 12 July 2015. http://www.europarl.europa.eu/news/en/news-room/20151207IPR06449/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity.
82
See World Economic Forum, “Digital Economy and Cyber Security in Latin America and the Caribbean” in Cybersecurity Observatory, “Cybersecurity: Are We Ready in Latin America and the Caribbean?” 2016. https://digital-iadb.leadpages.co/publicacion-cibersecurity/ (noting how regional norms on cyber security can improve cooperation, particularly in responding to cyber threats).
83
“Cyber Security Strategy,” Australian Government, 2011. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/AGCyberSecurityStrategyforwebsite.pdf; “France’s Strategy: Information systems defence and security,” Agence Nationale de la Sécurité des Systèmes d’Information, 2011. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/France_Cyber_Security_Strategy.pdf.
84
Nye, Joseph. “The World Needs New Norms on Cyberwarfare.” The Washington Post, 1 October 2015. https://www.washingtonpost.com/opinions/the-world-needs-an-arms-control-treaty-for-cybersecurity/2015/10/01/20c3e970-66dd-11e5-9223-70cb36460919_story.html.
85
Hammersley, Ben. “Why you should be an e-resident of Estonia.” Wired, 4 February 2015. http://www.wired.co.uk/magazine/archive/2015/07/features/estonia-e-resident.
86
“Estonia and Finland become first in the world to digitally sign international agreement.” Estonian World. 23 December 2013. http://estonianworld.com/technology/estonia-finland-become-first-world-digitally-sign-international-agreement/.
87
“Japan to implement ID cards following Estonia’s example.” Estonian World. 24 October 2015. http://estonianworld.com/technology/japan-to-implement-id-card-following-estonias-example/.
88
Sharma, Awol. “India Launches Project to ID 1.2 Billion People.” The Wall Street Journal. 29 September 2010. http://www.wsj.com/articles/SB10001424052748704652104575493490951809322.
89
“Trust Services and eID,” European Commission, 2015.
90
“Fact Sheet: Cybersecurity National Action Plan.” Office of the Press Secretary, The White House. 9 February 2016. https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
91
Tamkivi, Sten. “Lessons from the World’s Most Tech-Savvy Government,” The Atlantic, 24 January 2014. http://www.theatlantic.com/international/archive/2014/01/lessons-from-the-worlds-most-tech-savvy-government/283341.
92
Al-Khouri, Ali M. “PKI in Government Identity Management Systems,” International Journal of Network Security & Its Applications, 2011. http://arxiv.org/pdf/1105.6357.pdf.
93
Hesseldahl, Arik. “Famed Security Researcher Mudge Leaves Google.” re/code. 29 June 2015. http://recode.net/2015/06/29/famed-security-researcher-mudge-leaves-google-for-white-house-gig/.
94
Knake, Robert. “Q&A with Peiter Zatko (aka Mudge): Setting Up the Cyber Independent Testing Laboratory.” Council on Foreign Relations. 18 December 2015. http://blogs.cfr.org/cyber/2015/12/18/qa-with-peiter-zatko-aka-mudge-setting-up-the-cyber-independent-testing-laboratory/.
95
National Research Council. “Professionalizing the Nation’s Cybersecurity Workforce: Criteria for Decision-Making.” National Academies Press, 2013. http://www.nap.edu/download.php?record_id=18446.
Acknowledgements
Global Agenda Council on Cyber Security
Chair
Toomas Hendrik Ilves, President of Estonia
Vice-Chair
Jean-Paul Laborde, Assistant Secretary-General and Executive Director, Counter-Terrorism Committee Executive Directorate, United Nations, New York
Members
Name | Title | Organization | Country
Jane Holl Lute | President and Chief Executive Officer | Council on CyberSecurity | USA
Cheri McGuire | Vice-President, Global Government Affairs and Cyber Security Policy | Symantec Corporation | USA
Jeffrey Moss | President | DEF CON | USA
Christophe Nicolas | Senior Vice-President and Founder, Kudelski Security, and Group Chief Information Officer | Kudelski Group | Switzerland
Sundeep Oberoi | Global Head Delivery ESRM | Tata Consultancy Services | India
Troels Oerting Jorgensen | Chief Information Security Officer | Barclays | United Kingdom
Catherine Lotrionte | Assistant Professor of Government and Foreign Service | Georgetown University | USA
Ali Al Masari | Head of Information Protection Department | Saudi Aramco | Saudi Arabia
James Stavridis | Dean, Fletcher School of Law and Diplomacy | Tufts University | USA
Marc Henauer | Head of | Reporting and Analysis Centre for Information Assurance (MELANI) | Switzerland
John Suffolk | President and Global Cyber Security and Privacy Officer | Huawei Technologies | People’s Republic of China
William Saito | Special Adviser, Cabinet Office of Japan | | 
Lee Xiaodong | President and Chief Executive Officer | China Internet Network Information Center | People’s Republic of China
Herbert Lin | Senior Research Scholar for Cyber Policy and Security | Stanford University | USA
John Villasenor | Senior Fellow | Brookings Institution | USA
Eugene Kaspersky | Chairman and Chief Executive Officer | Kaspersky Lab | Russian Federation
Nigel Inkster | Director, Transnational Threats and Political Risk | The International Institute for Strategic Studies (IISS) | United Kingdom
Dave DeWalt | Chief Executive Officer and Chairman of the Board | FireEye | USA
When beginning the latest cycle of Global Agenda Councils in 2014, the World Economic Forum recognized the need to address cybersecurity concerns as they relate to an increasingly connected world. Council Chair Toomas Hendrik Ilves and Vice-Chair Jean-Paul Laborde led a diverse group of high-level experts in a series of discussions on the most pressing challenges presented by a full spectrum of cyber-risks. This paper presents a summary of the main themes of the discussions.

We would like to thank three Managing Directors of the World Economic Forum who provided strategic guidance and oversight for our work:

– Richard Samans, Head of the Centre for the Global Agenda
– Jeremy Jurgens, Chief Information and Interaction Officer
– Jean-Luc Vez, Head of Public Security Policy and Security Affairs

We would also like to acknowledge the leaders of the Global Challenge on the Future of the Internet initiative, who provided a broader framework for the work of the council:

– Mark Spelman, Co-Head of the Future of the Internet Initiative
– Alex Wong, Co-Head of the Future of the Internet Initiative
– Alan Marcus, Head of ICT Industries

We would also like to recognize the leadership of the Network of the Global Agenda Councils:

– Stephan Mergenthaler, Head of Knowledge Networks and Analysis
– Liana Melchenko, Practice Lead, Knowledge Networks and Analysis

And, for liaison with universities, we would like to thank Lyuba Spagnoletto, Head of Communities, Knowledge Networks and Analysis.

In addition to those who served on the council, the World Economic Forum wishes to thank the colleagues without whose support progress would not have been possible:

– Epp Maaten, Adviser on the Information Society of the Foreign Policy Department of Estonia
– Marc Porret, Laila Ezzarqui and Karine Jeannet, from the Office of the Executive Director of the Counter-Terrorism Committee Executive Directorate (CTED) at the United Nations
– Elena Kvochko, Barclays
– Anton Shingarev, Kaspersky Labs

We would like to particularly thank colleagues from the Berkman Center of Internet & Society at Harvard University, who prepared the paper:

– Urs Gasser, Executive Director
– Ryan Budish, Senior Researcher
– David O’Brien, Senior Researcher
– Amar Ashar, General Manager of Special Initiatives

Last but not least, we would like to express our gratitude to all our partners around the world who joined the meetings and calls and provided their input on the paper.

With many thanks,
Danil Kerimi, Joseph Losavio and Alexandra Shaw
The World Economic Forum, committed to improving the state of the world, is the International Organization for Public-Private Cooperation. The Forum engages the foremost political, business and other leaders of society to shape global, regional and industry agendas.