Continuing, Hathaway challenged the audience to address the challenges of international cooperation in solving today's cyber-security challenges.
In the next four to five years, the world must reverse its under-investment in the security of the internet, or it will pay the price in failed critical national infrastructure.
Melissa Hathaway is president of Hathaway Global Strategies and author of the Cyber Readiness Index. She served as a cyber-security expert in the administrations of George W Bush and Barack Obama, and is senior advisor to the Project on Technology, Security and Conflict in the Cyber Age at Harvard University.
Over the past 25 years, the trend has been to connect to the internet just about everything that can be connected, from databases and shopping portals to industrial control systems and personal wearable devices. And the trend is only accelerating: today the market is worth an estimated US$3.6 trillion, and in fewer than 10 years it will be worth over $32 trillion.
Governments are only just beginning to get to grips with the problem of safeguarding the networks on which we are growing increasingly dependent. In the past few years we have seen notable attacks across the internet including against nuclear power plants, national electricity grids in countries like Ukraine and against critical financial services such as SWIFT.
And these two trends, the rush to connect everything and the rise in attacks on critical systems, are connected, she said. “We are designing wearable and mobile devices that don't have security built into them,” she said. “We have to think how these are going to be isolated, and how they will become infected, so a wearable device can't infect the transportation system or the systems that run our countries.”
Governments are moving to legislate and develop strategies for cyber-security but, she lamented, the global view often comes last.
Countries are not developing common standards, so there is lack of compatibility across national borders. Take for instance data protection: many countries are becoming serious about this issue, driven by breaches and judicial and regulatory activity, but the lack of commonality in something as simple as reporting requirements (48 hours in some countries, 72 in others, possibly 24 in some) means that companies which operate on an international basis have no frame of reference.
“It's hard enough for Fortune 500 companies to deal with this – how are medium to small companies going to deal with this? How are we going to detect it? Deal with it? Report it to customers and shareholders? And to regulators?” she said.
Even at the level of individual governments, there is a lack of vision behind the requirements, she argued. If businesses have to generate this data, governments must be geared up to ingest the data: will they have the resources to analyse the data? How will they report the data back to the business community in a way that's valuable to them? How much will this cost government?
“Everyone has to benefit from it otherwise it's a costly exercise. We need to think about this as we bring these into your government's laws,” she said.
For business it's about clarity of regulations: if directives from different countries conflict, which should take precedence?
And rather than thinking solely about penalties, governments should also be thinking about creating incentives for business. Tax breaks and grants would encourage companies to be proactive in developing cyber-security and data protection systems; otherwise there is the risk that organisations will fail to implement protection and simply treat the financial penalties as a cost of doing business.
There is, she said, a fundamental misalignment between countries' national security and economic agendas, with the result that very few, if any, countries are cyber ready.