• In every country, knowhow about truly strong cybersecurity is held and protected by governments.
  • Given the increasing threat from and sophistication of cyberattacks on businesses, however, that must change.
  • Here's how corporates and governments should take the first steps towards each other to build stronger cyber defences all round.

Cyberattacks continue to be reported as a key business risk. In the recent World Economic Forum's Regional Risks for Doing Business 2019 report, survey respondents in six of the world’s 10-largest economies identified cyberattacks as their number one risk.

However, as distinct from other risks such as fiscal crises or energy price shocks, cyberattacks have a clear mitigation: cybersecurity. Yet despite a decade of rising spending, respondents do not have confidence in their ability to deliver sufficiently strong cybersecurity to mitigate the risk. Why is this?

One critical reason is a lack of knowledge and understanding about cybersecurity within even the largest commercial organizations. But how can this be, now that almost every organization has appointed a chief information security officer (CISO), and when perhaps (at least in the pre-COVID era) the world’s most intensive conference circuit allows the constant sharing of experience and best practice between them? The answer is that in every country, knowledge about how to deliver strong cybersecurity – cybersecurity that can really be trusted to mitigate the risk of cyberattacks – remains closely held within a tight government and national security community.

State craft

Governments have long had to protect their most sensitive systems against cyberattacks – often mounted by governments in other countries. And of course there is a mirror image: governments have experience of trying to mount cyberattacks on their rivals. Their approaches to defending their most critical systems are thus rooted in both critical necessity and practical experience. Those approaches are typically quite different from cybersecurity practices in the private sector.

It is widely believed that measures for defending the most sensitive government systems – for example, those holding classified secret information – are simple but impractical. Surely the systems are “air gapped” – not physically connected to less trusted systems, such as the internet? While this was once true, governments have since developed sophisticated bodies of practice and guidance on how connections between sensitive and untrusted systems can be delivered in ways that provide strong protection against cyberattacks.

The top 10 risks according to business leaders around the world
The top 10 risks according to business leaders around the world
Image: World Economic Forum 2019 Regional Risks for Doing Business report

In general, government agencies such as the US' NSA or the UK’s GCHQ have shared widely their cybersecurity expertise through forums such as the National Institute of Standards and Technology (NIST). But the connection of sensitive to untrusted systems – typically referred to as “cross domain solutions” – remains a poorly trodden frontier where knowledge is not widely shared, even among government services. Indeed, until recently, in most countries much of the information was classified and export-controlled. But with increasing political realisation that protecting often commercially-held critical infrastructure and services is today just as important as protecting military and diplomatic secrets, many governments are, in principle, now open to sharing their knowledge.

Few commercial cybersecurity professionals, however, know that this body of knowledge exists. Since it sits at the heart of how spies protect themselves from other spies, perhaps this is not surprising. Perhaps it is equally unsurprising that when the topic is communicated, incomprehension is perpetuated by language that can be prohibitive. Just as commercial security services are unfamiliar with government experience, so government services are frequently unfamiliar with the realities of today’s enterprise environment. Such differing starting points between the two communities means that communication is a barrier even when it is attempted.

Not all these strong security approaches originating from government services are yet practical for mainstream deployment; after all, only recently have products embodying these approaches started to become available to mainstream buyers. But commercial organizations need to assess these approaches against those promoted by incumbent technology vendors (who are, of course, far from being disinterested parties) and then work with start-ups and other innovators to develop the new products and capabilities they need.

Public-private partnerships have been central to the development of cybersecurity over the past decade, through the sharing of threat information between commercial organizations and historically secretive government agencies. The opportunity now exists for a new era of public-private partnership, for a new realm of information sharing.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact us.

Commercial organizations will need to push their government partners to share information about how the latter achieve strong cybersecurity for their most sensitive systems, and they will need to devote time to learning and assimilating unfamiliar material. On their part, governments have a number of responsibilities to make the sharing process effective and productive.

Taking responsibility

First, governments need to talk more openly about topics which have historically only been shared within a small community. There is a cultural element here for historically secretive organizations, and the parallels with threat intelligence sharing are clear: specific programmes and initiatives are required to open up public-private dialogue in an area where there has historically been little or none.

Second, governments need to understand that while many of their practices and experience may be relevant to commercial organizations, not all are. In particular, commercial organizations will be far more interested in protecting against attacks that affect business continuity – for example, protecting against ransomware – than they are in measures specific to the protection of secrets.

And thirdly, government security services need to recognize that the language they use internally fails to resonate with the commercial world, and that mutual incomprehension can be expected. The first job is to build partnership: to discover common terms and starting points that will enable effective communication, while identifying the critical differences that need to be navigated. For conversations in this area, even the most “obvious” assumptions are worth challenging.

Twenty years ago, no one outside government needed to know these high-security approaches. But in a world where businesses report cyberattacks as their number-one risk, it is unreasonable to expect businesses to defend against those attacks without a full understanding of their options. Ten years ago, awareness of cyber risk was low: public-private partnership for threat intelligence sharing has dramatically changed that and brought cyber risk to the top of the corporate agenda. With a new public-private partnership focused on the strong cybersecurity measures that can effectively mitigate the risk of cyberattacks, over the coming decade we can start to drive that risk back down.