Cybercrime is global, but the response isn’t. Governments in the west are slowly waking up to the importance of cybersecurity, and are (equally slowly) helping businesses to safeguard data and home users to protect their homes from cyberattack.
Look outside Europe and the US, though, and the picture is radically different. African countries, in particular, are underprepared for the impact of cyberattacks, and lack the governmental expertise to deal with them.
This is an issue for citizens of these countries, but also for us in the west. Poorly prepared countries act as safe havens for cybercriminals, and hackers (some of them state-sponsored) can use these countries to stage cyberattacks that directly impact users in the west.
Cybercrime: a global view
Though you wouldn’t know it from the press coverage, large cyberattacks don’t just affect the west.
Africa, for instance, actually has a huge problem with cybercrime. Recent reports from Botswana, Zimbabwe and Mozambique show that companies are increasingly falling victim to cybercrime. The global WannaCry malware attack of May 2017 hit South Africa hard, and companies in that country typically lose R36 million when they fall victim to an attack.
This situation is mirrored across the global south. It is made worse by the fact that developing nations do not have governmental policies for dealing with cyberattacks. This makes companies and home users in these countries particularly vulnerable. It also means that hackers can route their activities through these countries, which have neither the technical nor the legal expertise to catch them, let alone punish them.
Though government policies on cybercrime vary widely across the globe, many of the largest attacks of recent years have relied on global reach for their success. The Mirai botnet, for instance, managed to infect IoT devices across a huge range of territories and countries, and this global base made it incredibly difficult to stop. Attacks like this have made the IoT one of the largest concerns among security professionals today.
Given this context, it is time for governments – in all countries and at all levels – to do more when it comes to managing cyber risk.
The approach that governments take to dealing with cyber risk is a critical factor in the success of these programs. Too often, governments take a ‘hands off’ approach, issuing advice to citizens and businesses about how to avoid falling victim to an attack, and then expecting them to protect themselves.
This approach is somewhat similar to the one governments take to smoking: tell citizens it is bad for them, and they will stop doing it. And if they don’t, they are only harming themselves. This approach does not work when it comes to cyberattacks, because they often rely on millions of computers being poorly secured. Managing cybersecurity, in fact, is more like managing road safety: rules must be put in place, and these rules must have consequences if they are not followed.
At the moment, both in the west and elsewhere, this is difficult for governments to implement. That’s because tech is an incredibly fast-moving sector, with new companies and new services appearing all the time. Legislators, often with little knowledge of emerging technologies, are not capable of passing laws quickly enough.
To make matters worse, there are no industry-wide standards for security, and this leads to huge differences in the vulnerability of different providers in the same sectors. There are plenty of examples of this: the security issues of public WiFi are well known, and security researchers like Gary Stevens, CTO at HostingCanada.org, have raised concerns about the often overlooked security vulnerabilities of some popular web hosts. “As more people are able to bring their website online, the threat surface grows exponentially thanks to cheap hosts,” Stevens said in an email interview. “My research consistently shows that discount web hosts, which everyone loves to buy from, have an average uptime of less than 96.5%.”
With excessive downtime equated with increased security risks, Stevens pointed out that anything below 99% was considered unusable for business. “Even something as basic and boring as your choice of web host can set you up for a malware infection.”
Helping the average user
There is another approach, though, and one that could be very effective in reducing cybercrime. It involves dealing with cybersecurity in a similar way to how governments respond to outbreaks of infectious diseases like the flu or measles.
This metaphor is a very useful one, because the most common forms of cyberattack operate in a very similar way to infectious diseases. They will infect people (or computers) whose defenses are compromised, and then use this as a base to spread out and cause havoc.
With this approach in mind, it becomes very clear how governments can easily do more to protect citizens against cyberattacks. They could pay for mass-information campaigns, for instance. Something as simple as a poster on the bus, reminding people to update the software on their phones, would go a long way to protecting these same people against cybercrime.
Some local governments are beginning to realize this. New York has recently started providing this kind of support to its residents, for instance. The program aims to teach the average user some basic skills, like how to spot and get rid of a malware infection, and helps them to recognize phishing scams and other forms of common cyberattack.
Stopping more sophisticated attacks is more difficult, of course, but even this will be a lot easier if there is a level of consciousness and technical expertise among the general population.
Behavior and security
Treating cybersecurity as a social problem, rather than a technical or personal one, could be a highly effective way forward for governments. Programs like these require no great technical expertise within government institutions, and can be expected to have major impacts on the rates of cybercrime.
At the broadest level, governments should aim to change the way that people act online. In the same way that citizens had to be taught how to reduce the spread of infectious diseases in the early 20th century, the early 21st century requires that we all learn new ways of behaving.
Harnessing these behavioral principles could be a powerful way of reducing society-wide vulnerability to cybercrime, and would be cost-effective for governments.