Part III: Challenges and Solutions
Mainstreaming cybersecurity in development will face major challenges. Here we outline what some of these challenges might be and offer a set of actions that could directly contribute to overcoming them.
Chapter 6: Major Challenges to Mainstreaming
This chapter describes the current set of barriers to better integrating cybersecurity into development projects and programs. As the international community wrestles with these challenges, it must consider several key stumbling blocks that can be identified and removed to clear the path to greater integration of cybersecurity in international development. Here we outline the nature of four prominent, identified challenges.
Challenge 1: Reticence from development donors
Donors—organizations and individuals that fund development projects—are a large and influential part of the broader development community. Donors come in all shapes and sizes, from entrepreneurs looking to break into emerging markets, private philanthropists, and philanthropic organizations to bilateral, government-run and government-funded aid agencies and massive development banks, like the World Bank. These donors wield influence through carrots, like the promise of more money as a reward for good practice, and sticks, like loan cancellations and loan conditions. While donors most often work with recipients of the investment or loan to tailor a project or program to fit the recipients’ needs, donors do, nonetheless, have a great deal of agenda-setting and steering power. For this reason, generating greater understanding of the importance of cybersecurity to safeguard and enable the investments of the donor community is crucial. In this section, we will explore obstacles to doing so.
The first, and perhaps primary, challenge to mainstreaming cybersecurity in development revolves around the use of metrics to define and track success or failure in cybersecurity capacity building. The donor community’s focus on metrics poses two specific challenges to the cybersecurity capacity building community.
First, the donor community’s reliance on metrics to steer investment means that the cybersecurity capacity building community will need to create an empirically convincing argument that an absence of better cybersecurity leads to demonstrably worse outcomes. Second, in the event that the need to integrate cybersecurity into development is empirically convincing, the cybersecurity community more broadly has yet to develop truly useful measurements to evaluate cybersecurity and cybersecurity capacity building interventions. Lacking these metrics, it becomes difficult to craft meaningful, empirically driven arguments for which capacity development interventions produce the most positive outcomes. Better outcome-oriented metrics are needed to identify and communicate these good practices, whether government policy interventions, corporate policies, or technological interventions. This is a challenge in cybersecurity, as the field is still in the process of developing reliable metrics and the environment changes rapidly with updates in technology. But as Sami Saydjari notes, “cybersecurity can be effectively measured using risk,” and “good metrics predict risk,” allowing engineers and others to mitigate it.[1]
As Pawlak notes, “there is no single good model for security in cyberspace.”[2] This reality is acknowledged by the Digital Dividends report, which notes that, “In the areas of cybersecurity, there are few obvious policy recommendations, and in these areas—perhaps more than others—governments can play a role in developing effective policies.”[3] This maturing process is one that the development community has experienced in other areas, and it is well placed to assist the cybersecurity capacity building community with the growing pains. For Pawlak, “the exchange of good (and bad) practices between individual countries and regional organizations may help streamline ongoing efforts.”[4] While Pawlak is right, there is an additional opportunity for the cybersecurity capacity building community to take its cues from the development community, both in how good practices are spread and by mirroring the empirical rigor that goes into proving the efficacy of those practices. Dutton et al. suggest a number of metrics that may be usable for these purposes, which could describe things like end-user security, cybersecurity capacity, its outcomes, and reliability.[5] The results of their study suggest that cybersecurity capacity building is a “worthwhile investment,” but more work is still needed on this subject.[6] By better incorporating empirics in the day-to-day of cybersecurity capacity building, the practice will begin to better resemble the good practices of international development more broadly.
In addition to this metric challenge, Sandra Sargent, a cybersecurity expert at the World Bank, has outlined two prevailing myths that exist in the donor community that she suggests are major barriers to a higher degree of buy-in from leaders in this community.[7]
The first myth is that cybersecurity is all about security in the traditional military sense. Sargent suggests that, instead, cybersecurity should be communicated as being about the economy, governance, citizens, companies, banks, hospitals, lives, growth, and development. In order to dispel this myth in the development community, more work is needed to develop standardized and comparable data sets and robust analytical work showing the cost-benefit of investments in cybersecurity versus the costs of not investing.
The second myth is that the donor community is not well equipped to deal with the issue of cybersecurity. To Sargent, this is false because the donor community has cross-disciplinary expertise needed to address the pan-societal challenges posed by cyber risks. The donor community also has worldwide coverage, country presence, and in-depth knowledge of the local conditions needed to reach the most disadvantaged and least prepared to manage cyber risk. In addition, the donor community has the financial resources that can close gaps in cyber readiness if applied in a coordinated manner, and the use of international frameworks and agreements to bring greater collaboration and consensus. In order to dispel this myth in the donor community, there is a need for greater coordination of activities at a country level and a need for a standard set of tools and mechanisms for cybersecurity capacity building.
Communicating the benefit of cybersecurity is a challenge that plagues the cybersecurity community even outside the context of development. In the context of development, as the World Bank notes, “much of the benefit of the internet is unmeasured.”[8] Compounding this shortcoming, the benefit of better cybersecurity is potentially unmeasurable, as greater cyber risk management results in an absence of activity, much of which is not actively blocked but is instead never seen. The development donor community is slowly beginning to realize the risk posed by a lack of cybersecurity, which represents a risk to lending portfolios, a capacity building opportunity, and a crucial component of future progress, but a great deal of work is still required to communicate the need to the community more broadly.
Challenge 2: Helping aid recipients spend wisely
At first blush, breaking through the reticence of recipients may seem less imperative than creating buy-in at the donor level. However, in modern times, the recipients of development assistance are (rightly) highly influential in identifying where and how to spend development dollars. While aid recipients are increasingly aware and interested in investing in cybersecurity, three primary challenges prevent them from doing so:
- The complexity and technological nature of cybersecurity and risk management sometimes leaves aid recipients unsure where to start,
- The perception that internet access and cybersecurity are competing for political attention and finances, and
- Cost.
The first challenge, overcoming the feeling on the part of recipient countries that cybersecurity is overwhelmingly technical and complex, is perhaps the most pressing challenge, but also the one potentially simplest to solve. In many lower-income parts of the world, the appetite for cybersecurity has grown tremendously, but oftentimes it is unclear to these countries where to start.[9] Cybersecurity maturity models are a tool often used by capacity builders in an effort to help demystify cybersecurity and provide a guide for how to improve cybersecurity capacity maturity. These models are a step in the right direction, but lack certain elements that could be most useful to countries in dealing with limited budgets and in the earlier stages of cybersecurity capacity development. Current iterations of these models, like Oxford’s Cybersecurity Capacity Maturity Model,[10] the Potomac Institute’s Cyber Readiness Index,[11] and the Australian Security Policy Institute’s Cyber Maturity in the Asia-Pacific Region report,[12] focus primarily on measuring the existing cybersecurity maturity or capability of a given country. They can then be used to help craft strategies and can be used to measure progress.
While useful, these models leave a gap in the market for information that has been requested by developing governments: an outline of what cybersecurity capacities to prioritize for development and when. This type of diagnostic framework could help countries not only understand their level of cybersecurity maturity, but also the broader local ICT context and where the best areas of strategic focus might be. Existing models often provide tiers for development, but they do not map to the ICT maturity of a given country. A complement to these existing models should focus on answering this question of what to prioritize and when. Such a framework should focus on providing a toolkit for the measurement of general ICT maturity across society—from economic to social to governance—matching these stages of maturity to an understanding of a country’s threat landscape to identify core cybersecurity needs. For example, if a country has focused predominantly on creating greater access to the internet but has not taken steps to digitize its financial sector, it need not focus on building incident response capacity in its financial sector but should instead focus on raising public awareness and education.
A second major barrier lies in the narrative around ICT access versus security. For many in both development institutions and lower-income countries, a limited budget for ICT projects means access and security are often pitted against one another as competing interests for funding. This is true in a literal sense: it costs money to deploy new fiber optic infrastructure and it costs money to fund a CSIRT; the funding for these two types of activities comes from the same pot of money. However, increased access to and reliance on ICT for greater swaths of life without ensuring the trust and reliability of ICT is likely to yield suboptimal development outcomes. Furthermore, a country that demonstrates a commitment and plan for improving cybersecurity is likely to attract increased lending or grants for ICT connectivity. Factoring in cybersecurity will reduce the risk to lending that has ICT dependencies and increase the strength of a development impact case through increased trust, greater resilience, and reduced harm.
The third major barrier for project recipients is related to the last, and that is the cost of improving cybersecurity. Again, this challenge presents two layers. First, in part due to shortfalls in metrics and in part due to the nebulous notion of “improving cybersecurity,” it is difficult to accurately and reliably cost out the price of doing so. Second, in an environment of very scarce economic resources—the circumstances in most lower-income countries—high costs for activities or investments that are unlikely to yield immediate, visceral impacts can be prohibitive. We discuss this particular challenge in more detail in Challenge 3.
Box 5
Speaking the Language of Development
Although the language used in much of the development community and the cybersecurity capacity building community is the same, the presence of a great number of terms of art, particularly in the development community, can lead to breakdowns in understanding. Indeed, development discourse’s “buzzwords and fuzzwords” have been the subject of an entire book.[13] As Cornwall and Eade note, language matters for development. Development terms are often passwords “to funding and influence” in the community, and development lingo is rife with “contested terms,” just as the terms cybersecurity and information security are contested at the international level.[14] Fortunately, development and aid agencies around the world have developed glossaries of development terms, in an effort to minimize misunderstandings.[15]
One highly contested term in the development community is that of “security”. In some parts of the world, like Latin America, the word security (seguridad or seguranca) is not universally positive. Indeed, in these and other parts of the world, security does not necessarily refer to the security of the citizens, but instead to the security of the state, which can actually threaten the security of individuals. In addition, apart from securitization concerns on the part of recipients, some in the development community view security as inherently political and development as necessarily apolitical, while tacitly acknowledging some politicization. Indeed, the term cybersecurity is an inherently political term globally. Information security, which encompasses broader security considerations, like the control of online content, is preferred by some parts of the world to cybersecurity, which describes a more narrow focus on computer and network security.
Nonetheless, while the term cybersecurity has likely reached a path-dependent point in discourse about managing cyber risk, changing the way that cybersecurity is described could go a long way in changing the perception of securitization. At the end of the day, cybersecurity is about building trust in the technologies and managing new risks borne out of them.
Challenge 3: Balancing with other development equities
The challenge of balancing cybersecurity with other development equities is twofold. First, many issues under the development umbrella battle for attention. This phenomenon is perhaps illustrated best by the 17 different Sustainable Development Goals. Mainstreaming, rather than merely prioritizing, cybersecurity in development will help manage this attention issue.
However, development funding is not bottomless, and the presence of different offices, focuses, and equities even within individual donor institutions creates a highly competitive funding environment. Often, the activities of donor institutions are driven by the way these institutions raise their money for projects, as outlined above. Donor institutions—both bilateral and multilateral—must argue compellingly to raise their money. This reality means that issues that get the most development attention outside of these institutions—and are therefore most likely to obtain funding—receive the most budgetary attention. These other equities, which are largely summed up by the 17 SDGs, include things like ending poverty and delivering clean water to all. Policymakers seeking to mainstream cybersecurity in development must understand that, while cybersecurity often contributes to the attainment of development goals, it is not always the primary contributor, and sometimes other equities will justly receive greater attention and funding.
Challenge 4: Building cybersecurity capacity in the development community
Integrating cybersecurity talent into the development community is necessary to equip the community with the expertise to implement cybersecurity capacity building projects on the ground and mainstream cybersecurity in their programs at a strategic level. Nonetheless, some in the development community are resigned to seeking external help via contracts. While the expertise needed certainly exists in law firms which can help with contract issues and consultancies that can help navigate complicated sub-project pitches, profit motive can lead to advice that encourages less efficient or effective spending.
As one development professional noted, “As a development group, we will never be the leads on cybersecurity. We rely on cybersecurity partnerships for actual implementation.”[16] Whether or not major development agencies and donors need to or could retain operational cybersecurity expertise is debatable. The benefits are numerous—in-house expertise is likely to be cheaper in the long run and can develop institutional knowledge and programmatic expertise—but the short-term cost of bringing expertise into these organizations and retaining it may be prohibitive. However, even if we are to accept that operational cybersecurity expertise will not and perhaps should not be housed in development organizations, there is little doubt that one major role of large donor institutions remains providing aid recipients “with the tools to make informed development decisions for lasting impact.”[17] In order to continue playing this role in the digital age, donor institutions will necessarily require some kind of cybersecurity advisory capacity. This being the case, recruiting cybersecurity talent into the development community writ large poses two general challenges, which are worth highlighting here.
First, the cybersecurity industry has a talent shortage. The Center for Cyber Safety and Education estimates that the global cybersecurity workforce gap will reach 1.8 million workers by 2022.[18] Globally, 66 percent of professionals believe that there are too few cybersecurity workers in their department.[19] Reasons for this shortage are numerous and include explanations like, “qualified personnel [are] difficult to find,” “requirements [are] not understood by leadership,” “business conditions can’t support additional personnel,” and “security workers are difficult to retain.”[20] This labor shortage means that finding good workers in the private sector can be expensive. Indeed, the average salary of an information security worker in North America is US$120,000 per year.[21]
The second is an often-overlooked challenge: The vast majority of in-government cybersecurity expertise resides in somewhat opaque areas of government like law enforcement, intelligence, and the military. Juxtapose that opaqueness with the notion that development assistance rightly requires a great deal of transparency and the compounding effect of the labor shortage cited above. Because the development community generally avoids working with security partners from these communities, the provision of leading in-country government experts—should they exist—for development projects poses a challenge. However, in many countries, past military service members are an increasingly important and prominent part of the cybersecurity workforce and are a pool from which development organizations could acquire expertise.
With these general workforce challenges noted, it is also important to acknowledge that the skills needed in donor institutions differ slightly from the skills that most technical cybersecurity professionals possess. Whereas cybersecurity expertise needed to support programs and implementation is likely to mirror the conventional description of a cybersecurity worker—someone with a technical background and experience in a security operations center (SOC) or CSIRT—the skills needed to create informed customers are not necessarily operational security skills. Technical and policy nuance is needed, as is the capacity to weed out snake-oil solutions.
Chapter 7: The Way Forward
Understanding the compatible, complementary, and sometimes competing equities of the two communities is paramount for bridging the gap between them. However, a simple understanding is not enough to truly push the issue forward. Indeed, we recommend a two-pronged approach to mainstreaming cybersecurity in development. This approach will involve not only cultivating interest and buy-in from the donor and recipient communities, but also developing more tools to position the development community to succeed once high-level buy-in is achieved.
For this reason, a strategy to mainstream cybersecurity in development can neither focus exclusively on strategic, top-down approaches (e.g. statements from heads of development agencies) nor only on operational, bottom-up approaches (e.g. building awareness and expertise in the operational development community). When orchestrating strategic shifts, one must always prepare the operational environment for success. We recommend the following actions:
- Reframe cybersecurity in the context of development to focus on “security for” as well as risk management, resilience, sustainability, and trust.
- Build a library of credible and politically useful information on the impact of cybersecurity and cyber insecurity on development.
- Demystify cybersecurity for aid recipients.
- Bring more of the right cybersecurity expertise into donor institutions.
- Create and implement digital risk impact assessments for development projects and programs.
A number of common themes are spread throughout the recommendations, of which one is the need to build an expert field. While field-building is critical, the field need not be built in a day, nor from scratch. Indeed, one of the keys to building the field will be to generate engagement from established authorities on development practice, many of whom reside in leading academic institutions. A key challenge that we hope to address gradually through these recommendations is this: Why haven’t leading development economists—the Agarwals, Easterlys, and Stiglitzs of the world—gravitated to this topic and field?
These recommendations are designed to address five key considerations in an effort to make them as actionable and impactful as possible:
- What actions are needed to achieve this recommendation;
- What successful implementation looks like;
- How to make this happen, or at least some initial steps;
- Why this activity has not happened yet; and
- Who could lead these efforts.
While the recommendations are able to stand alone and progress in any of them would likely yield progress overall, they are complementary, and progress on all of them is most likely to maximize progress on the whole. None of this is easy. If it were, it likely would have already been done. While we acknowledge this is an uphill battle, we do our best to provide a detailed explanation of how interested actors, mostly in policy-making positions, might go about implementing these recommendations.
Recommendation #1: Reframe cybersecurity in the context of development
Cybersecurity, in the context of international development, has a narrative problem. According to one former development worker, the simple inclusion of the word “security” will likely scare some development parties away.[22] For another current development worker, the usual framing of cybersecurity as security from a given threat is unlikely to convince the development community of the importance of cybersecurity.[23] A refreshed approach to how the cybersecurity community discusses cybersecurity in the context of development, in order to change the narrative around cybersecurity, is a necessary step towards creating more buy-in at the top levels of the development community.
In 1998, noted international relations scholars Margaret Keck and Kathryn Sikkink conducted a deep analysis of historical issues that have been reframed and around which the discourse changed. Citing prominent examples like human rights in Latin America in the 1970s and 80s, the Anglo-American abolitionist movement in the middle of the nineteenth century, and others, the authors suggest that the most powerful way to change narratives is for “transnational advocacy networks” to create a “boomerang pattern” to influence states and international organizations.[24] A transnational advocacy network is a group of “relevant actors working internationally on an issue, who are bound together by shared values, a common discourse, and dense exchanges of information and services.”[25] A boomerang pattern is essentially the process of building a broad network of advocates—from international institutions and states to NGOs and companies—to put pressure on an actor or community from different angles to change behavior.
For Keck and Sikkink, an effective boomerang pattern is created through the development of a coherent transnational advocacy network that deploys four main tactics (see Figure 4) in its efforts at persuasion, socialization, and pressure: information politics, symbolic politics, leverage politics, and accountability politics.[26]
Figure 4: The Four Political Tactics[27]
| Tactic | Explanation |
|---|---|
| Information Politics | “The ability to quickly and credibly generate politically usable information and move it to where it will have the most impact.” |
| Symbolic Politics | “The ability to call upon symbols, actions, or stories that make sense of a situation for an audience that is frequently far away.” |
| Leverage Politics | “The ability to call upon powerful actors to affect a situation where weaker members of a network are unlikely to have influence.” |
| Accountability Politics | “The effort to hold powerful actors to their previously stated policies or principles.” |
In order to successfully reframe cybersecurity and change this discourse around the issue in the development sphere, interested parties—like cybersecurity policymakers in foreign affairs ministries, the corporate sector, and nonprofits—must identify or create a transnational activist network and develop the capacity to leverage the four political tactics.
Here we outline two ways in which the cybersecurity capacity building transnational activist network must align their framing. In subsequent recommendations, we provide guidelines for how to develop the capacity to leverage information politics and symbolic politics (Recommendation #2) and how these recommendations would lead to the ability to employ leverage and accountability politics.
Operationalizing Recommendation #1
Actions:
- Shift the narrative to “security for” instead of “security from;”
- Reframe cybersecurity in the developing context around risk management, sustainability, resilience, and trust;
- Provide more opportunities for the cybersecurity and development communities to talk to one another.
What does success look like?
The cybersecurity community adopting these framings in their engagement with the development community so that the development community adopts them as well.
Why is this feasible?
Because reframings of this nature have successfully taken place in other fields, though they happen only through concerted effort and take time.
How do we make this happen?
Leadership from key national governments; recruitment of private sector actors; funding and support for key nonprofits and academic institutions.
Why hasn’t it happened yet?
This has only recently emerged as an international priority, and there has been a lack of leadership and coordination of the transnational advocacy network. There are also constituencies, like the defense sector, that have an interest in talking about and framing the issue in other ways.
Who could lead these efforts?
Civil society.
Action 1.1: Shift the discourse to “security for” not “security from”
The first narrative to align involves changing the framing of cybersecurity as “security from” to “security for” in the context of international development. For parts of the development community, when they hear cybersecurity, they think of building military capacity and cybersecurity as a means to combat threats from mysterious intelligence agencies, militaries, or non-state criminal cartels. While good cybersecurity practice certainly does try to insulate against these threats, the reductive rather than constructive framing does not correlate well to the sensibilities of the development community. Instead, a constructive framing of cybersecurity as an enabler for certain development outcomes will engender greater interest on the development side.
Cybersecurity and development are not alternatives and they cannot be sequenced. Cybersecurity enables development and development is what rationalizes security. Patryk Pawlak and others have done excellent work drawing out the impact of cyber insecurity on human development and human rights.[28] In the development context, cybersecurity is for consumer protection, for financial sector stability, for the reliable delivery of e-government services, and for safeguarding privacy and basic human rights. It is crucial that cybersecurity leaders in government, civil society, academia, and industry begin to talk this way in their engagement with the development community.
Action 1.2: Reframe cybersecurity around risk management, resilience, sustainability, and trust
As Klimburg and Zylberberg noted in 2015, “the idea of connecting the term ‘cyber security’ with the term ‘development’… is contentious.”[29] This holds as true in 2018 as it did in 2015 and necessitates a second major narrative shift that must take place involving the framing of cybersecurity itself. When members of the general public hear the word cybersecurity, the implicit notion is that society, an organization, or an individual could eventually attain complete cybersecurity and that the end goal of “cybersecurity” is to become “cybersecure.” As Microsoft cybersecurity researcher Troy Hunt notes:
> Security is not a boolean proposition. It’s not “secure” versus “insecure,” “safe” versus “unsafe”; rather it is a spectrum of controls that all contribute to an overall security posture. There is no “fully”, there is no “completely”; every system—every single one—has weak points and a sufficiently well-equipped and determined adversary will find them.[30]
It is the nature of software that vulnerabilities exist. It is the nature of the humans who rely on these technologies that we will not always create the best passwords or adhere to good practices.
These realities mean that there will always be risk in using ICT. Since risk will always be present, a better framing than “security” is “risk management” or “resilience.” This framing is sensible both because it is the way that corporations and large organizations have begun to frame cybersecurity, and because these terms, risk management and resilience, are common and normalized in the development community.
Action 1.3: Provide greater opportunities for the cybersecurity and development communities to talk to one another
Crucial to mainstreaming cybersecurity in development is physically bringing the two communities together more often to coordinate, share experience, and cross-pollinate ideas. In doing so, interested stakeholders should work to identify and highlight mutual incentives for working together in the development-cybersecurity narrative, like increasing the efficacy and resilience of good development and reducing the risks for private investors.
Such meetings will become increasingly crucial to apply tools like those discussed in Recommendations #2, #3, and #5 as they are developed.
Recommendation #2: Build a library of credible and politically useful information to present to key development decision makers.
Key to changing discourse to mainstream cybersecurity in development is convincing director-level individuals at development organizations to spend the money necessary. The purpose of this recommendation is to build a body of knowledge aimed at convincing these individuals in key donor organizations of the importance of cybersecurity. Identifying and convincing high-level members of the development community enables leverage politics and accountability politics. In order to build more recognition from this portion of the community, cybersecurity advocates must build a library of credible and politically useful information to present to key decision makers. Our research suggests that the two most powerful and useful categories of material are: (1) statistical studies examining the impact of cybersecurity on development outcomes, and (2) case studies that portray the positive and negative impacts of cybersecurity on development outcomes through storytelling.
Operationalizing Recommendation #2
Actions
- Enable and encourage deep empirical studies on the impact of cybersecurity on development;
- Build a library of examples of impacts and case studies.
What does success look like?
The development of a digital risk and development field, as evidenced by empirical studies on the impact of cybersecurity on all relevant SDGs and academic literature more generally, as well as more articles covering the impact of cyber insecurity on development outcomes. Because these intermediate actions are intended to provide a strong argument to development donors on the importance of cybersecurity, ultimately success is measured in investment dollars in cybersecurity capacity development by donor institutions.
Why is this feasible?
Governments and other funders already provide funding for methodological support and research. However, this giving is not coordinated and generally arrives in small amounts.
How do we make this happen?
The key is in unlocking enough money to build interest around the subject that might entice high-profile researchers and journalists to take up the cause. There are a number of ways to raise this money:
- Governments continue investing in themselves through standard mechanisms and encourage private investment;
- Governments invest more money in these causes;
- Governments encourage philanthropies to become more engaged in this topic;
- Appeal to sovereign wealth funds interested in dampening systemic risk;
- Highlight the market value of this research and risk analysis for private companies looking to expand their presence in emerging markets;
- Emphasize the cost-benefits of leveraging donor funds to manage risks by providing seed or matching funding.
Why hasn’t it happened yet?
Governments and other funders currently provide funding for methodological support and research. However, this giving is largely uncoordinated and generally arrives in small amounts. In addition, some actors are unwilling to act against their own perceived interest (whether recipients who have had things go wrong or corporations who are keen to gloss over the shortcomings).
Who could lead these efforts?
Public and private donors, think tanks, academia.
Action 2.1: Enable and encourage deep statistical studies on the impact of cybersecurity on development, using the Sustainable Development Goals as a roadmap
A series of statistical studies measuring the correlation of cybersecurity capacity to development outcomes is needed to bridge this gap. In soliciting this work, it is important to remember that the development community’s goals extend beyond simply growing GDP and that GDP growth has been largely eschewed by the community as a reliable sole indicator of economic development. In addition, while economic development is important, it is not the only pillar that the community seeks to develop. The SDGs provide a roadmap for the focus of these studies. Individual studies exploring the correlation between cybersecurity capacity and each of the relevant SDGs should be commissioned.
While nonprofits, government agencies, and corporations may hold some capacity to conduct these studies, the studies will hold the most clout if they originate from well-known sources in the development community. Most often, these well-known and respected sources reside in academia. Research grants must be made available by governments and philanthropic organizations to enable this work, and cybersecurity advocates should leverage existing networks to reach and work with influential scholars to develop such studies.31 Fostering engagement with these leading development thinkers and their understudies is critical to growing a sub-field of development economics examining the relationship between development and cybersecurity.
Action 2.2: Build a library of case studies and examples of the positive and negative impact of cybersecurity on key development outcomes
Hard, quantitative data is not the only kind of empirical evidence that lends authority to good practices and arguments. Indeed, more examples of the harms of cyber insecurity are valuable material for champions of cybersecurity within the development community. But in addition to these anecdotes of harm, advocates need case studies that clearly demonstrate good cybersecurity in development and present the costs and benefits coherently. At least one capacity building institution is currently working on developing a “harm model” to address some of these concerns.
While case research on the topic can certainly take place in think tanks and academia, perhaps the best storytelling ability and the furthest reach resides in journalism. For this reason, governments and philanthropic organizations should join forces to create an independent fellowship program to fund journalists to go to lower-income countries and report on how cybersecurity impacts the development of economies, governance, and society more broadly. Precedent for these types of fellowships exists in the form of programs like the International Reporting Project, which can provide a template for implementation.32 The GCSCC’s existing portal infrastructure could be leveraged to gather these case studies, but it must be acknowledged that the case studies described in this recommendation differ significantly from those compiled by the GCSCC to date.33
Recommendation #3: Demystify cybersecurity for aid recipients
Also key to mainstreaming cybersecurity in development is providing tools to enable recipients of development assistance to fold cybersecurity into their development projects. Because aid recipients influence the setting of programmatic and project priorities and agendas, truly integrating cybersecurity in the development agenda requires recipient countries to prioritize cybersecurity for investment. This challenge is compounded by the fact that different ministries are often responsible for different parts of the big cybersecurity questions in different governments. For example, sometimes the ministry of defense is most relevant, while other times the ministry of justice or the ICT ministry is most active. Each one of these ministries has different priorities, and while some ministries may understand the broader challenge, this does not necessarily indicate understanding on the part of the whole government. As we have seen in many higher-income parts of the world, a whole-of-government approach is often needed to address major cybersecurity capacity challenges.
To help these actors and governments better understand the challenge and steps to address cybersecurity in their local context, we recommend investment in the identification of good practices in both cybersecurity and cybersecurity capacity building as well as creation of a toolkit to measure levels of ICT maturity and match those levels of maturity to optimal cybersecurity capacity development.
Operationalizing Recommendation #3
Actions
- Continue working to identify “good practices” that are backed by rigorous empirical study;
- Convene a multistakeholder working group to develop a toolkit for recipient countries to more easily prioritize actions.
What does success look like?
A high-level multistakeholder expert group that is working off the back of empirical research to identify good practices and the creation of a toolkit for use in recipient countries. Ultimately, success rests in better decisions made at the recipient level with regard to how to invest scarce development assistance.
Why is this feasible?
There are models, like the High-Level Expert Groups (HLEGs) convened by the OECD to develop empirically driven good practices in development in the form of the HLEG on the Measurement of Economic Performance and Social Progress.
How do we make this happen?
- Unlock money to provide grants to enable empirically driven research projects to identify good practices
- Key governments apply pressure to the OECD to convene an HLEG on good practices in managing digital risk in development
Why hasn’t it happened yet?
This is a relatively novel problem. There currently is not an academic field that maps to these problems. Furthermore, those who have been tasked with identifying and spreading good practices have not been held to account.
Who could lead these efforts?
The GFCE, OECD, and academia.
Action 3.1: Identify “good practices” that we can empirically prove work
A current shortcoming that plagues the cybersecurity capacity building community is the lack of clearly articulated good practices for cybersecurity (the technical and operational good practices) and cybersecurity capacity building (policy and other interventions that seek to increase the cybersecurity capacity of recipients). Current good practices rely heavily on gut feeling, anecdote, and groupthink. In many cases, these practices, when presented to development practitioners, do not meet certain thresholds for empirical soundness.34 The cybersecurity capacity building community must take steps to address this problem. While it is true that groups like the Center for Internet Security, the U.S. Department of Commerce’s National Institute of Standards and Technology, and the International Standards Organization have produced cybersecurity frameworks, a great deal of work is needed to both test the validity of the recommended interventions and translate them into the local context for recipient countries.
In addition to encouraging more data-driven guidance for cybersecurity good practices, cybersecurity community awareness of and participation in key dialogues in the development community around the use of metrics and identification of good practices in capacity development is crucial. One such dialogue is the OECD’s High-Level Expert Group (HLEG) on the Measurement of Economic Performance and Social Progress.35 These conversations hold value for the cybersecurity community in two ways. First, they are an opportunity to raise the importance of cybersecurity in development. Second, and perhaps as crucially, they provide visibility into good practice in capacity development, which could provide insight for those attempting to gather good practices in cybersecurity capacity building. Programs like the HLEG are important opportunities for the cybersecurity community to engage with the development community.
Finally, the cybersecurity capacity building community must identify capacity building interventions that it can empirically prove have the desired impact. The Global Forum on Cyber Expertise (GFCE) project on global good practices is a step in the right direction for the articulation of cybersecurity capacity building good practices.36 However, arguably this forum and others are simply exacerbating the groupthink problem with good practices, as the majority of collection focuses on what people and organizations are doing rather than answering the more difficult question of whether any of this is actually working or will continue to work as the technology and environment change. Any process to identify and communicate good practices in cybersecurity and cybersecurity capacity building needs to be backed by evidence or empirics. Small, data-driven experiments and projects, like the work of CyberGreen to identify good practices in DDoS prevention and mitigation, must be enabled on a broader scale.37
Ultimately, the GFCE would be a good hub for these activities, though the institution is under-resourced and may lack some of the methodological capacity to do so on its own. Thus, moving forward, in order to mainstream these practices in development, the OECD may be the best organization to shepherd a working group to develop good practices in managing digital risk in development, in association with the GFCE. Member governments should apply pressure to the OECD to create such an HLEG to run in parallel with or follow the ongoing HLEG on empirically driven good practices in development, which is due to culminate with a final report, to be released in late November 2018.
Action 3.2: Develop a toolkit to enable bottom-up agenda setting
The cybersecurity capacity building community needs to create toolkits to enable informed consumption on the part of aid recipients and facilitate bottom-up agenda setting. Key organizations should develop a multi-stakeholder consultative process to develop such a toolkit.
Where current tools aimed at this goal—like the maturity models mentioned earlier in this report—focus on highlighting the cybersecurity capacity of countries, a different kind of toolkit is needed. This toolkit should focus on measuring the ICT maturity of a country (rather than cybersecurity maturity), identify primary threats to important assets, and then use these factors to identify priority cybersecurity competencies. These cybersecurity benchmarks should be closely tied to good practices in cybersecurity. Such a framework should build on existing resources, including ones developed for other fields, like the Nottingham Strategic ICT toolkit project,38 and cybersecurity-specific ones, like the Cyber Readiness Index.39
This type of framework serves two primary purposes. First, it gives potential ministers in charge of implementing ICT and cybersecurity projects and policies a menu of benchmarks to work towards. Second, it provides guidance on how to prioritize which benchmarks are most important given the local context, an important aspect currently missing from other frameworks and models.40 Certain cybersecurity capacities are necessary in some, but not all, contexts. While it is important to move all countries towards better cybersecurity, these improvements will happen incrementally. Put simply, different countries will need to prioritize or give more urgent attention to building cybersecurity capacities that meet their current needs.
Whereas the OECD emerges as a logical host for the expert group on managing digital risk in development, the host and sponsor of this multistakeholder process is less clear. Candidates include the GFCE, which may be well suited, as well as the World Bank itself, other UN agencies, a coalition of willing bilateral aid agencies, and existing nongovernmental organizations like the Internet Governance Forum.
Recommendation #4: Bring more cybersecurity expertise into donor institutions
Integrating cybersecurity expertise in donor institutions will be crucial to mainstreaming cybersecurity in development. However, getting the precise nature of this cybersecurity expertise right is important. Donor institutions do not require deep technical experts. Instead they need what amounts to consultants who can work in recipient countries to help turn aid recipients into more informed customers of ICT and cybersecurity products. This will only be possible if key individuals at the director level and above are convinced of the importance of cybersecurity to deliver on their goals and are willing to advocate for more in-house expertise (see Recommendation #2).
Operationalizing Recommendation #4
Actions
- Explore short-term solutions like fellowships.
- Leverage funding mechanisms to create long-term cybersecurity portfolios in major financial institutions.
What does success look like?
Ultimately, success in this project comes in the form of cybersecurity capacity building experts (as described above) in all donor institutions. In large institutions, like the World Bank, the presence of cybersecurity expertise in either (a) each of the thematic practice areas or (b) regional units is necessary.
Why is this feasible?
The Israeli government is leading the way by providing a fund and seconding an employee into the Inter-American Development Bank to focus on cybersecurity. More national governments could follow suit in other regional development banks, as well as globally focused institutions like the World Bank and the International Monetary Fund.
How do we make this happen?
Key funding governments and private organizations need to pressure donor institutions to spend money on improving the state of cybersecurity expertise in those institutions. This could include placing limited conditions on IDA contributions (in the case of governments) and the creation of cybersecurity-themed trust funds in groups like the World Bank’s DFi.
Why hasn’t it happened yet?
As with many of the previous recommendations, the novelty of cybersecurity contributes to this problem. In addition, like any set of large institutions, major development institutions are bureaucratic structures that can take a great deal of time to change. While some in these structures have been advocating for this exact change for years, it has not yet taken hold.
Who could lead these efforts?
Donor governments and private donors.
Development donors, who in large part help craft projects and programs, must recruit, develop, and retain the internal expertise to make sure that recipients of aid money are informed customers when it comes to the use of technology and are able to identify risks and take steps to manage them. In at least one major development finance institution, the existence of a stable, long-term (five or more years) portfolio triggers the ability to hire more staff. Thus, if cybersecurity’s profile rises in the development community, this challenge could resolve itself. However, there are levers policy and decision makers can pull to both infuse donor institutions with more cybersecurity expertise in the short term and develop longer-term portfolios.
Action 4.1: Explore short-term solutions like fellowships and secondments
In the shorter term, development institutions should explore the potential of fellowships following the model of the Presidential Innovation Fellowship in the U.S., or the Agentes de Innovacion in Mexico, designed to bring more technological expertise into areas of public service, as well as expert secondments from donor governments. A successful fellowship program would need to be funded by a public or private donor and link fellows directly to full-time staff or offices with institutional knowledge. Linking to staff or an office has two benefits: it enables a fellow to better navigate a complex bureaucracy, and it institutionalizes any lessons learned or activities undertaken by the fellow beyond the fellow’s term. The benefit of fellowships is that they are cheap in comparison to creating a long-term portfolio, as described below. In addition, a roster of available experts could be compiled to ease the burden of finding short-term contractors, fellows, or secondees. A common roster serving several institutions would reduce the time needed to find expertise in the market and help the experts understand the framing of their mission (cybersecurity and development).
Action 4.2: Leverage funding mechanisms to create long-term cybersecurity portfolios in major donor institutions
To create more long-term, sustainable programs, public and private funders should leverage funding mechanisms like trust funds and donation conditions. The establishment of cybersecurity-themed multilateral or public-private trust funds at major financial institutions would provide the sustained funding needed to begin hiring the right experts. It is crucial that the money not only be made available, but also that it is spent wisely. Spending on the creation of a cybersecurity-specific team may lead to stovepiping of the issue in a manner more akin to the prioritization described in Chapter 2. Instead of creating a separate cybersecurity practice, the ultimate goal for major donor institutions should be to create a system or team that places digital risk advisors on every implementation team, like the World Bank’s CPF and SCD teams.
Recommendation #5: Create and implement digital risk impact assessments for development projects and programs
A key vehicle for mainstreaming issues like environmentalism, social impact, and human rights in development has been the creation and implementation of impact assessments. These movements and impact assessments provide a model for cybersecurity to emulate. However, as suggested in Recommendation #1, framing is crucial. Rather than securitizing the assessments, they should focus on identifying digital risk.
Operationalizing Recommendation #5
Actions
Create and implement digital risk impact assessments for development projects and programs.
What does success look like?
As with human rights before it, success in this endeavor would result in the use of digital risk impact assessments in all development projects incorporating an element of ICT in their programming.
Why is this feasible?
Precedent for this type of impact assessment exists in other areas that represent cross-cutting or systemic risk, like human rights and the environment.
How do we make this happen?
The creation of a working group to identify frameworks for cybersecurity impact assessments based off of HRIAs, environmental impact assessments, and other existing impact assessments.
Who could lead these efforts?
The World Bank, the World Economic Forum, the GFCE, the Global Commission on the Stability of Cyberspace.
The development community long ago learned how to address risks to the environment, human rights, and social welfare. Digitization presents new risks that can both worsen existing risks and pose novel ones of its own. Therefore, models from the past could be adapted and applied to the context of cyber risk management. This risk framework should be geared towards assisting beneficiaries of development spending to better understand and manage the risks of digitization on a project-by-project basis. Taking cues from both HRIAs and the World Bank’s Environmental and Social Framework, digital risk impact assessments (DRIAs) should draw on good practices in digital risk management and mitigation and be customizable to different industries and projects. As with the toolkit proposed in Action 3.2, a DRIA should draw on existing models and tools.
The exact shape of a DRIA framework should be developed through a multistakeholder working group housed in an existing institution like the GFCE, the Global Commission on the Stability of Cyberspace, the World Economic Forum, or the Internet Governance Forum.
Citations
- Sami Saydjari. 2018. “Engineering Trustworthy Systems.” McGraw-Hill. (Forthcoming).
- Patryk Pawlak. 2014. “Riding the Digital Wave – Introduction.” EU Institute for Security Studies. December. p15. source
- World Bank. 2016. “World Development Report 2016: Digital Dividends.” World Bank. January. p224. source
- Patryk Pawlak. 2014. “Riding the Digital Wave – Introduction.” EU Institute for Security Studies. December. p15. source
- William H. Dutton, Sadie Creese, Ruth Shillair, Maria Bada, and Taylor Roberts. 2017. “Cyber Security Capacity: Does It Matter?” Quello Center. Working Paper No. 2938078. March 23. p8-16. source
- William H. Dutton, Sadie Creese, Ruth Shillair, Maria Bada, and Taylor Roberts. 2017. “Cyber Security Capacity: Does It Matter?” Quello Center. Working Paper No. 2938078. March 23. p21. source
- Sandra Sargent. 2017. “World Bank Donor Perspective on Cyber Security.” Commonwealth Telecommunications Organisation. source
- World Bank. 2016. “World Development Report 2016: Digital Dividends.” World Bank. January. p69-70. source
- Interview with the author. Conducted October 2018.
- Global Cyber Security Capacity Centre. 2017. “Cybersecurity Capacity Maturity Model for Nations (CMM).” University of Oxford. February 9. source
- Melissa Hathaway. 2015. “Cyber Readiness Index 2.0.” Potomac Institute for Policy Studies. November. source
- Fergus Hanson, Tom Uren, Fergus Ryan, Michael Chi, Jack Viola, and Eliza Chapman. 2017. “Cyber Maturity in the Asia Pacific Region 2017.” Australian Strategic Policy Institute. December 12. source
- Andrea Cornwall and Deborah Eade. 2010. “Deconstructing Development Discourse: Buzzwords and Fuzzwords.” Practical Action Publishing. source
- Andrea Cornwall and Deborah Eade. “Deconstructing Development Discourse: Buzzwords and Fuzzwords.” Practical Action Publishing. p2. source
- See, for example: Department for International Development. 2013. “Glossary of terms used by the Department for International Development.” UK Department for International Development. August 13. source; USAID. 2014. “Glossary of ADS Terms.” USAID. April 30. source; J. Brian Atwood. 2012. “Development Co-operation Report 2012: Lessons in Linking Sustainability and Development.” OECD Publishing. source; Wolfgang Sachs. 2010. “The Development Dictionary: A Guide to Knowledge as Power.” Zed Books. source
- Interview with the author. Conducted October 2017.
- World Bank. 2017. “Our Work.” World Bank. source
- The Center for Cyber Safety and Education. 2017. “2017 Global Information Security Workforce Study.” Frost & Sullivan. p2. source
- The Center for Cyber Safety and Education. 2017. “2017 Global Information Security Workforce Study.” Frost & Sullivan. p3. source
- The Center for Cyber Safety and Education. 2017. “2017 Global Information Security Workforce Study.” Frost & Sullivan. p4. source
- The Center for Cyber Safety and Education. 2017. “2017 Global Information Security Workforce Study.” Frost & Sullivan. p6. source
- Interview with the author. Conducted October 2017.
- Interview with the author. Conducted October 2017.
- Margaret E. Keck and Kathryn Sikkink. 1998. “Activists Beyond Borders: Advocacy Networks in International Politics.” Cornell University Press: Ithaca, NY.
- Margaret E. Keck and Kathryn Sikkink. 1998. “Activists Beyond Borders: Advocacy Networks in International Politics.” Cornell University Press: Ithaca, NY. p2.
- Margaret E. Keck and Kathryn Sikkink. 1998. “Activists Beyond Borders: Advocacy Networks in International Politics.” Cornell University Press: Ithaca, NY.
- Margaret E. Keck and Kathryn Sikkink. 1998. “Activists Beyond Borders: Advocacy Networks in International Politics.” Cornell University Press: Ithaca, NY. p16.
- Patryk Pawlak. 2014. “Riding the Digital Wave.” EU Institute for Security Studies. December. source
- Alexander Klimburg and Hugo Zylberberg. 2015. “Cybersecurity Capacity Building: Developing Access.” Norwegian Institute of International Affairs. p45. source
- Troy Hunt. 2018. “Is India’s Aadhaar System Really ‘Hack-Proof’? Assessing a Publicly Observable Security Posture.” troyhunt.com. January 11. source
- Such scholars include the likes of Kaushik Basu at Cornell University, Olivier Blanchard and Esther Duflo at Massachusetts Institute of Technology, Paul Collier at Oxford University, Paul Krugman at the City University of New York, William Easterly and Paul Romer at New York University, Justin Yifu Lin at Peking University, Martin Ravallion at Georgetown University, John Ruggie and Amartya Sen at Harvard University, and Joseph Stiglitz and Jeffrey Sachs at Columbia University.
- International Reporting Project. “About the IRP.” International Reporting Project. source
- Global Cyber Security Capacity Centre. “Cybersecurity Capacity Portal – Case Study.” University of Oxford. source
- For one example of a study on evidence-based practice in the development community, see: USAID. 2016. “Strengthening Evidence-Based Development: Five years of better evaluation practice at USAID 2011-2016.” USAID. March. source
- OECD. “High Level Expert Group on the Measurement of Economic Performance and Social Progress.” OECD. source
- GFCE. “Global Good practices identified by the GFCE community.” Global Forum on Cyber Expertise. source
- Cyber Green. “What We Do.” Cyber Green. source
- The University of Nottingham. “Strategic ICT toolkit.” University of Nottingham. source
- Melissa Hathaway. 2015. “Cyber Readiness Index 2.0.” Potomac Institute for Policy Studies. November. source
- It should be noted that teams associated with both the Cyber Readiness Index and the Oxford Maturity Model work with countries to tailor local strategies using their respective tools as frameworks. However, both of these tools require additional hands-on expertise and are of limited utility to policymakers in recipient countries on their own.