Contents:
Since 2020, the Covid-19 pandemic has re-shaped the way in which we all live and work. In February 2022 another context came forth to drive change, especially in the (cyber)security market – the Russia-Ukraine conflict.
This war, like the pandemic, is clearly driving the growth of the cybersecurity market, which is already expected to reach USD 376.32 billion by 2029 from USD 155.83 billion in 2022, with a CAGR of 13.4 percent throughout this period. I actually expect a further 12-15 percent increase in that number, so the market will be closer to 15-16 percent CAGR.
Under these circumstances, I want you to think about an important question: are politicians taking cybersecurity seriously? Let’s have a closer look at the role of cybersecurity in world politics.
Are Politicians Taking Cybersecurity Seriously?
The overall investment in cybersecurity is increasing. Additional security procedures at the state, municipal, and private levels are appropriately promoted by governments in the EU and the US. Because of the present security scenario, organizations are beginning to invest more resources and reassess their cybersecurity strategy, even if IT security was not a priority when funds for 2022 were allocated.
Is Biden ready for cyberwar?
The cybersecurity strategies that the US adopts at a national level seem to be increasing across multiple sectors. The US Department of State has recently launched the Bureau of Cyberspace and Digital Policy (CDP) in an attempt to address cybersecurity issues.
This initiative is just as ambitious as the adoption of GDPR, the world’s strictest privacy and security law, which, despite being designed and ratified by the European Union (EU), imposes duties on companies anywhere that target or collect data about EU citizens.
Their main objective will be to handle “the national security challenges, economic opportunities, and implications for US values associated with cyberspace, digital technologies, and digital policy”, as well as to “advance policies that protect the integrity and security of the infrastructure of the Internet, serve US interests, promote competitiveness, and uphold democratic values”.
Infrastructure (electricity, energy, water supply, manufacturing, transportation, healthcare), an essential domain in the case of cyber – and real, for that matter – war, is also being reinforced. The Operational Technology Cybersecurity Coalition is a new industry group that strives to coordinate efforts to strengthen industrial control system security in order to boost key infrastructure components’ resilience.
Other initiatives too, such as the United States’ Industrial Control Systems Cybersecurity Initiative, show how the US government is pressing for a greater focus on critical infrastructure security.
In addition, President Biden has given the National Security Agency (NSA) greater authority to strengthen the cybersecurity of US federal government computer networks that are relevant to national security. The White House has also proposed, among other initiatives,
- new requirements for reporting ransomware payments,
- a revamp of federal government software procurement standards, and
- plans to create a roadmap for quickly patching recognized, exploited vulnerabilities in federal systems.
The measures taken by US politicians are all solid, and I’m positive that they will help strengthen their cybersecurity at a national level and combat both state and non-state-sponsored cyber threats more effectively. However, there’s no point in denying that Russia has formidable cyber skills. In the context of a (cyber)war with the Bear, the US shouldn’t stop here and there are obvious underlying signs that the US company infrastructure is nowhere near ready for a cyberwar at the moment.
Is Boris Johnson ready for cyberwar?
The UK government declared, at the end of last year, that they intend to become a “global cyber power” in 2022. In a statement from the National Cyber Security Center (NCSC), they mentioned that “this means more diversity in the workforce, leveling up the cyber sector across all UK regions, expanding our offensive and defensive cyber capabilities, and prioritizing cyber security in the workplace, boardrooms, and digital supply chains.”
The UK government plans to boost financing for law enforcement in the fight against cybercrime, spend more on the National Cyber Force, and expand the research capacity of the security assurance agency NCSC.
An important focus of the United Kingdom’s government, like other countries’ (China, Canada, India, Japan, France), was the orientation toward the obtaining of AI capabilities in accordance with broad-scope national AI strategies, which are then supplemented by additional policy instruments or other technical papers addressing AI’s specific uses.
All these measures come on top of a previous set of basic technical controls that help organizations protect themselves against common online security threats – the Cyber Essentials. To get certified, business owners must identify their position regarding insurance, boundary firewalls and Internet gateways, IT infrastructure configuration, device locking, security update management, user access control and administrative accounts, password-based authentication, and malware protection.
The Cyber Essentials scheme is a great roll-out and one that should actually be adopted by the wider EU group. Despite the scheme, it is my view that cybersecurity awareness throughout the UK is still lower than what we see in mainland Europe, although it is rising. Compliance is particularly difficult for small and medium-sized organizations to manage.
Nevertheless, UK politicians do seem to understand that a cyberwar can be waged on multiple “fronts”. UK, together with other European countries and the US, stands for “open – or alternatively, market-driven – standards that offer security, privacy, and interoperability.” The opposition is represented by Russia and China, who are all about obtaining a centralized control.
As The Guardian notes, quoting John Edwards, a UK information commissioner, “a new era of security had begun where instead of blacking out windows, people needed to maintain vigilance over their inboxes” and ramp up cybersecurity strategies.
With the present level of cyberattacks against the UK, it is clear that strategy and defense execution are still far from adequate.
Is the EU ready for cyberwar?
In general, the EU is obviously aware of the looming threat of cyberwar – given the actual war going on in Europe for the last three months.
Critical infrastructure, such as hospitals, electrical systems, and transportation, were identified as a priority even before the start of the Russia-Ukraine war.
The bloc is pushing for greater standardization amongst European cybersecurity legislation and regulations. According to the European Union’s cybersecurity agency, standards are essential in terms of strengthening security and ensuring that cybersecurity measures are aligned across member states.
These efforts are carried out by ENISA, the EU’s cybersecurity agency, which collaborates with the European Commission and European standards agencies such as ETSI, CEN, and CENELEC.
The new directive called NIS2 is a notable initiative. NIS2 establishes the standard for cybersecurity risk management procedures and reporting requirements in all sectors covered by the regulation, including energy, transportation, health, and digital infrastructure.
The amended directive is an attempt to eliminate inconsistencies in cybersecurity regulations and cybersecurity implementation between member states. To that end, it establishes minimum regulatory framework regulations and structures for effective collaboration among appropriate authorities within every member country. NIS2 also revises the list of industries and activities that have cybersecurity duties and includes both solutions and sanctions to guarantee compliance.
What about Asian governments?
Asian countries also claim to be focused on the security and resilience of main information infrastructures, including operational technology, industrial control systems, supervisory control and data acquisition systems, as well as essential industries like telecommunications and finance.
They understand the necessity of adopting cyber resilience at the individual, societal, national, and global levels, but they still need to define cyber resilience and describe the goals, measurements, and routes (particularly policies, programs, and technologies) that will lead to enhanced resilience.
Although India, for example, lacks a comprehensive cybersecurity law, IBM is preparing a multi-million-dollar investment to help companies plan for and manage the rising threat of cybercrime across the Asia Pacific (APAC) region. The culture and mental approach in parts of the region makes the task very difficult to undertake.
China is a better example. After considering factors that can threaten the country’s critical infrastructure (CII) like:
- “The harm to the business continuity of CII caused by interruptions in the supply of products and services;
- […] Risks of theft, disclosure, damage, illegal use, or cross-border transfer of core data, important data, or large amounts of personal information;
- Risks of influence, control, or malicious use of CII, core data, important data, or large amounts of personal information by foreign governments, or cybersecurity risk caused by foreign listing; and
- Other factors that may endanger CII security and national data security”.
China (or, more specifically, the Cyberspace Administration of China) announced the New Measures for Cybersecurity Review (the “New Measures”).
If national security will or may be damaged, the “New Measures” require CIIOs (critical information infrastructure operators) who purchase network products and services and network platform operators who conduct out data processing operations to submit for cybersecurity review.
When acquiring a network product or service, CIIOs are required to assess any national security risk that may occur as a result of its use. Any “core network equipment, important communications product, high-performance computer or server, mass storage equipment, large database or application, network security equipment, cloud computing service, or any other network product or service that has an important influence on any critical information infrastructure’s security” is referred to as a “network product or service.”
Control is much more efficient than trust in the Chinese regime, which makes it very efficient in gaining initial uptake in protection.
The Role of Cybersecurity in World Politics
Despite the different approaches taken by various countries in terms of cybersecurity, politics, and the approaching cyberwar, it’s obvious that cybersecurity has solidified its spot as one of the top national security challenges of the 21st century.
Certainly, different communities interpret “security” in cybersecurity differently. On a fundamental level, digital technology security is based on risk management techniques created by computer professionals to help make computers and computer networks more reliable. Yet, recent major cybersecurity incidents, including the attacks on healthcare institutions, show that cybersecurity is also very much about protecting people and their interests, not just information security. I believe this is critical when faced with a global cyber conflict.
However, cybersecurity keeps evolving as a politically relevant issue and it does that at the junction of rapid advances in technology, political and strategic use of these instruments by state and non-state actors, and various state and private sector efforts to describe appropriate responsibilities, legal perimeters, and proper norms of conduct.
Keeping the Guard Up
With the actual war that’s going on between Russia and Ukraine and all the news about cyberattacks we hear on a daily basis, it’s clear that a world cyberwar is, on many levels, already here.
One of the most serious risks nations face today is state-sponsored cyber warfare, which is developing against the sharp increase in geopolitical and geoeconomic tensions.
State and non-state actors now have greater technical expertise, motives, and economic ability than ever before to disrupt a country’s essential infrastructure. An attack on key infrastructure in one part of a country can cause major problems in other areas.
Moreover, individuals and organizations are now more than ever reliant on digital communication, in almost every area of their lives. Every second, an estimated 127 new devices connect to the internet globally, so any interference in telecommunications technology can be perceived as a major impediment to innovation and a setback to all types of everyday activities (business, banking, healthcare etc.).
Here are a few national cybersecurity strategies that I think every government should adopt to make sure the state they lead stays as safe as possible:
- clearly define rules governing all cybercrimes;
- develop a national incident response and recovery strategy;
- create/cement a dedicated national cybersecurity agency and a national critical infrastructure protection program;
- boost research and innovation.
A thorough retaliation program might also be a strong deterrent in the future cyberwar and it certainly cannot be excluded.
Wrapping Up
So… are politicians taking cybersecurity seriously?
Short answer is that cybersecurity is on the menu, but it’s not the main dish, even though we eat it every day. Cyber or information technology is part of everything you consume today, whether it’s healthcare, energy, air traffic, or food production, but it’s not a popular topic in politics and hence it gets less attention than it deserves. Thus, I’d still be inclined to say no. Biden is not ready for a real cyberwar with Russia. Boris Johnson has a lot of good initiatives coming out of the UK, but they are struggling for a foothold in actual usage and the EU has a good baseline on data protection but lacks guidance on how to actually execute it.
The more granular answer will be that when it comes to the role of cybersecurity in world politics, we see that some states are more prepared than others to face the cyberwar to come. Cybersecurity is receiving more and more attention at the international level and is being included in the mechanisms of (major) state competition and cooperation, both as a trigger and a result.
Clearly, the United States’ recent moves have strengthened its position as a key player in the future cyberwar. If the other Western states are to have a chance, they must also catch up. I don’t think, looking at the entire map at this point, that the West is ready for a cyberwar with Russia – or China for that matter.
It’s mandatory for every government to understand that wars are fought on many fronts today and that cyberattacks on critical infrastructure can have effects just as devastating as battlefield combats (yes, human casualties included).