This new Future Series report highlights the growing threat from hidden and systemic risks inherent in the emerging technology environment, which will require significant change to the international and security communities’ response to cybersecurity.
The rise of cybersecurity ... and attacks
In under a decade, cybersecurity has emerged as one of the most important systemic issues for the global economy. Collective global spending has now reached $145 billion a year, and is predicted to have exceeded $1 trillion in the period between 2017 and 2021. Incidents and attacks continue to rise, but this is only the tip of a new and growing problem.
Cloudy outlook for technology transformation
The critical technology transformations on which future prosperity relies – ubiquitous connectivity, artificial intelligence, quantum computing and next-generation approaches to identity and access management – will not just be incremental challenges for the security community.
They have the potential to generate new and systemic risks for the global ecosystem, and at this stage, their full impact is not well understood. This suggests the urgent need for collective action, policy intervention and improved accountability for government and business. Without interventions now, it will be difficult to maintain the integrity and trust in the emerging technology on which future global growth depends.
The Future Series
The Future Series was launched to answer a single question: Will our individual and collective approach to managing cyber risks be sustainable in the face of the major technology trends taking place in the near future? It has produced many answers.
Among these is the assertion that the world now faces five major challenges:
- Skills gap. There is already a global capacity shortage in cybersecurity (specialists and throughout the wider workforce), and as new technologies emerge, the skills gap in delivering cybersecurity will widen.
- Fragmented approaches. Emerging technologies are driving an increasing interdependence and entanglement between policy and technology at a time when the global governance of cyberspace is weak.
- New approaches. Existing operational-security capabilities and technologies will not be fit for purpose and so mitigating threat and responding to incidents individually and collaboratively will require new approaches.
- Under-investment. Security is not being considered as an integral component of technology innovations and as such, proper investment isn’t being made into support (knowledge, guidance, research investment) and incentives (market forces, regulation) for developing emerging technologies securely.
- Ambiguous accountability. Shared dependence widens the pool of actors affected by the resilience of a part of the ecosystem, built can also create ambiguity in the accountability for ensuring this resilience.
Five problems, 15 interventions
The report recommends 15 strategic interventions for individual and collective action, without which the global community risks creating an ecosystem that is not resilient to the emerging threat landscape and where cybersecurity could become a barrier to unlocking the full potential of technology and cyberspace.
This suggests the overriding need for a new approach to cybersecurity. It should no longer be seen as being simply an issue of protecting systems and networks, but instead, government and business need to think in terms of assuring the integrity and resilience of the interconnected business and social processes that sit on top of an increasingly complex technology ecosystem.
Understanding the dynamics of digitization as well as its opportunities and challenges –—Urs Rohner, Chairman of the Board of Directors, Credit Suisse Group AG
particularly regarding cybersecurity risks – is a fundamental part of a board’s corporate governance responsibility. Technology-led transformation and investments in cybersecurity must proceed together in this context.
Tech for good, bad and downright villainy
The first generation of AI-enabled offensive tools is already emerging and there is growing evidence of AI being used by attackers.
Deep fakes have already been leveraged to create new cyberattack vectors and voice-mimicking software has been used in major thefts.
Many entities are sharing a growing dependence on a concentrated underpinning infrastructure and set of shared services, including cloud, ISPs, hardware, software and the equipment supply chain.
This is creating an attack surface of high-value shared resources with high probability of attack, and the potential for compromise to have severe and systemic impacts.
A sufficiently powerful and error-corrected quantum computer would solve some of the classical mathematical problems on which cryptography methods rely.
If used maliciously, however, it could break the cryptographic underpinnings of the world’s digital infrastructure, on which the digital economy relies.
As next-generation identity systems emerge, society will develop an increasing dependence on their use in critical applications.
Increasingly sophisticated threat actors will capitalize on the opportunity to exploit vulnerabilities in its component parts and the high-value identity ecosystem is likely to be heavily targeted.
$433bnThe projected growth in collective global cybersecurity spending by 2030.
300%The increase in reported cybercrime since the beginning of the pandemic, according to the FBI.
Eight obstacles to a paradigm shift
- Divergent approaches to tackling cybersecurity will act as a strategic barrier to cross-border data flow and e-commerce
- Cybersecurity costs are increasing
- Yet it is difficult to calibrate the right nature and scale of investment in cybersecurity
- Risks associated with cyberthreats are often opaque
- Regulatory requirements are increasing and are often different between jurisdictions
- Existing approaches to supply-chain cybersecurity assurance don’t work
- The community continues to fail to tackle the problem at source
- There is a lack of credible deterrence
The new approach to cybersecurity
Action at the individual enterprise level alone is no longer sufficient to tackle the range of complex ecosystem-wide challenges that the report identifies. Instead:
The security and technology community need to prioritize a number of interventions to improve their collective response.
This is essential to cybersecurity operations and controlling cyber risk effectively within business and critical national infrastructures.
Industry and government leadership need to develop a set of policy actions that incentivize take-up of security solutions and that underpin greater trust and transparency between different components of the ecosystem.
These include: clarifying issues of liability, reducing friction in current assurance and regulatory models, and promoting international business and trade in data and digital services.
The international community must intervene to ensure that security issues are addressed in such a way that the benefits of emerging technology are inclusive.
Particular note needs to be taken of the needs of developing countries and the need for collective efforts to reduce cross-border cybercrime.
The big if ...
These technologies will transform our world, but only if they are secure and we can give citizens and businesses confidence that they are so. If these interventions are not taken forward the world will be left with a digital ecosystem that is not resilient to the emerging systemic threat and risk landscape and the potential benefits of the global digital ecosystem may not be realized.
What is the World Economic Forum doing on cybersecurity?
The World Economic Forum Centre for Cybersecurity drives global action to address systemic cybersecurity challenges. It is an independent and impartial platform fostering collaboration on cybersecurity in the public and private sectors. Here are some examples of the impact delivered by the centre:
Cybersecurity training: Salesforce, Fortinet, and the Global Cyber Alliance, in collaboration with the Forum, provide free and accessible training to the next generation of cybersecurity experts worldwide.
IoT security: The Council on the Connected World, led by the Forum, has established IoT security requirements for consumer-facing devices, safeguarding them against cyber threats. This initiative calls upon major manufacturers and vendors globally to prioritize better IoT security measures.
Paris Call for Trust and Security in Cyberspace: The Forum is proud to be a signatory of the Paris Call, which aims to ensure global digital peace and security, emphasizing the importance of trust and collaboration in cyberspace.
Contact us for more information on how to get involved.