Finding the Balance Between Infrastructure and Cybersecurity
It seems a day does not pass when a government anywhere in the world does not discuss the threat posed by increasingly malicious cyber activity. Whether such activities are a consequence of state-sponsored action, the increasing prevalence of intentional criminal networks, or the opportunistic acts of “hacktivist” organizations, governments have had to reset and reprioritize their national security policies to offset such threats. In Australia, this has resulted in the government’s release of the Australian Cyber Security Strategy 2020, promoting a vision of “a more secure online world for Australians.”
Governments are now openly speaking about “grey-zone” tactics. These tactics include organized and large-scale cyberattacks, deliberate disinformation and misinformation campaigns and other focused digital acts designed to cause economic or social harm — and they are increasing in sophistication.
Military advisers talk about the likelihood of “kinetic war,” which encompasses a combination of traditional warfare on land, in the air and on the sea and the new domains of digital and space. These environments require significant readjustments in domestic and global policy settings in order to respond to such multidimensional challenges.
The challenges for smaller nations of recasting their policy settings is considerable. With the increasing allure of sovereign-backed infrastructure development, unprepared nations can find themselves beholden to such programs without the necessary governance, capability or responsiveness to adequately manage such initiatives.
In the digital sphere, this can create a situation where such infrastructure could be used for purposes other than what they were intended for.
The Risk of Getting Ahead of Your Skis
The ransomware cyberattack that compromised networks of U.S. Colonial Pipeline’s East Coast petroleum supply chain or the hack on the software running the water supply in Oldsmar, Florida, are perfect examples of such risk exposures. While digital transformation of governments and societies will continue at pace, it must be done in a systematic and controlled basis to ensure that the correct balance of capability and skills are at the forefront of any infrastructure investment.
To address the seriousness of these issues, on May 12, President Joe Biden signed the Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks. While predominantly focused on government networks, the executive order promises to remove the barriers between government and the private sector to share threat information, improve software supply chain security and create a standard to respond to cyber incidents.
Hard to Achieve Uniform Standards
While meritorious in its intent, the implementation of such standards is not straightforward, and many other countries continue to experience challenges in achieving uniform standards.
In Australia, for example, the government’s Information Security Manual (ISM) sets the principles for organizations to protect their systems and information from cyber threats. However, it is not mandatory for Australian government departments and their suppliers to implement these standards.
Some departments have their own information security standards, which may or may not be consistent with the ISM. As the Auditor-General’s Report into the Implementation of the Australian My Health Record System last year identified, “the [department’s] approach to managing shared cybersecurity risks was ‘not appropriate’” and recommended that the department “develop an assurance framework in accordance with the Australian Government Information Security Manual.”
Understanding and assessing a nation’s cybersecurity maturity and capability baseline is an appropriate starting point.
And Even Harder in Infrastructure Aid
With developed Western economies experiencing challenges with their own cybersecurity policy implementation, such challenges are significantly heightened in less-developed economies and ones that may be recipients of sovereign-backed infrastructure development funding.
Policy development, setting standards and the intent of orders and communiques are sometimes a lot easier to discuss than to enact or ensure a culture of compliance.
Achieving common standards of cybersecurity is even harder in the realm of aid and soft loans. Developing countries are eager for assistance with infrastructure, but it comes with little requirement for ongoing governance or policy control. Therefore, how the recipient nation manages and uses the infrastructure is key.
There is a significant shift in how Western states and multilateral organizations are viewing these investments. An increasing emphasis on “capacity-building” is becoming commonplace to ensure that the right balance between infrastructure investment and governance is met.
An example of this priority is the Commonwealth Cyber Declaration. Ratified at the Commonwealth Heads of Government Meeting in 2018, all 54 member states of the Commonwealth agreed to review their cybersecurity maturity and to commit to a program of improvement that addresses the balance between infrastructure and technology development and skills and capability enhancement.
No One Size Fits All
Nonetheless, while the merit of such policies cannot be denied, there is no one-size-fits-all. And many countries struggle with a starting point to improve their cybersecurity maturity. A number of governments, including that of the United Kingdom, have worked with the University of Oxford to develop a model that can assist nations in assessing their cybersecurity maturity.
Having been deployed in over 85 countries, the Cyber Security Maturity Model for Nations (CMM) is now regarded as a leading assessment tool for countries to obtain an accurate picture of their cyber maturity across five dimensions, including: policy and strategy, culture and society, knowledge and capabilities, legal and regulatory frameworks and standards and technology.
The purpose of the model is to provide nations with a roadmap of initiatives designed to improve their cyber maturity, thereby improving their digital capability, skills and resilience.
This is the key balance necessary to ensure that infrastructure is developed in an environment whereby the utmost consideration of governance is paramount.
Not Set and Forget
Nonetheless, successful policy development is not a set and forget approach. An environment of continued reassessment and improvement must be central with any policy development, and governments must adapt and change as the global technology environment continues to also change.
This is the new normal.
Intentional aid programs will, if not now, soon require an evidence base and be specifically responsive to demand rather than suit the ambitions of some nation states. Understanding and assessing a nation’s cybersecurity maturity and capability baseline is an appropriate starting point.