Crimes in cyberspace, by one estimate, now cost the global economy $445 billion a year. Cyber insecurity is now a global risk no different from the warming climate or forced displacement. Is such insecurity a business risk or a “public bad”? If the security of digital infrastructure is viewed as a business risk, who should mitigate it? Should states be responsible for the integrity of networks and data within their territories, failing which they will be classified as “risky” places to do business in the digital economy? Were cyber insecurity treated as a “public bad”, governments could justifiably conclude that vulnerabilities in one device or platform affect an entire ecosystem, and create a liability regime that shifts the burden onto the private sector.
These issues are important to ponder as the Digital India programme and demonetisation encourage the rapid adoption of digital payments technologies. It is difficult not only to assess the “risk” of transacting in the digital economy, but also to determine who should absorb such risks. For instance, a high-end device may be able to offer security on the back of its tightly controlled supply chain, but what if an end user, by opening the door to a hidden exploit, compromised its operating system?
Three crucial trends will decisively influence the future of cyber security — the centralisation of data, the arrival of connected devices, and the rapid adoption of digital payments technologies. Centralised control over data can make databases easier to access and more vulnerable to attacks. The Internet of Things (IoT) ecosystem is set to explode, with more than 24 billion devices expected to be connected to the Internet by 2019. The sheer scale, size and diversity of the IoT environment make risk difficult to measure.
Perhaps the most important factor is the scale and speed at which digital payments have been adopted across the spectrum of transactions. Payment gateways work the same for all users irrespective of the volume or commodities/services transacted, but they are accessed on devices that vary greatly in their ability to protect data. How would insurers gauge the risk inherent in such a diversified market? Consider, then, these key questions and conundrums.
First, if cyberspace is a global commons, will the socialisation of “bad” follow the “privatisation of profits”?
Unlike the environment, the oceans or outer space, digital spaces are not discovered — they are created. Cyber insecurity has been made out to be a global threat but the fact remains that the economic gains from securing digital spaces still accrue to a few countries and corporations. Do developed markets have a common but differentiated responsibility to secure digital spaces? If it is the responsibility of all, can developing countries also get a share of the economic gains from electronic commerce?
Second, cybersecurity is a private service — how can we make it a public good?
Digital spaces are common to all, but the provision of their security is increasingly guaranteed by the private sector. This is in stark contrast to governance models in emerging markets, where the state underwrites law and order. How can the public and private sectors work together to provide this common good?
Third, India is moving towards security by identity, but many advanced economies believe security comes through anonymity. Are we on the wrong side of history?
Encryption is becoming the norm in advanced economies, as a result of which data is increasingly out of the reach of law enforcement agencies. On the other hand, India has moved towards biometric identification programmes that place a premium on identity. The “Aadhaar impulse” is driven by a requirement to target beneficiaries effectively, but without strong data protection regulations, the digital economy would be less than secure.
Fourth, if cash-based systems, ATMs and payment gateways are increasingly vulnerable to cyber-attacks, are “distributed ledger technologies” going to make governments adopt cryptocurrencies?
Blockchain and other technologies that “crowdsource” the authentication of online transactions using bitcoins are more difficult to target because they are, by their very nature, distributed ledgers. Will the increasing insecurity of the fintech ecosystem push us towards cryptocurrencies?
Fifth, cyber security is an expensive proposition in advanced economies, where the most sophisticated instruments are also assumed to be the safest. How can India apply its famed “frugal innovation” in this space, and protect the user while providing affordable access to the Internet?
The ICT supply chain in India is only as strong as its weakest link: the end user. If the user is from rural India, with a limited understanding of the devices and transactions she accesses, her device is a point of vulnerability. If the device itself is “low-end”, which places a premium on cost over security, this forms a lethal mix that endangers the security of all users in the ecosystem. India cannot afford a false separation between access and security in digital spaces, as the qualitative nature of access will determine ICT security for a billion people.
Sixth, who determines the risk of transacting on the Internet, and how?
If transactions in cyberspace will invariably carry an element of risk, who will guarantee them? The buyer, seller or intermediary? As in the case of shipping, will we see a form of cyber-insurance applied to cover the risk of malicious attacks online?
Developments in cyber security lead one to surmise that economies will soon be subject to a risk assessment based on the integrity of their networks. Risk-based assessments offer predictive value and guarantees of stability to businesses, but they should not perpetuate inequities that exist offline.
Limited means to enhance cybersecurity in developing economies should not set back investments in the digital economy, which would in turn create a vicious cycle, rendering the overall ecosystem insecure. The international community must articulate ways in which such risks can be mitigated, and facilitate access in emerging markets to technology and finance that generate investments in cybersecurity.
This commentary originally appeared in Hindustan Times.