The vulnerability of the internet is the vulnerability of modern society. However, security has mostly been an afterthought since the early days of the internet as many market-driven tech companies employed a ‘release now, patch later’ approach. The growing use of cyberspace by state and non-state actors for malicious purposes threatens peace and security, trust in the digital economy and services, and the potential for the digital transformation of societies and economies.
Security risks for citizens, companies, and countries are interrelated. Vulnerabilities used by criminals can easily slide into a military arsenal and vice versa. Thus, effective digital security requires a holistic approach to better tackle the interplays between security, economic development, human rights, as well as sociocultural and infrastructural aspects.
Cybersecurity is the main umbrella public policy issue. Other more specific security-related issues include:
Cybersecurity trends in 2022
- Supply chain will become one of the main targets, especially for state-sponsored attacks.
- Ransomware will move beyond the ‘double ransom’ trend of encrypting data and threatening to release stolen data publicly, to a third element, data wiping, of which we saw some early signals in Ukraine recently.
- Cloud security will come into focus in the mid-term, due to digitalisation and the transformation of 5G networks into the cloud. The question of who is responsible for international cloud security creates a big regulatory gap, especially in the case of a major cyber incident in a global commercial cloud service.
- Supply chain resilience will be built at the national level. The USA is moving towards internal solutions on supply chain security (including software); the EU is expected to agree on the NIS2 directive to address vulnerabilities and resilience. Other governments are likely to follow with some regulatory measures, especially in the case of the internet of things (IoT). The international security of supply chains is weak. The Organization for Economic Co-operation and Development (OECD) is an exception with its work on the digital security of products.
- The USA focuses on critical infrastructure; the EU is expected to adopt its new critical infrastructure directive (CER) soon.
- Cyber detente between the USA and Russia is likely to continue on a small scale (signaling), with no substantive breakthroughs. This is due to broader geopolitical tensions between the two countries, especially involving the crisis in Ukraine.
- Concerning the digital relations between the USA and China, cybersecurity has a less prominent position compared to the protection of intellectual property, free flow of data, e-commerce, and others. However, its importance may rise.
- USA–China: Cyberattacks attributed to China will continue; overall relations will likely deteriorate, also due to the broader context. However, the USA is slowly decreasing its dependency on China thanks to its new open approach to 5G, which means less reliance on Huawei, and relocating its semiconductor production from Taiwan Semiconductor Manufacturing Company (TSMC) to US factories.
- The crisis in Ukraine and other hot spots will also have cyber-dimensions and impact.
- The ITU World Telecommunications Standardisation Assembly (WTSA-20), which is to be held in Geneva, will have long-term implications for security. Discussions around the proposal for the “New IP protocol” will reflect on the trust architecture and authenticity verification of devices (but possibly also of users), as well as on the concerns about the ability to switch off parts of the future network – for security or political reasons. Debates over the scope of ITU’s mandate in cybersecurity will continue, with proposals to extend it towards privacy and trust, the supply chain and ‘zero trust’ security, and especially emerging technologies (beyond IoT, which ITU already addresses).
- Open standards and software (OpenRAN for 5G, RISC-V for semiconductors, etc.) will have a high impact on cybersecurity. For example, the EU, via the De-RISC project, plans to use the RISC-V approach in developing systems in areas that require high fault tolerance: aviation and space exploration. OpenRAN will, on the other hand, reduce the dependence of telecom providers on a handful of telecom gear providers (Ericsson, Nokia, and Huawei, in particular) and open the path for virtualisation of telecom networks – with the increasing role of the cloud. An open approach, however, will bring new and different risks, which will become a focus of international discussions.
- Smart appliances and Internet of Things (IoT) devices are often the weakest link in the cybersecurity field. This weakness is likely to be addressed by new standards such as Matter, which will facilitate interoperability among smart and home devices. Other industry-driven alliances will push towards setting standards for the security of digital technologies – from connectivity to AI.