Income Gap. Digital Divide. Cyber Security Canyon?

A look at the evidence for global inequalities in cyber security.

In my last post, I looked at the global Income Gap and Digital Divide. I asked why there are, proportionally, more billionaires in San Francisco than people with fixed broadband access in South Sudan.

In this post I’ll ask whether, in addition to an Income Gap and Digital Divide between countries, there is also a Cyber Security Canyon.

How to spot a Cyber Security Canyon

Before we search for a Cyber Security Canyon we should decide what we are looking for.  I propose that it would show up in the data as a significant inequality in the level of cyber security between countries.  By significant, I mean it would be on a similar, or greater, scale, to the inequality of the Digital Divide, where the top countries have internet access rates 5 times better than the lowest ranked countries. 

The chart below illustrates the size of the Digital Divide, using median household income data from Gallup, for the 131 countries they survey, and the corresponding internet access data from the ITU. Liberia is on the far left, with the lowest household income, and Norway is on the far right, with the highest.

If a Cyber Security Canyon exists, the countries on either side of it need not necessarily be the same as those on either side of the Income Gap and Digital Divide.  But it wouldn’t be a surprise if they were. 

The case for a Canyon

So, what evidence for a Canyon can we find?

I think the search gets off to a fruitful start if we begin by considering countries’ cyber security capacity and vulnerabilities. In the next chart, I’ve plotted an indicator of national cyber capacity in green and an indicator of national vulnerability in red. The trend lines are shown with dashes.  The capacity indicator is the ITU’s Global Cybersecurity Index score. For vulnerability, I use the Microsoft malware encounter rate – the percentage of PCs in a country on which Microsoft detects malware in a given time period (Q1 2017 in this case).

Looking first at the national capacity indicator, the lowest income countries have a Global Cybersecurity Index score of around 0.2-0.3. ITU use an ordinal scoring system in which a country with a score of 0.2-0.3 has very basic capacity in some dimensions of cyber security and no capacity at all in others.  By contrast the highest income countries have GCI scores around 0.8-0.9, which equates to having advanced levels of cyber capacity in almost all dimensions. 

When we turn to the malware encounter rate we see the mirror relationship.  In low income countries Microsoft finds malware on around 20-25% of PCs, compared with around 5% in the high income countries. 

The malware infection rates in the lowest income countries are 4 to 5 times worse than those in the highest income countries. The ITU capacity scores for the highest income countries are more than 4 times better than those of the lowest income countries (although that could of course change if ITU changed their scoring system).

This is beginning to look like a Canyon. Because of the main indicator, I’ll call it a Cyber Capacity Canyon.

This is not the Canyon you are looking for

Wouldn’t it be useful if we could neatly conclude that cyber security is four times better in the highest income countries than the lowest?  Of course, life is never that simple.

Most importantly, we still haven’t defined what we mean by better cyber security.  I suggest that in most cases when we dig into what ‘good cyber security’ means we get down to the underlying, and more concrete, concepts of cyber risk and cyber harm. 

Bear with me here…. A country or organisation achieves good (or adequate) cyber security when its control measures are sufficient to reduce its cyber risk exposure to the level of its risk appetite.  Once a country achieves good cyber security it should find in the future that the cyber harm it actually experiences is at or below the level of harm it was willing to accept as the price of being digitally connected.

So, if we are talking about cyber risk or cyber harm when we talk about ‘good cyber security’, then what can our two indicators tell us about them?  Unfortunately, on their own, not as much as we’d like. 

The malware encounter rate can be an indicator of cyber harm, but we would need to find some method of translating infection rates to dollar cyber harm values in a way that works whether the PCs are in Canada or Cameroon.  I’m not aware of such a method.

As for cyber risk, both indicators can tell us something about that, but they are only part of the equation. I’ll explore competing interpretations of cyber risk in a future blog, but for now let’s use a basic formula from many management textbooks:

(Cyber) Risk  =  Threat  x  Vulnerability  x  Impact

Both the Microsoft malware encounter rate and the ITU GCI score are national indicators for the middle term: vulnerability.  They tell us almost nothing about threat or impact and therefore can give us only a very incomplete picture of cyber risk.

When we gather data for cyber risk and cyber harm we may find that there is no Cyber Security Canyon, or that it looks quite different to the Cyber Capacity Canyon we’ve seen so far.  I can only speculate.

Cartoon illustration of what a cyber security canyon between poor and rich countries might look like. Links to the global Income Gap and Digital Divide inequalities.

Can we rely on our indicators?

We need more cyber indicators to capture risk and harm, but can we even be sure the indicators we already have are reliable? 

What I find most striking about the two cyber indicators I’ve used in this blog is the difference in their deviation around the trend line.  The Microsoft encounter rate sticks pretty closely to its trend line, but the ITU’s GCI score deviates noticeably.  In the GCI data we see countries with near identical low incomes where one has almost zero cyber security capacity and the other has a capacity level just short of the most advanced cyber nations.  We don’t find that pattern in the ITU’s internet access data.

Suffice to say the lower deviation in the Microsoft data means it’s the cyber indicator in which I have greater confidence.  However, I appreciate the effort that has gone into producing both data sets over several years and I expect the trend line in the ITU’s data will be confirmed by other capacity review studies.

The need for further research and cyber security capacity building

I feel fairly confident we have found a Cyber Capacity Canyon, but more is needed to explore its geography.  By augmenting ITU’s capacity data with other sources we could be more confident that it is as wide as it looks. By adding other indicators, for example covering threat and impact, we could see if it extends into the territory of cyber risk and cyber harm – meaning we’ve found a Cyber Security Canyon.

Should we wait for this further research before acting?  I think that would be a mistake. We have enough data to know that poorer countries are being left behind in terms of their capacity to protect themselves and their populations.  That alone is enough reason to act now: for their sake and for the sake of the global systems that are connected to them.

Now is the time for international cyber security capacity building.

Income gap. Digital divide.

Why is it easier to find a billionaire in San Francisco than a fixed broadband connection in South Sudan?

Proportionally, more people are billionaires in San Francisco (1 in 11,600) than have fixed line broadband in South Sudan or the Democratic Republic of the Congo.

How did we get here? And what does it mean for cyber security capacity building? Part one of a two part blog.

It now matters where you live: income inequality between countries

It seems obvious today that the country we live in makes a big difference to how much we earn. But that’s a relatively new development. 

Two hundred years ago, where you lived made little difference to your income.  Pretty much everyone lived in what we call extreme poverty and had a life expectancy of around 30 years.  In 1820, a building labourer in Africa could use their daily wage to buy food with enough calories to last them 3 days.  In Western Europe, the daily wage for the same job bought you 12 days of food. Both situations were pretty precarious. What mattered to your income was not where you lived, but what you did: beggar, building labourer or banker.

Jump back to the present and it’s where you live that is the greater determinant of your income.  A building labourer in Africa can now buy 18 days of calories with a daily wage, while their counterpart in Western European (or San Francisco) can buy 163. The former’s life expectancy at birth is 61 and the latter’s is 80.

The recent importance of where you live on your income is shown in the chart below by Our World In Data. Total global income inequality is the top line in green. Its component parts are: income inequality between countries (red); and income inequality within countries (blue). As you can see, around 1930 the country you live in overtook the work you do as the key driver of income.

Global inequality between world citizens and its components 1820-1992

So, the first part of the answer to “how did we got here?” is that geography has started to really matter. Why is that?

The Great Divergence and The Great Convergence

As we saw, in the early 1800s every country was in a similar position in terms of per capita income. Then from the mid to late 1800s Europe, North America and Australia began to experience unprecedented growth and, for a time, left the other regions behind. This has been called the Great Divergence.

The Great Divergence (source: The Economist)

This explosive growth has been accounted for with competing theories ranging from the shameful (slavery) to the inspiring (two industrial revolutions) to the accidental (having coal reserves near major cities).

By 1975 its impact on global income distribution was a divided world. The ‘West’ were earning around $15 a day (in 2011 prices), while ‘The Rest’ were distributed tightly around $0.8 a day – well below the poverty line.

The Great Divergence

All this changed again after 1980. The Great Divergence was followed by the Great Convergence, as India, China and others rapidly narrowed the gap. The animation below shows this catch up until 2011, but it is a trend that continues today. The country we live in is still important for our income, but it is beginning to matter less than it did at its 1980 peak.

Global Income Distribution 1988 to 2011

However, even after the Great Convergence, there remain deep pockets of poverty, especially in Sub Saharan Africa.

The situation in which some countries find themselves – blessed by rich natural resources and cursed by conflicts or weak governance – has been called a poverty trap. South Sudan and DRC exemplify these conditions and it is in these that we find the greatest contrast with San Francisco in terms of both income and internet access.

What you do always mattered: income inequality within countries

Turning now just to America, I’ll admit that the prevalence of billionaires in San Francisco took me by surprise, but the reasons for it are familiar.  America benefitted most from the Great Divergence and invested some of its wealth in world class tech research institutions on its west coast. Those institutions helped start a third (digital) industrial revolution and tech firms clustered around their talent. And a decade of acquisitions by the largest tech players has created some very rich people. 

The world’s c.2,600 billionaires make up about 0.000002% of its population.  Over the past four decades, despite the 2008 recession, they’ve achieved greater proportional income and wealth growth than any other group.

World Inequality Report 2018 – The “Loch Ness Monster” chart

The rapidly rising income of the billionaires is the extreme point in a wider trend: since 1980 income inequality within countries has been rising, both in America and globally (see the blue line on the first chart). This comes after a period of falling inequality from 1910 to 1950.  The better off are once again pulling away from the lowest and middle earners.

‘I know my place’ sketch on The Frost Report, 1966

The digital divide

That was a lot of economics for a cyber blog, but here’s the crunch.  How your country – and even your city – fared in the last two centuries of the Great Divergence and the Great Convergence will significantly influence both your ability to pay for internet access and the price you pay for it.

An assistant professor in Juba, South Sudan, earns $54 a month and would be charged $200 a month for home broadband.  One in San Francisco makes $7,400 and pays $50.  Unsurprisingly, internet penetration in South Sudan is 17% (thanks to mobile) compared with 89% in the US.

As a rule of thumb: the higher a country’s median income, the more people it has online

To compare the US and South Sudan is to look at the extremes, but, as with income, the picture looks a lot more positive in the middle.  There are now over 3 billion people online, 2 billion of them in low and middle-income countries. In 1820, there were only 1 billion people on the planet.

The ITU estimate 48% of the world’s population were online by 2017:

Internet users per 100 people 1996-2017 (source: ITU)

The percentage of a population online – internet penetration – is a crude measure of access.  It ignores the price you pay, the speed of your connection, what proportion of online sites and services you can access, whether you trust them enough to use them, whether there is content in your language and many other potential barriers to benefitting fully from the web.  It also ignores the other ways the internets (plural) might be introducing benefits and risks into your life.  These range from how your military and emergency services communicate, to how money gets transferred, to how your nearest power station produces electricity.

Nonetheless, internet penetration is a good enough indicator to see that participation in the digital era is spreading like the economic waves that lifted first Europe and America and then Asia and Latin America.  Only this time the process is on fast forward and there’s no hitting pause on the remote.

The implications for cyber security capacity building

Thanks for sticking with me through part one of this blog post. In part two I’ll look at whether, in addition to a Income Gap and Digital Divide, there is also a Cyber Canyon.