The Role of Diplomacy in IT SecurityStudy Reviews Nations' Cybersecurity Policy, Performance
As the world's population continues to grow, and more people gain access to the Internet, what does the future of cybersecurity look like? Microsoft's Paul Nicholas attempts to envision that future.
Key findings: Nations where the government has ratified international cyber-agreements have lower incidents of malware infection, and those countries with the lowest cyber-risks have on average more personal computers in use, higher health expenditure per capita, regime stability and greater broadband penetration.
"What really drove us to look at this is that you have about 70 percent of the world's population living in countries that are still making major investments in [information and communications technology]," says Nicholas, Microsoft senior director of global security strategy and diplomacy, in an interview with Information Security Media Group [transcript below].
"That's driving a really dramatic shift in terms of what the future of cyberspace looks like," he says.
In the study, countries identified as "maximizers" were the furthest ahead in adopting cybersecurity policies. A maximizer, according to the study, would have ratified the Budapest Convention or the Council of Europe Cybercrime Convention; secondly, they're part of the London Action Plan, a voluntary agreement to help reduce spam; and third, they have lower piracy rates.
"Some policies create more of a compliance checklist," Nicholas says. "Did you do this? Did you do that?
"These policies, we think, actually generated capabilities that were a little more agile and innovative in terms of: We're going to, number one, make reducing cybercrime an important area of focus, and, two, we're going to create capabilities that will grow over time to be able to go out and actually target resources to reducing cybercrime."
In the interview, Nicholas:
- Reviews the top findings of the study;
- Explains how nations fit into three categories of adopter: maximizers, aspirants and seekers;
- Discusses how national approaches to reduce cybercrime can be applied at the enterprise level.
Nicholas has been Microsoft's senior director for global security strategy and diplomacy for more than seven years. A former assistant director and senior systems analyst at the Government Accountability Office, Nicholas served as a director of critical infrastructure protection and cybersecurity in the Bush White House.
ERIC CHABROW: Before we get to the study, please take a few moments to explain why Microsoft needs a senior director for global security strategy and diplomacy. What does the job entail?
PAUL NICHOLAS: What we found over the years is that governments have lots of questions about cybersecurity and my team works specifically with engineers, attorneys and others to engage with governments to address the full range of security concerns related to cybersecurity, critical infrastructure and information-sharing challenges, and we found that it's been a really effective way to have those very in-depth conversations about how we go solve problem "X."
Top Findings of Study
CHABROW: What did you study and what are the top findings of the study?
NICHOLAS: We set out to try to understand several key things. The first one was: what role did non-technical factors have in cybersecurity? Two, what was the impact of cybersecurity policies in terms of driving outcomes, meaning better cybersecurity? And three, was it possible by combining these two things to try to create a model that would give us some beginnings of a predictive model for cybersecurity at a national level?
More Computers, Lower Cyber-Risk
CHABROW: One of the findings shows that countries with the lowest cyber-risks had on average more personal computers in use per capita, higher health expenditures per capita, regime stability and greater broadband penetration. Why is that the case? What lessons do you take from that?
NICHOLAS: It was really interesting to us. When we looked at that, you would think that because of the increased broadband and greater number of machines, those countries might be less secure just because they had more to secure. We actually found that was kind of the opposite. We think that's generally driven because those countries [are] probably using more automatic update [and] anti-malware-related issues.
But the real interest for us was looking specifically at the policy indicators. We built a model that looked at 80 different indicators across 105 countries, and out of that constructed this model of 34 that were mathematically relevant. When we got in and pulled that apart, we found, for example, that countries that fell into this first category we called "maximizers," [and they] had three really interesting things in common. One, for the most part, over 50 percent of them tended to have ratified the Budapest Convention or the Council of Europe Cybercrime Convention. Secondly, almost 50 percent of them were part of the London Action Plan. This is a voluntary agreement to help reduce spam where private sector and governments try to bring down spam rates in their country. The third part was they tended to have a lower piracy rate than the other two categories, which came in around 42 percent, still high but better than some of the other categories we'll talk about.
What was interesting to us on the two policy fronts is that those policies were essentially generative in terms of, when you become part of the cybercrime convention you actually have to increase criminal penalties, build law enforcement capabilities and build things that actually go and reduce cyber-risks by helping to reduce cybercrime. We think that there's something there to be further explored in terms of how effective those types of policies are.
CHABROW: When you say there's something there to be explored, can you be a little more specific, please?
NICHOLAS: Some policies create more of a compliance checklist. Did you do this? Did you do that? These policies, we think, actually generated capabilities that were a little more agile and innovative in terms of, "We're going to, number one, make reducing cybercrime an important area of focus, and, two, we're going to create capabilities that will grow over time to be able to go out and actually target resources to reducing cybercrime." We think there's actually something in that space in terms of, how do you build policies that actually result in capabilities that drive the outcome you're trying to get to?
CHABROW: These are for individual nations developing policies?
NICHOLAS: That's correct. What really drove us to look at this is that you have about 70 percent of the world's population that's living in countries that are still making major investments in ICT, or essentially they're still in the process of coming online according to the World Economic Forum. That's driving a really dramatic shift in terms of what the future of cyberspace looks like. [You] probably heard by now that we're trending toward about four billion people online by the year 2020.
Included in our report we actually went through and did a more detailed mapping of what that world looks like. You see a world where the U.S. has over 270 million people online and China has about 760 million people online and India comes in around 300 million. You see these really interesting changes in where users are and you also see real dramatic shifts in terms of where Internet access is. You see a lot of saturation in northern Europe and continued growth in Asia Pacific, Africa and Latin America. These things factor into [the idea that] all of these countries are going to have to build policies, and so that was really our driver. How do we start a debate and a dialogue around measuring cybersecurity and trying to link it to performance over the long term?
CHABROW: When you talk about that they have to build policies, are you saying that each of these countries that are maturing are going to have to develop cybersecurity policies that, perhaps, are similar to ones of countries that are members of these treaties?
NICHOLAS: Essentially, yes. When I talk to customers around the world, everyone is in the process of essentially building a national cybersecurity strategy, reforming their current cybersecurity strategy, or trying to understand if they have an appropriate legal construct for cybersecurity.
I was at the Munich Security Conference, for example, and it was really interesting to hear the European Union and representatives from other parts of the world talk about their challenges in building cybersecurity policies and trying to create the right framework that would give them a risk management capability over the long term.
The Role of Governments
CHABROW: Most cybersecurity policies in the U.S. would be private industry-based. In fact, that's a big debate going on in Congress now about how much of a role U.S. government should take in that. Where does that kind of thinking play in this around the world?
NICHOLAS: Excellent question. One of the big challenges we had when we built the model [was] there were some things we couldn't actually measure. For example, when we rolled the report out, we had several questions about, "How did you measure public/private partnership?" Or, "How did you measure risk management capabilities in countries?" Our answer was in this version of the model, we couldn't actually do that. That's part of the reason [why] we really want to have a broader debate about the model and a dialogue. It's easy to go in and look at tried-and-true indicators like RND expenditures or certain economic development indicators, but we don't really have a normalized indicator for two of ... the most critical variables in this space, that being public/private partnership and risk-management capabilities. We're really trying to figure that part out.
CHABROW: Where do you go in trying to figure this out?
NICHOLAS: [What] we're actually starting to do is having an engagement with academics and policy makers around the world to figure out how we could get at this. Is there a way that we can factor this into the model for future work in this space?
Takeaways for IT Security Practitioners
CHABROW: A lot of our listeners are IT security practitioners defending end-user organizations. Does the study present anything to them?
NICHOLAS: I think so. When you think about cybersecurity from an enterprise level, there are a couple of things that there are parallels for. Enterprise security is bigger than the technical measures of, "How good are my firewall configurations and how good is my patch-management capability?" It gets to a broader sense of the awareness and preparedness levels of my people and what's the broader policy construct of my enterprise. While we didn't target the report at that, I think people who are in those roles could use this to help to inform their thinking in that space.
CHABROW: Why is that important?
NICHOLAS: The important thing is cybersecurity is not just a technical matter anymore. It really moved into the space of policy and people, and we have to figure out how the technical policy and people factors all work together. Somehow, we have to find a way of measuring that effectively to understand long-term performance.