-
12:00
¥ £$
Securing the Modern Economy: Transforming Cybersecurity
Through Sustainability
by Megan StifelApril 2018
-
i
Executive Summary
Headlinesremindusdailythatouruseoftechnologyisfraughtwithopportunity
andrisk.Theadventoftheinternetandotherinformationandcommunicationstechnologieshasfosteredeconomicgrowth,modernizedindustry,andsimplifieddailylife.Atthesametime,consumersfeellesssecureintheirengagementsonline,whichiscontributingtoagrowingdistrustoftechnology.Cybersecurity,orinformationsecurity,areeffortsundertakentoensuretheconfidentiality,integrity,andavailabilityofinformation.Consideredbroadly,cybersecurityincludesarangeofsocietalpolicies,fromeducationandconsumerawarenesstoinsuranceprograms,corporategovernance,andinternationalrelations.Maintainingpublictrustintechnologyreliesinsignificantpartonallstakeholdersprioritizingcybersecurity.
Weakdevicesecurityandconstrainednetworkmanagementpracticesrecentlyenabledadistributeddenial-of-service(DDoS)attacktoknockoutportionsoftheinternetontheU.S.EastCoast.In2016,organizations’fraudlosesincreasedover60asaresultofconsumeraccounttakeoversfacilitatedbypasswordcompromises.1Theseoutagesandlosesdemonstratethatthecurrentcybersecuritycomplianceandriskmanagementmodelsallowfortoomuchshort-termfocusthathasnotandcannotbuildthetypesofresilienttechnologiesnecessarytosupportlong-termpublicconfidenceandsustaintheeconomicgrowththatdevelopmentandadoptionofinterconnectedthings,alsoknownasthe“InternetofThings,”orIoT,canfoster.KnowninsecuritiestogetherwiththousandsmoredevicesformingtheInternetofThingscreateatickingtimebombthatrisksacalamityofpublicconfidencethatcouldunderminethemoderneconomyanddemocraticinstitutions.Ifwewanttoavoidthispublictrustdisaster,wemustadoptasustainableapproachtocybersecurity.
Governments,industry,andcivilsocietygenerallyagreethattheinternetandinformationandcommunicationstechnologies(ICTs)areasharedresourceandauniqueecosystem.Theyalsoincreasinglyrecognizethatcybersecurityisacommongood.Assuch,inadditiontoacybersecuritymoonshottoimprovethesecurityoftheinternetecosystem,wemustalsolooktoeffectivesocietalapproachesthatemploycommongoodstosuccessfullymanageecosystems.Sustainabilityisonesuchsuccessfulapproach.Sustainablecybersecurityisanapproachinwhichstakeholders’interactionswiththeICTecosystemareunderstoodanddeliberate,andwhereeachparticipantunderstandsitsresponsibilityasastewardtorespectandprotecttheecosystemtopreserveitsfutureuse.
Whileallanalogiesultimatelybreakdown,elementsofsustainabilitymanagementareparticularlyrelevanttocybersecurity.Tobegin,companiesthatadoptsustainabilitygovernancepracticesaremoresuccessfulthanthosethatdonot.Thus,contrarytothecommonperceptionthat“doinggood”cutsinto“doingwell,”adoptingsustainablepoliciescanaddtoanorganization’sbottomline.Thisisalsothecaseforimplementingcybersecuritybestpractices.Moreover,ICTsunderpinalmosteverymodern-day
1RSAEbook,2017ConsumerCybersecurityConfidenceIndex,at2(lastvisitedApril12,2018),https://www.rsa.com/content/dam/pdfs/5-2017/rsa-consumerconfidenceindex-ebook.pdf.
-
ii
transaction,fromthedeliveryofelectricityandwatertobanking,shopping,manufacturing,andcorrespondence.Asisincreasinglyapparent,failuretoensuretheconfidentiality,integrity,authenticity,oravailabilityoftheinformationfacilitatingtheseactivitiescanresultincriticalfailuresforassociatedandunrelatedinformation,devices,andactions.Thesefailuresriskreputation,income,assets,andtheverylongevityoftheorganizationasagoingconcern.Asaresult,likesustainability,cybersecurityisbecominga“C-suite”issue.Justaspastbusinessoperationsmayhavecontributedtoclimatechangeandothertraditionalsustainabilitychallenges,manyoftoday’scybersecurityissuesaretheresultofbusinesspracticesthatfailedtoadequatelyconsiderthebroaderimplicationsofaparticulardecision.
Thesustainabilitymovementandcybersecurityalsohaveincommonthe
opportunitiesandchallengesofinteroperabilityandscale.Sustainabilitypolicyemergedfromtheneedforglobalcollectiveaction.Inrecentdecades,largegroupsofstakeholdersacrosstheworldhaveadoptedsustainabilitypoliciesandprogramstotremendouseffect.Similarly,ICTinteroperabilityhasfosteredanever-expandingglobalmarketplaceandstrongeconomicgrowth.ButthatmarketplaceandassociatedgrowthareatriskfromgrowingdistrustofICTsdueinparttotheirinadequatesecurity.Sustainingcybersecurityinthemoderneconomymeansbeingintentionalaboutinteroperabilityandthebusinesschoicesthatshouldbemadetosecurelyenableit.
Noteworthy,too,isthecriticalrolecybersecurityplaysincoresustainability
practices.Aswithmostoperationstoday,informationandcommunicationstechnologiesincreasingly,ifnotcompletely,supporttraditionalsustainabilityactionsasidentifiedbytheUnitedNationsGlobalCompact10Principlesandthe17SustainableDevelopmentGoals.Inadditiontooperationaltrackingandcompliancetoachievedesiredobjectives,thesesustainabilitypoliciesandprocessesalsoenableorganizationstobemoretransparentabouttheirdecisions.Furthermore,thecybersecuritynexustothesenowcommonplacebusinesspracticessuggestsorganizations’existingsustainabilityprocessesandpolicieslikelyprovideafoundationuponwhichtoincorporateandscaleenhancedapproachestocybersecurity,includinggreatertransparency.Enhancedtransparencyenablesbothsupplyanddemandsidetounderstandaproduct’sprovenanceandcontributestomarketforcesformoresecureproducts.
Finally,sustainablecybersecuritycanenhancenationalsecurity.Theprivatesector
ownsandoperates80-90percentofallICTs;theyalsoresearchandbuildthem.Assuch,effortstomanagetheuseofICTsmustaccountforallstakeholders,whichcanlimittheeffectivenessofmultilateralagreementsaroundthemisuseofICTs.IftheprivatesectorbuildsandusesICTsinamoresustainablemanner,theabilityfornationstatestomisusethembecomesmoredifficult,decreasingthelikelihoodandbenefitsofmisuse.Thus,thinkingsustainablyaboutcybersecuritymayultimatelyconstrainnationstatemisuseofICTs.Inaddition,totheextentthatlaxsecurityandprivacypoliciesacrosstheecosystemhavefacilitatedthecurrentmisuseofICTstounderminedemocracy,collectiveactiontobettersecuretheseassetsshouldberecognizedasareinforcementtodemocracyandabuttressagainstfurtherattacksthroughICTs.Sustainablecybersecuritysupportsandenablesstabledemocracies.
-
iii
Throughsustainablecybersecuritypractices,stakeholdersaroundtheworldcanbe
intentionalastheyparticipateinandcontributetothemoderneconomy,whetherindevelopingproductsandservices,runningahousehold,operatingcriticalinfrastructure,orformulatingnationalpolicies.Asaresult,incorporatingelementsofsustainabilitymanagementintocybersecuritywillhelpreframeperceptionsofcybersecurityfromfear,uncertainty,anddoubttoamoreproactivemindsetofopportunity,transformation,anddynamism.Thisshift,weassert,willinturnleadtoimprovedcybersecuritypracticesbyallstakeholdersandultimatelyamoresecure,resilient,andenduringICTecosystemtosupportthemoderneconomy.Throughthiscollectiveeffort,allstakeholderscanhavegreaterconfidenceandtrustthatinformationandcommunicationstechnologieswillsecurelysupporttoday’sinnovationsbeyondtomorrow.
Thepaperconcludeswithasetofpriorityactionseachstakeholdergroupcantake
collectivelytoimprovecybersecurity.InthecomingmonthsPublicKnowledgewillconveneaseriesofdiscussionsaroundtheconceptofsustainablecybersecurity,thelegalandpolicyconstraintstoimplementingsuchanapproach,andtheincentivesthatcouldspurrapidtransitiontosustainablecybersecurity.
-
1
Introduction
Increasingly,data,information,andthedevicesthatprocessthemaredrivingthe
globaleconomyandenablingitsgrowth.Thedigitaleconomy,asubsetoftheoveralleconomy,issettoexperienceexponentialgrowthduetothedevelopmentandadoptionofinterconnectedthings,alsoknownasthe“InternetofThings,”orIoT.Thisnewgrowthfollowsadecade(2006-2016)inwhichthedigitaleconomygrewataratefasterthantheoveralleconomy,5.6percentcomparedto1.5percentperyear.2Theincreaseindataanditscriticalroleintheglobaleconomyhasledseveral,includingWhiteHouseCybersecurityCoordinatorRobJoyceandtheEconomist,toanalogizedatatooil.3Joycefurthernotedthat,incontrasttolimitedresourceslikeoil,cleanair,andwater,whenmeasuredbythenumberofdevicesconnectingtoit,theinternetis,atthistime,unlimited.
Unfortunately,thereisanevolvingriskthatthreatenstoday’sinternetandthe
economicandsocialgoodthatitsupports.Thatthreatisgrowingglobalmistrustofinformationandcommunicationstechnologies(ICTs),whichareabroadcollectionofinterconnecteddevices,includingbutnotlimitedtothecolloquialinternet.The2018RSAPrivacyandSecurityreportfoundthat78percentofrespondentslimittheamountofpersonalinformationtheyputonlineorsharewithcompanies.4A2015PewResearchCenterstudypresagedonereasonforthispractice:inadditiontoconcernsabouteconomicsectorsthatAmericansassociatewithdatacollectionandmonitoring,“Americansalsohaveexceedinglylowlevelsofconfidenceintheprivacyandsecurityoftherecordsthataremaintainedbyavarietyofinstitutionsinthedigitalage.”5Andin2016,theNationalTelecommunicationsInformationAdministrationreportedthatlackoftrustininternetprivacyandsecuritydetersconsumersfromengagingincertainelectronictransactionsandothere-commerceactivities.6
2SeeBUREAUOFECONOMICANALYSIS,InitialEstimatesShowDigitalEconomyAccountedfor6.5PercentofGDPin2016,BEA.GOV(March15,2018),https://blog.bea.gov/2018/03/15/initial-estimates-show-digital-economy-accounted-for-6-5-percent-of-gdp-in-2016/.3SeeTHEECONOMIST,TheWorld’sMostValuableResourceIsNoLongerOil,ButData,ECONOMIST.COM(May6,2017),https://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource.4SeeRSA,2018RSAPRIVACY&SECURITYREPORT7(2018),https://www.rsa.com/content/dam/en/e-book/rsa-data-privacy-report.pdf.5MaryMadden&LeeRainie,AMERICAN’SATTITUDESABOUTPRIVACY,SECURITYANDSURVEILLANCE3(PewResearchCentered.,2015),http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/;seealsoCENTREFORINT’LGOVERNANCEINNOVATION,2017CIGI-IpsosGlobalSurveyonInternetSecurityandTrust,CIGIONLINE(lastvisitedApr.2,2018),https://www.cigionline.org/internet-survey.6SeeRafiGoldberg,LackofTrustinInternetPrivacyandSecuritymayDeterEconomicandOtherOnlineActivities,NTIA(May13,2016),https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-online-activities.
-
1
Thesestudies,pairedwithneardailydatabreachesandothersecurityheadlines,remindusthatthecurrentapproachtocybersecurity--thoughincreasinglymoreappropriatelyfocusedonriskmanagementandlessoncompliance--isstillinsufficienttosecurethemoderneconomy.Itis,inaword:unsustainable.Inadditiontotheriskspresentedbyconsumer-gradeIoT,7thegrowingprevalenceofsmartcitiesandconnectedcriticalinfrastructurefurtherincreasesthedangerscurrentcybersecuritypracticesposetothelongevityofthebroaderecosystem.Addthetrustchallengesof“fakenews”andthegrowthofartificialintelligenceandtheopportunitiesforstrategicfailuregrowexponentially.
Inshort,wefaceatickingtimebombasIoTemergesacrosseconomiesthereby
significantlyexpandingknowncybersecuritychallenges,andtoday’smodelfordealingwiththesedevelopmentsunderestimatestheirdangerandunder-investsinprotection.Wethereforebelieveafundamentalshiftinapproach,fromshort-termmarketsignalstosustainability,isessentialtominimizethelikelihoodofacalamityofpublicconfidencethatcouldunderminethemoderneconomyanddemocraticinstitutions.SustainablecybersecurityisanapproachinwhichinteractionswiththeICTecosystemareunderstoodanddeliberate,andwhereeachparticipantunderstandsitsresponsibilityasastewardtorespectandprotectittopreserveitsfutureuse.Transitioningtoasustainability-styleapproachtocybersecuritywillrequirethemostpowerfulsocietalinstitutionstoshiftcoursewithoutdelayandinparallel,andincludescommitmentsfrom(1)businessestorevisemanagerialapproachestobetterallocateinvestmentstrategiesandassessprofitabilitymeasurements(internalizeexternalities);(2)governmentstoevolvenationalstrategies;(3)insurerstoshiftincentivesthroughnewunderwritingparameters;(4)educationalinstitutionstomodernizecurricula;and(5)consumerstolearntherelevantelementsofcybersecurityandbuildthemintodailylife.
Thispaperproposesthatincorporatingelementsofsustainabilitymanagementinto
cybersecuritywillhelpreframeperceptionsofcybersecurityfromfear,uncertainty,anddoubttoamoreengagingmindsetofopportunity,transformation,anddynamism.Thisshift,weassert,willinturnleadtoimprovedcybersecuritypracticesbyallstakeholdersandultimatelyamoresecure,resilient,andenduringecosystemtosupportthemoderneconomy.8Wereachthisconclusionbyoutliningseveralkeyaspectsofsustainabilityandconsideringtheirrelevanceandapplicationinthecontextofcybersecurity.Thepaperconcludeswithalistofpriorityactionseachstakeholdergroupcantakecollectivelytoimprovecybersecurity.
7MaliciousactorswillincreasinglyusecompromisedIoTdevicestolaunchglobalautomatedattacks.SeeThePresident’sNationalSecurityTelecommunicationsAdvisoryCommittee,NSTACReporttothePresidentonInternetandCommunicationsResilience1(Nov.16,2017),https://www.dhs.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20ICR%20FINAL%20%2810-12-17%29%20%281%29-%20508%20compliant_0.pdf.8SeeMariaBada,JasonR.C.Nurse,andAngelaSasse,CyberSecurityAwarenessCampaigns:Whydotheyfailtochangebehavior?,GLOBALCYBERSECURITYCAPACITYCENTRE(Sept.15,2016),https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/csss2015_bada_et_al.pdf.
-
2
Traditional approaches to cybersecurity are insufficient for the
modern economy.
Securitychallengeshaveconfronteduserssincetheearliestdaysofinterconnectednetworks.Networkadministratorsinitiallyusedcompliance-basedapproachestoaddressthesechallenges,whichrequiredadministratorstocompleteaseriesoftasks,oftenchecklists,tocomplywithestablishedsecurityrequirements.However,scalingcompliancetoincreasinglycomplexandexpansivenetworksthatincludenotonlycomputersbutalsomobileandothersmartdeviceshasbecomeincreasinglylesseffectiveinsecuringinterconnectednetworks.Inrecentyears,inordertohelpprioritizetheassetsmostcriticaltoanorganization’soperations,theapproachtocybersecurityhasbeguntoshiftfromcompliancetoriskmanagement.Whileriskmanagementcanbeeffectiveinreducingsecurityriskstoenterprisenetworks,itcanbelessusefulinguidingorganizations’decisionsaboutthesecurityofprogramsanddevicesthatmightformorconnecttothosenetworks,particularlyfororganizationswhoseofferingshavesuddenlybecome“connected.”Aneffectiveapproachtocybersecuritymustexpandthecurrentunderstandingofthecybersecuritylifecycletoincludeinputsthatcanaffecttheoperationofthenetworkandthenetworkstowhichitconnects.
Today’seconomyrunsondata,andfortoolongaprimaryfocushasbeenon
connectingandcollectingitwithoutappropriateconcernforprotectingit.Anumberoffactorshavecontributedtothepresentstate.First,inadequateeducationandtraining–suchasteachinginformationsecurityinonlynarrowfields,ifany–havecontributedtopoorhardwareandsoftwaredesignanddevelopmentprocedures9andweaknetworkarchitectureandprotection.Next,businessdecisionstobefirst-to-marketratherthansecure-to-markethavefloodedthemarketplacewithproductssufferingfromknownvulnerabilitiesandlittleornoupdatability.Finally,consumershavemadechoiceswithinsufficientknowledgeandunderstandingofproductandservicesecurityandprivacyfeatures,forcingthemtobeartoomuchresponsibilityforthesecurityoftheirdataandthedevicesthatgenerateit.10
Theconsequencesofthisshort-termapproachtocybersecurityappearregularlyin
newspapersaroundtheworld.Themostcriticalofcomputerhardwarewasfordecadesvulnerabletoacutesecurityweaknesses;11multiplegovernmentsandorganizationshavehadsensitiveconsumerpersonaldataandproprietarycorporateinformation
9SeeBrendenI.Koerner,InsidetheCyberattackthatShockedtheUSGovernment,WIRED(Oct.23,2016,5:00PM),https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/.10SeegenerallyTHECOUNCILOFECON.ADVISORS,THECOSTOFMALICIOUSCYBERACTIVITYTOTHEU.S.ECONOMY(CouncilofEconomicAdvisors,Feb.2018),https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf.(“CEAReport”).
11SeeMichaelLines,Meltdown/Spectre:TheFirstLarge-ScaleExampleofa“Genetic”Threat,DARKREADING(Feb.20,2018,10:30AM),https://www.darkreading.com/vulnerabilities---threats/meltdown-spectre-the-first-large-scale-example-of-a-genetic-threat/a/d-id/1331071?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple;seealsoBradChacos&MichaelSimon,MeltdownandSpectreFAQ:HowthecriticalCPUflawsaffectPCsandMacs,PCWORLD(Feb.22,2018,7:14AM),https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html.
-
3
compromised;12andindustrialcontrolsystemsandothercriticalinfrastructurehavebeenunlawfullyaccessedbycriminalsandnationstateactors.13Morerecently,poorlysecuredIoThasbecomeaforcemultiplierformaliciousactorswhocontinuetoexpandthescaleandimpactofdistributeddenial-of-service(DDoS)attacks.14
Stakeholdermisconceptionsaboutmarketinterestinsecuritycapabilities
exacerbatetheresultsofsociety’ssuboptimalchoices.Forexample,arecentstudyofcommunicationsserviceproviders(e.g.,telecommunicationscarriers)andpurchasers(e.g.,enterprisessuchascorporations)foundthatenterpriseswerewillingtopaya15percentpremiumtosupportcompliancewithsecureinternetroutingpractices(theprocessoftransmittingpacketsovertheinternet).15Thesamestudyrevealedthatserviceprovidersunderestimatedthevaluetheircustomersplaceonsecurityandhighlightedthatproviders’securitypostureisacharacteristictodistinguishcompetitors.16Thisdisconnecthighlightstheneedforadditionalanalysisofenterpriseandconsumerwillingnesstopaymoreforbettersecurity,andnotjustintheconnectivityandtransmissioncontext.Atthesametime,itbegsthequestionofwhetherornottheyshouldhaveto.Securityisafactofdoingbusiness.Doingitrightshouldnotalwayshavetocostenterprisecustomersandindividualconsumersmore.Buttodate,doingitwronghas–perhapsmostsignificantlyinriskingpublictrustinICTs.
Togetherwiththesemisperceptions,currentmarketincentivesdonotsupport
adequatecybersecurityinvestmentandfunding.17Often,theorganizationalvictimofmaliciouscyberactivitycouldhaveavoidedorreduceditsimpactbyinvestingincybersecurityduringprocurement,employeetraining,andnetworkdesignandmanagement,tonamebutafeweffectiveapproaches.“Whenmarketincentivesencouragemanufacturerstofeaturesecurityinnovationsasabalancedcomplementtofunctionalityandperformance,adoptionoftoolsandprocessesthatresultinhighlysecureproductsiseasiertojustify.”18Thegovernment,institutionalinvestors,andotherrelevant
12SeeMichaelAdams,WhytheOPMAttackIsFarWorseThanYouImagine,LAWFARE(Mar.11,2016,10:00AM),https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine;seealso,THEUNITEDSTATESDEP’T.OFJUSTICE,USChargesThreeChineseHackersWhoWorkatInternetSecurityFirmforHackingThreeCorporationsforCommercialAdvantage,JUSTICE.GOV(Nov.27,2017),https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations.13SeeTHEUNITEDSTATESDEP’T.OFJUSTICE,SevenIraniansWorkingforIslamicRevolutionaryGuardCorps-AffiliatedEntitiesChargedforConductingCoordinatedCampaignofCyberAttacksAgainstU.S.FinancialSector,JUSTICE.GOV(Mar.24,2016),https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged;seealso,JosephBerger,ADam,SmallandUnsung,IsCaughtUpInAnIranianhackingCase,NEWYORKTIMES(Mar.25,2016),https://www.nytimes.com/2016/03/26/nyregion/rye-brook-dam-caught-in-computer-hacking-case.html.
14SeeDanGooden,USserviceprovidersurvivesthebiggestrecordedDDoSinhistory,ARSTECHNICA(Mar.3,2018,4:24PM),https://arstechnica.com/information-technology/2018/03/us-service-provider-survives-the-biggest-recorded-ddos-in-history/.15See451RESEARCH,MANRSPROJECTSTUDYREPORT7(CommissionedbyInternetSociety,Aug.2017),https://www.routingmanifesto.org/wp-content/uploads/sites/14/2017/10/MANRS-451-Study-Report.pdf.16Id.at10.17SeegenerallyCEAReport,supranote10.18THESECRETARYOFCOMMERCEANDTHESECRETARYOFHOMELANDSECURITY,AREPORTTOTHEPRESIDENTONENHANCINGTHERESILIENCEOFTHEINTERNETANDCOMMUNICATIONSECOSYSTEMSAGAINSTBOTNETSANDOTHER
-
4
stakeholdersmustemphasizethatinvestmentincybersecurityintheearlystageofaproductorservicedevelopment,aswellasinnetworkarchitectureandmanagement,aremorecosteffectivethanattemptingtoboltitonjustbeforegoingtomarket,orfailingtoaddressitatall.19
Inadequatecybersecuritypracticesbygovernmentsandnon-governmental
organizations(NGOs)presentaparticularlypressingconcerngiventhecriticalrolesofsuchorganizationsintheecosystemandininfluencingpublicperceptionsoftrust.20Insecurenetworksrisknotonlybecomingpartoftheproblem,butalsothetarget.Criminalsandnationstatescantakeadvantageofvulnerabilitiesinnetworksto,forexample,buildabotnet,21whichcanbedirectedatanynumberofinternet-connecteddevices,fromhomerefrigeratorstosmartfactoriestomedicaldevices,regardlessofthesetargets’proximity.Givenchallengesinattributingcyberactivity,poorcybersecuritypracticesbygovernmentsinparticularcanpotentiallyexacerbatetheconsequencesandfurthererodepublictrustinICTs-if,forexample,agovernmentweretotakeactionabroadinresponsetomaliciousactivityenabledbyapoorlyconfiguredsystemthathasbeencompromisedbyactorsoperatinginathirdcountry.Andyet,duetotheincreasinglyprevalentroleICTsplayinallaspectsofsociety,thesameconcernsaboutunintendedconsequencescouldbesaidforalmostallstakeholders’cybersecurityactions.22
Furthermore,theeffectsofthecurrentunsustainableapproachtoICTsecurity
threatennotonlystrongdigitaleconomies,butalsonascentones.FailuretotrustandadoptICTs,dueinparttotheirinsecurity,riskscountriesrealizingthebenefitstheseemergingdigitalpopulationscouldexperienceinthemoderneconomy.Atthesametime,authoritarianregimesexploitinsecureICTsandtheireffectstodeveloplegalsystemsthat
AUTOMATED,DISTRIBUTEDTHREATS:DRAFTFORPUBLICCOMMENT23(Jan.5,2018),https://www.ntia.doc.gov/files/ntia/publications/eo_13800_botnet_report_for_public_comment.pdf.(“InternetResilienceDraftReport”).19Seeid.at33-34;seealso,RobertHawk,DevSecOps:TheImportanceofBuildingSecurityfromtheBeginning,DARKREADING(Mar.9,2018,10:30AM),https://www.darkreading.com/endpoint/devsecops-the-importance-of-building-security-from-the-beginning/a/d-id/1331210?_mc=sm_dr&hootPostID=4af20634b103363ab773998659c63368;Leigh-AnneGalloway,ASecureDevelopmentApproachPaysOff,DARKREADING(Mar.2,2018,10:30AM),https://www.darkreading.com/application-security/a-secure-development-approach-pays-off/a/d-id/1331154?ngAction=register&ngAsset=389473.20See,e.g.,DanteDisparte,CitiesHeldForRansom-LessonsFromAtlanta'sCyberExtortion,FORBES(Apr.2,2018,9:30AM),https://www.forbes.com/sites/dantedisparte/2018/04/02/cities-held-for-ransom-lessons-from-atlantas-cyber-extortion/#54f4d935996b;AjayBhalla,BhaskarChakravorti,&RaviShankarChaturvedi,The4DimensionsofDigitalTrust,ChartedAcross42Countries,HARVARDBUSINESSREVIEW,https://hbr.org/2018/02/the-4-dimensions-of-digital-trust-charted-across-42-countries(Feb.19,2018).
21See,e.g.,UNITEDSTATESDEP’T.OFHOMELANDSECURITY,THEINCREASEDTHREATTONETWORKINFRASTRUCTUREDEVICESANDRECOMMENDEDMITIGATIONS(NationalCybersecurityandCommunicationsIntegrationCenter,Aug.30,2016),https://cyber.dhs.gov/assets/report/ar-16-20173.pdf;UNITEDSTATESDEP’T.OFHOMELANDSECURITY,BindingOperationalDirectiveBOD-16-02,ThreattoNetworkInfrastructureDevices(DHSSept.27,2016),https://cyber.dhs.gov/assets/report/bod-16-02.pdf.22SeeDannyPalmer,Ransomwareforrobotsisthenextbigsecuritynightmare,ZDNET(Mar.9,2018,7:47AM),http://www.zdnet.com/article/ransomware-for-robots-is-the-next-big-security-nightmare/.
-
5
undermineprivacyinthenameofsecurity.Thesegovernmentalpoliciescantakemanyforms,fromuncheckedaccesstocommunications’metadataandcontenttodatalocalizationandsourcecoderequirements,anyoneofwhichcanunderminesecurityandprivacyandtherebypublictrustininformationandcommunicationstechnologies.Stakeholders’failuretoaddressICTsecuritychallengesthroughouttheecosystemmaycostemergingdigitaleconomiestheopportunitytoseethetrueeconomicandsocialbenefitsinterconnectioncanbring.
Evenwellintentionedregulatoryeffortsthatdirectlyandindirectlyimprove
cybersecurity,e.g.,theGeneralDataProtectionRegulation(GDPR),canfallshort.23Althoughtheresultsoftheseeffortsarenotyetcalculable,thisvariedregulatorylandscapepresentschallengesfororganizationsoperatinginternationallyandhighlightsthelimitationsnationalandregionalregulatoryregimesfaceintrulyenhancingcybersecurityonaglobalscale.
TheseshortfallsandlimitationsevidenceaneedforamoreholisticapproachtoICT
securityandprivacy.Publicandprivateorganizationsandconsumersshouldcollaboratetoidentifybestpracticesandframeworksthattranscendboundaries,nationallaws,andculturestocreateacohesiveICTsecurityagendatosustainthemoderneconomyintothefuture.AnenduringapproachshouldviewthesecurityofICTsandassociatedprivacyenhancementsascriticaltotheirsustainability,andthusthesustainabilityofthemoderneconomy.AsPaloAltoNetworksCEO,MarkMcLaughlin,hascautioned,“Thelifeofthedigitalageisliterallyatriskifwedon’tadvancesecurityprevention.”24
Recent developments portend a more holistic approach to
cybersecurity.
Inrecentmonths,inpartasaresultofgrowingdistrustinICTs,25manycybersecurityfirms,amongotherorganizations,arebeginningtoextolthebroaderimportanceofcybersecurity,anditisnotjusttosellmoregoodsandservices.Rather,theyrecognizethatcybersecurityisessentialtothemoderneconomy,andthatweaksecurityiserodingpublictrustinthetoolsthatenableit.Inlate2017,acybersecuritycompanyCEOremarkedthat“whatcybersecuritycompaniesknowshouldbeapublicgood.”26Thisbeliefreflectsthatofagrowingnumberofpublicandprivateorganizationswhodescribecybersecurityasasharedresponsibility.Intermsquitesimilartoenvironmental
23LincolnKaffenberger,EmanuelKopp,&ChristopherWilson,CyberRisk,MarketFailures,andFinancialStability,Int’lMonetaryFundWorkingPaper185(2017),at17,30(“Theregulatoryregimeshouldencourageongoingvigilancebyboardsandseniormanagementtobuildresiliencethroughinvestmentincybersecuritywhilegivinginstitutionsflexibilitytoaddresstherisksinthewaytheyseeasoptimal.However,actionsbyindividualcountries—andbyfinancialsectorparticipantsalone—willnotbesufficient.”).24SeeDavidNeedle,PaloAltoNetworksCEO“NextGenSecuritySolutionsMustRestoreTrust”,RSACONFERENCE(Mar.3,2016),https://www.rsaconference.com/blogs/palo-alto-networks-ceo-nex-gen-security-solutions-must-restore-trust.25See,e.g.,StephanieJohnson,PaloAltoNetworksAcademy:ProtectingLifeintheDigitalAgeOneStudentataTime,PALOALTONETWORKS(Feb.26,2018,1:00PM),https://researchcenter.paloaltonetworks.com/2018/02/palo-alto-networks-academy-protecting-life-digital-age-one-student-time/(“Cybersecurityisessentialtomaintainingtrustinourdigitalwayoflife.”).26Needle,supranote24.
-
6
stewardship–afieldknownforitssustainabilitypractices,arecentreportfortheInternetSocietynotedthe“valueofcontributingtotheoverallsecurityoftheinternetcommunity”27inhighlightingthebenefitsofimplementinginternetroutingbestpractices.
Publicrecognitionoftheneedforcollaborativeactionstoimprovecybersecurityextendswellbeyondcybersecurityfirms.Atthe2018WorldEconomicForum(WEF),WEFannouncedtheGlobalCentreforCybersecurity.Itsfociincludeestablishinganindependentlibraryofcyberbestpractices;helpingpartnerstoenhanceknowledgeoncybersecurity;workingtowardsanappropriateandagileregulatoryframeworkoncybersecurity;andservingasalaboratoryandearly-warningthinktankforfuturecybersecurityscenarios.
Afewweekslater,atthe2018MunichSecurityConference,severalmultinationalcorporationsannounced10principlesintheCharterofTrustforaSecureDigitalWorld.Theseprinciplesrangefromeducationandsecuritybydesigntotransparencyandresponse.28Thepressreleaseemphasizestherolesofgovernmentsandcompaniesintakingdecisiveaction:“[t]hismeansmakingeveryefforttoprotectthedataandassetsofindividualsandbusinesses;preventdamagefrompeople,businessesandinfrastructures;andbuildareliablebasisfortrustinaconnectedanddigitalworld.”29
IntheUnitedStates,inMarch2018,severalbusinessesformedtheCoalitionto
ReduceCyberRisk,which“aimstoenhancecybersecurityandsupporteconomicgrowthbypartneringacrossindustryandwithgovernmentsaroundtheworldtostrengthenandalignapproachestoimprovingcybersecurityriskmanagement.”ThatsamemonthtwotradeassociationsformedtheCounciltoSecuretheDigitalEconomy,whichwill“pursuesecuritymitigationasintenselyasdigitalinnovation.[TheCouncil]willdetermineadistinctsetofprioritiesandindustryinitiatives,workinginpartnershipwiththepublicsectorbothintheU.S.andglobally.”30
Atthe2018annualRSAcybersecurityconference,34technologyandsecuritycompaniesannouncedtheCybersecurityTechAccord.CompaniessigningtheTechAccordcommittoequalprotectionforcustomersworldwide.Theseprotectionsincludemountingastrongerdefenseofcustomers,regardlessofthemotivationforattacksonline;refrainingfromassistinggovernmentslaunchcyberattacksandprotectingagainsttamperingandexploitationofproductsandservicesthroughdevelopment,design,anddistribution;buildingcapacitytoempowerdevelopersandtechnologyuserstobetterprotectthemselves;andactingcollectivelythroughformalandinformalpartnershipswithindustry,civilsociety,andsecurityresearchestoenhancesecurityinformationsharingandvulnerabilitydisclosure.31
27451Research,supranote15at10.28SeeSIEMENS,CharterofTrust(2018),https://www.siemens.com/press/pool/de/feature/2018/corporate/2018-02-cybersecurity/charter-of-trust-e.pdf.29Id.30USTelecomandITILaunchCounciltoSecuretheDigitalEconomy,USTELECOM.ORG(Feb.23,2018),https://www.ustelecom.org/news/press-release/ustelecom-and-iti-launch-council-secure-digital-economy.31https://cybertechaccord.org.
-
7
Theinsurancemarketisalsobeginningtobroadenitsapproachtoassessingcyberrisk.Inearly2018,AllianzGlobalCorporate&Specialty(AGCS)announcedapartnershipwithglobalriskconsultingfirmAonPLCandtechnologycompaniesAppleandCisco.AGCSwillofferdiscountedcyberinsurancepoliciestocompaniesthatsubmittoariskassessmentanduseidentifiedtechnologyproducts.Theeffortdemonstratesthebroadershiftincybersecurityfromcompliancetoriskmanagement,whichextendsriskevaluationbeyondtheinsured’snetworkoperationstoitsengagementswiththeecosystemtoaddresssecurity“moreholistically.”32
Governments,too,areincreasinglycallingforgreatercybersecurityactionforthe
collectivegood.Thesecallsechosustainabilitymanagementpracticessuchasreducingpollutionandframingresponsiblebusinessdevelopmentchoicesasinvestments.Forexample,inimplementingExecutiveOrder13800,StrengtheningtheCybersecurityofFederalNetworksandCriticalInfrastructure,theU.S.NationalTelecommunicationsandInformationAdministrationseekstodevelopapathwaytoward“anadaptable,sustainable,andsecuretechnologymarket.”Italsocalledoncompaniesnotonlytoavoidcarryingmaliciousinternettraffic,butalsotomakepublicsuchdecisions.Similarly,the2015JapaneseCybersecurityStrategyconciselyobserves:
[i]nbringingproductsandservicesinwhichhighlevelsecurityisassuredasaqualityfeaturetothemarket,andinmakingmanagementdecisionsfornewbusinesscreation,cybersecurityknowledgehasbecomeabasiccompetencyrequired
for enterprise senior executives. For the enhancement of
Japan’ssocio-economic vitality as well as sustainable development,
it is necessarythat more enterprise senior executives will grasp
such societal changesprecisely, and raise awareness of
cybersecuritymeasures not as inevitable“cost” of business but as an
“investment” for more
progressivemanagement.33Morerecently,theWhiteHouseCouncilofEconomicAdvisorsstatedplainly
that“[c]ybersecurityisacommongood…[that]weakcybersecuritycarriesacostnotonlytothefirmitselfbutalsotothebroadereconomythroughthenegativeexternalitiesimposedonthefirm’scustomersandemployeesandonitscorporatepartners.”34Sufficetosay,nascentbutexponentialgrowthinIoTwilllikelycompoundtheseexternalitiesabsentasignificantshiftinstakeholderbehavior.
Toaddressthesechallenges,severalorganizations,bothpublicandprivate,arecallingforacybersecuritymoonshotalongthelinesofthegovernment-ledeffort
32AllisonGrande,AppleCiscoPartnerwithInsurersforNovelCyberCoverage,Law360(Feb.6,2018,10:40PM),https://www.law360.com/articles/1009760/apple-cisco-partner-with-insurers-for-novel-cyber-coverage.33THEGOV’T.OFJAPAN,CYBERSECURITYSTRATEGY12,14-15(Sept.4,2015),https://www.nisc.go.jp/eng/pdf/cs-strategy-en.pdf.34CEAReport,supranote10at21.
-
8
thatculminatedinthefirstlunarlanding.35Whilepotentiallyahelpfulmotivatingframe,therearealsolimitationstothemoonshotconceptinthecontextofcybersecurity,inpartbecauseitisacontinuouscombinationofactions.Forexample,giventheimpactofMoore’slawandotherinnovationattributesofthesetechnologies,willacybersecuritymoonshoteverbecomplete?Howdoesacybersecuritymoonshotaccountfortheroleofconsumers?Andhowdoesitaddresssupportingelements,suchastheneedtoexpandandenhancecybersecurityeducation?
Sustainable cybersecurity to secure the modern economy.
Inadditiontoacybersecuritymoonshot,stakeholders–governments,corporations,educators,andconsumers–needtoreframetheirapproachtocybersecuritytooneofsustainability.Sustainabilityacknowledgesrolesforarangeofstakeholdersandrecognizestheneedtomanageandengagetodayinordertoensurethesameorbetteropportunitiestomorrow.Sustainabilityencompassessupplychainmanagement,interoperabilityandscalability,consumerengagement,andinsomeareasregulatorycompliance.Inthecontextofcybersecurity,itcouldtransformcorporateandconsumerperceptionsfromcostsoftimeandmoneytosavingsandfeatures,andmeaningfullytranslatetheseattributestothemarket.
Gainingrecognitioninthemid-90s,themodernsustainabilitymovementdeveloped
toenableorganizationstooptimallyoperationalizetheirinteractionswithpublicgoods.36Today,thefieldofsustainabilitymanagementseekstointegrateanunderstandingof“thephysicaldimensionsofsustainability”intoroutinemanagementdecision-making.Thefieldteachestomorrow’sCEOstomanagetheirorganization’swaste,useofenergy,water,andotherrawmaterialstoensuresustainabilitythroughoutsupplychains,andtobeawareofthefinancialrisksposedbyenvironmentalaccidents,pollution,andclimatechange.37Sustainabilitymanagement“continuestostudyconservationandpollution,butnowencompassesafarbroadersetofconcernsandhascometoincludethebuiltenvironment,management,andthetransitiontosustainablecities.”38
35See,e.g.,ShaunWaterman,Whatisa“cybermoonshot”anyway?,CYBERSCOOP(Oct.19,2017),https://www.cyberscoop.com/cyber-moonshot-accenture-gus-hunt/;SeanMorgan,CallforaCybersecurity“Moonshoot”DominatesFirst-EverGovernmentIgnite,PALOALTONETWORKS(Oct.27,2017),https://researchcenter.paloaltonetworks.com/2017/10/gov-call-cybersecurity-moonshot-dominates-first-ever-federal-ignite/.36See,e.g.,RebeccaTuhus-Dubrow,“Sustainability”isolderthanyouthink,BOSTONGLOBE.COM(Dec.7,2014),https://www.bostonglobe.com/ideas/2014/12/07/sustainability-older-than-you-think/qCjnEzwtxmBjxebceg8OzL/story.html(“Sustainabilityisabouthavingavisionforthefuture.Andenvironmentalismisaboutdealingwithproblemsthathaveledusuptothepresentday.It’saboutthepastandthepresent.AndIthinksustainabilitysays,OK.Wescreweditallup.Weknowthatemissionsareabigproblem,weknowthatwaterpollutionisaproblem....Nowwhat?”).37StevenCohen,TheEvolutionofSustainabilityEducation,HUFFPOST(May22,2017,8:25AM),https://www.huffingtonpost.com/entry/the-evolution-of-sustainability-education_us_5922d872e4b0e8f558bb282e.38
Id.
-
9
ForBlackRock,alargeinstitutionalinvestor,“sustainabilitymeanslong-termthinkingineveryrespect,whetheritbereducingourenergyconsumption,contributingtocommunitiesorbuildingbetterfinancialfuturesforourclients.Itisaboutresponsibledecision-making.”39BlackRock’sCEO,LarryFink,observedthatsocietyexpectsresponsibledecision-making:“[t]oprosperovertime,everycompanymustnotonlydeliverfinancialperformance,butalsoshowhowitmakesapositivecontributiontosociety.Companiesmustbenefitalloftheirstakeholders,includingshareholders,employees,customers,andthecommunitiesinwhichtheyoperate.”40BlackRockseesincreasingsocietalexpectationsthatcorporations“serveasocialpurpose.”41
Thisresponsibledecision-makingapproachbenefitsshareholdersinadditionto
society.Indeed,analysisofFortune500companiesmakesclearthatsustainablecompaniesaresuccessful,oftenverysuccessful,companies.Thus,contrarytocommonperceptionsthatsustainabilitytakesawayfromcompanies’profits,infact,sustainablecompaniesaremoresuccessfulthantheirpeersthathavenotadoptedsustainablepractices.42Thereasonsforthissuccessarebeyondthescopeofthispaper.However,inmostCEOs’andorganizationalleaders’evaluationofpriorities,whetherrecognizedbytheseleadersornot,thereisoneelementthatenablesorrisksalloftheothers:cybersecurity.Yet,recentresearchindicatesthatfinancialbenefitscanalsoresultforcompaniesthatadoptresponsiblecybersecuritypractices.43Sustainablecybersecurityisessentialtoachievingshareholdervalueandasocialpurpose.
Beyondprofitability,organizationsshouldbegintoframetheircybersecurity
activitiesinasustainablewayforseveralreasons.Tobegin,ICTsunderpinalmostevery
39BLACKROCK,BlackRockResponsibility:EnvironmentalSustainability,BLACKROCK(lastvisitedMar.12,2018),https://www.blackrock.com/corporate/en-us/responsibility/environmental-sustainability.40BLACKROCK,LarryFink’sLettertoCEO’s:ASenseofPurpose,BLACKROCK(lastvisitedFeb.21,2018),https://www.blackrock.com/corporate/en-us/investor-relations/larry-fink-ceo-letter.41Id.42See,e.g.,CarlyFink&TeniseWhelan,TheComprehensiveBusinessCaseforSustainability,HARVARDBUSINESSREVIEW(October21,2016),https://hbr.org/2016/10/the-comprehensive-business-case-for-sustainability;Eccles,Iannou&Serafeim,THEIMPACTOFCORPORATESUSTAINABILITYONORGANIZATIONALPROCESSESANDPERFORMANCE19(HarvardBusinessSchool,Nov.2014),http://www.hbs.edu/faculty/Publication%20Files/SSRN-id1964011_6791edac-7daa-4603-a220-4a0c6c7a3f7a.pdf.(“Overall,wefindevidencethatfirmsintheHighSustainabilitygroupareabletosignificantlyoutperformtheircounterpartsintheLowSustainabilitygroup.Thisfindingsuggeststhatcompaniescanadoptenvironmentallyandsociallyresponsiblepolicieswithoutsacrificingshareholderwealthcreation.Infact,theoppositeappearstobetrue:HighSustainabilityfirmsgeneratesignificantlyhigherstockreturns,suggestingthatindeedtheintegrationofsuchissuesintoacompany’sbusinessmodelandstrategymaybeasourceofcompetitiveadvantageforacompanyinthelong-run.Amoreengagedworkforce,amoresecurelicensetooperate,amoreloyalandsatisfiedcustomerbase,betterrelationshipswithstakeholders,greatertransparency,amorecollaborativecommunity,andabetterabilitytoinnovatemayallbecontributingfactorstothispotentiallypersistentsuperiorperformanceinthelong-term.”).43SeeAymanSayed,WhySecurity-DrivenCompaniesAreMoreSuccessful,DARKREADING(Mar.7,2018,10:30AM),https://www.darkreading.com/operations/why-security-driven-companies-are-more-successful/a/d-id/1331173;StevenChabinsky,TheTop12PracticesofSecureCoding,SECURITYMAGAZINE(Jan.1,2018),https://www.securitymagazine.com/articles/88600-the-top-12-practices-of-secure-coding;ScottJ.Shackelford,TimothyL.Fort,&DanuvasinCharoen,SustainableCybersecurity:ApplyingLessonsfromtheGreenMovementtoManagingCyberAttacks,2016U.ILL.L.REV.1995,2020(2016).
-
10
moderndaytransaction,fromthedeliveryofelectricityandwatertobanking,shopping,manufacturing,andcorrespondence.Assuch,organizationsdevelop,transmit,andhaveaccesstovastamountsofinformation,includingverysensitivedataintheformofproprietaryandpersonallyidentifiableinformation.Asisincreasinglyapparent,failuretoensuretheconfidentiality,integrity,authenticity,oravailabilityofaspectsofthisinformation–actionsmostcommonlydescribedascybersecurityorinformationsecurity–canresultincriticalfailuresforassociatedandunrelatedinformation,devices,andactions.Thesefailuresriskreputation,income,assets,andtheverylongevityoftheorganizationasagoingconcern.44Leftunchecked,poorcybersecuritycanalsothreatenICTsthemselves.“Eventhough[ICTs]arenotanaturalresource–likeair,land,sea,orspace–theycanberuinedbeyondusebycarelessactions.Infact,astheirfoundationisnotnatural,butessentiallybuiltonhumantrust,cyberspaceandtheinternetmaybefarmoresensitivetolong-termpollutionanddisruption.”45
Asaresult,likesustainability,cybersecurityisslowlybutincreasinglybecominga
“C-suite”issue.Justaspastbusinessoperationsmayhavecontributedtoclimatechangeandothertraditionalsustainabilitychallenges,manyoftoday’scybersecurityissuesaretheresultofbusinesspracticesthatfailedtoadequatelyconsiderthebroaderimplicationsofaparticulardecision.Rushingproductswithknownvulnerabilitiestomarketinordertobefirstratherthansecure-to-markethasresultedinanecosystempopulatedwiththousandsofvulnerableconsumerdevicesandindustrialcontrolsystems.46Andlikeothersustainabilityissues,theexternalitiesofvulnerabledevicesandapplications,whetherembeddedinhomesecuritycamerasorcriticalinfrastructure,canhavesignificant,iflatent,consequences,particularlywhenmaliciousactorsexploitmorethanonevulnerabilityatonceoraspartofabroadercampaign.47
Thesustainabilitymovementandcybersecurityalsohaveincommontheopportunitiesandchallengesofinteroperabilityandscale.Sustainabilitypolicyemergedfromtheneedforglobalcollectiveaction.Inrecentdecades,largegroupsofstakeholdersacrosstheworldhaveadoptedsustainabilitypoliciesandprogramstotremendouseffect.48
44SeeDuneLawrence,ALeakWoundedThisCompany.FightingtheFedsFinishedItOff,BLOOMBERG(Apr.25,2016),https://www.bloomberg.com/features/2016-labmd-ftc-tiversa/;PROONCALLTECHNOLOGIES,3CompaniesthatWentoutofBusinessDuetoaSecurityBreach,ProOn-CallBusiness(Nov.6,2014),https://prooncall.com/3-companies-went-business-due-security-breach/.45JasonHealey,ANONSTATESTRATEGYFORSAVINGCYBERSPACE29(FrederickKempeetal.eds.,AtlanticCouncilStrategyPapersNo.8,2017).46RobertLemos,IoTSecurity,EasytoCompromise,NotSoEasytoFix,SYMANTEC(Oct.23,2017),https://www.symantec.com/blogs/corporate-responsibility/iot-security-easy-compromise-not-so-easy-fix;LucianConstantin,CriticalBluetoothFlawPutsOver5BillionDevicesatRiskforHacking,FORBES(Sept.12,2017,9:23AM)https://www.forbes.com/sites/lconstantin/2017/09/12/critical-bluetooth-flaws-put-over-5-billion-devices-at-risk-of-hacking/#72abf0c868b1.47SeeLilyHayNewman,TheBotnetthatBroketheInternetIsn’tGoingAway,WIRED(Dec.9,2016,7:00AM),https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/.48SeeUNITEDNATIONSGLOBALIMPACT,2017UNITEDNATIONSGLOBALCOMPACTPROGRESSREPORT25(UNGlobalImpact,2017),https://www.unglobalcompact.org/docs/publications/UN%20Impact%20Brochure_Concept-FINAL.pdf.
-
11
Similarly,ICTinteroperability,ensuringthatproductsworkregardlessofthecountryornetworktowhichtheyconnect,hasfosteredanever-expandingglobalmarketplaceandstrongeconomicgrowth.Yet,asdiscussedthroughoutthispaper,thatmarketplaceandassociatedgrowthareatriskfromgrowingdistrustofICTsdueinparttotheirinadequatesecurity.Inordertostrengthenthattrust,organizationsacrosstheecosystemmustdotheirpart.Sustainingcybersecurityinthemoderneconomymeansbeingintentionalaboutinteroperabilityandthebusinesschoicesthatshouldbemadetosecurelyenableit.49
Noteworthy,too,isthecriticalrolecybersecurityplaysincoresustainability
practices.Aswithmostoperationstoday,informationandcommunicationstechnologiesincreasingly,ifnotcompletely,supporttraditionalsustainabilityactionsasidentifiedbytheUnitedNationsGlobalCompact10Principlesandthe17SustainableDevelopmentGoals.50CybersecurityisessentialtoachievingeachofthesePrinciplesandGoals.Forexample,climateactioncannotbeassessedwithoutgatheringdataandanalyzingit.Identifyingthesecurityvulnerabilitiesinsuchscientificcollectionandassessmentisnosmallundertaking.Yetensuringtheintegrity,authenticity,andavailabilityofsuchdatafromnumerouscollectionpointsiscriticaltodevelopingeffectiveoptionstoaddressthechallenge.Relatedly,supplychainmanagement,acrosscuttingissuecriticaltoensuringbusinessoperations,alsodependsupontheintegrity,authenticity,andavailabilityofrelevantinformation.ShortofbecomingauniversalGoalinitself,implementingsustainablecybersecuritypracticescouldbeasupplementtoGoalNine:“Buildresilientinfrastructure,promoteinclusiveandsustainableindustrialization,andfosterinnovation.”
Furthermore,thecybersecuritynexustothesenowcommonplacebusinesspracticessuggestsorganizations’existingsustainabilityprocessesandpolicieslikelyprovideafoundationuponwhichtoincorporateandscaleenhancedapproachestocybersecurity.51Inadditiontooperationaltrackingandcompliancetoachievedesiredobjectives–environmentalimpactor,inthefuture,secureandstablecode–thesesustainabilitypoliciesalsoenableorganizationstobemoretransparentabouttheirdecisions.Thistransparencyhashelpedinvestorsandconsumerstomakemoreinformeddecisionsandbetterevaluatecompetitors.Metricsaboutthesespoliciesandtheirresultsaresovaluabletoinvestorsthatsomestockexchangesnowrequirethemintheformofenvironmental,social,andgovernance(ESG)integratedreports.52
49SeeJohnsonsupra,note25.50SeeUNITEDNATIONSGLOBALCOMPACT,The10PrinciplesoftheUNGlobalCompact,UNGLOBALCOMPACT.ORG,https://www.unglobalcompact.org/what-is-gc/mission/principles(lastvisited,Apr.2,2018);Seealso,UNITEDNATIONSGLOBALCOMPACT,HowYourCompanyCanAdvanceEachoftheSDGs,UNGLOBALIMPACT.ORG,https://www.unglobalcompact.org/sdgs/17-global-goals.(LastvisitedApr.2,2018).Consideralsothatassessingthenumberofdisplacedpersonsduetoconflictalsorequiresaccurateandavailabledata;insomesituationsthatdatamustalsobekeptconfidentialfromcontrollingregimesthatmaybetargetingcertainpopulations.51SeeJosephMarks,DHSToScrutinizeGovernmentSupplyChainForCyberRisks,NEXTGOV(Feb.14,2018),http://www.nextgov.com/cybersecurity/2018/02/dhs-scrutinize-government-supply-chain-cyber-risks/145998/;KristinGoodwin&PaulNicholas,DEVELOPINGANATIONALSTRATEGYFORCYBERSECURITY13(Microsoft,Oct.2013),https://www.microsoft.com/en-us/cybersecurity/default.aspx.52SeeChristopherP.Skroupa,ESGReportingReshapesGlobalMarkets,FORBES(Apr.24,2017),https://www.forbes.com/sites/christopherskroupa/2017/04/24/esg-reporting-reshapes-global-
-
12
Asimilarapproachtotransparencyaboutcybersecuritypoliciesandpracticescouldhavemeaningfulimpact.“Greaterawarenessanduseoftransparencytoolsandpractices[will]allowboththesupplysideanddemandsidetounderstandwhatgoesintoIoTproducts,generatemarketforcesforbettersecuritythroughtransparency,andincreaseassurancesthatnoknownvulnerabilitiesareshippedwithproducts.”53Wherecurrentlysecuritiesexchangesrequireorganizationstoprovideinformationonmaterialcybersecurityissues,inthefuture,duetoincreasingregulationsaroundcybersecurity,companies’cybersecuritypublicreportingobligationswillexpand.Asintegratedreportingmatures,ratherthaninclusionofcybersecurityactivitiessimplyfulfillingareportingrequirement,inlightofitsstrategicimportancetotraditionalESGelementsoutlinedabove,cybersecurityshouldbecomeanintegratedreportingcornerstone.54
Intheinterim,organizationsshouldbuilduponrecenteffortstowardgreater
transparencyaboutcybersecurity.Inadditiontothecoalitionsandcentersdescribedabove,somecompanies,includingIntel,alreadydiscusstheirsecurityandprivacypracticesinthebroadercontextoftheirpublicpolicywork.Intelnotesthat“trustintheglobaldigitaleconomyiscontingentuponprovidingrobustsecurityandahighlevelofprivacyprotection.”55AndtheU.S.governmenthasbeguntosharedetailsaboutsecurityvulnerabilitiesinitsnetwork.56Furthermore,overtheyears,computerhardwaremanufacturershavetakenstepstomakephysicalproductionmoresustainablebyextendingthelifespanandrecyclabilityoftheirproducts,57whichfurthersuggests–inadditiontotherecentlyannouncedefforts–thatthetechnologysectormaybeagoodstartingpointandpartnerinextendingsustainabilitypracticestoincorporatecybersecurity.
markets/#71bdf9ff5d5e;seealsoTimothyF.Slaper&TanyaJ.Hall,TheTripleBottomLine:WhatIsItandHowDoesItWork?,INDIANABUSINESSREVIEW(Spring2011),http://www.ibrc.indiana.edu/ibr/2011/spring/article2.html;seegenerallyGlobalReportingInstitute,https://www.globalreporting.org/information/about-gri/Pages/default.aspx.53SeeInternetResilienceDraftReport,supranote18at26,28.
54Theintegratedreportshowshowareductioningreenhousegasimpactsprofitability,logistics,thesupplychain,thevaluechain,etc.SeeSkroupa,supranote52.55IntelPublicPolicy:SecurityandPrivacy,https://www.intel.com/content/www/us/en/policy/policy-security-privacy.html(lastvisitedFeb.23,2018);seealsoIntel2016CorporateResponsibilityReport,https://www.intel.com/content/www/us/en/corporate-responsibility/corporate-responsibility.html(lastvisitedFeb.23,2018).56SeeLetterfromSenatorRonWydentoChristopherC.Krebs,DepartmentofHomelandSecurity(Sept.21,2017),https://www.wyden.senate.gov/imo/media/doc/letter%20to%20DHS%20Regarding%20NPPD's%20Kaspersky%20BDO.pdf.57SeeNathanielBullard&AdamMinter,TheUpsidetoAmerica’sGadgetInfatuation,BLOOMBERG(Dec.29,2017,12:00PM),https://www.bloomberg.com/view/articles/2017-12-29/the-upside-to-america-s-gadget-infatuation(“CompaniessuchasHPInc.andDellInc.areleadingthewaywithdesignsthatextendthelifespanofdevicesandenablerecyclerstoextractmaterialsaffordably.That'sgoodnewsforconsumers,andevenbetternewsfortheenvironment.”);seealso2017ImpactReportat19,SUSTAINABILITYCONSORTIUM(lastvisitedApr.17,2018),https://www.sustainabilityconsortium.org/impact/impact-report/(“Thecomputercategoryinparticularhasbenefitedfrombroadlyadoptedeco-certifications,likeENERGYSTAR(c)andEPEAT,whichhashelpeddrivesectormanufacturerstofocusonthekeysustainabilityissueswithintheirownoperationsandtheirsuppliers.”).
-
13
Nascenteffortsarealreadyunderwaytoincreasetransparency,raiseconsumerprivacyandsecurityawareness,andfosterdemandforbetterproductsandservices.AgroupoftechnologysecurityandcorporateaccountabilityexpertstogetherwithConsumerReportsaredeveloping“TheDigitalStandard”tocreateadigitalprivacyandsecuritystandardtohelpguidethefuturedesignofconsumersoftware,digitalplatformsandservices,andinternet-connectedproducts.58Establishedsoftwaredevelopmentbestpracticesandeffortstodevelopasoftwarebillofmaterialsalsosupportaninformedmarketplace.Justasconsumersnowlooktoingredientlabelsandbusinesspracticesaroundenvironmentalimpactandchildlaborbeforebuyingproducts,greatertransparencyandawarenessaboutentities’cybersecuritypracticesthrougheffortssuchastheDigitalStandardwillbettereducateconsumers,whowillbegintodemandproductsthatputsecurityfirst.59Attendanttothisdemand,andalsoelementsoftheStandard,areimprovedinformationpoliciesandpracticesthatclearlyconveytothenetworkoperator,deviceowner,andenduser,inplainlanguagethattheaveragepersoncancomprehend,whatdatathedeviceiscollectingandtowhatpurposesthedatawillbeput.60
Astheinternetaddshundredsifnotthousandsofnewdeviceseveryday,itispast
timefortheorganizationsdevelopingthemandthepurchasersthatbuythemtoagreetheymustbedevelopedandmaintainedinassecureamanneraspossible.Inthefuture,organizationsthatcompeteonsecuritycanreapmanyofthesamebenefitsasorganizationsthatadoptedsustainabilitypractices,perhapsmostimportantlygrowingtheeconomybydoingwellanddoinggood.Theeconomyofthefuturedependsonproductsandservicesthatcompetebothonsecurityandfunctionality.
So,too,doesournationalsecurity.The2018DirectorofNationalIntelligencethreat
assessmenthighlightsquitesuccinctlytheurgencytoact:“[t]hepotentialforsurpriseinthecyberrealmwillincreaseinthenextyearandbeyondasbillionsmoredigitaldevicesareconnected—withrelativelylittlebuilt-insecurity—andbothnationstatesandmalignactorsbecomemoreemboldenedandbetterequippedintheuseofincreasinglywidespreadcybertoolkits.”61
Foryearsseniormilitaryandintelligenceleadershaverecognizedtheimportanceof
sustainabilitytonationalsecurity.62Farfromalimitationinthecontextofnationalsecurity,here,too,asustainableapproachtocybersecurityhasmerit.Inevaluatingthenationalsecurityimplicationsofframingcybersecurityasasustainabilityissue,severalfactsmust
58SeegenerallyTheDigitalStandard,https://www.thedigitalstandard.org.59SeeInternetResilienceDraftReport,supranote18at19.60Id.at24(“Customer-supportedprofilesappropriateforhomeandindustrialapplicationswouldprovideasignaltothemarketthatthecustomerswillpreferIoTdevicesthatmeetthebaseline.Theprofileswouldalsoprovideimmediateopportunityforproductdifferentiation.”).61DanielR.Coats,WORLDWIDETHREATASSESSMENT5(OfficeoftheDirectorofNationalIntelligence,Feb.13,2018),https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf.(emphasisadded).62See,e.g.,BenjaminSchneider,DefenseSecretaryHagelreaffirmsclimatechange,sustainabilityarecentralmilitaryconcerns,ENVIRONMENTALDEFENSEFUND(Nov.24,2013),https://www.edf.org/blog/2013/11/24/defense-secretary-hagel-reaffirms-climate-change-sustainability-are-central.
-
14
bekeptinmind.Tobegin,theprivatesectorownsandoperatesbetween80-90percentofallICTs;theyalsoresearchandbuildthem.Next,effortstomanagetheuseofICTsmustaccountforallstakeholders,whichiswheremultilateralagreementsaroundthemisuseofICTsfacesignificantlimitations.IftheprivatesectorbuildsandusesICTsinamoresustainablemanner,theabilityfornationstatestomisusethembecomesmoredifficult,decreasingthelikelihoodandbenefitsofmisuse.63Thus,thinkingsustainablyaboutcybersecuritymayultimatelyconstrainnationstatemisuseofICTs.
Inaddition,disagreementsoverthemanagementofresourcescontributetomany
nationalsecuritythreats.64Inthiscase,theresourcecouldbeconsideredthe(mostly)openinternetandtheICTswithwhichitinteroperates.Forsomegovernmentstheinternetisatooltoadvancedemocracyandeconomicdevelopmentwhile,fromanauthoritarianviewpoint,itisathreattoregimestabilitythatmustoperateunderstrictcontrolssetbythestate.IfoneassessesthatlaxsecurityandprivacypoliciesacrosstheinternetecosystemfacilitatedinpartthecurrentmisuseofICTstounderminedemocracy,voluntaryandwherenecessarytailoredregulatoryactionsthatincorporatesustainabilityprinciplescanbettersecuretheseassets.SucheffortsshouldberecognizedasreinforcementstodemocracyandabuttressagainstfurtherattacksthroughICTs.Sustainablecybersecuritysupportsandenablesstabledemocracies.
Conclusion
Despiteitsknowninsecurities,theriseoftheInternetofThingsandourincreasingdependenceonit,togetherwithgrowingdistrustininformationandcommunicationstechnologies,necessitateafundamentalreformulationofthesocietalapproachtocybersecurityinorderforthedigitalagetocontinueitsexponentialgrowth.“‘Cybersecurity’onitsownhasnotimehorizon,noeasywaytomaketradeoffsbetweentoday’sneedsandthoseofthefuture.Sustainability,wantingfuturegenerationstohaveanInternetthatisasrich,open,andsecureastheonetoday,istheeasiestwaytoaddresstheseissues.”65Treatingcybersecurityasasustainabilityissuewillbuildupontheadaptive
63ConsiderrecentactionbytheChinesegovernmenttomitigateclimatechange.Inthepastthegovernmentpursuedeconomicgrowthatthecostoftheenvironment;facedwithrisingdeathtollsandotherdomesticimpacts,thegovernmentradicallychangedcourseandbegananaggressiveefforttolimitpollution.See,e.g.,Kearns,Dormido&McDonald,China’sWaronPollutionWillChangetheWorld,BLOOMBERG(Mar.9,2018),https://www.bloomberg.com/graphics/2018-china-pollution/?cmpId=flipboard;YanzhongHuang,WhyChina’sGoodEnvironmentalPoliciesHaveGoneWrong,THENEWYORKTIMES(Jan.14,2018),https://www.nytimes.com/2018/01/14/opinion/china-environmental-policies-wrong.html.64Seee.g.,DanielR.Coats,WorldwideThreatAssessmentoftheUSIntelligenceCommunity13(OfficeoftheDirectorofNationalIntelligence,May11,2017),https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf;JamesR.Clapper,WorldwideThreatAssessmentoftheUSIntelligenceCommunity13-14(OfficeoftheDirectorofNationalIntelligence,Feb.25,2016),https://www.dni.gov/files/documents/Newsroom/Testimonies/HPSCI_Unclassified_2016_ATA_SFR-25Feb16.pdf(“Extremeweather,climatechange,environmentaldegradation,relatedrisingdemandforfoodandwater,poorpolicyresponses,andinadequatecriticalinfrastructurewillprobablyexacerbate—andpotentiallyspark—politicalinstability,adversehealthconditions,andhumanitariancrisesin2016.”).65
Healey,supranote45at36-7.
-
15
andscalablenatureofthesustainabilitymovement.Independently,theseoperationalapproacheshaveevolvedalongsiderapidtechnologicalinnovation,demonstratingtheirimportanceandendurance;bringingthemtogetherwillfurtherstrengthentheireffectiveness.
Fromthisexpansiveviewpoint,onecanbegintoenvisionwhatsustainable
cybersecuritymeans–itismorethanjustactionstakenbydevelopersandmanufacturersofhardwareandphysicalgoodscompanies.IncorporatingsustainablecybersecuritymanagementpracticesthroughouttheinternetandICTecosystemenablesallstakeholderstodotheirparttoenhancetheecosystem’ssecurityandreinforcetrustinit.Throughsustainablecybersecuritypractices,stakeholdersgloballycanbeintentionalastheyparticipateinandcontributetothemoderneconomy,whetherindevelopingproductsandservices,runningahousehold,operatingcriticalinfrastructure,ordevelopingnationalpolicies.Throughthiscollectiveeffort,allstakeholderscanhavegreaterconfidencethatinformationandcommunicationstechnologieswillsecurelysupporttoday’sinnovationsbeyondtomorrow.
-
16
OperationalizingSustainableCybersecurity
Whatfollowsareprioritizedbutnotexhaustiveactionsstakeholdersacrosstheinternetecosystemcantakeandworktowardtobuildandsustainamoreresilientnetworkofnetworks,onethatprotectsthesecurityandprivacyofthedatadrivingthemoderneconomy.
Forproductmanufacturers:
o
Followingsecuresoftwaredevelopmentbestpractices,e.g.,SoftwareAssuranceMarketplace;OWASP
o
Publishingasoftwarebillofmaterialsthatdetailstheproductdevelopmentprocess
o Establishingaproduct’susage,lifespan,andend-of-lifemanagement
▪ UsingtheManufacturerUsageDescriptionSpecification ▪
Updatingpurchaserswhenaproductexceedsitssupportedlife ▪
Offeringdiscountedupgradestoreducepopulationofinsecure
products ▪
Ensuringwhereappropriateproductsfailsafetosafe/securemode
o Sellingproductsthataresecurebydesignwithnoknowndefects o
Developingvulnerabilitymanagementandpatchdisseminationpoliciesand
processes,includingautomaticupdateswhereappropriate o
Participatingininformationsharingandanalysisorganizations o
Educatingworkforceaboutcybersecurity,includingapplicationoutsidethe
workenvironment
Forenterprisenetworkoperators:
o
UtilizingtheNISTCybersecurityFramework–identify,protect,detect,respond,recover
o
Includingthesupportingpoliciesandprocedures,e.g.,incidentresponseplan
o
Requiringasoftwarebillofmaterialsforpurchasesofinternet-connecteddevices
o Validatingtheintegrityofhardwareandsoftware o
Developingpatchmanagementprocessestoensureproductsremainupto
date o Maintainingleastprivilegeacrossthenetwork o
Securingaccesstoinfrastructuredevices o
Segregatingnetworksandfunctions o
UsingDomainMessageAuthenticationReportingandConformance(DMARC) o
ImplementingBestCommonPractice38&84-ingressandegressfiltering o
Participatingininformationsharingandanalysisorganizations o
Educatingworkforceaboutcybersecurity,includingapplicationoutsidethe
workenvironment
-
17
Forcivilsocietyandconsumers:
o Educatingthemselvesaboutcybersecurity o
Practicinggoodcyberhygiene
o Backingupdata o Installingupdateswheninformedbymanufacturers o
Usingstrongpasswordsandnotreusingthem o
Usingtwo-factorauthentication o
Reducingopportunitiestobeavictimofsocialengineering o
Usingwebbrowsersthatfilterbaddomains
o Reinforcinggoodhygienewithfriendsandfamily o
Investinginproductswithrobustsecurity,asevidencedby,forexample,the
DigitalStandard o
Holdingaccountableorganizationsthatfailtoadequatelydevelopandsecure
productsbyusingtheircompetitors,whereavailable
Forgovernments:
o
Leadingbyexampleinprocurement,enterpriseoperations,personnelandnationaleducation,andresearchanddevelopment
o
Conveningstakeholderstobuildcybersecuritycapacityinternationally o
Supportingandparticipatingininternationalstandardsorganizations o
Improvingincentivesforstakeholderstoimplementsustainable
cybersecurity,includingbyreevaluatingliabilityframeworks o
Collaboratingtoinvestigateandwheneverpossibleprosecutecriminal
misuseofICTs o
RefrainingfromactivitiesthatunderminepublictrustinICTs
Next steps
Weproposetofacilitateandparticipateinaseriesofmultistakeholderconversationsaboutthispaperandtheactionsitoutlines.Agendaitemsfortheseconversationsinclude:●
Arethesetherightactionsfortheseactors?What’smissing? ●
Whatarethelegaland/orpolicychallengeslimitingtheseactions’implementation?
● Whatincentivescouldspurbroaderadoptionoftheseactions? ●
Whichactionswouldmakeusefulcasestudies?
SustainabilityPaperCoverFINALSecuring the Modern
Economy--Transforming Cybersecurity Through
Sustainability_FINAL_4.18.18_PK
