by Colm Murphy, Senior Cyber Security Advisor, Huawei
If you are a member of a board, financial literacy is expected of you in order to manage a healthy balance sheet, so surely cyber security and cyber literacy should be just as important?
For most organisations cyber security has become recognized as a central component of risk management. Risk management is in the interests of boards and benefits everybody in an organization. A recently released report by Gartner stated that by 2025, 40% of boards aim to have a dedicated board member overseeing a cyber security committee. But I believe that for senior members of an organization, it is not acceptable to effectively delegate the responsibility for cyber security risk. In saying that people need to take responsibility, there is still a need for education and guidance on what is right – supporting board members and corporations to create healthy companies.
The reason guidance is needed is that the legacy of the pandemic includes new ways of working – and whether working from home, managing supply chains or running remote business operations, organisations are facing increasing impact. This year alone 23% of businesses have noted an increase in disruption. According to a report by ISACA (23 September, 2021), the types of cyberattack in 2021 include social engineering (14%), advanced persistent threats (10%), ransomware (9%), unpatched systems (8%) and DDoS (8%).
Whilst there is a lot of justified advice encouraging the establishment of ‘good’ practices, we really need to know what ‘good’ cyber security looks like; we need somebody to recommend it, or in some instances mandate it, and therefore to monitor and regulate it; and then manufacturers, service providers and operators all need to play our role. Our expectation that governments and regulators can take the lead in recommending or mandating standards creates a challenge which the entire industry faces, namely a lack of common language, a shortage of trained talent and a lack of unified standards. Addressing the issue of cyber literacy is critical to ensure the safe, sustainable development of the industry.
Lack of common language
In order to collaborate across borders in the essentially borderless domain of cyber, we need a common language which includes common definitions and an understanding that embraces both the benefits and the challenges of cyber. The fast-changing nature of the cyber context means that it has evolved as part of national strategies, either out of defense departments or as part of informatization strategies, depending on the style of government and stage of economic development. In some cases terms have been standardized as a result of multilateral alliances; however, most international organizations remain challenged by the variation of terms and understanding as they operate between states. Just five years ago nearly every country was still using its own definition of cyber, often reflecting unarticulated concerns that adopting a definition used by another state would mean a loss of sovereignty. Definitions ranged from the “complete network of all virtual and physical ICT devices that can be the target of evil cyber actors” to only the “Internet and pertinent ICT devices.” Variations continue. Finland doesn’t use the term cyber space and instead refers to the “cyber domain”, and while cyber security is recognized as a strategy for managing cyber threats within cyber space, Austria and Finland limit the definition to the protection of digital information or critical infrastructure. The Czech Republic and Japan, meanwhile, offer no definition for the term cyber security in their national strategies. By contrast, in China, granular definitions reflect the importance of information, and cyber definitions and policies therefore place cyber security, information security and cyber warfare on the same level.
The International Telecommunication Union (ITU) now provides a broad definition of “cyber security” which is detailed almost to the detriment of a focused understanding. For example, it covers the “collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.”
Therefore, in the absence of shared definitions between states and non-state actors, including corporations, it is perhaps not surprising that stakeholders start to create their own interpretations, contributing to an even greater lack of understanding. This is particularly challenging for organizations communicating with stakeholders across a domain that is no longer just about computers but spans all areas of society.
With states utilizing cyber for national prosperity and economic development rather than for malicious activity and warfare, another fundamental challenge is the shortage of cyber security skills in the workforce, and demand is set to increase. The fast-changing environment means that, in addition to traditional computing skills, new skills include specific sector understanding, ethics, governance, international relations and local cultural skills. This is also an opportunity to promote cybersecurity at all levels and make the industry more inclusive by addressing the current gender imbalance, thereby enhancing the future development of the talent pool. Gender and cultural diversity can offer a business significant revenue improvements, lower regulatory fines and less risk.
Between 2013 and 2019, the UN recorded a widening gender gap among online users, from 11% in 2013 to 17% in 2019, reaching up to 43% in some of the world’s least developed countries (UN, October 2021). Meanwhile, only 15% of STEM graduates are women. Therefore, it is essential that governments, civil society and the private sector come together to support girls’ digital access, skills and creativity.
Lack of Investment in Standards
States and corporations are recognizing that unified standards enable closer collaboration, particularly for those engaged in cross-border trade and international investment. Huawei is among the main contributors to 5G-related cyber security solutions and patents, but one party alone will not solve the issue of agreement, and the call on other companies and governments to work together continues. For example, the benefits of standards such as GDPR and the proposed NIS 2 Directive in the EU demand compliance. The lack of unified standards among states is perhaps a reason why related resolutions in multilateral organisations such as the UN have been welcomed by many states, even though there may be apparent conflict with other UN activities relating to international stability. Meanwhile, states remain conflicted by calls to engage with multilateral or international organizations, especially if the values of those structures are not shared from an ideological perspective. This reluctance may also reflect the early vision of the internet as an ungoverned space. However, as cyber becomes recognized as a multi-faceted domain for commercial and other purposes, the questions of standards and governance continue.
Therefore, investment in cyber security and the relevant resources should be considered and viewed as equally important as financial health for any organization. Every actor in the cyber security eco-system has a role to play – manufacturers, service providers, operators, standards organisations, governments and regulators. This includes building cyber literacy capabilities starting from the top of a company or government, whether for the purposes of interacting with and steering the direction of policy or conducting digitalized business in a way that can be acknowledged as “what good looks like!”
About the Author
Colm is a Senior Cyber Security Advisor working for Huawei’s Global Cyber Security & Privacy Office. He is based in Huawei’s Cyber Security Transparency Center in Brussels. Colm has worked in the cybersecurity industry for more than 20 years and has managed a wide variety of cybersecurity-related activities in his career, including large-scale security testing programmes, risk assessments, incident management, digital forensics projects, compliance, certification and cybersecurity training.