Conclusion

Although the lights went out again in parts of Ukraine in December 2016,¹ December 2017 saw the lights (and heat) stay on. The 2015 and 2016 incidents served as a major wake-up call for policy makers. In response to the challenges facing their rapidly digitizing infrastructure—and specifically in response to the 2015 attack on their power grid—Ukraine adopted a National Cybersecurity Strategy to help identify how to create “the conditions that ensure safe cyberspace and its use.”² Working with partner governments, Ukraine built a National Cybersecurity Coordination Center. Working with a Cyber Defence Trust Fund through the North Atlantic Treaty Organization (NATO), the Ukrainian government was able to “enhance the country’s technical capabilities” to “counter cyber threats.”³

What you have here is an example of proof that an impact can be made. But in a way Ukraine is fortunate. Many in the West view Ukraine as region of strategic importance and are therefore willing to invest heavily in securing its critical infrastructure from foreign adversaries. Not every country is so lucky. Indeed, military investment is both less likely to flow to countries of lower strategic importance and less likely to focus on securing digital systems not deemed critical for national defense but that may be nonetheless critical for broader development objectives. If this work is left to militaries, development will be selective and uneven, creating problems that undermine the achievement of development goals and could be avoided. If lower- and middle-income states continue to be neglected or neglect investing in cybersecurity they risk undoing and undermining much of the progress and potential that digital technology promises for improving the conditions of their people. Against this backdrop, several key findings emerge.

First, the community implementing digitization and connectivity projects exists quite separately from the community attempting to develop the capacity to ensure the reliability, resilience, and trustworthiness of these newly implemented digital systems and the internet more broadly. Bridging the gap between these two communities will be critical for managing the present and future risks to the development of lower- and middle-income countries.

Second, and relatedly, concepts of cybersecurity and cyber risk management must be mainstreamed in the development community. Bridging the gap between the cybersecurity capacity building community and the development community will help deliver this outcome, but other steps could and should be taken to equip the development community for success in helping their beneficiaries better manage cyber risks.

Third, some of the reluctance to mainstream cybersecurity in international development on the part of donors is well founded. Other development equities will at times legitimately outweigh the need for investment in cybersecurity. In addition, the cybersecurity capacity building community could do more to prove the value of its interventions through empirical examinations of good practices in cybersecurity capacity building.

Fourth, more needs to be done to demystify cybersecurity for aid recipients, who play a major role in deciding how to invest development funds. A framework is needed to help decision and policy makers understand what cybersecurity capacity building activities to prioritize and when. Cybersecurity maturity models, like the Oxford Global Cyber Security Capacity Center’s, are a step in the right direction but were not originally intended to provide such a decision-making framework.

This report has tried to illuminate key reasons why cybersecurity should be mainstreamed in international development, key challenges to doing so, and key steps to overcome those challenges. This work, however, is just a start and one of the crucial findings of this report is simply that a great deal more research is needed. Understanding the impact of cyber insecurity on development is critical to building a strong case that major development funders and implementers should heed the warnings of the cybersecurity community and bake cyber risk management considerations into their projects from the beginning.