In recent years, a criminal gang pulled off a series of bank robberies without having to walk into any bank. According to International Business Times, the Carbanak crime syndicate — made up of computer hackers from Russia, Ukraine, elsewhere in Europe, and China — used malware to steal around US$1 billion from approximately 100 financial institutions over a two-year period starting in 2013. These thefts continue today, and are part of a global plague of cybercrime with annual costs that are estimated to range from $445 billion to more than $1 trillion.
Although cybercrime is a visible concern for companies and governments in industrialized countries, one of its most pernicious effects is still largely unrecognized: It could hamper the growth of emerging economies around the world. Digitization in most emerging countries has become a key business enabler for public and private organizations. In Middle East countries that are not in the Organisation for Economic Co-operation and Development (OECD), for instance, digital markets are expanding at an overall compound annual growth rate of 12 percent and are expected to be worth $35 billion by 2015. But wherever digitization takes hold, vulnerability to cyber-attack also emerges. That vulnerability diminishes the confidentiality, integrity, and availability of information that governments, businesses, and individuals alike rely on heavily.
Emerging markets are particularly vulnerable because they tend to have highly concentrated economies — such as the oil and gas sectors in many Middle East countries. The core industries often become attractive targets for saboteurs; for example, two major oil and gas companies in the Middle East, Saudi Aramco and RasGas, have been attacked since 2012. The banking industry is also susceptible; reports on the Carbanak thefts said they affected financial institutions in several emerging markets: Romania, India, China, Russia, Pakistan, Nepal, Morocco, and Bulgaria. (No individual banks were identified.)
There is good reason to believe that such gangs will continue targeting banking systems in the Middle East and Africa, Eastern Europe, Southeast Asia, and Latin America, especially when they discover how exposed these systems can be. To secure their economies, the leaders of these countries must urgently and aggressively promote a national, strategic approach to cybersecurity.
Cyber-attacks, of course, are unavoidable. What matters is how policymakers in emerging markets manage this threat. Too often, their responses are tactical; they approach cybersecurity as a technical issue requiring a technical fix. At the same time, the shortage of home-grown talent creates obstacles to developing essential cybersecurity capabilities. The result is a patchwork that leaves gaps and creates new weaknesses for criminals or hostile states to exploit.
A better approach is to establish a national cybersecurity strategy, undertaken by a lead cybersecurity entity at the highest national level of government, with prominent businesses involved. Such an approach increases the level of protection for all digital ecosystems and makes good use of the presence of large state-owned companies. It also offers an important economic payoff because cybersecurity is a critical enabler of digital expansion. For instance, emerging markets are lagging behind in developing electronic transactions, in large part because of a lack of trust among consumers and vendors.
To achieve a world-class level of cybersecurity, a country needs a strategy that is comprehensive, collaborative, and capabilities-driven:
Comprehensive: Ensuring the cybersecurity of a country is a complex undertaking. A wide array of elements from the public and private sectors, as well as not-for-profits, must be aligned, which requires a large, centrally led effort. This may sound counterintuitive, given that so many organizations now stress decentralization and local initiative, but in the case of cybersecurity, centralization is critical to ensure that national standards are set by an impartial, civil body. Although the exact form of this leadership will vary by country, in each case the central national cybersecurity body should be responsible for defining and supervising the initiative’s agenda. To ensure its impartiality, the central body should be independent of other organizations, such as ministries, councils, or regulatory authorities. It should report directly to the country’s top leaders.
Collaborative: Collaboration between the private and public sectors, between the government and citizens, is vital to defend a country’s digital assets. Although all the people and organizations using a country’s digital networks have a stake in preserving those networks’ security, such a broad level of collaboration is difficult to achieve. Few government agencies and private companies are willing to admit publicly that they have been victims of cyber intrusions, which means vital information that could prevent other attacks isn’t shared.
In many emerging markets, collaboration between the state and significant industries is relatively easy because the two already have close relationships. This collaboration can be expanded in a national cybersecurity context. With the help of sector regulators, a country can establish operational responsibilities for relevant corporate stakeholders. A country also can build cybersecurity programs into its existing state economic programs to develop digital capabilities and human capital.
Meanwhile, it is important to engage and educate citizens so that they understand the basics of cybersecurity and can behave responsibly online; for example, they can learn to recognize hackers’ efforts to “phish” secret information from them by impersonating banks online. Similarly, governments of countries with common interests should push to establish regional bodies to share responsibility for and lessons learned about cybersecurity — after all, cyber-criminals don’t recognize borders.
Capabilities-driven: A strategic approach to national cybersecurity can help build robust capabilities for constructing safe systems – and for defending them from attack. This construction requires well-designed information assurance standards, regular and ongoing measurement and testing of cybersecurity, and the establishment of a security mind-set in the decision making and daily activities of the state, the private sector, and citizens. It can also include scenario-planning (thinking in advance about potential attacks and their impact), a national incident-response plan, and the establishment of threat neutralization and cyberlaw enforcement organizations.
Emerging markets also need to provide incentives to attract people to the cybersecurity industry – incentives that include generous financial packages. They will need to create academic cybersecurity curricula that are consistent with what the public and private sector need, courses that are also in line with national talent development plans. Emerging markets also should fill the talent gap through collaborative programs with international organizations and promote international and regional awareness of cybersecurity by hosting world-class conventions.
Creating and implementing a national cybersecurity strategy is a substantial undertaking — it is more challenging than simply calling in the technical experts. For emerging markets, a casual approach to national cybersecurity could undermine the potential benefits of digitization and prove to be even more costly than clever bank robberies.