Future Series: Cybersecurity, emerging technology and systemic risk

This new Future Series report highlights the growing threat from hidden and systemic risks inherent in the emerging technology environment, which will require significant change to the international and security communities’ response to cybersecurity.

In under a decade, cybersecurity has emerged as one of the most important systemic issues for the global economy. Collective global spending has now reached $145 billion a year, and is predicted to have exceeded $1 trillion in the period between 2017 and 2021. Incidents and attacks continue to rise, but this is only the tip of a new and growing problem.

The critical technology transformations on which future prosperity relies – ubiquitous connectivity, artificial intelligence, quantum computing and next-generation approaches to identity and access management – will not just be incremental challenges for the security community.

They have the potential to generate new and systemic risks for the global ecosystem, and at this stage, their full impact is not well understood. This suggests the urgent need for collective action, policy intervention and improved accountability for government and business. Without interventions now, it will be difficult to maintain the integrity and trust in the emerging technology on which future global growth depends.

The Future Series was launched to answer a single question: Will our individual and collective approach to managing cyber risks be sustainable in the face of the major technology trends taking place in the near future? It has produced many answers.

Among these is the assertion that the world now faces five major challenges:

The report recommends 15 strategic interventions for individual and collective action, without which the global community risks creating an ecosystem that is not resilient to the emerging threat landscape and where cybersecurity could become a barrier to unlocking the full potential of technology and cyberspace.

This suggests the overriding need for a new approach to cybersecurity. It should no longer be seen as being simply an issue of protecting systems and networks, but instead, government and business need to think in terms of assuring the integrity and resilience of the interconnected business and social processes that sit on top of an increasingly complex technology ecosystem.

The first generation of AI-enabled offensive tools is already emerging and there is growing evidence of AI being used by attackers.

Deep fakes have already been leveraged to create new cyberattack vectors and voice-mimicking software has been used in major thefts.

Many entities are sharing a growing dependence on a concentrated underpinning infrastructure and set of shared services, including cloud, ISPs, hardware, software and the equipment supply chain.

This is creating an attack surface of high-value shared resources with high probability of attack, and the potential for compromise to have severe and systemic impacts.

A sufficiently powerful and error-corrected quantum computer would solve some of the classical mathematical problems on which cryptography methods rely.

If used maliciously, however, it could break the cryptographic underpinnings of the world’s digital infrastructure, on which the digital economy relies.

As next-generation identity systems emerge, society will develop an increasing dependence on their use in critical applications.

Increasingly sophisticated threat actors will capitalize on the opportunity to exploit vulnerabilities in its component parts and the high-value identity ecosystem is likely to be heavily targeted.

Action at the individual enterprise level alone is no longer sufficient to tackle the range of complex ecosystem-wide challenges that the report identifies. Instead:

The security and technology community need to prioritize a number of interventions to improve their collective response.

This is essential to cybersecurity operations and controlling cyber risk effectively within business and critical national infrastructures.

Industry and government leadership need to develop a set of policy actions that incentivize take-up of security solutions and that underpin greater trust and transparency between different components of the ecosystem.

These include: clarifying issues of liability, reducing friction in current assurance and regulatory models, and promoting international business and trade in data and digital services.

The international community must intervene to ensure that security issues are addressed in such a way that the benefits of emerging technology are inclusive.

Particular note needs to be taken of the needs of developing countries and the need for collective efforts to reduce cross-border cybercrime.

These technologies will transform our world, but only if they are secure and we can give citizens and businesses confidence that they are so. If these interventions are not taken forward the world will be left with a digital ecosystem that is not resilient to the emerging systemic threat and risk landscape and the potential benefits of the global digital ecosystem may not be realized.