Cyber Security

While cyberspace continues to enable tremendous commercial, humanitarian, and national security opportunities, it also breeds an expanded threat landscape of massive complexity. As innovation and new vulnerabilities emerge apace, responses to novel problems have remained reactive. A joint report by the Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative and Emergent Futures Lab challenges this moribund thinking by developing three Alternate Cybersecurity Futures, scenarios to provide insight into what the future may look like and how policy can move from adaptation to critically urgent evolution. These futures are meant to spark a strategic dialogue and we hope others will expand upon and between them.

This report proposes an innovative focus on cybersecurity incentives for the investment community. Investors in innovation and technology-driven companies have a responsibility to ensure that cybersecurity is given priority in the early stages of product development. By ensuring cybersecurity from the outset – including features like security-by-design and security-by-default – investors can increase the likelihood of company success in the long term, promote more durable technology and improve overall cyber resilience. This report proposes principles for investors that will raise their internal cybersecurity awareness and offers a complete framework enabling investors to assess the cybersecurity preparedness of their target company.

The concept of granting digital access to users based on proper identification has been the very core of how people access online services since the emergence of the public internet in the 1980s. The power of confirming an identity and being granted access to services of value has attracted billions of users to the internet, and as society moved to this parallel universe, so have other parts of it, namely fraudsters, con men and organized crime. In the past six years, USD 112 billion has been stolen through identity fraud, equating to USD 35,600 lost every minute. The more services are offered to the general public—with additional features for convenience and usability that rely on the internet—the wider the window of opportunity for attackers. Javelin Strategy Research expects fraud related to the creation of new online accounts to rise as much as 44 percent by 2018, increasing losses from USD 5 billion to USD 8 billion in a matter of four years. While consumer personal information has been compromised on an ongoing basis for years, the massive data breaches of 2017 removed all doubt: Criminals clearly have access to the very information that many banks, companies and other businesses use to grant their users remote access to services. Even social security numbers, which are considered highly private and sensitive personal information, were exposed for hundreds of millions of consumers in 2017. Recent data breaches have been a resounding wake-up call to the fact that new methods are needed to validate our identities online. In an era where personal information is no longer private, and passwords are commonly reused, stolen or cracked with various tools, the traditional scheme of accessing data and services by username and password has repeatedly shown to be inadequate.

States have taken a variety of approaches to securing their digital domains. These policy approaches share a significant commonality: success depends on collaboration between the public and private sectors.
However, effective collaboration is uniquely difficult in the domain of cybersecurity. Cyberthreats are complex, with an ever-expanding and exposed surface for malicious actors to exploit. Each new innovation brings with it new and sometimes unexpected vulnerabilities.
Despite these challenges, advancing cyber resilience requires the public and private sectors to collaborate in new and innovative ways. This Playbook is recommended for use by the public and private sectors, together, as a tool to facilitate discussions on building the institutions, frameworks, policies, norms and processes necessary to support collaboration in this vital space.