Enterprise leaders need tools for making decisions on how best to prepare for emerging risks.
It has become increasingly clear that the way cybersecurity has been handled must change, says the World Economic Forum (WEF).
Its report, titled The Future Series: Cyber 2025, highlights the growing threat from hidden and systemic risks inherent in the emerging technology environment, which will require significant change to the international and security communities’ response to cybersecurity.
In under a decade, cybersecurity has emerged as one of the most important systemic issues for the global economy.
Collective global spending has now reached US$145 billion a year and is predicted to have exceeded US$1 trillion in the period between 2017 and 2021. Incidents and attacks continue to rise, but this is only the tip of a new and growing problem.
Put together with the assistance of Oxford University, the report paints a picture of increased complexity, pace, scale, and interdependence.
The emerging technology environment will overwhelm many of the risk mitigations that are currently deployed. Without interventions now, it will be difficult to maintain the integrity of and trust in the emerging technology on which future global growth depends.
Managing cyber risk within organisations is already a major leadership challenge. The costs for enterprises are increasing – building and maintaining cybersecurity capability is expensive, and the return on investment is uncertain.
The risks associated with cyberthreats are often opaque, and it is difficult to calibrate the right nature and scale of investment in cybersecurity. Regulatory requirements are increasing and are often different among jurisdictions, and there is a risk that divergent approaches to tackling cybersecurity will act as a strategic barrier to cross-border data flow and e-commerce. Current approaches to supply-chain cybersecurity assurance are broken: Friction is being introduced by the need to provide security attestation, which does not necessarily give the level of assurance required, thus diverting resources away from more effective cybersecurity capacity investments. These challenges are exacerbated by the continued failure of the community to tackle the problem at source.
Many incidents are caused by a small number of cybercrime groups that face limited consequences for their actions. There is still a lack of credible deterrence. There must now be a paradigm shift in the approach to cybersecurity.
Enterprise leaders need to think in terms of assuring the integrity and resilience of the interconnected business and social processes that sit on top of an increasingly complex technology environment – rather than cybersecurity being simply an issue of protecting systems and networks. Organisations need to keep abreast of how new technologies will affect their exposure to cyber risk and ensure that the necessary mitigations are put in place to keep risk within a tolerable and sustainable level.
Ensuring that organizations have the visibility and insight to do this is a major challenge. Action at the individual enterprise level alone will not, however, be enough to tackle the range of complex ecosystem-wide challenges that were identified in the report.
The conclusion of the Future Series is that the emerging cybersecurity risks will not be a simple continuation of current challenges, and incremental progress will not be sufficient to address them. The nature of the change in the technology environment is such that growing systemic risks will emerge, for which new collective action will be required:
- First, the security and technology community needs to prioritise a number of interventions to improve the collective response that will be essential to cybersecurity operations and controlling cyber risk effectively within business and critical national infrastructures. These are described below.
- Second, industry and government leadership need to drive a set of policy actions that incentivise take-up of security solutions, and that underpin greater trust and transparency between different components of the ecosystem: to clarify issues of liability; to reduce friction in current assurance and regulatory models; and to promote international business and trade in data and digital services.
- Finally, interventions are required from the international community to ensure that security issues are addressed in such a way that the benefits of emerging technology are inclusive, with particular regard to the needs of developing countries and the need for collective efforts to reduce cross-border cybercrime.
The analysis considered four representative transformative technologies that will contribute to the changing dynamics of cyberspace:
- Ubiquitous connectivity
- Artificial intelligence (AI)
- Quantum computing
- Next-generation approaches to identity and access management
The report doesn’t claim that this is the complete set of technology innovations that will define the future, nor that they illustrate all of the risks faced. However, the technologies chosen are sufficiently representative to illuminate the range of risks that the community is likely to face in the next 5–10 years.
Key interventions recommended to address the systemic issues in government and industry leadership, and to enable the management of cyber risks in the near future, include:
- New education, guidance and governance tools are required for enterprise leadership to address the security impact and risk associated with the use of emergent technology within their organizations and in the wider operational environment. This is essential in order to enable leaders to promote an agenda of increased and meaningful security, and to ensure solutions are developed that protect organisations and better prepare leaders for when significant incidents occur.
- Enterprise leaders need tools for making decisions on how best to prepare for emerging risks. Greater transparency over incidents and their impacts will improve leaders’ collective response. The increasing entanglement of businesses and supply-chain interdependencies – as well as the growing regulatory and related security attestation processes – is creating an urgent need to deliver a mechanism for ensuring trustworthy and reliable systemic nature of the risk and also to govern the management of it.
- There needs to be a convening of security and business experts to establish how the quantum cryptography issue will affect end-to-end distributed business processes and who should take responsibility for mitigating the risk. Capacity in the workforce will need to be developed to ensure that new approaches to operational defence can be delivered across the ecosystem.
- Existing cybersecurity skills and education programmes need to be reviewed and enhanced to ensure that they reflect the impact of emerging technologies. These need to be made available globally. The technical and security community needs to promote security standards that can help ensure interoperability throughout the enterprise functions, including not only technology standards but also regulatory standards. This is true for all systems but is most pressing in the digital identity environment due to its heterogeneous and distributed nature, and the need to ensure trust and privacy throughout the systems.
- Global interoperability trust standards for next generation digital identity systems are required that enable projection of trusted identity and personal privacy across heterogeneous systems and jurisdictions in order to support trade.
- Organisational cybersecurity behaviours to underpin confidence across different components of the ecosystem. This is most pressing in areas where there is increasing shared reliance on infrastructure, such as major cloud and shared service providers. This will require the identification of gaps in incentive models and interventions to address them.
- New and internationally applicable methods for security attestation are required to make governance cost-effective and meaningful. Standard-of-care models will need to be developed to support this and to underpin general confidence in supply chains.
- Business will need to work with regulators and policymakers to consider and promote clear responsibility and liability models. These need to be able to operate across international boundaries in order to support trade and reduce unnecessary friction.
- Regulations and attestations need to reflect the dynamic real-time nature of the underlying technology and risk environment.
If these collective actions cannot be taken forward, the global community risks creating an ecosystem that is not resilient to the emerging threat landscape, where cybersecurity could become a barrier to unlocking the full potential of technology and cyberspace.