The Curious Case of Disappearing Cybersecurity Programs

ICT development projects are starting to include cybersecurity components, but why are these initiatives going missing over time?

As more industry leaders, non-governmental organizations, and international institutions invest in ICT for development projects, corresponding cybersecurity capacity building initiatives are popping up within these ventures. But are the expected cybersecurity programs actually ever materializing, and if not, why?

Technology is changing the focus of development assistance. In 2005, when 68% of Americans were online, only 2.7% of the Economic Community of West African States (ECOWAS) population used the internet. A decade later, however, this number had risen to 31% across the region, and with the internet came new opportunities. From 2000 to 2012, as internet use in Africa grew faster than in any other continent, this boom was followed by increased ICT development aid to the area. These projects have clear benefits: they make the internet cheaper and more accessible, improve quality of service by ensuring faster, more reliable networks, and allow governments to boost their citizen services through digital process upgrades. However, these investments also unearth new risks.

Particularly in West Africa, the sharp rise in internet access, coupled with issues like the region’s difficulty dealing with the subject’s complexity, limited trained talent and technical expertise, lacking legal frameworks, and general unawareness, has made the rise of cybercrime we have come to expect from increased connectivity particularly pervasive and harmful. To guard against these risks, ICT investments must be accompanied by the necessary cybersecurity capacity building efforts, yet this doesn’t always appear to be the case.

Take, for example, the World Bank’s work with ECOWAS countries. Over the past decade, the international organization invested more than $400 million through eight ICT projects across the region. These efforts represent varied initiatives, with some (such as the recent West Africa Regional Communications Infrastructure Project) aimed at improving affordable access to internet and others (like the Ghana Skills and Technology Development Project) designed to better train national workforces to adapt to technological developments. The corresponding loans, disbursed directly to national governments but often coordinated through ECOWAS structures, are carefully monitored through reports with metrics designed to evaluate progress, successes, and failures.

Unfortunately, the focus on cybersecurity has not been as impressive, especially in terms of follow-through. Of these eight projects, only four mention cybersecurity activities in their opening proposition documents. And three of these seem to have lost their capacity building promises along the way: mention of cybersecurity disappeared from each of their project evaluation documents. While the subject’s absence from final and intermediary reports isn’t authoritative (the mentions could have been left out simply by accident or for the sake of brevity), this observation poses at least a two-pronged problem: First, why are only half of ICT development projects considering cybersecurity within their work? Second, is something happening to the cybersecurity efforts they are pledging to work on?

Ascribing ‘blame’ in such circumstances misses the point. The World Bank itself simply acts as an agent of big lender nations, and responds to the requirements of its clients, the nations to whom it lends. The issue, to which there is no simple answer, is that there remain many in the international system who do not yet see cybersecurity as a top priority for investment, and as program implementation progresses, focus on it is allowed to slip.

What we are increasingly realizing, however, is that economic development depends more and more on information systems, and those information systems are inherently insecure. Against that background, it is simply not enough to help developing countries and their populations better access and use the internet. To be sustainable, development lenders must also consider the cybersecurity implications of their investments and encourage recipient countries to properly incorporate cybersecurity capacity building into projects—as the World Bank has been doing. But even then, the job isn’t done. To be as effective as possible, economic development underpinned by ICT must ensure cybersecurity initiatives aren’t lost along the way. A first step towards mainstreaming cybersecurity in development? Help developing countries better understand the risks posed by increased digitization and how to manage that risk and express the economic and societal impact of cyber insecurity. At this point, more empirical research is needed to help generate this understanding in both the developing and developed parts of the globe.

Author:

Clementine Gazay was a summer intern with New America’s Cybersecurity Initiative. She is a French-American from Miami currently pursuing an honors B.A. in political science with a management minor at McGill University in Montreal, Canada.