October is cybersecurity month, a time to raise awareness, of an issue of growing concern to citizens, businesses, and governments, given the rise and sophistication of cybercrime.
A few decades ago, bank robberies were almost a daily occurrence:
The business case was, so to speak, too good for the robbers. It was too easy to get away with the money from the Banks
In 2022, for the first time in history, Denmark recorded zero bank robberies. But criminals in the digital age are finding new ways to steal, all while cyber-attacks by nation-state actors have become more common and visible.
Today, digital development has taken on a greater dimension, with cyber security risks undermining trust in digital transformation and generating significant economic and social costs. Cybersecurity is becoming a high priority as figures show: estimates of OECD suggest that the cost of digital security incidents ranges between USD 100 billion and USD 6 trillion per year; protecting users from cyber-attacks was the top priority chosen by 30% of the European citizens for the digital decade 2030; cyberattacks in LATAM and the Caribbean increased 600% (10% of cyberattacks on the entire planet) in 2022, counting 360 billion cyberattack attempts, according to Fortinet statistics.
And unlike other investment decisions, the greatest success in cybersecurity protection is silent, when attacks are unsuccessful. This entails the added difficulty of defining what constitutes cyber security success, in order to assist decision making in terms of securing resources to improve resilience, protection, and response. It is not a straightforward return on investment. Cybersecurity is not only about technology, but a political, cultural, and business issue.
Increasing the maturity of the cybersecurity approach in LATAM
This month, Telefónica hosted in Madrid the LATAM CISO Summit 2023, a meeting for companies, cybersecurity leaders and policymakers from Latin America to share experiences and effectively prepare for and address cyber risks. A report on the cybersecurity situation and recommendations for the region was published for the occasion.
Rapid digitalisation is testing the resilience of private and public services and infrastructures, which in turn means that cybersecurity must be integrated into a country’s modernization policy. As a best practice, some countries (e.g. Panama) even set aside between 10% and 20% of the public support budget for each digital transformation project for cybersecurity, to promote cybersecurity by design.
The Latin America region is, worldwide, one of the most vulnerable to cyber-attacks, according to ITU Global security index. But there is a wide spectrum of cybersecurity maturity across countries, as evidenced at the summit.
Lessons learned across Latin America
In 2022, Costa Rica became a showcase and a lesson to increase prevention and security capacity building for all countries: Costa Rica had to declare a state of emergency, when its government agencies fell victim to a ransomware operation from a Russian cybercrime gang, which caused overnight paralysis of critical government services (e.g. customs operations, non-payment of teachers’ salaries, loss of access to patient health records or medical appointments). Interstate security cooperation and assistance requested from a number of countries, including the United States, Spain, and Israel, became a key element in addressing the problems. After this hard learning, Costa Rica is establishing itself as a regional leader in cybersecurity.
In September 2023, in Colombia (and other countries of the region), more than 50 state entities and private companies were hit by a ransomware attack against Internet service provider IFX Networks, with a major impact in public services. This has again highlighted the importance of adequate cybersecurity measures for the resilience of government services, the importance of security clauses in contracts beyond the lowest bidder price approach, and the need for an appropriate legal framework.
Countries and businesses need to accelerate their cybersecurity protection by drawing on examples of good practices, updating their regulatory frameworks and exploring lessons learned in other regions, setting up cybersecurity strategies and independent technical agencies, increasing cooperation among countries and between players by breaking silos, collaborating with private partners and making use of specialised Digital Operation Centres (SOCs/DOCs) to streamline response to crises, investing in capacity building (including human capital), raising awareness and effectively fighting against cybercrime.
A second release of Europe’s cybersecurity regulatory frameworks
Europe is one of the regions with the most mature cybersecurity policies, with cybersecurity strategies, independent cyber agencies with clearly defined technical competencies, regulatory frameworks and cybersecurity guidelines to improve practices, a certification framework, cooperation processes and programmes for innovation, and supporting cyber capacities, deployment and skill development. Based on lessons learnt and on the new cyber threat landscape, Europe is now updating them.
To name a few of the most important future frameworks:
- The NIS2 directive on measures for a high common level of cybersecurity across the Union will apply to companies considered as essential or important in 18 critical sectors, as of 18 October 2024. Transposition into national frameworks is ongoing. It expands the scope of the cybersecurity rules to new sectors and entities, to further improve the resilience and incident response capacities. Closing the gap in supply chain security and increasing coordination of incidents reporting and response remains a challenge.
- Aligned with the NIS2 directive and to be transposed by the same date, the Critical Entities Resilience Directive (CER) lays down obligations on EU Member States to take specific measures, to ensure that essential services for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner. Member States will have to identify the critical entities for the sectors set out in the CER Directive by 17 July 2026.
- The proposal on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act (CRA), with cybersecurity rules towards more secure hardware and software products. Resilience will increase through a better allocation of responsibility for cybersecurity along all the value chain and with harmonised requirements. It will come into force 24 months after its approval.
- The recently approved DORA regulation on digital operational resilience for the financial sector, applicable from January 2025, will also test the water on supply chain protection. It includes provisions on contracts, security standards, management of risks, rights of access, inspection and audit on suppliers, risk and resilience training and awareness-raising for staff and governance structures for security management, among others.
How to move towards global frameworks to fight cyber threats?
One of the oldest experiences in the fight against global crime was the fight against piracy. The second half the 17th century was the Golden Age of piracy. By the 18th century, tolerance for pirates and state-supported raiders, was wearing thin. And European nations reinforced their navies to offer greater protection to merchants and to hunt down pirates. The surplus of qualified sailors provided a large reserve that could also be recruited into the national navies. Without a secure base and with increasing pressure from coordinated naval forces, the pirates lost their momentum.
And, as with the buccaneers of the 17th century, the borderless nature of the digital economy paints a complex legal and operational picture for cybersecurity. International cooperation is at the core of effective prosecution. A collective, collaborative multistakeholder approach is required to find meaningful ways and effective solutions to address cybersecurity concerns and fight against cyber threats and cybermercenaries.
Since May 2021, UN member states have been negotiating an international treaty on countering cybercrime, reviewing the Budapest convention. And as ICC sets in its cybersecurity brief, to increase security, enhancing cooperation to counter cybercrime and implementing rules for responsible state behaviour are essential to reduce cyberattacks.
Let’s act together to make the business case for “piracy” weaker and dismantle the threat actors!
Which are cybersecurity policy concerns for the future?
The field is wide and will be the subject of several posts. To only name a few of the topics to advance towards a free and secure cyberspace:
- Best practices to increase resilience against cyber-attacks, especially ransomware, the most widespread attack.
- Increasing supply chain protection and harmonising frameworks. We’re only as strong as our weakest link.
- Ensuring a greater protection of critical infrastructures and essential services.
- Technologies changing the game in cybersecurity: from Cloud to Artificial Intelligence.
- Cybersecurity on the Edge? IoT and edge-devices creating an interconnected world.
- Improving cyber capacity building, unlocking financial resources, closing the cybersecurity skills gap, and enhancing cybersecurity culture.
- Moving forward towards interoperable frameworks, vulnerability treatment and responsible disclosure, balancing reporting obligations.
- Upholding the multistakeholder approach in the governance against cybercrime.
- The SEC Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, effective in December 2023, for “material” cybersecurity incidents communication and processes description.
- Cyber insurance, the fastest-growing sector in the world’s insurance markets that may impact future cybersecurity landscape.
- The challenge of the rise of cyber-rating agencies, which lack transparency, reliability and robustness and that, unlike financial agencies, are not regulated.