Follow the leaders: How governments can combat intensifying cyber security risks

Against a backdrop of escalating geopolitical and geo-economic tensions, one of the biggest threats nations face today is state-sponsored cyber warfare. From election interference to the alleged attempted theft of sensitive COVID-19 vaccine research to power-supply cutoffs for nearly a quarter-million people, state-sponsored cyber attacks are infiltrating the critical infrastructure of countries around the world.

State actors, and increasingly non-state actors as well, today have more technical prowess, motivation, and financial resources than ever before to carry out disruptive attacks on a country’s critical infrastructure. Because sectors depend on one another, an attack on critical infrastructure in one sector can cascade into others. An attack on a country’s telecommunications, for example, may disrupt electronic payments.

But this is just part of the problem. Today, individuals and businesses are more dependent than ever on digital connectivity in virtually every aspect of their existence. Most people cannot imagine going even a few hours without access to the internet. Globally, an estimated 127 new devices connect to the internet every second. Any disruption in digital connectivity is considered an obstacle in the path of progress.

Owing to the COVID-19 pandemic, our dependence on all matters digital has increased dramatically. With remote working having become integral to our economies and the medical response, the rising dependence of citizens and businesses on everything digital is only going to continue.

With every new device, user, and business that connects to the internet, however, the threat of cyber attacks increases. If a government cannot provide secure and trusted digital connectivity, societies can’t prosper and economies won’t thrive.

Principal elements of a comprehensive national cyber security strategy

These are the five elements of successful national cyber security strategies:

  • a dedicated national cyber security agency (NCA)
  • a National Critical Infrastructure Protection program
  • a national incident response and recovery plan
  • defined laws pertaining to all cybercrimes
  • a vibrant cyber security ecosystem


National incident response and recovery plan

Cyber attacks are inevitable, so every government needs to develop a national incident response and recovery plan to mitigate the effects of cyber incidents and improve recovery time. Our study found that the best-in-class plans focus on six important elements:

Clearly defined reporting procedure for citizens and businesses. Best-in-class countries clearly define to whom their citizens and businesses should report cyber incidents. For example, in the United Kingdom, the National Cyber Security Centre (NCSC) is a single point of contact for all businesses—and, increasingly, citizens—to report cyber incidents. In the back end, it is critical to build a centralized repository, shared across government entities, that captures data on all cyber incidents in the country. This enables governments to gather insights and intelligence and respond more effectively to cyber incidents.

Active monitoring for cyber threats. In addition to passively recording all reported cybercrimes, governments must actively monitor the internet for cyber threats. For example, 24 hours a day, seven days a week, the US National Security Operations Centre monitors security threats entering the United States and combines network patterns with existing national-security intelligence to assess threats.

Multiple sources of threat intelligence. To supplement traditional sources of threat intelligence, best-in-class governments establish additional channels. For instance, in 2013 the United Kingdom launched the Cyber Security Information Sharing Partnership, which features a platform where the government and the private sector can share threat intelligence quickly and confidentially.

Proactive efforts to combat cyber threats. Best-in-class countries use data from both active and passive sources to initiate actions against the cyber threats facing the country. For example, the NCSC in the United Kingdom launched the Active Cyber Defence initiative to tackle cyber threats in an automated and scalable manner. If malicious content such as a phishing site is detected, the NCSC works with the hosting provider to take it down and blocks the domain for the users its protective services cover, rather than waiting for each victim to report it.

Standardized severity-assessment matrix. The benchmark countries classify each cyber incident based on its severity in terms of loss of life, national security, public confidence, type of victim, and interdependence, among other dimensions. The hacking of a major bank may be classified as a high-severity incident, while the hacking of a small business may be classified as a low-severity incident. A standardized matrix gives all incident responders a common language for cyber incidents of different severity levels, so that the same incident is triaged consistently regardless of which agency first receives the report.

Robust mobilization plan to respond effectively to cyber incidents. In conjunction with the severity-assessment matrix, each country should develop a robust mobilization plan that defines which government entities respond to a cyber incident and what role each plays. The responding agencies typically vary with the severity level of the incident. In the event of a low-severity incident, such as a small enterprise being hacked, the local police might respond and the NCA might publish guidance on its portal for the benefit of other small and midsize enterprises. In the event of a national emergency, such as the targeting of a power grid, multiple government entities are expected to respond—including the police, energy-sector regulators, intelligence agencies, and the NCA itself. Depending on the consequences of the attack, political leadership may also need to be involved.

Framework of cyber security laws

As governments develop cyber security laws to prevent, investigate, and take action against cybercrimes, they should focus on two success factors:

Robust substantive and procedural cyber security laws. Governments need to decide which aspects of cyber security they want to legislate and which aspects they want to provide guidance on without necessarily imposing legal penalties. One good option when developing national cyber security laws is to adopt the guidelines laid out in the Budapest Convention, the international treaty on cybercrime that more than 60 countries have agreed to.

McKinsey