Coronavirus, Cybersecurity and Capacity Building

Healthcare systems face increasing cybersecurity risk, just as we need them to be at their most resilient. International cyber capacity building can help.

For almost everyone alive, the coronavirus is an unprecedented global challenge. Healthcare systems in every country are either stretched to their limit or preparing for that scenario.

In response, governments, development banks and companies are all asking how every aspect of their work can be used to help mitigate the crisis. You see this in the questions they ask their programme managers. And you see it in the emails we’ve all received from every company we’ve ever dealt with – and some we’re sure we haven’t – telling us how they are stepping up to the challenge.

So can the international cybersecurity community help?

The answer, of course, is yes. It must. Healthcare systems around the world are experiencing a spike in cybersecurity risk, just as we need them to be at their most resilient.

This post looks at the reasons why and starts to consider what a policing, foreign policy and capacity building response might look like.

The increased cybersecurity risk to healthcare

The cyber security risk to healthcare systems around the world is rising rapidly because all three components of the risk equation are changing for the worse.

(Cyber) Risk = Threat x Vulnerability x Impact

Cybersecurity Threats are spiking for several reasons. Hospitals have long been prime ransomware targets. However, since the emergence of coronavirus, criminals have even greater incentives to target them, because they think hospitals are more likely to pay a ransom demand quickly to avoid making a bad crisis worse. Some groups have promised not to target hospitals, but it’s hard to place confidence in the public relations arm of an international criminal organisation.

For more sophisticated actors, targets like the WHO, government health ministries and research companies have valuable information on new drugs and testing kits in the pipeline. Health sectors are also gathering and connecting valuable personal data about health, taxes, insurance details and mobile phone geolocation. The more personal data is in one place the more attractive a target it becomes, especially when it is being moved and processed in a hurry.

From the Threat perspective, we are also seeing the increasing relevance of disinformation opportunities. A global pandemic creates the perfect conditions to turn people against their neighbours and sow the seeds of distrust in governments and political systems.

Turning to Vulnerability, hospital and health care IT staff will be reduced in number due to illness or care giving and distracted by the need to shift to remote working. That remote working in turn creates a greater attack surface to strike against. Even better, for the attacker, many of the staff using either their old or new remote working systems will likely be very distracted, struggling to implement new security protocols and looking for corners they can cut to save time. What better time to send an email pretending to carry some vital piece of information about Zoom or the virus?

Last, but of course not least, we come to Impact. Any disruption could be deadly when there is zero slack in the system. Any staff or wards taken out of action for a day could cost lives. Something on the scale of the WannaCry attack on the NHS would have consequences that are hard to think about, although we must.

Their risk is our risk

We are facing the potential collision of two similar challenges. Global viruses compounding global viruses. Interconnected health systems threatened by interconnected IT systems. Although before being too bleak, we also need to acknowledge that those interconnected IT systems are currently enabling the solutions too: everything from the search for tests and treatments to the complex logistical feats needed to cope with this crisis.

In international cyber capacity building we often talk about why a risk to another country’s systems is a risk to our own. In this case, that narrative applies to our respective healthcare systems. If a cybersecurity attack were to disrupt the healthcare system of any country it would prolong the global spread of the virus and delay the point at which our own countries can return to normal. Furthermore, when that other country’s health system is disrupted by the attack, the number of patients will rise and they will need more vital resources – testing kits, PPE, ventilators – to cope. That in turn will increase the cost, and reduce the available supply, for the rest of us. We are all in it together, for better or for worse.

What options do we have?

If their health system risk is our risk, and their risk is going up, then there are really only three main options:

  1. Accept the risk.
  2. Reduce our interconnectedness.
  3. Encourage and help other countries to reduce their risk.

Accepting the risk is always an attractive option. Until the risk is realised and then it very quickly becomes unattractive.

Countries are already pulling hard on the levers that reduce international connections. Travel is discouraged. Domestic production has been retooled to produce face masks and ventilators, so there will be less reliance on imports of these scarce resources. And yet, as things stand today, the scenario I described above, in which a deepening of the crisis in one country would delay recovery for everyone, holds true.

And that brings us to the third option: encouraging and helping other countries to reduce the risk their healthcare systems face as a result of cybersecurity threats. The ways we can do this aren’t just cybersecurity capacity building, but yes that’s coming. Let’s first look at some of the other tools we can deploy.

Reducing the Threat: Foreign Policy and Policing

To work out how to reduce the risk we need only go back to our risk equation. We would need to reduce the Threat, the Vulnerability or the Impact.

If we are to start with the tools we have that aren’t capacity building then the most obvious thing to do is to bring down the Threat.

Many (but not all) attackers are motivated by money or political gain. They are demotivated by disruption to their ‘business’ or political harm. Right now we need those attackers to be as demotivated as they can be. The tools we have in our arsenal to do that include policing and foreign policy.

Many police forces are tied up dealing with public order, but there are still cyber crime units that can make life for international criminals especially uncomfortable right now.

To deter politically motivated actors we need a foreign policy toolbox. Fortunately, the international community has been gradually building one over the past decade. We have established that international law applies online as it does offline. Furthermore, we have agreed at the UN a norm of responsible government behaviour that you don’t target hospitals. Just as the police can make life uncomfortable for criminals, so our politicians and policy makers can make life uncomfortable for those who disrupt the healthcare response for political gain.

A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operations of critical infrastructure to provide services to the public

UN Group of Government Experts report (2015)

Reducing Vulnerability and Impact: Cyber Capacity Building

Reducing vulnerability and impact is where international cyber capacity comes in.

It is never too late to start improving a healthcare system’s cyber readiness and reducing its vulnerabilities. The sort of activities that are needed include identifying critical systems, assessing the current protective measures and processes, exercising what you would do if the national hospital IT system was attacked, patching, patching, patching etc.

Admittedly now is a terrible time to choose to start doing these things, because they all require staff availability and right now healthcare systems around the world are desperately short of that. But, if an attack could be just around the corner, then there will never be a better time to start. Now is the time.

Of course it’s easy to say “now is the time” from the comfort of my self isolation in London. I’m not in a health ministry in Mexico or a hospital in Hanoi having worked 48 hours without rest. However, I think I can conceive of the scale of the challenge and I know that things on this scale have been done before.

It’s been done before

In the midst of the 2014 Ebola crisis in Liberia, USAID and the Department of Defence built out an internet network across Liberia and Sierra Leone in 3 months. A secure, reliable internet network was considered mission critical and they made it happen.

By its own assessment, the Ebola Connectivity Response Initiative (ECRI) had significant shortcomings and there have been criticisms of how personal citizen data was managed and used (which are relevant again today). However, that does not alter the fact that in the face of a viral health threat, the international community mobilised a rapid deployment of ICT assistance, supporting overworked local staff in crisis conditions. And that was in response to an African epidemic, not a pandemic, that resulted in 2 deaths in the US.

The need then was for international ICT assistance to build out an internet network. The need now is for international ICT assistance to secure the world’s most critical health care system networks, where we can see they have obvious vulnerabilities and weak recovery mechanisms.

For some this will be a health challenge. For some a development challenge. For some a national security challenge. For some it will be a policing challenge. For some it will be a human rights challenge. Let’s not let those distinctions get in the way. Instead it can be an opportunity to draw on the resources and experience of all of these communities.

Tough but doable

I am under no illusions as to how big the challenge is. Nor how comparatively small the budgets are that we are used to working with.

Furthermore, the pool of experts we can deploy is constrained. And it will be hard to use the most commonly played card in our deck – flying out international experts to provide advice and training – when airports are closed.

Nonetheless, I think we could scale up and find new solutions if there is the will to do so. The question is: what priority will this be given, especially when the immediate domestic challenges are so pressing?

Even if we don’t commit to pre-emptive capacity building, I suggest we still think about how we would collectively respond to a major incident affecting a critical country’s healthcare system. At that point the priority would be incident response, but even in the midst of that there will still be the need for capacity building.

GFCE Annual Meeting 2019

The GFCE’s 2019 Annual Meeting was its first in Africa. It marked the start of its regional outreach and the launch of a new online portal.

The 2019 GFCE Annual Meeting (#GFCEAM2019) was held on 8-10 October at the African Union Commission’s headquarters in Addis Ababa. Six months on, this post is a look back on what it was like to be there, the meeting’s significance and what it led to.

A quick recap of GFCE Annual Meetings

For those new to the Global Forum on Cyber Expertise, it is an international forum where any country or organisation interested in international cyber security capacity building can come to share knowledge, coordinate their projects and find new partners and support.  As I write, it has 104 member and partner countries, companies and international organisations.

The GFCE’s origins lie in the Global Conferences on Cyberspace, which began in 2011.  In 2015, this series of international policy discussions spun off the Global Forum on Cyber Expertise to focus on capacity building.  Every year since, the GFCE has held its Annual Meeting in a different city.

Timeline of GFCE Annual Meetings and Global Conference on Cyberspace

Impressions of the GFCE Annual Meeting 2019

My perspective on the 2019 Annual Meeting will be a little different to others, because I was part of the GFCE secretariat team organising it.  As an organiser, you miss a lot of the conversations that happen in the margins.  Those are so important that some people go to international conferences just to do business in the corridors and never step foot inside a single session in the programme.

Nonetheless, as an organiser you get to speak to a lot of people about what they are hearing. One of the main topics of conversation I picked up on was just how productive people felt it was to be meeting at the African Union.

Being at the AU and having so many African delegations present – 35 in total – gave the conference a sense of purpose and a feeling that we were discussing capacity building with the right people: those who were working with projects on the ground and who wanted to take home ideas they could implement.

The African Union venue itself was an impressive modern conference facility that combined the grandeur of the UN without its fussiness. Taking selfies was positively encouraged!

Delegates at the GFCE Annual Meeting 2019 at the African Union

Structure of the conference

For those not there, I think it’s worth briefly summarising the programme.

Day one was filled with workshops organised by volunteers from the GFCE’s working groups and task forces.  For example, one workshop brought together people who had drafted national cyber security strategies to present to delegates who were drafting them at the moment and those interested in the process.  At the end of the workshop representatives from five countries, most of whom had previously no involvement with the GFCE, expressed interest in finding partners who could help them with the strategy setting process.

Day two was the plenary day, with speeches, roundtable discussions of the GFCE’s future direction and a choice of half hour presentations from members on their initiatives or research.

Day three was for working group and task force meetings.  These groups are the place where members come together to agree and implement work plans that move forward or improve international cyber capacity building.

The first GFCE Annual Meeting in Africa

This Annual Meeting had several firsts for the GFCE. Arguably the most important of which was that it was the first one to deliberately reach out to, and invite, all the countries in a continent.

The seed for this was planted at the 2018 Annual Meeting in Singapore. At a session on projects in Africa, the room looked at a map of projects in the region.  They discussed how they were concentrated in a few countries and how a large portion of the continent had experienced no direct projects at all.

A map of international cyber security capacity building projects in Africa as of 2018.
Heat map of international cyber capacity building projects in Africa discussed at GFCE AM 2018

Several people suggested that instead of talking about this in Singapore, we should be talking about it in, and with, Africa. Some excellent principles underlie this: try to talk with countries, not about them; and try not to ask country representatives to come to you, when you could go to them.

After the 2018 meeting in Singapore, the African Union Commission offered to host the GFCE in 2019. Several donors then stepped forward to sponsor the travel of delegations from every African country, should they choose to accept the invitation.

The feedback from African delegates was very positive and several are now in the process of becoming GFCE members.

The first GFCE Annual Meeting with a day of workshops

Another first for a GFCE Annual Meeting was that we devoted a day to community-organised workshops. This was a highlight of the conference for many people.

The workshops ensured the conference served a practical purpose.  They also kick started practical, action-orientated conversations among the delegates for the rest of the conference.

The first GFCE Annual Meeting with a clearing house session

The 2019 Annual Meeting was the first to have a clearing house meeting.  This was focused on Sierra Leone and attended by Minister Swaray, Minister of Information and Communication.

At Minister Swaray’s request, the GFCE had earlier held several months of conference calls and email discussions with everyone running cyber capacity building projects in Sierra Leone. These were to understand all the projects in Sierra Leone and, also, who might be able to contribute more to meet the country’s requirements in the next phase of its capacity building.

By the time of the Annual Meeting, this clearing house effort had already resulted in at least one new project – national cyber risk assessment support from the UK Home Office – and moves towards new collaborations. 

At the Annual Meeting itself, Minister Swaray held a meeting with 17 partners who were already working with Sierra Leone or were interested in doing so. He set out the country’s priorities and the attendees discussed how they could each respond.

Sierra Leone’s Minister Swaray meets international capacity building partners at the GFCE Annual Meeting 2019

The test of whether that clearing house process worked is whether it led to anything afterwards.  I’m pleased to say it has.  At the US’s suggestion, Sierra Leone has joined STOP.THINK.CONNECT and is using its public awareness campaign materials.  The Council of Europe and EU are providing further advice on cybercrime legislation.  I believe other concrete offers of support are in the pipeline, either as a result of or informed by that meeting.

When Minister Swaray returned to Freetown he briefed the Cabinet on the meeting, as an example of how international partner coordination can work.

The first GFCE Annual Meeting with an online knowledge portal

The final first of the Annual Meeting was that it launched a new online portal for sharing information on international cyber security capacity building projects, tools, publications and events: www.CybilPortal.org.

The Portal has a full-time manager and an international oversight committee.

Having written before about the GFCE effort to map all cyber capacity building projects, I’m pleased to say that the Cybil Portal has now uploaded all the projects in the GFCE database: over 570 now. It is adding new features and improving every month.

What next for the GFCE and Africa?

The bottom line is that the GFCE’s first Annual Meeting in Africa was a real success.  What we need to do now is help convert promising conversations into concrete capacity building collaboration, coordination and activity.  That will be a task for the working groups, with support from the GFCE secretariat.

We also need to maintain the momentum of the GFCE process in Africa.  There was a lot of interest in holding annual regional GFCE meetings on the continent.  The question now is when and where?  The front runner idea is to choose a conference that already brings together many on the continent and hold a GFCE meeting in the margins.  SMART Africa came up several times as an option.

What do you think?

Updating the cyber capacity building network

Improving the map of cyber security capacity building.

In a previous post, I promised updates on the Global Forum on Cyber Expertise (GFCE) effort to map all international cyber security capacity building projects. That includes all the projects that have finished, all that are running now and even some that are at the planning stage. That’s a lot of projects! At least a thousand, I estimate.

Only by having a clear view of all cyber capacity building projects can people properly coordinate their activities and make use of what has gone before.  The mapping effort will also contribute to transparency and should provide useful material for research, which in turn will improve future capacity building.

The good news to report is that since my last post the GFCE has doubled the number of projects in its database to over 500.  Information on all these projects is steadily being uploaded to a new GFCE knowledge sharing site: www.cybilportal.org.

While that upload continues you can still search all 500+ projects at www.capacitylabs.org/projects.  That temporary site has a new, more mobile friendly, landing page. Plus, the original desktop layout.  Plus, a new animated data visuals page.  What more could you want?  No really, tell me what more you’d like to help you explore the data and I’ll pass it on to the Cybil Portal team to consider as a user request for the new site.

Updating the cyber capacity building network map

In my previous post, I showed how the project data could be repurposed to create an explorable network diagram of the international cyber capacity building community.  For this post, I’ve repeated that network mapping, adding the latest project information.  This is what the network looks like now:

International cyber security capacity building network as at October 2019.
The international cyber capacity network mapped with 500 projects

As before, you can explore the network here.

So, what has changed? The most notable difference is that the largest node in the network is no longer the UK (as a funder) but the International Telecommunication Union (as an implementer). The behind-the-scenes reason for this is that the ITU gave an intern the task of identifying every project they had run and sending that information to the GFCE. This resulted in the number of their projects in the database increasing from 9 to 147. That is more than any other organisation has submitted or, as far as we know, has run.

Reaching an accurate picture

In this early phase of data collection we should anticipate big changes in the network diagram, as batches of missing projects are uploaded in bulk.  However, sometime next year I expect us to have gathered all the big handfuls of old projects.  At this point the diagram should settle to a (fairly) complete and accurate picture of the international cyber capacity building network.  Any changes to the diagram after this point will reflect real time changes in the partnerships between countries and organisations as they happen. 

I expect the settled network to only change slowly, but these changes may nonetheless reveal some interesting trends, such as new countries or regions – for example central Africa – appearing in the community network for the first time.  Or the gradual emergence of new themes of capacity building.

Mapping the network can change the network

Even better than simply tracking projects, this mapping effort is directly influencing whether new countries enter the capacity building community and thereby benefit from international support. 

At the GFCE 2018 Annual Meeting, a workshop on Africa looked at a map of projects on the continent – using the GFCE database – and saw that many countries had not yet been part of any project.  There were large blank spaces in the map, especially in central Africa.  These countries were not part of the community network.

The conclusion of the conversation that meeting started was that the GFCE should do more to connect with those countries not in the network. For example, by holding a meeting in Africa. That in turn led to the African Union Commission kindly offering to host the 2019 Annual Meeting in Addis Ababa this October.

Five different organisations worked together to offer sponsorship for two officials from every AU member to attend the Annual Meeting.   The result was that 35 African countries joined the conference to discuss and collaborate on cyber capacity building.  How that event went will be the subject for a future post.

Keep watching this space

If you have read this far then it may mean you are one of the people whose life this project database is meant to make a little bit easier.  Your work life that is. I make no big claims as to what project mapping can do for your personal life.

If you are one of those people then please do check out the Cybil Portal, the data visualisation demo site or the explorable network diagram on this blog and let me know what you think and how we can make them better. 

Why is cyber security blue? The cybersecurity visuals challenge.

Ideas from colour psychology have led us into feedback loops that turned cyber security as blue as the sea. We can escape if we rise to the challenge.

The Hewlett Foundation thinks it’s time to improve how we communicate and visualise cyber security. I agree.  To find fresh ideas, the Foundation has launched a Cybersecurity Visuals Challenge, rewarding artists with substantial grants for creative solutions.

Having more modest financial means than the Hewlett Foundation, I thought I would make a small contribution to the Cybersecurity Visuals Challenge effort with this blog. 

As I’ve mentioned before, I think it helps us improve things in the future if we first know how we got where we are today.  In that spirit, I want to use this post to take a long view look at the question…

… why is cyber security blue?

Cyber security is as blue as the sea

Before diving into the answer, I wanted to first check cyber security really is blue. A quick Google image search for “cyber security” soon confirms that it is. Or to be more precise, cyber security has an average RGB colour value of Red:111, Green:135 and Blue:152.

Image search results for “cyber security”

Repeating this rigorously scientific (!) image search experiment on other ‘blue things’ we find that cyber security is nearly as blue as the sea.  Only with more hoodies and fewer seals.

Image search results for “sea”

So cyber security is blue. But why?

The birth of Colour Theory

You’ve probably heard the myth that Isaac Newton discovered gravity when an apple fell on his head. Unfortunately, I have no fruit-based explanation as to why he discovered that light could be split into a rainbow of colours using a glass prism.  What I can tell you is that having made this discovery, he proposed that every colour in this rainbow could be formed by mixing three primary ones: red, yellow and blue.  From this idea, modern Colour Theory was born.

A hundred years later and some academics were still claiming that Newton had got it wrong.  His critics said all colours were a mix of darkness and light.  Blue, for example, was the first colour to emerge from darkness when you add a little light.

Johann Wolfgang von Goethe was one of those critics. But the reason we should be interested in him is not his argument with Newton, but because he introduced a new topic to the field of Colour Theory: psychology. 

Goethe thought we all share psychological associations between colours and concepts.

Blue gives us an impression of cold… The appearance of objects seen through a blue glass is gloomy and melancholy.

Johann Wolfgang von Goethe (1810)

Importantly, the concepts Goethe had in mind were very abstract and mostly related to feelings.  We are still a long way from concepts as concrete as cyber security.

A colour revolution

We jumped a hundred years from Newton to Goethe and now we jump two hundred more to reach our next key character: Faber Birren.

After WWII, America’s government and industry were open to big, bold ideas. Into this fertile ground, Faber Birren planted the idea that colour had a more powerful influence over individuals, societies, organisations and brands than Goethe or anyone else had previously suggested.  He also proposed that colour’s psychological associations were much more concrete than the emotional associations that Goethe had in mind.  Birren said we associate colours with very precise concepts such as intelligence, arrogance, modernity and remorse. 

Birren was described as a colour revolutionary and America’s management class loved his theories.  The US Navy hired him to colour coordinate everything it owned: every item, structure and piece of clothing.

Working with DuPont, Birren designed a safety colour code for industry: all fire safety equipment should be red; all equipment for handling materials should be yellow; and so on. The American National Standards Institute adopted his code and then it spread across the globe.

It is no coincidence that skips, hazmat suits and diggers are all yellow.  Faber Birren made them so. 

Skips, hazmat suits and diggers are all yellow because of Faber Birren

Applying Colour Theory to Cyber Security

We might suspect that cyber security is blue because security is blue.  But I don’t think that’s the case. 

Other fields of security – home security for example – are not blue.  And a consensus that security is blue was only reached as recently as this decade.  In previous decades, writers in marketing and the psychology of colour said that security was black. Or grey. Or orange. Or brown. Or pink. Or green. Or, yes, blue. 

I think the word security is a red herring. The key actually lies with the word TRUST.

Faber Birren claimed that trust was one of the concepts we associate with blue and everyone since has repeated this thesis. In contrast, Birren said nothing (that I have found) about security and this left the field wide open for people to describe it as being any of the half a dozen colours I just listed.

So how did we get from Birren’s belief, in the 1940s, that trust is blue to cyber security being blue today?

The story of blue: from trust to cyber security

To understand the final part of the story of why cyber security is blue, we should first recall a time before it was.  Until only a few years ago cyber security had no dominant colour association.  Yes, black and blue have been in the cyber aesthetic since the start, but for a long time red and yellow were just as prominent. Other colours – including green, brown and pink – were in the mix too.

Colour in the early years of cyber security: War Games (1983), Symantec Website (1998), CERT Conference (2002), The Cuckoo’s Egg (2005)

Around 2003, internet use took off and, soon after, cyber security began to rise steadily up business and foreign policy agendas.

My theory is that during this cyber growth spurt (2003-2010), the companies, organisations and influencers involved felt the need for cyber security to have a stronger, clearer visual identity.  They had the motivation and budgets to ask brand managers, graphic designers and creative agencies to come up with the ‘right look’ for the fast-growing number of cyber security brands, services, products, articles and events.

By coincidence, just as this was happening, these same branding and creative experts were being shown research that told them the ‘right look’ essentially meant the ‘right colour’.  In 2006, The Institute of Colour Research pushed out a widely quoted research paper that claimed people make a subconscious judgment about a product within 90 seconds of initial viewing and that between 62% and 90% of that assessment is based on colour alone. It was a powerful return of Birren’s message: colour is king.

Creatives tasked with choosing the ‘right look’ for cyber security – and therefore the ‘right colour’ – had a safe choice to make: blue.  Thanks to Birren’s influence they could confidently tell their clients that everyone agreed blue was the colour of trust.  Even better they could point to the fact that it was because of this that IBM changed its own logo and brand to blue in 1972 – earning it the nickname Big Blue. That in turn created another association in the public’s mind between safe, reliable IT and the colour blue.  All the stars were aligned.

In the 1970s, no IT manager ever got fired for choosing Big Blue. During cyber security’s growth spurt, no creative ever got fired for designing a blue cyber security visual.

Feedback loops

In a field with a relatively small pool of visual products it wouldn’t have taken long for blue to become so prevalent that a tipping point was reached. When an aesthetic becomes dominant, a professional creative who doesn’t follow it isn’t just avoiding the safe option, they are consciously choosing a risky one. Their client is expecting the dominant aesthetic and only a few will want to swim against the tide. There is every chance the client will ask their creative to resubmit something more conventional, at their own expense.

Meanwhile, an army of amateur DIY creatives were churning out micro products (presentations, office posters, community flyers, blogs…) with even less desire or ability to create something unique. They used the images on the first page of Google and unintentionally fed a feedback loop that pushed anything non-standard down the search results.

And thus we reach today, swimming in a sea of cyber blue.

Are we stuck with blue forever?

As we’ve seen, cyber security was once colours other than blue and it could be again.

A girl looks at blue cyber security posters thinking there must be a better way to visualise cyber security.    Hewlett Foundation's Cybersecurity Visuals Challenge. #CyberVisualsChallenge.
Our cyber security visuals are tired of being blue

Within the capacity building community green is quite common.  It is associated with the environment, from which many analogies for the internet as a global commons are drawn.  And with health care: the source of analogies used in State Department capacity building training materials. 

CyberGreen – which helps countries fight DDOS – are obviously on team green. As are FIRST, the Forum of Incident Response Teams. In 2005, when the rest of the cyber world started going blue, FIRST bucked the trend by changing their logo from pink/blue to green.

But why stop at green? There is a rainbow of opportunity out there that I hope Hewlett’s Cybersecurity Visuals Challenge will help us explore. 

Maybe then we can turn our attention to the hoodies.

Income Gap. Digital Divide. Cyber Security Canyon?

A look at the evidence for global inequalities in cyber security.

In my last post, I looked at the global Income Gap and Digital Divide. I asked why there are, proportionally, more billionaires in San Francisco than people with fixed broadband access in South Sudan.

In this post I’ll ask whether, in addition to an Income Gap and Digital Divide between countries, there is also a Cyber Security Canyon.

How to spot a Cyber Security Canyon

Before we search for a Cyber Security Canyon we should decide what we are looking for. I propose that it would show up in the data as a significant inequality in the level of cyber security between countries. By significant, I mean it would be on a similar or greater scale to the inequality of the Digital Divide, where the top countries have internet access rates 5 times better than the lowest ranked countries.

The chart below illustrates the size of the Digital Divide, using median household income data from Gallup, for the 131 countries they survey, and the corresponding internet access data from the ITU. Liberia is on the far left, with the lowest household income, and Norway is on the far right, with the highest.

If a Cyber Security Canyon exists, the countries on either side of it need not necessarily be the same as those on either side of the Income Gap and Digital Divide.  But it wouldn’t be a surprise if they were. 

The case for a Canyon

So, what evidence for a Canyon can we find?

I think the search gets off to a fruitful start if we begin by considering countries’ cyber security capacity and vulnerabilities. In the next chart, I’ve plotted an indicator of national cyber capacity in green and an indicator of national vulnerability in red. The trend lines are shown with dashes.  The capacity indicator is the ITU’s Global Cybersecurity Index score. For vulnerability, I use the Microsoft malware encounter rate – the percentage of PCs in a country on which Microsoft detects malware in a given time period (Q1 2017 in this case).

Looking first at the national capacity indicator, the lowest income countries have a Global Cybersecurity Index score of around 0.2-0.3. ITU use an ordinal scoring system in which a country with a score of 0.2-0.3 has very basic capacity in some dimensions of cyber security and no capacity at all in others.  By contrast the highest income countries have GCI scores around 0.8-0.9, which equates to having advanced levels of cyber capacity in almost all dimensions. 

When we turn to the malware encounter rate we see the mirror relationship.  In low income countries Microsoft finds malware on around 20-25% of PCs, compared with around 5% in the high income countries. 

The malware infection rates in the lowest income countries are 4 to 5 times worse than those in the highest income countries. The ITU capacity scores for the highest income countries are more than 4 times better than those of the lowest income countries (although that could of course change if ITU changed their scoring system).

This is beginning to look like a Canyon. Because of the main indicator, I’ll call it a Cyber Capacity Canyon.

This is not the Canyon you are looking for

Wouldn’t it be useful if we could neatly conclude that cyber security is four times better in the highest income countries than the lowest?  Of course, life is never that simple.

Most importantly, we still haven’t defined what we mean by better cyber security.  I suggest that in most cases when we dig into what ‘good cyber security’ means we get down to the underlying, and more concrete, concepts of cyber risk and cyber harm. 

Bear with me here…. A country or organisation achieves good (or adequate) cyber security when its control measures are sufficient to reduce its cyber risk exposure to the level of its risk appetite.  Once a country achieves good cyber security it should find in the future that the cyber harm it actually experiences is at or below the level of harm it was willing to accept as the price of being digitally connected.

So, if we are talking about cyber risk or cyber harm when we talk about ‘good cyber security’, then what can our two indicators tell us about them?  Unfortunately, on their own, not as much as we’d like. 

The malware encounter rate can be an indicator of cyber harm, but we would need to find some method of translating infection rates to dollar cyber harm values in a way that works whether the PCs are in Canada or Cameroon.  I’m not aware of such a method.

As for cyber risk, both indicators can tell us something about that, but they are only part of the equation. I’ll explore competing interpretations of cyber risk in a future blog, but for now let’s use a basic formula from many management textbooks:

(Cyber) Risk  =  Threat  x  Vulnerability  x  Impact

Both the Microsoft malware encounter rate and the ITU GCI score are national indicators for the middle term: vulnerability.  They tell us almost nothing about threat or impact and therefore can give us only a very incomplete picture of cyber risk.

When we gather data for cyber risk and cyber harm we may find that there is no Cyber Security Canyon, or that it looks quite different to the Cyber Capacity Canyon we’ve seen so far.  I can only speculate.

Cartoon illustration of what a cyber security canyon between poor and rich countries might look like. Links to the global Income Gap and Digital Divide inequalities.

Can we rely on our indicators?

We need more cyber indicators to capture risk and harm, but can we even be sure the indicators we already have are reliable? 

What I find most striking about the two cyber indicators I’ve used in this blog is the difference in their deviation around the trend line.  The Microsoft encounter rate sticks pretty closely to its trend line, but the ITU’s GCI score deviates noticeably.  In the GCI data we see countries with near identical low incomes where one has almost zero cyber security capacity and the other has a capacity level just short of the most advanced cyber nations.  We don’t find that pattern in the ITU’s internet access data.

Suffice to say the lower deviation in the Microsoft data means it’s the cyber indicator in which I have greater confidence.  However, I appreciate the effort that has gone into producing both data sets over several years and I expect the trend line in the ITU’s data will be confirmed by other capacity review studies.

The need for further research and cyber security capacity building

I feel fairly confident we have found a Cyber Capacity Canyon, but more is needed to explore its geography.  By augmenting ITU’s capacity data with other sources we could be more confident that it is as wide as it looks. By adding other indicators, for example covering threat and impact, we could see if it extends into the territory of cyber risk and cyber harm – meaning we’ve found a Cyber Security Canyon.

Should we wait for this further research before acting?  I think that would be a mistake. We have enough data to know that poorer countries are being left behind in terms of their capacity to protect themselves and their populations.  That alone is enough reason to act now: for their sake and for the sake of the global systems that are connected to them.

Now is the time for international cyber security capacity building.

Income gap. Digital divide.

Why is it easier to find a billionaire in San Francisco than a fixed broadband connection in South Sudan?

Proportionally, more people are billionaires in San Francisco (1 in 11,600) than have fixed line broadband in South Sudan or the Democratic Republic of the Congo.

How did we get here? And what does it mean for cyber security capacity building? Part one of a two part blog.

It now matters where you live: income inequality between countries

It seems obvious today that the country we live in makes a big difference to how much we earn. But that’s a relatively new development. 

Two hundred years ago, where you lived made little difference to your income.  Pretty much everyone lived in what we call extreme poverty and had a life expectancy of around 30 years.  In 1820, a building labourer in Africa could use their daily wage to buy food with enough calories to last them 3 days.  In Western Europe, the daily wage for the same job bought you 12 days of food. Both situations were pretty precarious. What mattered to your income was not where you lived, but what you did: beggar, building labourer or banker.

Jump back to the present and it’s where you live that is the greater determinant of your income. A building labourer in Africa can now buy 18 days of calories with a daily wage, while their counterpart in Western Europe (or San Francisco) can buy 163. The former’s life expectancy at birth is 61 and the latter’s is 80.

The recent importance of where you live on your income is shown in the chart below by Our World In Data. Total global income inequality is the top line in green. Its component parts are: income inequality between countries (red); and income inequality within countries (blue). As you can see, around 1930 the country you live in overtook the work you do as the key driver of income.

Global inequality between world citizens and its components 1820-1992

So, the first part of the answer to “how did we get here?” is that geography has started to really matter. Why is that?

The Great Divergence and The Great Convergence

As we saw, in the early 1800s every country was in a similar position in terms of per capita income. Then from the mid to late 1800s Europe, North America and Australia began to experience unprecedented growth and, for a time, left the other regions behind. This has been called the Great Divergence.

The Great Divergence (source: The Economist)

This explosive growth has been accounted for with competing theories ranging from the shameful (slavery) to the inspiring (two industrial revolutions) to the accidental (having coal reserves near major cities).

By 1975 its impact on global income distribution was a divided world. The ‘West’ were earning around $15 a day (in 2011 prices), while ‘The Rest’ were distributed tightly around $0.8 a day – well below the poverty line.

The Great Divergence

All this changed again after 1980. The Great Divergence was followed by the Great Convergence, as India, China and others rapidly narrowed the gap. The animation below shows this catch up until 2011, but it is a trend that continues today. The country we live in is still important for our income, but it is beginning to matter less than it did at its 1980 peak.

Global Income Distribution 1988 to 2011

However, even after the Great Convergence, there remain deep pockets of poverty, especially in Sub Saharan Africa.

The situation in which some countries find themselves – blessed by rich natural resources and cursed by conflicts or weak governance – has been called a poverty trap. South Sudan and DRC exemplify these conditions and it is in these that we find the greatest contrast with San Francisco in terms of both income and internet access.

What you do always mattered: income inequality within countries

Turning now just to America, I’ll admit that the prevalence of billionaires in San Francisco took me by surprise, but the reasons for it are familiar.  America benefitted most from the Great Divergence and invested some of its wealth in world class tech research institutions on its west coast. Those institutions helped start a third (digital) industrial revolution and tech firms clustered around their talent. And a decade of acquisitions by the largest tech players has created some very rich people. 

The world’s c.2,600 billionaires make up about 0.000002% of its population.  Over the past four decades, despite the 2008 recession, they’ve achieved greater proportional income and wealth growth than any other group.

World Inequality Report 2018 – The “Loch Ness Monster” chart

The rapidly rising income of the billionaires is the extreme point in a wider trend: since 1980 income inequality within countries has been rising, both in America and globally (see the blue line on the first chart). This comes after a period of falling inequality from 1910 to 1950.  The better off are once again pulling away from the lowest and middle earners.

‘I know my place’ sketch on The Frost Report, 1966

The digital divide

That was a lot of economics for a cyber blog, but here’s the crunch.  How your country – and even your city – fared in the last two centuries of the Great Divergence and the Great Convergence will significantly influence both your ability to pay for internet access and the price you pay for it.

An assistant professor in Juba, South Sudan, earns $54 a month and would be charged $200 a month for home broadband.  One in San Francisco makes $7,400 and pays $50.  Unsurprisingly, internet penetration in South Sudan is 17% (thanks to mobile) compared with 89% in the US.

As a rule of thumb: the higher a country’s median income, the more people it has online

To compare the US and South Sudan is to look at the extremes, but, as with income, the picture looks a lot more positive in the middle.  There are now over 3 billion people online, 2 billion of them in low and middle-income countries. In 1820, there were only 1 billion people on the planet.

The ITU estimate 48% of the world’s population were online by 2017:

Internet users per 100 people 1996-2017 (source: ITU)

The percentage of a population online – internet penetration – is a crude measure of access.  It ignores the price you pay, the speed of your connection, what proportion of online sites and services you can access, whether you trust them enough to use them, whether there is content in your language and many other potential barriers to benefitting fully from the web.  It also ignores the other ways the internets (plural) might be introducing benefits and risks into your life.  These range from how your military and emergency services communicate, to how money gets transferred, to how your nearest power station produces electricity.

Nonetheless, internet penetration is a good enough indicator to see that participation in the digital era is spreading like the economic waves that lifted first Europe and America and then Asia and Latin America.  Only this time the process is on fast forward and there’s no hitting pause on the remote.

The implications for cyber security capacity building

Thanks for sticking with me through part one of this blog post. In part two I’ll look at whether, in addition to an Income Gap and Digital Divide, there is also a Cyber Canyon.

The shoulders we stand on: the start of cyber security capacity building

Cyber security capacity building started a decade and a half ago. Fortunately, somebody took a snapshot.

“The longer you can look back, the farther you can look forward”

Winston Churchill

Graham Greene and I once held the same job title: British political officer in Sierra Leone. He went on to sell 20 million copies of his 24 novels and was twice shortlisted for the Nobel Prize in Literature.  I write this blog.

We did not actually do the same job: he was an intelligence officer and I was a diplomat. Nonetheless this started me thinking about who had come before me and what advice they would give if they were still around.

It is in this spirit that I’ve begun my new role in the Global Forum on Cyber Expertise (GFCE) secretariat, by looking back. I wanted to know where international cyber capacity building began.  What I’ve learnt is that it has its roots in the mid-2000s.  And fortunately somebody at the time had the foresight to take a snapshot.

When did cyber security capacity building start?

I am not so foolish as to try to put a definitive date on the origin of either cyber security or international cyber capacity building.  At least not yet. So instead I’ll start with a recap of four significant milestones:

In 1971, Bob Thomas wrote a programme that hopped between terminals on ARPANET (a precursor to the internet) and left the message: “I’m the Creeper: catch me if you can.”

In 1988, Robert Morris committed the first crime to be successfully prosecuted under the US Computer Fraud and Abuse Act. His Morris Worm disrupted 10% of the internet through a security experiment that turned into an unintended DDOS attack. The US government responded by establishing the first computer emergency response team (CERT/CC) at Carnegie Mellon University. Morris went on to become an MIT professor and multi-millionaire.

In 2002, the ITU Plenipotentiary in Marrakesh passed Resolution 130 giving ITU a mandate for “building confidence and security in the use of ICTs”. In the same year, NATO included the need for capacity building in its report, “Vulnerability of the Interconnected Society”.

In 2007, the ITU launched the Global Cybersecurity Agenda, with capacity building as one of its five strategic pillars. This emerged from the World Summit on the Information Society (WSIS), which pointed the way towards capacity building.

So, if we were to search for a start date to international cyber security capacity building we might reasonably begin looking between 2002 and 2007. 

It is our good fortune that during this period somebody was mapping the international cyber landscape. Even better, they wrote a book about it.

The hunt for project zero

“A story has no beginning or end: arbitrarily one chooses that moment of experience from which to look back or from which to look ahead.”

Graham Greene

Michael Portnoy and Seymour Goodman are my unsung heroes of cyber capacity building mapping.  In 2008, they wrote Global Initiatives to Secure Cyberspace: An Emerging Landscape.  A new copy from Amazon will cost you £113 ($145). I think it’s worth every penny (cent). Although I must confess to having bought a second hand copy.

What Portnoy and Seymour’s book gives us is a 176-page snapshot of international collaborative efforts to improve cyber security in the mid-2000s.  Very few of the international cyber initiatives they found were capacity building projects, but by sifting through those that were we can further narrow the window for their start.

Mapping the cyber security capacity building network: it just got easier

Doctors shocked by this one trick to visualise the international cyber capacity building network!

Okay, okay, by “doctors” I mean some people with PhDs and when I say they were “shocked” it might be fairer to say they were pleasantly surprised. But there really is a new shortcut to mapping the network of actors involved in international cyber security capacity building. And if you’ve read this far I hope you’ll find it useful.

What makes this new shortcut possible is an effort by the Global Forum on Cyber Expertise (GFCE) to collect information on international cyber security capacity building projects. This is making available new data sets and a project mapping tool that can simplify the task of visualising our community network to just a few clicks.

I’ve been lucky enough to be part of the team developing the GFCE’s project mapping tool. However in this personal blog I’d like to do something a little different. Instead of looking at the relationships between projects I’ll be using the same data – available to all – to look at the network of relationships between capacity building actors.

A simple network

To see a very simple network, with only implementers and the countries or regions they are helping, we can use the network chart in the GFCE’s project mapping tool. With the tool open, hover your mouse over the top right hand corner of the network and click the expand icon that appears. It should open a new page that looks like this…

The international cyber security capacity building network containing just implementers and host countries.
A simple network of implementers and the countries/regions they help

A richer network

To explore the network in greater detail I used a free visualising programme called Gephi and a plugin developed by the Oxford Internet Institute called sigma js. With these we now have a network that looks like this…

Hello World!

And so it begins. My first blog, to accompany my first Twitter account @TheRobCollett.

After two and a half years running international cyber security programmes for the UK, I’ve moved to a new role as Senior Advisor and UK liaison to the Global Forum on Cyber Expertise.

To accompany this new chapter in my professional life I’m starting this personal blog to share thoughts on cyberspace, the internet and capacity building. And possibly cats too. I haven’t decided about the cats.