Why cyber resilience needs to be concrete, cooperative and collective

Today, some 5.5 billion people – nearly 70% of the world’s population – use the internet. And that use is vital to their lives, with health systems, financial markets, public services and even elections all relying on a complex web of digital infrastructure that now reaches into every corner of the Earth.

This intense global interconnectedness clearly comes with great benefits, but it also brings great risks.

A successful hack against a small Ukrainian software company might not sound like a big deal for the rest of us, but within a year of M.E.Doc’s servers being breached in 2017, the NotPetya incident had cost businesses around the world over $10 billion. The WannaCry attack hit the UK’s National Health Service first and hardest, but within days it had spread to over 150 countries. And when the ICRC was targeted in 2022, sensitive data related to more than half a million people worldwide was exposed.

Though much of the damage is the result of a global cybercrime epidemic whose costs already rise into the trillions, the increasing frequency of state-linked cyber attacks on civilian and humanitarian infrastructure means that the picture is not so straightforward.

On the contrary, today’s cyber domain is characterized by impacts cascading across networks, industries and borders, with an incredibly diverse range of actors affected and involved. The growing scale and the sophistication of these challenges mean that narrow, technical solutions to cybersecurity are no longer enough.

The seriousness of these impacts and the need for a concerted, collective response is clear from the fact that the UN Security Council has, in recent years, repeatedly been briefed on cyber threats to international peace and security.

Recognition of the gravity of the situation has also driven a conceptual shift towards the idea of cyber resilience over cybersecurity. The focus has today moved beyond individual networks and onto the broader and better question of how systems and societies can collectively react, adapt, and recover when successful attacks do occur.

While businesses and governments alike increasingly understand the need for an intersectoral, global approach, their task is made more difficult by the growing fragmentation of the digital domain itself.

This is driven by rapid technological developments and differences in political posture, regulatory approach, and organizational capacity. Together, these factors create faultlines that make cyber infiltration more likely, as seen in the following areas:

Pulling on the fabric of cyber resilience from a variety of different angles, these diverse pressures and structural gaps mean that no one company, government or international body has the visibility, authority or capacity to fully manage international cyber risks on its own. Yet the same fragmentation that makes cooperation so difficult also makes it more urgent than ever.

Of course, collective, cooperative efforts are already underway, and they provide a solid foundation for the cyber resilience architecture we need. But to really make a difference, we need to move beyond negotiation to the concrete work of implementation.

Take, for example, the 11 voluntary, non-binding norms of responsible state behaviour in cyberspace that were endorsed by the UN General Assembly in 2015 and reaffirmed in 2021. To realize the potential of its norms around the protection of critical infrastructure, states need first to identify and designate what qualifies as critical infrastructure, assign responsibility for it to a competent agency, build up effective cyber capacity within such agencies, and create rules around incident reporting and cooperation to ensure that attacks and their spread are properly tracked and addressed.

Another complimentary, concrete step that governments can take is to bolster their participation in confidence-building measures like the global points of contact directory. This initiative establishes channels of secure, direct communication on cyber incidents, including those affecting critical infrastructure to de-escalate tensions, clarify misunderstandings, and promote more effective, collective responses by sharing information and capacity.

This capacity itself is a prerequisite for proper compliance and cooperative assistance, and so it must be built up. This could take the form of skills development for one’s own technical staff, the creation of dedicated cyber incident response teams, support from established companies and public institutions for small and medium-sized enterprises in their own capacity-building efforts, and pooling of knowledge and skills to support less well-resourced countries and regions around the world.

Effective cooperation will also depend on treating industry, civil society and academia as operational partners. Initiatives such as the Cybersecurity Tech Accord, the Paris Call, the Internet Governance Forum and the World Economic Forum’s Centre for Cybersecurity already point the way forward, as do inclusive platforms like UNIDIR’s Cyber Stability Conference and the wider Geneva Cyber Week, both held annually in May.

The coming months will also see the launch of the UN’s Global Mechanism on ICT Security, which will provide a single permanent track for governments to ensure that steps towards more concrete progress stay on track, to further strengthen confidence‑building measures and to redouble efforts to improve capacity‑building across the board.

It is only this kind of concrete, cooperative and collective effort that can truly build cyber resilience across every link in the chain, and protect the vital digital infrastructure that today plays such a key role in our lives as individuals, and our life as a species.