A successful hack against a small Ukrainian software company might not sound like a big deal for the rest of us, but within a year of M.E.Doc’s servers being breached in 2017, the NotPetya hack had cost businesses around the world more than $10 billion.
In the same year, the WannaCry attack hit the UK’s National Health Service first and hardest, but within days it had spread to over 150 countries. And when the International Committee of the Red Cross was targeted in 2022, sensitive data related to more than half a million people worldwide was exposed.
The costs associated with this global epidemic of cybercrime rise into the trillions, and this trend is accompanied by an increase in the rate of State-linked online attacks on civilian and humanitarian infrastructure.
The growing scale and sophistication of these challenges mean that narrow, technical solutions to cybersecurity are no longer enough.
Only a collective response will work
Recognition of the gravity of the situation has also driven a shift towards the idea of cyber resilience, rather than cybersecurity, whereby systems and societies are collectively able to react, adapt, and recover when attacks occur.
However, whilst businesses and governments agree on the need for a global approach, their task is made more difficult by the growing fragmentation of the digital domain, driven by rapid technological developments and differences in political posture, regulatory approaches and organisational capacity.
Together, these factors create fault lines that make cyber infiltration more likely, and mean that no one company, government or international body has the ability to fully manage international cyber risks on its own.
Foundations in place
The foundations for the collective, cooperative work needed for comprehensive cyber resilience are already underway, and they were laid at the UN.
In 2015, for example, the General Assembly endorsed 11 voluntary, non-binding norms of responsible State behaviour in cyberspace, and reaffirmed them in 2021.
Cybercrime is a constantly evolving threat.
But in order to realise the potential of these norms, Governments need to identify what qualifies as critical infrastructure, assign responsibility to a competent agency, build up effective cyber capacity within these agencies and create rules around incident reporting and cooperation to ensure that attacks and their spread are properly tracked and addressed.
Another step that governments can take is to bolster their participation in confidence-building measures such as the UN-led Points of Contact directory.
This initiative establishes channels of secure, direct communication on cyber incidents, including those affecting critical infrastructure, to de-escalate tensions, clarify misunderstandings, and promote more effective, collective responses by sharing information and capacity.
Effective cooperation also depends on treating industry, civil society and academia as operational partners.
Initiatives such as the Cybersecurity Tech Accord, the Paris Call, the Internet Governance Forum and the World Economic Forum’s Centre for Cybersecurity already point the way forward, as do inclusive platforms like the UN’s Cyber Stability Conference taking place this Monday and Tuesday – kicking off Geneva Cyber Week.
The coming months will also see the launch of the UN’s Global Mechanism on Information and Communications Technology, which will provide a single permanent track for governments to ensure that steps towards more concrete progress stay on track, to further strengthen confidence building measures and to redouble efforts to improve capacity building across the board.
It is only this kind of concrete, cooperative and collective effort that can truly build cyber resilience across every link in the chain and protect the vital digital infrastructure that today plays such a key role in our lives as individuals, and the future of humanity.
Robin Geiss is the Director of the UN Institute for Disarmament Research (UNIDIR). This is an edited version of an article that appeared on the UNIDIR website and the World Economic Forum website.