Cybersecurity capacity building: levelling the field

The digital poverty gap is growing and it’s not going to end well

The gap in global digital access makes for pretty sobering reading. You and I may take uninterrupted, mobile, rapid access to the internet for granted and many of us curse being accessible 24/7 anywhere in the world. But, around half of the world’s population has little or no access to the internet at all and as a result do not enjoy the benefits of digital enablement in the areas of business, trade, education, healthcare, banking, and countless other domains. Put simply, if the digital poverty gap keeps growing it will – despite massive development investments in the real world – accelerate the real-world poverty gap.

In response to this issue, the UN and International Telecommunications Union have pledged to link the ‘unconnected 3.5Bn’ to the internet and to the host of opportunities and accelerants that goes with it.

The problem is that along with all those opportunities and accelerants come a host of new risks. And it is exactly these newly connected users for whom those risks are going to be greatest. This is because as well as lower levels of cyber access, poor countries have far lower levels of cyber security. Analysis of the last three iterations of the Global Cybersecurity Index clearly reveals this growing cybersecurity poverty gap. Countries which scores towards at the bottom of the index in 2017 have largely stayed weak or got weaker, where those at top have reinforced their already high scores. The overall trend is clear:  if your nation is in the upper quartile, your score is either going to stay high or get better. If you are in the lower quartile, that’s where you are destined to stay.

Simply put, the ‘cyber haves’ are getting better, faster, more secure internet and all the benefits it brings, and the ‘cyber have nots’ are, well, not.

So, if we connect the ‘other half’ of the world’s population –  the vast majority in poor communities in Africa and the Indo-Pacific – to the internet it is highly likely that we plunge them into cyber-insecure environments, effectively doubling the number of people highly vulnerable to fraud, identity theft, disinformation, hacking and blackmail.

Of course digital access itself matters. When people lack internet connectivity, they risk being left behind not only digitally but economically, professionally, culturally and socially. But the digital security gap matters too. If we do not intervene in sensitive and sustainable ways to support poor nations with their cybersecurity capacity then, despite the drive to connect the unconnected, we will continue to preside over a widening cyber poverty gap and all the inequalities this brings.

So what can be done? A good start would be to acknowledge that although we know that there is a digital security gap, we don’t fully understand why. Do poorer countries have poor cyber security because of lack of national funding resources? Is it because donors are applying their resources to the wrong places or in the wrong ways? We believe a longitudinal review of why the GCI index ratings have changed over time, and changed differently in different places, would reveal a small number of key ‘digital security poverty drivers’, and help us work out what to do about them.

In advance of a holistic, data-driven analysis, and drawing on the TAG Cyber Security Programme’s global cyber ecosystem development work, we propose, as a start point, three questions for further consideration.

Firstly,  how do we help poor countries keep their home-grown cyber expertise at home? Trained cyber experts carry high value in the labour market, and that market is a global one with obvious potential for brain-drain. How do we help create the career infrastructure needed to incentivise local national experts to stay, long term, in their home countries and help government and the private sector secure the national online environment?

Secondly, how much is this a problem not of capacity or resources but of will? Hitherto unconnected countries are unlikely, by definition, to have been the targets of online attack. So short of simply letting those attacks happen, how can we demonstrate the severity of the risk or the existential nature of the impact of an attack on the national financial, energy or health sectors?  In other words, how can we make cybersecurity a problem worth solving?

Thirdly, how do we overcome institutional resistance to collaboration?  This is a feature of many developing governance environments, but also of developed ones. If it’s hard to get European or American public agencies and private sector partners to align their planning, share their threat intelligence and pool their resources, how can we do that in countries with, at best, nascent political settlements? How do we overcome the political contestation, factionalism, suspicion and knowledge-is-power ethos to help create an enabling environment for what is, by definition, a multi-partner challenge. TAG’s cyber security work in the Balkans, Africa and the Caucasus has proven that it is possible, despite the politics, to get everyone in one room and speaking with one voice. The next challenge is to get everyone acting with one intent.

We at TAG are wrestling with these issues every day, and we’re making progress. But we need a truly global conversation about it, because narrowing the digital access gap while simultaneously increasing the digital security gap is not, for national stability or global equality, going to end well.