The role of cybersecurity and data security in the digital economy

+ 1. Summary

The economic cost of information and technology asset security breaches in 2020 was a staggering USD 4-6 trillion, equivalent to about 4-6% of global GDP. Data security and cybersecurity each seek to maintain the confidentiality, integrity and availability of information assets. Most cyberattacks are financially motivated. Typically, a threat actor will infiltrate the target system and then employ malware to extract information assets, withdraw funds, demand a ransom, or carry out other misdeeds.

Strengthening cybersecurity requires coordinated action. The ITU has a cybersecurity capacity building programme for developing countries. At least 114 national governments have adopted cybersecurity strategies and 118 have established national Computer Security Incident Response Teams (CSIRTs). Many have set up cybersecurity agencies and some have established sector CSIRTs to protect critical infrastructure. Many are updating criminal laws and strengthening enforcement. The Council of Europe Convention on Cybercrime, which promotes international harmonization in the investigation and enforcement of cybercrimes, has been joined by 45 member states and 22 states in Africa, the Americas, and the Asia-Pacific.

In addition, national and international standards organizations have developed cyber risk management frameworks. Enterprises are also increasingly establishing their own internal CSIRTs. Public and private institutions have increased the focus on awareness and education. Developed countries are investing to close the global cybersecurity skills gap of needed workers.

+ 2. Considerations while reading this brief

• Which challenges related to cybersecurity and the digital economy are most prominent in your market, both a) in general and b) for underserved groups such as women and low-income people?

• Do cybersecurity and data security regulations in your country address:
  • Digitization: The application of cybersecurity and data security regulation to the digital economy?
  • Inclusivity: The specific cybersecurity and data security challenges faced by women, low-income people, and/or other underserved groups?

• Which entities are responsible for the regulation of cybersecurity and data security? Are responsibilities clear, and are mechanisms in place to avoid regulatory arbitrage? If not, how could this be improved?

+ 3. Nature and importance of data security and cybersecurity

Securing the confidentiality, integrity and availability of information assets

The terms data security and cybersecurity are often used interchangeably because both seek to protect information assets (valuable data and information)⁴ and secure technology assets (hardware, software, systems, servers, networks and other electronic containers that collect, process, transport, store and retrieve information assets). The distinction is subtle, with data security emphasizing direct protection of information assets themselves and cybersecurity emphasizing securing technology assets as a means to protect information assets.

Both data security and cybersecurity seek to maintain the confidentiality, integrity and availability of an organization’s information assets. In this context, confidentiality means ensuring access to information assets is limited to authorized persons and systems; integrity means ensuring information assets remain in the condition intended by the owner; and availability means ensuring reliable access to information assets by authorized persons and systems. These three security pillars are known as the CIA triad.

A security incident is an event that compromises the integrity, confidentiality or availability of information assets, a data breach is a security incident that results in disclosure of confidential data to an unauthorized person, and a cyberattack is an unauthorized attempt by a threat actor to compromise information or technology assets. Security threats to information and technology assets today are wide-ranging and evolving.

The growing importance of information and technology assets

Public and private enterprises are amassing massive and growing volumes of information assets as individuals are also increasingly creating, collecting, sharing and consuming data. Enterprises and individuals rely increasingly on information and technology assets to provide or procure goods, services and information. Enterprises and individuals are also entrusting their information to other enterprises or individuals at growing rates. In both high-income and developing countries, individuals are embracing digital technologies. The percentage of developing country households with a home computer grew from 15.6% in 2005 to 36.1% in 2019, while mobile phone subscriptions per 100 people grew three-fold globally and four-fold in low- and middle-income countries between 2005 and 2020. Moreover, in 2020, the number of registered mobile money accounts grew by 12.7 per cent globally to 1.21 billion accounts – double the forecasted growth rate.

The increasing threat of security breaches

As developing country enterprises become increasingly reliant on information and technology assets, they face similar security threats to their counterparts in developed countries. For example, there have been multiple security incidents related to digital financial services, such as unauthorized third-party access to corporate information systems gained by luring unsuspecting employees to disclose user login information in Ghana, Kenya, Tanzania, Uganda and Zambia, an outage during a system upgrade in Zimbabwe, and a malicious denial-of-service attack in Kenya. More broadly, one cybersecurity firm reported 24 million malicious software incidents in Africa in 2016, and in the same year, Ghana’s financial sector alone was reported to experience more than 400,000 incidents related to malicious software. Traditional infrastructure assets in developing countries also are increasingly reliant on information and technology assets, such as for the monitoring and management of electricity grids. Cyberattacks on such assets are increasing, for example disrupting electricity supply in Ukraine in 2015 and 2016 and in South Africa in 2019.

The economic cost of security breaches

The global direct monetary losses from cybercrime in 2020 were estimated to have nearly doubled to USD 945 billion from USD 522.5 billion in 2018, while spending on cybersecurity in 2020 was expected to exceed USD 145 billion, together comprising 1.3% of global GDP. In 2017, cybercrime cost Africa an estimated USD 3.5 billion in direct losses.

These estimates exclude indirect costs to victims such as opportunity cost, downtime, lost efficiency, brand disparagement, loss of trust, intellectual property infringement, and damage to employee morale. They also exclude systemic costs such as supply-chain impacts on upstream suppliers and downstream customers. The full economic cost of cybercrime, including direct, indirect, and upstream systemic costs, has been estimated at three times its direct cost – putting 2020 total global cost near USD 4 trillion, about 4% of global GDP. This figure aligns with estimates that annual all-in global cybercrime costs will be USD 6 trillion in 2021.

Developing country enterprises face outsized cybercrime losses, such as the USD 81 million Bangladesh Bank heist in 2016. This followed similar earlier incidents in Ecuador, India, Poland, Russia, Taiwan and Vietnam.

+ 4. Threats and motives

Threat actor motives

It has been estimated that 70% of security incidents in 2020 were financially motivated and organized crime was behind 80% of data breaches. However, some threat actors, known as hacktivists, are motivated by political, socio-cultural or religious ideology. In June 2011, hacktivists attacked MasterCard’s website, causing it to crash, in protest of the blocking of payments to WikiLeaks. Others are motivated by vanity, revenge, outrage, or other non-financial objectives. State-sponsored threat actors may pursue geopolitical or military objectives through cyber espionage, interfering with foreign elections or sabotaging public services to undermine the political stability of adversaries.

Threat actor methods

Threat actors often combine a series of actions to pursue their objectives. The first step is usually to infiltrate the target system by gaining unauthorized access to information or technology assets. Sometimes access is gained by using technologies to penetrate firewalls designed to prevent unauthorized access. One example is the March 2017 data breach of Equifax, the global credit reporting agency, exposing personal data of 147 million consumers. Equifax was initially hacked through a consumer complaint web portal. The hackers exploited a security vulnerability allowing them to obtain usernames and passwords to access further systems and pull data out of the network.

Increasingly, threat actors gain access through social engineering, convincing insiders to unwittingly enable intrusions. The most common form of social engineering is phishing attacks whereby a perpetrator is disguised as a trusted party (including spear phishing, which is targeted and personalized to individual insiders). One study found social engineering was employed to support infiltration in 92% of data breaches in 2020.

In a distributed denial of service (DDoS) attack, the threat actor obtains unauthorized access to third-party computers. The threat actor then commandeers the compromised systems, using them as zombies or bots, to launch an attack on the targeted network resource. By releasing a flood of incoming messages or connection requests to the targeted system, the threat actor forces it to slow down or crash, denying service to legitimate users or systems. DDoS attacks often have non-financial motivations.

Once gaining access, threat actors typically employ malware (malicious software used to extract information assets) and may withdraw funds or demand ransom payments (using malware known as ransomware). The European Agency for Cybersecurity (ENISA) reported that malware was Europe’s top cybersecurity threat from January 2019 through April 2020. One study found that malware was employed to locate, access, and capture data in a majority of 2020 data breaches. The same study found that denial of service hacking was involved in almost 60% of all security incidents.

+ 5. Public and private countermeasures to strengthen cybersecurity

Strengthening cybersecurity requires coordinated action by international institutions, governments, enterprises, civil society, and individuals.

International cooperation and coordination

The long reach and fast pace of the digital ecosystem transcends borders and enables bad actors to act anonymously and quickly, adversely impacting vast swaths of humanity. International institutions are stepping in to facilitate cooperation on cybersecurity matters. The UN first addressed the topic in the World Summit on the Information Society (WSIS), held in Geneva in 2003 and Tunis in 2005. These sought to increase Internet access in the developing world, develop a global culture of cybersecurity, and increase cooperation among countries on cybercrime. At the 2003 Geneva summit, the International Telecommunication Union (ITU) was designated as facilitator for WSIS cybersecurity actions to build confidence and security in the use of Information and Communications Technologies. The ITU has established a cybersecurity programme that offers developing countries capacity building support. The UN Office of Counter-Terrorism has also established a cybersecurity programme.

National government initiatives in cybersecurity

Digital technologies have disrupted legacy public safety frameworks, which are often not fit-for-purpose to protect against cyberattacks. Legal and policy reforms and implementing activities are required in every country to meet ever-growing cybersecurity challenges.

A national cybersecurity strategy

Facing these challenges, many governments have adopted a national cybersecurity strategy, which is an action plan to improve security and resilience of national infrastructure and services. These strategies reflect high-level, top-down approaches to cybersecurity that establish national objectives, priorities, and timelines.

The first national cybersecurity strategy, the US Government’s National Strategy to Secure Cyberspace, was released in February 2003 after the 11 September 2001 terrorist attacks on the World Trade Center. Cybersecurity plans with more limited focus were adopted in Germany and Sweden in 2005 and 2006. The world’s second broad national cybersecurity strategy was published by Estonia in 2008 following a severe cyberattack in 2007.

The approach of adopting national strategies has now gained significant traction. The European Union Agency for Cybersecurity (ENISA) has recommended cybersecurity strategies for all EU member states since 2012 and maintains extensive resource materials on national cybersecurity strategies. In 2018, the ITU co-published a Guide to Developing a National Cybersecurity Strategy with the World Bank and other institutions. At least 114 countries have adopted or are in the process of adopting a national cybersecurity strategy, including 17 in sub-Saharan Africa, 18 in the Americas, 11 Arab states, 21 in the Asia-Pacific, 6 in the Commonwealth of Independent States, and 41 in Europe.

A dedicated agency for cybersecurity

Many countries have established standalone national cybersecurity agencies to provide leadership. Such agencies can direct development of cybersecurity policy and coordinate implementation across all sectors. They may also serve as the official government voice and point of contact in case of cybersecurity incidents. Based on data for 198 economies, the World Bank recently found that standalone cybersecurity agencies had been established in 86% of high-income countries, 65% of upper-middle-income countries, 66% of lower-middle-income countries, and 24% of low-income countries.

National, regional, and sectoral incident response teams

To prepare for security incidents, organizations have established computer security incident response teams (CSIRTs), also known as computer emergency response teams (CERTs). To coordinate preventive measures and incident responses across the national territory, governments have established or designated national CSIRTs (nCSIRTs) with specified cybersecurity responsibilities.

Because it is external to its constituency, an nCSIRT typically has limited authority to access or implement security measures within the information and technology assets of its constituents. Its focus is on coordination of response, analysis of threats and incidents, and other forms of support. The UN has recommended that member countries establish nCSIRTs and support and facilitate cooperation among nCSIRTs across borders. The ITU has conducted nCSIRT assessments for 79 countries, helped 14 countries establish or enhance their nCSIRT, and confirmed that at least 118 countries had established nCSIRTs by March 2019.

In some industries, sector CSIRTs enable public and private sector stakeholders to join forces to address risks, threats, and other challenges that are unique to a particular sector. A key focus of sector CSIRTs is protecting critical infrastructure essential for society and the economy to function and protecting national security. A country’s critical infrastructure may include information and technology assets used for energy, transportation, finance, banking, healthcare, food, water, other essential supply-chains, and critical government activities. The United States Department of Homeland Security (US DHS) has identified 16 sectors for critical infrastructure. Under national laws, operators of critical infrastructure may be legally required to comply with enhanced security standards and procedures and establish incident recovery plans to mitigate harm and foster resiliency after a cybersecurity incident. These activities may be coordinated through a sector CSIRT. US DHS continues to monitor and update laws and regulations as it sees gaps in the existing legal framework. For example, when the Colonial Pipeline was hacked, US DHS issued two cybersecurity directives governing pipelines.

Cooperation and coordination also occur among nCSIRTs, sector CSIRTs, and individual enterprise CSIRTs internationally through the Forum of Incident Response and Security Teams (FIRST). FIRST’s current membership includes 585 CSIRTs in 98 countries.

Some nCSIRTs have banded together regionally to enhance their efforts dealing with cross-border cyberattacks, such as the Asia Pacific Computer Emergency Response Team (APCERT), which includes 33 nCSIRTs from 23 economies across the region. Other similar organizations include AfricaCERT, with nCSIRTs and other members in 26 African countries, and OIC-CERT, under the remit of the Organization of Islamic Cooperation, with nCSIRTs and other members in 30 countries. ENISA supports cooperation among European CSIRTs.

Updated criminal laws and law enforcement capabilities

Developing fit-for-purpose criminal laws and law enforcement capabilities is essential to cybersecurity efforts. Updated substantive criminal laws are needed when legacy criminal laws do not cover acts committed in the digital ecosystem. Many governments have begun to analyse and update national laws to close gaps. Common offences that may be added are:

• Unauthorized access to information or technology assets (hacking);

• Unauthorized monitoring of communications;

• Unauthorized interception or alteration of information assets;

• Unauthorized interference with an information system; and

• Misuse of devices and software.

Cybercrime laws may also address more traditional crimes, such as fraud, forgery, and intellectual property infringement, when they occur in the digital ecosystem. New restrictions on online content (such as child pornography) or online behaviour (such as cyberstalking or cyberbullying) have also been added.

Law-enforcement agencies also need new criminal procedures, powers, and tools to investigate and prosecute cybercrime. These include computer forensics capabilities in investigations, procedures to preserve and seize electronic evidence, and mechanisms to promote cooperation of the private sector in threat identification and investigations.

Law enforcement against cybercrime also faces jurisdictional challenges due to its inherently borderless nature. Perpetrators can act quickly and from any location, using compromised third-party technology assets to mask their identity. For example, the 2017 WannaCry ransomware attack impacted 200,000 computers in 150 countries. A harmonized approach to cybercrime legislation and enforcement can facilitate investigative and enforcement efforts across jurisdictions.

The Council of Europe’s Convention on Cybercrime, which entered into force in 2004 and is known as the Budapest Convention, is the only binding international treaty on crimes committed via the Internet and other computer networks. Its main objective is to pursue a common criminal policy against cybercrime by adopting appropriate legislation and fostering international cooperation. It addresses network security violations, computer-related fraud, copyright infringement, and child pornography. It also defines powers and procedures for officials to search computer networks and intercept communications. Originally conceived as a European treaty, the Budapest Convention has been joined by 45 of 47 Council of Europe member states and 22 non-members from Africa, the Americas, and the Asia-Pacific. It remains open for other states to join.

The African Union adopted a Convention on Cyber Security and Personal Data Protection in June 2014. It will not enter into force until ratified or acceded to by 15 countries and has only been signed by 14 countries and ratified by 8. Meanwhile, six African countries have joined the Budapest Convention. The Organization of American States (OAS) has not adopted a cybersecurity treaty. It addresses cybersecurity in the Americas through the Inter-American Committee against Terrorism (CICTE), a Cyber Security Program, and through technical assistance and training, policy roundtables, crisis management exercises, and exchange of best practices. Ten OAS members have joined the Budapest Convention. The Association of Southeast Asian Nations (ASEAN) has also not adopted a cybersecurity treaty. In April 2018, the heads of state issued a statement on cybersecurity cooperation. One ASEAN member, the Philippines, has joined the Budapest Convention.

By December 2016, some 132 countries were following the model of the Budapest Convention, including the 67 parties to the treaty.

Private sector role in cybersecurity

Government efforts to improve cybersecurity require a robust and vibrant ecosystem to succeed. In the market-based systems of many national economies, significant responsibility for cybersecurity falls on public and private enterprises. Most have a strong self-interest – and contractual and legal duties – to adopt and implement reasonable security procedures and practices. Directors and officers have a duty to creditors and shareholders to preserve and protect business assets and to exercise due care in securing information and technology assets. Many enterprises now have a chief information security officer (CISO).

Various national and international standards organizations have developed cyber risk management frameworks to guide enterprises in securing information and technology assets. These frameworks prescribe processes for enterprises to identify their information and technology assets; identify threats and vulnerabilities to those assets; assess risk of loss (as a function of probability and impact); and prescribe security controls to reduce risk to an acceptable level. Security controls include management, operational, and technical measures to protect the confidentiality, availability, and integrity of information and technology assets. Under all the frameworks, risk management is iterative and evolving.

Individual enterprises are also increasingly establishing their own internal CSIRTs to provide services and support to the enterprise in assessing, managing, and preventing cyberattacks and coordinating incident responses. Such internal teams have a clear mandate and knowledge to perform hands-on incident management activities within an organization’s information and technology assets.

Education, support, and resources for cybersecurity

Humans are the weakest link in cybersecurity, so public awareness and education are essential elements of effective cybersecurity. Public or private enterprises have good reasons to provide security awareness training to employees: to prevent security incidents, build a culture of security, strengthen technology defences, instil customer confidence, ensure compliance, be socially responsible, and improve employee wellbeing. Yet, many enterprises continue to underinvest in training. A 2020 survey of 3,500 workers in Australia, France, Germany, Japan, Spain, the United Kingdom, and the United States found that many were still unaware of fundamental best practices. Governments and enterprises also have good reasons to increase consumer awareness and education on cybersecurity. Private enterprises increasingly consider educating consumers as good business.

Capacity building is also vital. A 2019 study found a global skills gap of 4 million fewer cybersecurity professionals than needed. Developed countries are supporting training programs through public and private universities. For example, the US National Institute of Standards and Technology established an initiative to advance an integrated ecosystem of cybersecurity education, training, and workforce development. Similarly, the Australian Government established and funded Academic Centres of Cyber Security Excellence at two universities to encourage students to study cybersecurity and increase the number of cybersecurity graduates. ENISA is considering similar efforts. Governments in developing countries often lack sufficient financial resources to support cybersecurity capacity development comprehensively. However, developing countries such as Mauritius and Egypt have demonstrated high levels of commitment towards building a robust cybersecurity framework as reflected in the Global Cybersecurity Index (GCI). The ITU has also provided extensive technical support for CSIRTs, but the international community has so far not provided sufficient funding to train cybersecurity professionals in developing countries.

+ 6. Emerging issues

Work-from-home leads to new vulnerabilities

The COVID-19 pandemic and resulting lockdowns changed how many people perform basic life activities such as working, shopping, and attending school. The shift from working in an office to working remotely from home introduced and exposed cybersecurity vulnerabilities. Home computers often lack the security protocols found in the office. Firms that use third-party vendors to monitor and address cyber threats may find that these solutions do not extend seamlessly to remote work.

Cybercriminals have exploited these gaps. The US Federal Bureau of Investigation reported the number of cyberattack complaints in 2020 increased by 400% from pre-COVID rates, reaching as many as 4,000 per day. One cybersecurity vendor reported more attacks on corporate networks in the first half of 2020 than in all of 2019. The use of ransomware increased significantly. These new vulnerabilities will require enterprises and other organizations to adapt and to educate employees on how to avoid and minimize threats while working remotely.

Blockchains and cryptocurrencies

A blockchain is a type of database that employs distributed ledger technology (DLT), a decentralized network infrastructure that enables simultaneous access, validation, and record updating in an immutable manner across multiple locations. By eliminating the need for any one centralized authority, the blockchain is potentially more resilient to tampering, fostering trust and making it a potentially useful and strong cybersecurity technology.

Cryptocurrency is a form of digital currency that relies on blockchain technology to track value and record transactions without any clearing authority. Cryptography enables transaction participants to remain anonymous. Cryptocurrency exchanges face potential regulation to prevent money laundering and other illegal activities and to ensure traders report profits and pay taxes to authorities. But so far, the law has not kept up and cryptocurrencies and transactions in those currencies are largely unregulated. They have become a preferred payment medium for cybercriminals. Industry experts believe this contributed to a 311% increase in ransomware payments from 2019 to 2020.

Central bank digital currencies (CBDCs) are another type of digital currency that rely on DLT, but are issued by a nation’s central bank, similar to the issuance of paper currency. Because of the security and reliability of the underlying DLT, CBDCs could reduce the cost and increase the efficiency of transactions, allowing immediate settlement of transactions that previously took days. Unlike cryptocurrencies, CBDCs are not meant to be anonymous, and the immutable record of transactions created by DLT raises potential privacy concerns. In October 2020, the Bahamas launched the world’s first CBDC, known as the “Sand Dollar.” One year after the launch, usage was still low, but increased public education and awareness efforts were planned.

+ 7. Additional resources

Cybersecurity model frameworks

• US Department of Homeland Security, Cybersecurity Strategy, 2018

• Australia Cyber Security Strategy 2020

• Budapest Convention on Cybercrime

• EU Cybersecurity Act

Further reading

• Recommendation of the Council on Digital Security of Critical Activities, OECD, 2021

• Cybersecurity Policy Framework, A practical guide to the development of national cybersecurity policy, Microsoft, 2018

• Guide to Developing a National Cybersecurity Strategy, ITU, 2017

• Combatting Cybercrime, Tools and Capacity Building for Emerging Economies, World Bank, 2017

Organisations

• Information Society and Action against Crime Directorate of the Council of Europe

• Cybersecurity & Infrastructure Security Agency (CISA)

• ITU (Cybersecurity page)

• National Cybersecurity Alliance

• United States Department of Homeland Security (Cybersecurity page)

• European Union Agency for Cybersecurity (ENISA)

• Payment Card Industry Security Standards Council

• Cloud Security Alliance

• McAfee Resource Library

• Microsoft Cybersecurity

• Cybercrime Magazine

+ 8. References

For the full list of references, please download the PDF of the brief in English or in French.