Reports
Published: 16 November 2020

Future Series: Cybersecurity, emerging technology and systemic risk

Unless action is taken now, by 2025 next generation technology, on which the world will increasingly rely, has the potential to overwhelm the defences of the global security community. Enhanced cybersecurity is the only means by which this challenge can be addressed, but the approach to cybersecurity needs to be overhauled before the industry finds itself in any fit state to tackle the threat.

This new Future Series report highlights the growing threat from hidden and systemic risks inherent in the emerging technology environment, which will require significant change to the international and security communities’ response to cybersecurity.

The rise of cybersecurity ... and attacks

In under a decade, cybersecurity has emerged as one of the most important systemic issues for the global economy. Collective global spending has now reached $145 billion a year, and is predicted to have exceeded $1 trillion in the period between 2017 and 2021. Incidents and attacks continue to rise, but this is only the tip of a new and growing problem.

The days of fragmented security are behind us. Security must be more proactive and future-proof if we are to out-innovate the attackers.

—Nikesh Arora, Chief Executive Officer and Chairman, Palo Alto Networks, USA

Cloudy outlook for technology transformation

The critical technology transformations on which future prosperity relies – ubiquitous connectivity, artificial intelligence, quantum computing and next-generation approaches to identity and access management – will not just be incremental challenges for the security community.

They have the potential to generate new and systemic risks for the global ecosystem, and at this stage, their full impact is not well understood. This suggests the urgent need for collective action, policy intervention and improved accountability for government and business. Without interventions now, it will be difficult to maintain the integrity and trust in the emerging technology on which future global growth depends.

There must now be a different approach to cybersecurity. Our current approach is unsustainable.

—Ken Xie, Founder, Chairman of the Board and Chief Executive Officer, Fortinet

The Future Series

The Future Series was launched to answer a single question: Will our individual and collective approach to managing cyber risks be sustainable in the face of the major technology trends taking place in the near future? It has produced many answers.

Among these is the assertion that the world now faces five major challenges:

  • Skills gap. There is already a global capacity shortage in cybersecurity (specialists and throughout the wider workforce), and as new technologies emerge, the skills gap in delivering cybersecurity will widen.
  • Fragmented approaches. Emerging technologies are driving an increasing interdependence and entanglement between policy and technology at a time when the global governance of cyberspace is weak.
  • New approaches. Existing operational-security capabilities and technologies will not be fit for purpose and so mitigating threat and responding to incidents individually and collaboratively will require new approaches.
  • Under-investment. Security is not being considered as an integral component of technology innovations and as such, proper investment isn’t being made into support (knowledge, guidance, research investment) and incentives (market forces, regulation) for developing emerging technologies securely.
  • Ambiguous accountability. Shared dependence widens the pool of actors affected by the resilience of a part of the ecosystem, built can also create ambiguity in the accountability for ensuring this resilience.

Five problems, 15 interventions

The report recommends 15 strategic interventions for individual and collective action, without which the global community risks creating an ecosystem that is not resilient to the emerging threat landscape and where cybersecurity could become a barrier to unlocking the full potential of technology and cyberspace.

This suggests the overriding need for a new approach to cybersecurity. It should no longer be seen as being simply an issue of protecting systems and networks, but instead, government and business need to think in terms of assuring the integrity and resilience of the interconnected business and social processes that sit on top of an increasingly complex technology ecosystem.

Understanding the dynamics of digitization as well as its opportunities and challenges –
particularly regarding cybersecurity risks – is a fundamental part of a board’s corporate governance responsibility. Technology-led transformation and investments in cybersecurity must proceed together in this context.

—Urs Rohner, Chairman of the Board of Directors, Credit Suisse Group AG

Tech for good, bad and downright villainy

Artificial intelligence

The first generation of AI-enabled offensive tools is already emerging and there is growing evidence of AI being used by attackers.

Deep fakes have already been leveraged to create new cyberattack vectors and voice-mimicking software has been used in major thefts.

Ubiquitous connectivity

Many entities are sharing a growing dependence on a concentrated underpinning infrastructure and set of shared services, including cloud, ISPs, hardware, software and the equipment supply chain.

This is creating an attack surface of high-value shared resources with high probability of attack, and the potential for compromise to have severe and systemic impacts.

cybersecurity, cyberthreat, attack vectors, infrastructure
Ubiquitous connectivity is creating an attack surface of high-value shared resources with high probability of attack.
Image: World Economic Forum

Quantum computing

A sufficiently powerful and error-corrected quantum computer would solve some of the classical mathematical problems on which cryptography methods rely.

If used maliciously, however, it could break the cryptographic underpinnings of the world’s digital infrastructure, on which the digital economy relies.

Digital identity

As next-generation identity systems emerge, society will develop an increasing dependence on their use in critical applications.

Increasingly sophisticated threat actors will capitalize on the opportunity to exploit vulnerabilities in its component parts and the high-value identity ecosystem is likely to be heavily targeted.

  • $433bn
    The projected growth in collective global cybersecurity spending by 2030.
  • 300%
    The increase in reported cybercrime since the beginning of the pandemic, according to the FBI.

Eight obstacles to a paradigm shift

  • Divergent approaches to tackling cybersecurity will act as a strategic barrier to cross-border data flow and e-commerce
  • Cybersecurity costs are increasing
  • Yet it is difficult to calibrate the right nature and scale of investment in cybersecurity
  • Risks associated with cyberthreats are often opaque
  • Regulatory requirements are increasing and are often different between jurisdictions
  • Existing approaches to supply-chain cybersecurity assurance don’t work
  • The community continues to fail to tackle the problem at source
  • There is a lack of credible deterrence

The new approach to cybersecurity

Action at the individual enterprise level alone is no longer sufficient to tackle the range of complex ecosystem-wide challenges that the report identifies. Instead:

The security and technology community need to prioritize a number of interventions to improve their collective response.

This is essential to cybersecurity operations and controlling cyber risk effectively within business and critical national infrastructures.

Industry and government leadership need to develop a set of policy actions that incentivize take-up of security solutions and that underpin greater trust and transparency between different components of the ecosystem.

These include: clarifying issues of liability, reducing friction in current assurance and regulatory models, and promoting international business and trade in data and digital services.

The international community must intervene to ensure that security issues are addressed in such a way that the benefits of emerging technology are inclusive.

Particular note needs to be taken of the needs of developing countries and the need for collective efforts to reduce cross-border cybercrime.

The big if ...

These technologies will transform our world, but only if they are secure and we can give citizens and businesses confidence that they are so. If these interventions are not taken forward the world will be left with a digital ecosystem that is not resilient to the emerging systemic threat and risk landscape and the potential benefits of the global digital ecosystem may not be realized.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact us.