Digital Dividends. The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet. world development report BACKGROUND PAPER - PDF

Please download to get full document.

View again

of 17
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Information Report



Views: 11 | Pages: 17

Extension: PDF | Download: 0

Related documents
world development report BACKGROUND PAPER Digital Dividends The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet Johannes M. Bauer and William H. Dutton Quello Center, Michigan
world development report BACKGROUND PAPER Digital Dividends The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet Johannes M. Bauer and William H. Dutton Quello Center, Michigan State University The New Cybersecurity Agenda: Economic and Social Challenges to a Secure Internet 1 Johannes M. Bauer and William H. Dutton Quello Center, Michigan State University 2 June 2015 Abstract This paper focuses on key economic and social factors underpinning worldwide issues around cybersecurity and, identifies a new agenda for addressing these issues that is being shaped by the Internet and related information and communication technologies, such as social media. All actors in the widening ecology of the Internet require a better social and cultural understanding of cybersecurity issues in order to effectively engage all relevant stakeholders in processes aimed at enhancing cybersecurity. The problems tied to cybersecurity are not new, but as the Internet becomes ever more essential to everyday life and work, and empowers users as never before, there are new social and economic aspects of the challenges to achieving a secure, open and global Internet that require much more focused attention. For years, computer scientists and engineers have recognized that cybersecurity is not merely an engineering and computer science problem, but also an economic and behavioral challenge. But recognition of the fact that cybersecurity cannot be successfully addressed with technical solutions alone, is not sufficient. It is critical that economists and other social and behavioral scientists engage in this area and address the practices of a wider range of actors in local and global arenas who need strategies that provide feasible and practical steps for securing the Internet and the incentives and mindsets to take them. 1 This paper has been written as a briefing document in support of the World Development Report. The authors thank the World Bank and David Satola in particular, for requesting our views, and providing guidance, but we wish to emphasize that the views and opinions expressed in this paper are those of the authors and do not necessarily represent those of the World Bank or any other organization. 1 Introduction Cybersecurity concerns the technologies, processes, and policies that help to prevent and/or reduce the negative impact of events in cyberspace that can happen as the result of deliberate actions against information technology by a hostile or malevolent actor (Clark et al. 2014: 2). Efforts to bolster cybersecurity are facing a growing range of challenges as the Internet continues to play an increasingly central role in the social and economic development of nations across the world. This is true in every nation, but is particularly the case in the rapidly developing nations, where the Internet s role presents a newer and even more empowering potential for their global role (Dutta et al. 2011). The range of problems tied to security in the online world is large and growing, and becoming increasingly acute, even though there have been many efforts over the years to enhance cybersecurity (see Box 1). This is in part due to the growing centrality of the Internet in economic and social development, making it a more valuable target, but is also due to the changing dynamics of the problem, such as the growing number of users who are not only vulnerable to cybersecurity threats, but also increasingly culpable even if not directly engaging in any malevolent online activities, from flaming to cyber-bullying. 2 Attempts to address these problems have had limited success in many cases, and have not been able to stop the innovativeness of attackers to come up with new strategies, and of users to fall victim to these strategies. Moreover, the same advances in the Internet that enable more users to more easily bank and shop online, for example, are also making it easier for more individuals to use the Internet for malevolent reasons, such as in virtually democratizing cybercrime. Box 1. Cybersecurity Incorporates a Range of Separate but Interrelated Issues, including: Spamming, such as sending unwanted s, and spamdexing, such as sending spam aimed at supporting search engine optimization Theft of intellectual property (IP theft), such as illegal downloading of copyrighted music or films; Cybercrime, such as breaking laws designed for the offline world, such as those against theft or fraud, using online tools, such as in fraudulent romance scams; or Webcam image extortions Ransomware, a particular form of malware that disables a computer or an account until a ransom is paid for its removal Destroying or disrupting Internet systems and services, such as through a (distributed) denial-of-service (DoS) attack Vandalism, such as defacing a website Hacking a PC for use as a Web server for phishing, or spam; attacks, to harvest accounts; for bot use, such as click fraud zombie, Distributed DoS zombie, Spam zombie Phishing: sending s or other electronic messages to acquire sensitive information, tricking a person into sending money, opening malware, or falling for a scam or other fraudulent confidence game Spear phishing, by targeting specific individuals with information that fools recipients, such as believing the attacker is a friend, in order to obtain information 2 Users can be partly culpable through such actions as failing to protect their systems, unwittingly exposing them to bots, or not standing up for victims of cyberbullying. 2 Distributing malware, that can install a virus or other malicious code on an unsuspecting user s computer, such as a botnet, worm or Trojan horse Data breaches, such as through loss or theft of computers or electronic storage devices Identity theft, through breaching a computer system or to obtain information enabling the use of a person s identity for fraudulent access to credit card data, bank account, stock or mutual fund account, or reputation hijacking Misuse of social media in ways that can harm users, such as for cyber-bullying, cyber-stalking, and identity theft Insider threats, such as a disgruntled employee or other insider purposely undermining security protocols Cyber espionage, such as government or corporate spying or eavesdropping by illegally gaining access to or computer systems Cyber warfare, attacking the software, data, or physical computing equipment of a nation to disrupt or destroy services or infrastructures; hostage attacks So while concerns over cybersecurity have generated a wide range of initiatives, the problems are persisting, if not growing in frequency and significance. Efforts up to this point have been well conceived, but limited in their impact on the overall problem. Arguably, some issues such as spam have been addressed more effectively, often due to the potential for technical responses to be diffused widely. Yet even in this case, the problem must be constantly addressed: spammers create new ways to reach users, and the incentives behind spamming continue to evolve, such as spamdexing, aimed at optimizing the visibility of a website to search engines. Recognition of these growing problems has led many individuals, communities and institutions to raise the priority of cybersecurity. For example, the launch of the Global Cyber Security Capacity Centre at the University of Oxford was met with worldwide interest, and generated many commitments to participate in tackling a problem that was widely perceived to exist. 3 And there have been many other efforts undertaken by a multiplicity of stakeholders. While there are cases in which these initiatives have had temporary success in reducing particular problems of cybersecurity, they have not been able as yet to have a lasting impact on a wide range of problems that are rapidly morphing into contests ranging from cat and mouse games to cyber warfare. Perhaps the problems would be far greater had cybersecurity initiatives not been championed, but the problems continue and are perceived to be growing worse as the technology is valued more. Not all responses have been effective, such as public awareness campaigns that rely only on fear, and do not provide remedies. 4 Another ineffective response has been to blame others. For example, technical experts in cybersecurity tend to view many actors outside their specialized area as relatively unresponsive to the problem, generating a politics of blaming the users, or blaming commercial enterprises for thinking that increasing security is a strategy for losing customers. Instead, there needs to be a reconsideration of approaches to cybersecurity that are more sensitive to, and aware of the economic and social aspects of the problems, such as why users do not always follow the best practices recommended by the technical security community. 3 [Last accessed May 11, 2015]. 4 See a working paper on the problems with public awareness campaigns: [Last accessed May 17, 2015]. 3 What can be done to support more effective approaches to addressing global and multi-stakeholder actions to enhance cybersecurity for the digital age? Cybersecurity has been high on the agenda of governments, players in the IT industries, and in the many civic groups participating in Internet governance, but paradoxically, the problems are growing and becoming more urgent to address. Because some conventional approaches have not been effective ways of addressing the problem, it is important to challenge conventional wisdom and rethink the ways we address cybersecurity. Outline of this Paper The paper begins with a brief introduction to some new elements in an evolving cybersecurity landscape. While not a new issue, we argue that there are key challenges that are raising its significance around the world. This is followed by a broad overview of the widely distributed costs and benefits across the ever-changing and complex global ecology of actors shaping cybersecurity. With this introduction, the paper discusses the incentives of different actors, which might be a central focus of efforts to address the problem. This is followed by an empirically anchored perspective on the attitudes, beliefs and practices of users, a principal issue arising from the incentive structures and costs and benefits associated with cybersecurity. Based on the changes in the cybersecurity landscape, the distribution of costs and benefits, the need to change incentive structures, and the beliefs, attitudes and behavior of users, the paper identifies approaches to addressing cybersecurity in the digital age suggesting a new agenda for moving forward. The paper ends with a brief summary and conclusion. New Features of the Evolving Cybersecurity Landscape The security of telecommunications has been a problem over the centuries, from the use of carrier pigeons to the coming Internet of Things. The Internet was designed to support the sharing of computer resources, including computers and data over networks, rather than to provide security. But with the rise of the Internet, and its use for more basic activities, such as banking and commerce, recognition of cybersecurity as a key problem for the Internet age has increased, albeit not a new issue (e.g., NRC 1991; NRC 2002; Clark et al. 2014: ix). 5 Technical developments, research, public policy initiatives, and practical steps for users have been evolving over the years to strengthen cybersecurity. For example, the global Internet governance community has focused attention on security issues, and this has led to many regional and national initiatives. These include such organizational innovations as the Internet Corporation for Assigned Names and Numbers (ICANN) forming the Security and Stability Advisory Committee (SSAC) in 2002; development of the European Network and Information Security Agency (ENISA); the creation of national Computer Emergency Response Teams (CERTs), designed to improve the security of a country; and Computer Security Incident Response Teams (CSIRTS), which are typically organized with multiple stakeholders (DeNardis 2014: 90 95). In 2004, the London Action Plan (LAP), an international cybersecurity enforcement network, was founded. Focusing on spam, it grew to include 47 government organizations from 27 countries, 28 private-sector organizations from 27 5 A full range of reports on cybersecurity by the Computer Science and Technology Board of the US National Research Council provides a sense of the history of rising concerns over this issue. See: [Last accessed May 26, 2015]. 4 nations, and six observer organizations. 6 There have also been initiatives mainly driven by business, such as the Messaging Anti-Abuse Working Group (MAAWG), formed by members of the messaging industry to address issues such as spam. And there have been global collaborations, such as the global Forum for Incident Response and Security Teams (, which has enrolled more than three hundred members from all continents. And there have been numerous intergovernmental initiatives such as the Council of Europe s Convention on Cybercrime adopted in 2001, ratified as of April 2015 by 45 countries including six non-european nations. 7 However, the scale and severity of the problems appear to be rising along with the growing centrality and ubiquity of the Internet in an Internet-enabled, hyper-connected world. In parallel with the rise of the Internet, there has been a commensurate growth in cybercrime. Problems with spam continue to be a problem for Internet Service Providers (ISPs) and users (Krebs 2014). Threats to privacy have been growing with the development of social media and big data computational analytics, threats that were dramatically exposed by the revelations of Edward Snowden in Corporate and government networks have been under attack, such as the cyberattack on SONY and larger US retailers such as Target and Home Depot, and alleged attacks on the Internet infrastructure of the Democratic People s Republic of Korea. Nevertheless, efforts to address the problems have not been sufficient to reduce what appears to be a rising array of cybersecurity problems. There are many reasons for the difficulties confronting cybersecurity initiatives. Many key actors, including users, have been slow to adopt practices that could enhance their security online. Motivating a wide range of actors across the globe, including over three billion users, to change the way they do things is not only a technical issue. It also requires an understanding of how each actor views cybersecurity, such as their level of awareness, and how they are incentivized to ignore or adopt practices that could protect themselves and others in the online environment. For example, the provision of cybersecurity is often difficult and costly, which might mean that accepting some level of insecurity is economically rational (Anderson and Moore 2006; Moore, Clayton and Anderson 2009), such as when individuals accept the potential risks of online commerce, or organizations decide to accept the costs of compensating victims rather than impose security precautions that may be perceived as cumbersome or off-putting by customers. Several developments on the cybercrime side also contribute to the potentially wicked nature of the problem. 9 Increasing global connectivity allows criminals to launch attacks using servers and machines in other countries. While controlled remotely by criminals from around the world, the vast majority of malicious messages are sent via US Internet infrastructure, although other highincome countries also rank high. Likewise, the majority of malware is hosted by legitimate 6 See: [Last accessed May 26, 2015]. 7 See [Last accessed May 27, 2015]. 8 [Last accessed May 17, 2017]. 9 The concept of wicked problems is meant to emphasize problems that are exceedingly complex, dynamic, and difficult, if not impossible, to solve. 5 providers such as Amazon, GoDaddy, or OVH Hosting (France), but this is aggravated by business models of ISPs and hosting providers that emphasize anonymous transactions. 10 Anonymity raises another limitation on cybersecurity initiatives, which is the need to balance security with other valued objectives, such as privacy and freedom of expression. One real risk of the push for cybersecurity is the potential to undermine other key values and interests that can be enhanced over the Internet. There is a need to balance these sometimes compatible but sometimes competing objectives, such as the tensions between cybersecurity and surveillance tied to national security (Clark et al. 2014: ). Other things being equal, businesses and individual users in higher income countries are more appealing targets. As incomes in low- and middle-income countries increase, even if these increases are unevenly distributed, users in these countries become more appealing targets as well. Historically, while attacks may have been launched by criminals in countries that have poor income opportunities, they were orchestrated via nodes in countries with good connectivity (the largest number of botnet-infected machines continues to be in the United States). However, as global and regional connectivity improves, we can expect that pattern to change, with an increasing share of malicious activity launched in regions that currently only show weak activity, such as Africa. One key trend in high-income countries is the increasing number of targeted attacks. In 2013, eight incidents each compromised data of more than ten million individuals. A total of 253 major security breaches exposed 552 million identities (Symantec 2014: 13). Similar developments characterized These attacks, such as the compromising of point-of-sales terminals, are difficult for users to avoid. Another growing phenomenon is ransomware, attacks in which users access to information is blocked (e.g., by encrypting it) unless a ransom is paid. With the increasing use of mobile devices and social media, these platforms are used more often to launch attacks. As users in developing countries embrace smartphones, and more transactions take place online, it is only a matter of time before attack activities will also migrate to these regions. Over the past decade, the cybercriminal underworld has developed an increasingly differentiated organization, with specialists emerging in the harvesting of addresses, the development of malware, assembly and leasing out of botnets, market places for stolen data, and multiple ways to monetize illegal transactions (Holt 2012). This division of labor among specialists has increased the sophistication and virulence of attack tools while reducing their price (Franklin et al. 2007). The emergence of online markets for these tools has made them widely available (Holt 2012; Ablon, Libicki and Golay 2014). Combined with the low probability of being caught or prosecuted, given the complexities of international law enforcement in this area, this has improved the ratio of expected rewards to expected costs as seen from a cybercriminal s vantage point. One consequence of these developments has been an increasingly central focus on the role of social and behavioral issues in addressing cybersecurity. Too often, cybersecurity has been left to the computer experts in the computer sciences and engineering, or to the information technology team in an organization. While their technical knowhow and contribution to a secure organization as 10 See CSIS and McAfee (2014) and the blog entry at [Last accessed May 26, well as to a secure, open and global Internet has been and will remain great, initiatives to address growing problems with cybersecurity face several new challenges that require contributions from many more disciplines and actors. These challenges include: 1. A New Range of Actors and Motivations The Internet and related information and communication technologies (ICTs), such as social media, mobile Inte
View more...
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks