The economics of cybersecurity

12 Jun 2017 11:00h - 13:00h

Event report

The session focused on the concepts of externalities, adverse information, and market failures that are associated with cybersecurity. The panellists acknowledged that companies do not necessarily provide support for older software versions, thus leaving them vulnerable. Vulnerable systems have led to massive data breaches around the world and have undermined the concept of safety and security online. Around 1.3 billion breaches took place last year, with most of them taking place in the USA. The economic cost of these data breaches is up to $500 billion per year. While 93% of these data breaches are easily preventable, the lack of safety standards and of correct mechanisms to address them continues to hinder the process.

The issue of lack of awareness among users was addressed by Mr Michael Kioy (Web Officer, ITU). He added that the user does not always have access to complete information, which leads to software patches not being applied to vulnerabilities, even though they are available in the marketplace. The Global Internet Report published by the Internet Society pointed out that people have modified their online behaviour due to lack of trust. People avoid clicking on links even if they are sent by someone they trust. The panellists added that if people are scared of using the Internet, this would lead to an economic loss.

Mr Richard Hill (President, Association for Proper Internet Governance) added that the lack of standards and enforcement is attributed to the externalities that exist within the industry. If companies are not held liable for data breaches, they have no incentive to make their platforms safer for their users. Since ensuring safer environments involves additional investments, companies cut them out to create cheaper software and gain a competitive edge over their competitors.

Ms Marília Maciel (Digital Policy Senior Researcher, DiploFoundation) focused on the proposal published by Microsoft, which emphasised the need for a Digital Geneva Convention to address cybersecurity challenges. The proposal from Microsoft calls on governments to play a much bigger role, given the economic cost of cyber-attacks on businesses online. At the same time, Maciel stressed the need for harmonisation of the process and the need for civil society actors to stay engaged in it. She added that civil society might need support and capacity building programmes to enable valid contributions. Maciel further acknowledged the growing participation of governments in multistakeholder and bilateral meetings to address cybersecurity issues. Governments should incentivise companies to address cybersecurity threats. Governments should also have proper mechanisms in place to hold companies liable when security breaches take place.

The panel addressed the issue of distributed denial-of-service (DDoS) attacks and how the Internet of Things (IoT) poses a much bigger threat by further extending the issue. For example, Hill noted how default passwords of routers and IoT-enabled bulbs can easily be hacked and used to carry out a DDoS attack. This could be easily averted by generating random and secure passwords for every device. The panel agreed that both private companies and governments have to pay more attention to addressing cybersecurity challenges and should focus on platforms that will enable discussions, leading to solutions.

 

by Krishna Kumar Rajamannar