Welcome to New America, redesigned for what’s next.

A special message from New America’s CEO and President on our new look.

Read the Note

Close

internet services arabic

Securing Digital Dividends

Table of Contents

Part I: The Case for Action

The cybersecurity challenge in the developing world is of increasing importance. Cyber insecurity can challenge or even unwind progress in growing economies, improving governance and enhancing the quality of life of individuals more broadly. Given the pervasiveness of ICT to development, cybersecurity should be mainstreamed across the development community. In this part, we outline the case for cybersecurity in development and explain why mainstreaming cybersecurity across the development community will lead to better outcomes.

Chapter 1: Cybersecurity in Development

In 2016, the World Bank’s World Development Report (WDR) Digital Dividends, a cardinal document in the development community that is often used to drive the strategy of the community as a whole, explicitly acknowledged the importance of cybersecurity as a concern for international development. For the first time in a WDR, the importance of managing digital risk was enumerated, as the report noted, “some of the perceived benefits of digital technologies are offset by emerging risks.”1 Today, 80 percent of World Bank projects have information and communications technology (ICT) as a fundamental component, and this number is only likely to increase in the future.2 Despite recognition from the World Bank, donor institutions and the development community are not doing enough to address risks stemming from increased reliance on ICT. Likewise, many in the developing world have embraced digital technology, but not always in its most secure form.

Digital risk in lower- and middle-income countries is not new and was recognized by some early on. In fact, to help manage these risks, a burgeoning cybersecurity capacity building community emerged in the early 2010s. Patryk Pawlak of the EU Institute for Security Studies describes the work of this community—cybersecurity capacity building—as “an umbrella concept for all types of activities (e.g. human resources development, institutional reform or organizational adaptations) that safeguard and promote the safe, secure and open use of cyberspace.”3 For the better part of a decade, the focus of this activity has been on strengthening national capabilities, developing collective capability, and facilitating international cooperation and partnership in cybersecurity.4

The work of this community is integral to better and more sustainable development. Good cybersecurity enables growth in the users and uses of ICT. This increased use in turn helps to grow economies and wealth, increase transparency, and enable easier communication and greater information transfer. However, as the Internet Society (ISOC) notes, “Diminishing trust is a challenge to the Internet. To protect the opportunities of the Internet, we have to counter diminishing trust.”5 The diminishing trust cited by ISOC is driven by poor cybersecurity. The Internet Governance Forum’s (IGF) Best Practices Forum on Cybersecurity report further outlines why poor cybersecurity leads to diminished trust and ultimately diminishes the effectiveness of ICTs for development:

Poor cybersecurity threatens the growth of ICTs and Internet Technologies. Poor cybersecurity exposes organisations and individuals to risks and attacks, and opens doors for ill-meaning parties to spy on actors or meddle with democratic affairs. In a more indirect way, a perception of insecurity creates distrust in ICTs and the Internet and a diminishing adoption of new technologies. Poor cybersecurity will reduce the use and effectiveness of these technologies, and thus limit the opportunities to help achieve the SDGs.6

Policymakers around the globe, and particularly in lower and middle-income countries, are “facing an important challenge today: How to fully embrace the digital revolution while, at the same time, ensuring the safety and security of their citizens.”7

Later in this chapter, we provide examples for how cyber insecurity can impact development outcomes. More work is needed to identify the ways in which cyber insecurity stunts economic growth, leads to institutional instability, and decreases human security, but reliance on ICT for large swaths of society, the economy, and governance is unsustainable without acknowledging and managing the risks associated with the use of computers and computer networks. Lower- and middle-income countries, and by extension development projects, are not intrinsically immune to these risks.

Global cybersecurity incidents like the WannaCry and NotPetya ransomware outbreaks catalyzed heightened interest and investment in many resource-rich, higher-income countries. However, in much of the lower-income world—the part of the world where the digital economy is growing nearly two times as fast as in the higher-income world, the part of the world where developments in e-government and e-governance could have an outsized impact on the quality of human life—the importance of managing new risks of digitization has often been overlooked and could threaten to undo these advances.

Cybersecurity helps achieve sustainable development outcomes and the SDGs

The benefits of digital development have been the subject of entire reports. Here, rather than focusing on digital development writ large, we will explore how cybersecurity enables the sustainable and resilient delivery of development outcomes and—in some cases—delivers development outcomes on its own.

As the U.K.’s Department for International Development (DFID) notes, “digital technologies have the potential to revolutionise the lives of the poor, unlock development and prosperity, and accelerate progress towards global goals.”8 However, the 2016 WDR acknowledges that, although “digital technologies have boosted growth, expanded opportunities, and improved service delivery… their aggregate impact has fallen short and is unevenly distributed.”9 For the World Bank, the “emerging risks” associated with digital technologies may offset some of the “perceived benefits.”10

The Sustainable Development Goals (SDGs) provide a set of goals around which the development community coalesces.11 Digital development and ICT for development (ICT4D) are means through which many of these ends are pursued. Among these goals are efforts like attaining zero hunger, quality education, gender equality, decent work and economic growth, reducing inequality, building strong peace and justice institutions, as well as building resilient industry, innovation and infrastructure. What these goals have in common is that they all seek to improve human security, institutional stability, and economic stability and growth.

Technology can aid in the attainment of every SDG. But in order to fully reap the immense benefits of connectivity and digitization, the technology that underpins it must be secure and the people that use it must understand how to do so responsibly and securely. At the end of this report, we offer a table outlining the SDGs, some notable targets, and how good cybersecurity contributes to the goals and targets. For those interested, this chart can be found in the appendix. Instead of going through this exhaustive list here, we focus on how cybersecurity and insecurity impacts three crucial pillars of development: (1) the economy, (2) governance, and (3) human security, using the SDGs as a framing device where appropriate.

The economy

There is a good economic case for cybersecurity. Sustainable Development Goal #1, end poverty, targets to halve the number of humans living in poverty by 2030 and reduce inequality of economic opportunity.12 Similarly, SDG #8 on promoting “inclusive and sustainable economic growth, full and productive employment and decent work for all” strives to “Achieve higher levels of economic productivity through diversification, technological upgrading and innovation, including through a focus on high-value added and labour-intensive sectors.”13 The internet has been called the “great transformer” and is viewed by many in all corners of the globe as a great enabler of economic growth and prosperity. According to one study by McKinsey, the internet “contributed 7 percent of [GDP] growth over the past 15 years and 11 percent over the past five.”14 The same study found that “Internet ecosystem maturity related to rising living standards,” and that “the internet drives business transformation and economic modernization.”15 However, a June 2014 study from the Center for Strategic and International Studies suggests that cybercrime results in a loss of .2 percent of GDP.16In order to foster consumption and encourage businesses to leverage the internet and other communications technologies, stakeholders must trust the systems they are using. Good cybersecurity supports economic growth by preserving the trust in and therefore the benefits of digitization and IT systems.

Sustainable Development Goal #10 strives to “reduce inequality within and among countries.”17 As much as technology could reduce economic inequality and enhance trade, bad cybersecurity can exacerbate existing inequalities. Cyberattacks affecting digital commerce, critical sectors, and government agencies threaten to undo advantages gained through digitization. As the IGF cybersecurity report notes,

Effective cybersecurity is essential ‘to engage fully in the increasingly cyber-dependent [sic] trade and commerce. Robust cybersecurity frameworks enable individuals, companies and nations to realise the full potentials of the cyberspace, without fear or reservation, promoting cross-border delivery of services and free flow of labour in a multilateral trading system.’18

Because evidence of cyber insecurity leads to mistrust in the ICT environment of a country, cyber insecurity puts lower-income countries at a disadvantage on trade and foreign investment. How, for example, can lower-income countries competitively offer services and platforms in the global market if they are deemed insecure? How can developing countries attract foreign direct investment if the ICT environments are perceived as risky? The gap between cybersecurity haves and have-nots could create further obstacles to more evenly distribute the benefits of digital inclusion.

Finally, on the economic front, Sustainable Development Goal #9 seeks to “Build resilient infrastructure, promote inclusive and sustainable industrialization and foster innovation,” because efficient infrastructure generates employment and wealth and can drive economic growth.19 These infrastructures include ICT infrastructure, but also things like transportation and manufacturing infrastructure. Although not specifically in the lower- or middle-income context, the 2017 outbreak of the WannaCry ransomware attack clearly demonstrated the capacity of actors to disrupt digitized sectors, disrupting transportation systems, ports, and many others.20

Governance

The internet has the potential to be used for both good and ill. If it is insecure and used for ill, it could undermine good governance. Sustainable Development Goal #16 aims to “Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels.”21 Nascent technologies and techniques—like digital hashing, blockchain, and cloud computing—hold great potential for reducing corruption and creating accountability structures for public institutions. Relatedly, SDG #11 strives to “Make cities and human settlements inclusive, safe, resilient and sustainable.”22 The rise of electronic governance (e-governance) and government (e-government) as well as the potential for big data to drive better policy decision-making has led to greater efficiency in the delivery of services, tallying votes, collecting and utilizing information on the citizenry to craft better policies, and more.

The potential of ICT to help achieve these goals is unquestioned. However, as with economic growth, strengthened governance institutions and services based on technological interventions must be underpinned by trust in those technologies. India’s experiment with biometric and digital identification provides a clear case study in the potential for bad security to undermine the delivery of good governance and government services. Because so much personal data is stored in one place, the digital ID data set has become a frequent target for identity thieves and other criminals.23 The result is that a project intended to enhance India’s ability to govern may result in more and new problems for the same people whose lives it intended to improve.

Human security

Security, including cybersecurity, has traditionally been the purview of foreign offices and ministries of defense. However, cybersecurity is as much about human security as any other kind of security. A myriad of SDGs seek to address human security concerns. From ensuring the delivery of better healthcare (SDG #3) and ending hunger (SDG #2) to the delivery of critical utilities like water, sanitation, and energy (SDGs #6 and #7), ICT and digitization can deliver improved human security. Digitization in sectors like healthcare, agriculture supply chains, power delivery, and water and sanitation is yielding immediate dividends and improving the lives of millions around the world. However, as technology enables these improvements to reach more and more people, those same people become increasingly dependent on their reliable delivery. And yet, it is becoming increasingly easy to disrupt services like these via cyber means. In digitizing these services, decision makers are creating new dependencies, which, if disrupted, could lead to not only net-zero outcomes, but potentially net negative outcomes.

As alluded to above, no sector was immune to the WannaCry ransomware and the healthcare sector in the United Kingdom was very publicly disrupted.24 In addition, the world has witnessed at least two instances where cyber vulnerabilities were exploited to cut off power to entire regions during cold winter months.25

More people will be coming online, and they will be doing different things with it and coming from different perspectives and backgrounds, we need to ensure that the internet and connected technologies continue to provide the value it has provided to date. Put simply, as the network expands we need to do more to ensure it is secure.

These three pillars demonstrate that there is not only a good argument for greater attention to cybersecurity from those who work in development, but an imperative. Cybersecurity is not just about state on state cyberwar, it is about the economy, good governance, and human security.

Chapter 2: Mainstreaming Cybersecurity

Lower- and middle-income countries are not immune to cyber risk. Take, for example, one of the most high profile data breaches in the last five years, the Bangladesh Bank heist. Sometime between February 4th and 5th, a suspected nation-state, advanced persistent threat actor (APT) used Bangladesh Bank’s networks and credentials to request upwards of US$851 million from various other financial institutions.26 Bangladesh is not the only lower- or middle-income country to fall prey to a cyber attack in recent years. Indeed, Ecuador, the Philippines, and Vietnam all experienced similar incidents with their banking sectors. The novel risks are not confined to the financial sector, however. This exposure is evidenced by the targeting of the Ukrainian power grid successively in December 201527 and December 201628 as well as the spate of ransomware attacks that disrupted government services around the world, most notably in India.29

One trait that all of these countries have in common is that development donors and global financial institutions assisted in spreading internet use and bringing key sectors of their economies and government services online. Throughout this process of building better access and digitizing society, more could have been done to help these countries manage heightened and novel risks posed by increased use of information and communications technology, and development institutions should play a key role in building this cybersecurity capacity. In an era where APTs present challenges to defenders even in higher-income and more cybersecurity-advanced parts of the world, middle- and lower-income countries are no less at risk.

In his seminal 1957 piece, “Technical Change and the Aggregate Production Function”, Massachusetts Institute of Technology economist Robert Solow proved that technical change correlates strongly with increased production. Over the course of the next few years, technology came to be seen as the driver that international development could rely on to grow lower-income economies and pull countries out of poverty. Today, this mentality persists, and since the early 1990s, the prevailing technological driver has been information and communication technology (ICT). But the use of ICT for development (ICT4D) creates new risks that have, until recently, gone understudied, misunderstood, and unarticulated. As these risks and the measures needed to manage them clarify, so too does the imperative of folding these measures into development practice underpinned by ICT.

Indeed, among the nine principles contained in the globally recognized guidelines for international development practitioners, “Principles for Digital Development,” addressing privacy and security is a top concern.30 Since 2010, and as ICTs increasingly drive development outcomes, the need for more and better cybersecurity capacity building has only grown as nearly all pillars of society—from the economy to governance to social interaction—are or can be touched by ICT. Global trends only project this phenomenon accelerating, and projections suggest that nearly all sectors will be fundamentally affected, if not transformed, by new technologies in the next 20 years. These trends—increasing digitization of key industries and services, more and more internet users, and the rise of increasingly numerous and sophisticated cyber threats—signal that it is time to pay more attention to managing the risks of digitization in the developing world. In short, the time has come to fold cybersecurity in international development.

Thus, the call to build better cybersecurity capacity is not new. As early as 2010, the United Nations Group of Governmental Experts on developments in the field of information and telecommunications in the context of international security recognized the importance of building the cybersecurity capacity of nations around the world and particularly in lower-income countries.31 However, while digital development certainly exists, the work of the cybersecurity community exists largely separately from that of the development community. The goal of this report is to provide a roadmap for bringing these two communities (which we outline in greater detail later in this report) closer together to enable both to achieve their goals in a resilient and sustainable manner. This requires mainstreaming cybersecurity in development.

What does mainstreaming mean?

Despite recognition from the World Bank in 2016, except for a few select cases, cybersecurity has hardly been incorporated in development. Thus, the question remains: how exactly should cybersecurity be folded into international development? In the past, the development community has incorporated or focused on emerging issues as they percolated to the surface in one of two ways: prioritization or mainstreaming.

Prioritization is about identifying a key issue for the breadth of the development community to focus on. Prominent examples of prioritization from the last decade include the goals outlined in the Millennium Development Goals (MDGs)32 or Sustainable Development Goals (SDGs),33 like achieving universal primary education, reducing child mortality, or conserving the oceans. Priorities are often identified by leading development institutions, like the World Bank, and communicated to the broader community through strategy documents like the MDGs or SDGs. In most past cases, prioritization takes an existing development focus and elevates it for critical attention.

Mainstreaming seeks to fold a new issue into existing development practice as a new equity or consideration in the practice of the community. In contrast to prioritization, mainstreaming is most relevant in the context of an emerging issue that has the potential to cut across many or all areas of development or presents a novel risk to progress in development but may not yet receive requisite focus from the community. Perhaps the most notable examples of mainstreaming have occurred in the past two decades in the form of women’s rights and human rights. Women’s rights and human rights were mainstreamed in part because of the nearly universal recognition that these fundamental rights are instrumental to creating the type of world that we want and agreed to with the UN Charter. While cybersecurity may lack some of the intrinsic qualities of these two rights movements, it is nonetheless foundational. ICT and digital technologies pervade society and provide the opportunity to improve the state of fundamental rights. But if they are left insecure, they stand to threaten progress on securing not only these rights, but also the future of the economy and good governance. Although undoubtedly different in character, mainstreaming cybersecurity in development could draw lessons from these processes.

Cybersecurity in development faces a similar challenge to that of early ICT4D efforts in the form of limited resources and competing equities. To some, “using limited development assistance funds to finance ICT4D projects” is a misuse of resources “when in some countries, clean water and sanitation, and electricity seemed more pressing” for the local people.34 While this argument misses the point that ICT could enable more efficient delivery of other development outcomes and has become somewhat antiquated, it is nonetheless emblematic of a broader challenge. A paucity of data and good metrics to support the importance of cybersecurity—and ICTs more broadly—to development is an important element behind this skepticism.

For all its positives, the development community is still plagued with challenges and cannot be seen as a monolith. Indeed, one of the most vexing challenges facing the development community is the rampant siloing of issues. This stove-piping manifests in the ways development organizations—from bilateral and multilateral aid agencies to on-the-ground organizations—organize. The World Bank, for example, is divided into 13 separate “groups”, each of which take lead for a given pillar of development or sector of society. Introducing cybersecurity as a new issue or priority would likely spawn a cybersecurity stovepipe, when the reality is that it should cut across existing issues and priorities.

Later in this report, we build a framework and recommendations to begin mainstreaming cybersecurity across all development practice.

Box 2

Lessons from Another Field: Mainstreaming Human Rights in Development

Human rights and cybersecurity are undeniably different fields. Although it lacks some of the intrinsic and visceral aspects that human rights possess as an issue, mainstreaming cybersecurity can draw an important lesson from the experience of mainstreaming human rights in development.

The mainstreaming of human rights in development was the result of a concerted effort on the part of the human rights movement to “operationalize the relevance of human rights to various fields of development.”35 The breakthrough was precipitated by two important shifts in approach.

The first was a shift of emphasis from the “right-holder” approach—expanding human rights opportunities for individuals—to the “duty-bearer” approach—ensuring that states and non-state actors understand, respect, protect, and fulfill human rights obligations. This introduces a large and long-standing challenge for the ICT industry, which is unlikely to reach a resolution in the near term.

The second was a shift from a violations approach—where the emphasis was on identifying and punishing human rights violators—to a policy approach, which “demands developing new tools to bring human rights concerns into forward-looking policy-making processes,” like Human Rights Impact Assessments (HRIAs).36

In fact, the creation and implementation of HRIAs was the most obvious manifestation of the mainstreaming of human rights. In 2005, UN Secretary General Kofi Annan appointed noted international relations scholar and the force behind the MDGs, John Ruggie, the Special Representative on the issue of human rights, transnational corporations, and other business enterprises. Ruggie’s mandate included “identifying and clarifying standards of corporate responsibility and accountability with regard to human rights.”37 In development, human rights impact assessments require six essential elements:

  • A normative human rights framework,
  • Public participation,
  • Equality and non-discrimination,
  • Transparency and access to information,
  • Accountability mechanisms, and
  • Inter-sectoral approach.38

A good template for measuring the digital risk impact of development projects and programs does not exist right now, but such assessments for corporations, lending institutions, and other development actors—underpinned by similar essential elements as HRIAs—could be an important tool to drive forward the conversation about the impact of cybersecurity on development outcomes. Cybersecurity risk management, and frameworks to enable it, has become a standard practice in many private and government sectors. These frameworks could be adapted and transferred into the development community.

A digital risk impact assessment would differ from existing frameworks and models insofar as rather than measuring the cybersecurity capacity of a recipient country, a digital risk impact assessment would provide a framework for identifying what risks the use of ICT for a development project exacerbate as well as novel risks posed by digitization in that particular project.

Citations
  1. World Bank. 2016. “World Development Report 2016: Digital Dividends.” World Bank. January. p3. source
  2. Sandra Sargent. 2017. “World Bank Donor Perspective on Cyber Security.” Commonwealth Telecommunications Organisation. source
  3. Pawlak, Patryk. 2014. “Riding the Digital Wave – Introduction.” EU Institute for Security Studies. December. p6. source
  4. Pawlak, Patryk. 2014. “Riding the Digital Wave – Introduction.” EU Institute for Security Studies. December. p12. source
  5. Internet Society. 2017. “A policy framework for an open and trusted internet.” Internet Society. March. source
  6. Internet Governance Forum. 2017. “IGF 2017 – Best Practice Forum on Cybersecurity.” Internet Governance Forum. source.
  7. Internet Society. 2017. “A policy framework for an open and trusted internet.” Internet Society. March. source
  8. Department for International Development. 2018. “Digital Strategy 2018-2020: Doing Development in a Digital World.” Department for International Development. January. p7. source
  9. World Bank. 2016. “World Development Report 2016: Digital Dividends.” World Bank. January. p2. source
  10. World Bank. 2016. “World Development Report 2016: Digital Dividends.” World Bank. January. p3. source
  11. United Nations. 2017. “The Sustainable Development Goals Report 2017.” United Nations. source
  12. United Nations. “Sustainable Development Goal 1.” United Nations. source
  13. United Nations. “Sustainable Development Goal 8.” United Nations. source
  14. James Manyika and Charles Roxburgh. 2011. “The great transformer: The impact of the Internet on economic growth and prosperity.” McKinsey Global Institute. October. p3. source
  15. ibid.
  16. Center for Strategic and International Studies. 2014. “Net Losses: Estimating the Global Cost of Cybercrime.” Center for Strategic and International Studies. June. source
  17. United Nations. “Sustainable Development Goal 10.” United Nations. source
  18. Internet Governance Forum. 2017. “IGF 2017 – Best Practice Forum on Cybersecurity.” Internet Governance Forum. source
  19. United Nations. “Sustainable Development Goal 9.” United Nations. source
  20. Claus Herbolzheimer and Max-Alexander Borreck. 2017. “Time for Transportation & Logistics To Up Its Cybersecurity As Hackers Put It On Target List.” Forbes. June 28. source
  21. United Nations. “Sustainable Development Goal 16.” United Nationssource
  22. United Nations. “Sustainable Development Goal 11.” United Nations. source
  23. Shelley Singh. 2018. “How safe is Digital Intia?” The Economic Times. January 14. source
  24. Lily Hay Newman. 2017. “The Ransomware Meltdown Experts Warned About is Here.” WIRED. May 12. source
  25. Andy Greenberg. 2017. “‘Crash Override’: The Malware That Took Down a Power Grid.” Wired. June 12. source
  26. Michael Corkery. 2016. “Hackers’ $81 Million Sneak Attack on World Banking.” New York Times. April 20. source
  27. Robert M. Lee, Michael J. Assante, and Tim Conway. 2016. “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.” E-ISAC. March 18. source
  28. Kim Zetter. 2017. “The Ukrainian Power Grid Was Hacked Again.” Motherboard. January 10. source
  29. India Today. 2017. “WannaCry did hit India and even central govt portal. So why did Centre downplay the ransomware attack?” India Today. June 19. source
  30. Principles for Digital Development. “Principles.” Principles for Digital Development. source
  31. United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. 2015. “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.” United Nations. July 22. p11. source
  32. United Nations. “Millenium Development Goals.” United Nations. source
  33. United Nations. “Sustainable Development Goals.” United Nations. source
  34. Dorothea Kleine and Tim Unwin. 2009. “Technological Revolution, Evolution and New Dependencies: What’s New about ICT4D?” Third World Quarterly. Vol. 30, No. 5. p1049. source
  35. World Bank. 2013. “Human Rights Impact Assessments: A Review of Literature, Differences with other forms of Assessments and Relevance for Development.” World Bank. February. p1. source
  36. ibid.
  37. United Nations. 2005. “Secretary-General Appoints John Ruggie of United States Special Representative on Issue of Human Rights, Transnational Corporations, Other Business Enterprises.” United Nations. July 28. source
  38. World Bank. 2013. “Human Rights Impact Assessments: A Review of Literature, Differences with other forms of Assessments and Relevance for Development.” World Bank. February. pXI. source

Close

Part I: The Case for Action

View as PDF

Table of Contents

Close

Securing Digital Dividends