The need for a World Cybersecurity Organization

The industry is incapable of coping with cybersecurity problems

The preferred way for market-driven economies is to let the industry cope with and solve its own challenges. In the case of cybersecurity, enough evidence exists to suggest the industry has not and will not be up for this challenge.

Unfortunately, insufficient incentives exist to design products with cybersecurity in mind. Products sell because of functionality and benefits, not security and safety. Security does not lead to increased sales, only increased costs. Security therefore comes low on the priority list.

Although there is no clear upside in building a cyber-secure product, one can argue for protection against potential downside. Hacked or compromised products will invariably lead to potentially high repair costs, brand damage, lost revenue and/or time, management reshuffling and other overhead costs. However, these lurking dangers take a backseat position in most smart product budgets.

Sadly, when vulnerabilities are exploited, they quickly vanish from the public mind like traces in the sand at the beach, and the financials repair costs are often negligible. In 2014, Target lost 40 million credit cards number. Its share price at the time the breach was made public lay around $60 per share. Being one of the worst breaches ever, the attack took its toll on the management team, but the market and share price stayed more or less untouched, just to continue its growth to more than $70 one year later. The management at Target is now part of management teams elsewhere. A more recent (Sept. 2017) attack at Equifax, where lack of basic patching of servers caused almost 150 million peoples’ identity to be compromised and for sale, will probably go through a similar cycle.

We cannot expect help from end users

End users simply do not to pay a premium for security, the same way car buyers do not pay extra for a safer car — they expect their car to be safe anyway.

Requiring end users to ensure their connected devices always stay updated is futile and dead on arrival. Any ideas or regulations in this direction must be stopped before it takes wing. If your Tesla happens to have a serious bug in its braking system in 10 years’ time when the warranty has expired, it must be the responsibility of Tesla to either decommission the car through its software or to fix the brakes. It cannot be left a user responsibility.

Political initiatives and interests

As long as cyber incidents had limited economic and social impact, politicians around the world saw no need take cybersecurity seriously. However, as cybersecurity is gaining public attention due to the digital world making its impression in daily life (e.g., fatalities from self-driving cars, interference in elections, etc.), politicians in the largest economies are starting to see the light of a new day.

The U.S. has several initiatives going, ranging from two new pending acts — the IoT Cybersecurity Improvement Act and the Cyber Shield Act — to the May 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure to National Institute of Standards and Technology’s latest proposal for standardization.

The EU is seeking to upgrade its European Union Agency for Network and Information Security (ENISA) to a stronger EU Cybersecurity Agency, expecting to develop cybersecurity frameworks and certification schemes. Its naïve hope is that companies will voluntarily find it in their interest to follow these recommendations.

Except for the IoT Cybersecurity Improvement Act, which is aimed at regulating government IoT purchases to require a minimum of built-in cybersecurity in the hope that the governmental purchasing arm is so strong it can move the industry’s thinking, all other initiatives are either voluntary or so vague that they will have no practical implications on the industry. The reason for the deflated initiatives lies in the fact that authorities do not want to impair their own economic region’s business prospects and their ability to compete by imposing extra costs. Recession is a bigger threat to losing voters than poor cybersecurity!

Last year, China introduced its Cybersecurity Law of the People’s Republic of China, which serves as another protectionist lever against international influence, but also imposes strong security measures on companies wanting to do business in China.

The cybersecurity dilemma

The world’s largest economies realize the need for stronger measurements for cybersecurity. The dilemma for the EU and U.S. is that they prefer the industry to come up with a solution. But as the industry is failing at this, these nations are now faced with the challenge of how to impose stricter controls without negatively impacting the competition. China can and will continue to operate in its own protectionist way, seeking to knock two birds with one stone.

However, these three economic bastions face the same cybersecurity threat. They all have a common enemy in adversaries seeking to exploit digital vulnerabilities for economic and sometime dogmatic gain. The people in these economies will be better off if the digitized world becomes safer and more secure. Cyber vulnerabilities surely are of value to nations in their quest for more power, but these vulnerabilities can quickly be turned against themselves, serving as an effective deterrent. The speed of bits and knowledge travel fast, and no borders can stop them. Adversaries on the world stage probably don’t care if it is the EU, U.S. or China they hurt, or whether they are paid in bitcoins or U.S. dollars.

The time has come to discuss a new international organization to take on cybersecurity. World Cybersecurity Organization where art thou?

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.