Securing the Modern Economy: Transforming Cybersecurity
Through Sustainability
by Megan Stifel
April 2018
Executive Summary

Headlines remind us daily that our use of technology is fraught with opportunity and risk. The advent of the internet and other information and communications technologies has fostered economic growth, modernized industry, and simplified daily life. At the same time, consumers feel less secure in their engagements online, which is contributing to a growing distrust of technology. Cybersecurity, or information security, are efforts undertaken to ensure the confidentiality, integrity, and availability of information. Considered broadly, cybersecurity includes a range of societal policies, from education and consumer awareness to insurance programs, corporate governance, and international relations. Maintaining public trust in technology relies in significant part on all stakeholders prioritizing cybersecurity.

Weak device security and constrained network management practices recently enabled a distributed denial-of-service (DDoS) attack to knock out portions of the internet on the U.S. East Coast. In 2016, organizations’ fraud losses increased over 60 as a result of consumer account takeovers facilitated by password compromises.[1] These outages and losses demonstrate that the current cybersecurity compliance and risk management models allow for too much short-term focus that has not and cannot build the types of resilient technologies necessary to support long-term public confidence and sustain the economic growth that development and adoption of interconnected things, also known as the “Internet of Things,” or IoT, can foster. Known insecurities together with thousands more devices forming the Internet of Things create a ticking time bomb that risks a calamity of public confidence that could undermine the modern economy and democratic institutions. If we want to avoid this public trust disaster, we must adopt a sustainable approach to cybersecurity.

Governments, industry, and civil society generally agree that the internet and information and communications technologies (ICTs) are a shared resource and a unique ecosystem. They also increasingly recognize that cybersecurity is a common good. As such, in addition to a cybersecurity moonshot to improve the security of the internet ecosystem, we must also look to effective societal approaches that employ common goods to successfully manage ecosystems. Sustainability is one such successful approach. Sustainable cybersecurity is an approach in which stakeholders’ interactions with the ICT ecosystem are understood and deliberate, and where each participant understands its responsibility as a steward to respect and protect the ecosystem to preserve its future use.

While all analogies ultimately break down, elements of sustainability management are particularly relevant to cybersecurity. To begin, companies that adopt sustainability governance practices are more successful than those that do not. Thus, contrary to the common perception that “doing good” cuts into “doing well,” adopting sustainable policies can add to an organization’s bottom line. This is also the case for implementing cybersecurity best practices. Moreover, ICTs underpin almost every modern-day transaction, from the delivery of electricity and water to banking, shopping, manufacturing, and correspondence. As is increasingly apparent, failure to ensure the confidentiality, integrity, authenticity, or availability of the information facilitating these activities can result in critical failures for associated and unrelated information, devices, and actions. These failures risk reputation, income, assets, and the very longevity of the organization as a going concern. As a result, like sustainability, cybersecurity is becoming a “C-suite” issue. Just as past business operations may have contributed to climate change and other traditional sustainability challenges, many of today’s cybersecurity issues are the result of business practices that failed to adequately consider the broader implications of a particular decision.

[1] RSA Ebook, 2017 Consumer Cybersecurity Confidence Index, at 2 (last visited April 12, 2018), https://www.rsa.com/content/dam/pdfs/5-2017/rsa-consumerconfidenceindex-ebook.pdf.
The sustainability movement and cybersecurity also have in common the opportunities and challenges of interoperability and scale. Sustainability policy emerged from the need for global collective action. In recent decades, large groups of stakeholders across the world have adopted sustainability policies and programs to tremendous effect. Similarly, ICT interoperability has fostered an ever-expanding global marketplace and strong economic growth. But that marketplace and associated growth are at risk from growing distrust of ICTs due in part to their inadequate security. Sustaining cybersecurity in the modern economy means being intentional about interoperability and the business choices that should be made to securely enable it.

Noteworthy, too, is the critical role cybersecurity plays in core sustainability practices. As with most operations today, information and communications technologies increasingly, if not completely, support traditional sustainability actions as identified by the United Nations Global Compact 10 Principles and the 17 Sustainable Development Goals. In addition to operational tracking and compliance to achieve desired objectives, these sustainability policies and processes also enable organizations to be more transparent about their decisions. Furthermore, the cybersecurity nexus to these now commonplace business practices suggests organizations’ existing sustainability processes and policies likely provide a foundation upon which to incorporate and scale enhanced approaches to cybersecurity, including greater transparency. Enhanced transparency enables both supply and demand side to understand a product’s provenance and contributes to market forces for more secure products.

Finally, sustainable cybersecurity can enhance national security. The private sector owns and operates 80-90 percent of all ICTs; they also research and build them. As such, efforts to manage the use of ICTs must account for all stakeholders, which can limit the effectiveness of multilateral agreements around the misuse of ICTs. If the private sector builds and uses ICTs in a more sustainable manner, the ability for nation states to misuse them becomes more difficult, decreasing the likelihood and benefits of misuse. Thus, thinking sustainably about cybersecurity may ultimately constrain nation state misuse of ICTs. In addition, to the extent that lax security and privacy policies across the ecosystem have facilitated the current misuse of ICTs to undermine democracy, collective action to better secure these assets should be recognized as a reinforcement to democracy and a buttress against further attacks through ICTs. Sustainable cybersecurity supports and enables stable democracies.
Through sustainable cybersecurity practices, stakeholders around the world can be intentional as they participate in and contribute to the modern economy, whether in developing products and services, running a household, operating critical infrastructure, or formulating national policies. As a result, incorporating elements of sustainability management into cybersecurity will help reframe perceptions of cybersecurity from fear, uncertainty, and doubt to a more proactive mindset of opportunity, transformation, and dynamism. This shift, we assert, will in turn lead to improved cybersecurity practices by all stakeholders and ultimately a more secure, resilient, and enduring ICT ecosystem to support the modern economy. Through this collective effort, all stakeholders can have greater confidence and trust that information and communications technologies will securely support today’s innovations beyond tomorrow.

The paper concludes with a set of priority actions each stakeholder group can take collectively to improve cybersecurity. In the coming months Public Knowledge will convene a series of discussions around the concept of sustainable cybersecurity, the legal and policy constraints to implementing such an approach, and the incentives that could spur rapid transition to sustainable cybersecurity.
Introduction

Increasingly, data, information, and the devices that process them are driving the global economy and enabling its growth. The digital economy, a subset of the overall economy, is set to experience exponential growth due to the development and adoption of interconnected things, also known as the “Internet of Things,” or IoT. This new growth follows a decade (2006-2016) in which the digital economy grew at a rate faster than the overall economy, 5.6 percent compared to 1.5 percent per year.[2] The increase in data and its critical role in the global economy has led several, including White House Cybersecurity Coordinator Rob Joyce and the Economist, to analogize data to oil.[3] Joyce further noted that, in contrast to limited resources like oil, clean air, and water, when measured by the number of devices connecting to it, the internet is, at this time, unlimited.

Unfortunately, there is an evolving risk that threatens today’s internet and the economic and social good that it supports. That threat is growing global mistrust of information and communications technologies (ICTs), which are a broad collection of interconnected devices, including but not limited to the colloquial internet. The 2018 RSA Privacy and Security report found that 78 percent of respondents limit the amount of personal information they put online or share with companies.[4] A 2015 Pew Research Center study presaged one reason for this practice: in addition to concerns about economic sectors that Americans associate with data collection and monitoring, “Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.”[5] And in 2016, the National Telecommunications Information Administration reported that lack of trust in internet privacy and security deters consumers from engaging in certain electronic transactions and other e-commerce activities.[6]

[2] See BUREAU OF ECONOMIC ANALYSIS, Initial Estimates Show Digital Economy Accounted for 6.5 Percent of GDP in 2016, BEA.GOV (March 15, 2018), https://blog.bea.gov/2018/03/15/initial-estimates-show-digital-economy-accounted-for-6-5-percent-of-gdp-in-2016/.
[3] See THE ECONOMIST, The World’s Most Valuable Resource Is No Longer Oil, But Data, ECONOMIST.COM (May 6, 2017), https://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource.
[4] See RSA, 2018 RSA PRIVACY & SECURITY REPORT 7 (2018), https://www.rsa.com/content/dam/en/e-book/rsa-data-privacy-report.pdf.
[5] Mary Madden & Lee Rainie, AMERICAN’S ATTITUDES ABOUT PRIVACY, SECURITY AND SURVEILLANCE 3 (Pew Research Center ed., 2015), http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/; see also CENTRE FOR INT’L GOVERNANCE INNOVATION, 2017 CIGI-Ipsos Global Survey on Internet Security and Trust, CIGIONLINE (last visited Apr. 2, 2018), https://www.cigionline.org/internet-survey.
[6] See Rafi Goldberg, Lack of Trust in Internet Privacy and Security may Deter Economic and Other Online Activities, NTIA (May 13, 2016), https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-online-activities.
These studies, paired with near daily data breaches and other security headlines, remind us that the current approach to cybersecurity -- though increasingly more appropriately focused on risk management and less on compliance -- is still insufficient to secure the modern economy. It is, in a word: unsustainable. In addition to the risks presented by consumer-grade IoT,[7] the growing prevalence of smart cities and connected critical infrastructure further increases the dangers current cybersecurity practices pose to the longevity of the broader ecosystem. Add the trust challenges of “fake news” and the growth of artificial intelligence and the opportunities for strategic failure grow exponentially.

In short, we face a ticking time bomb as IoT emerges across economies thereby significantly expanding known cybersecurity challenges, and today’s model for dealing with these developments underestimates their danger and under-invests in protection. We therefore believe a fundamental shift in approach, from short-term market signals to sustainability, is essential to minimize the likelihood of a calamity of public confidence that could undermine the modern economy and democratic institutions. Sustainable cybersecurity is an approach in which interactions with the ICT ecosystem are understood and deliberate, and where each participant understands its responsibility as a steward to respect and protect it to preserve its future use. Transitioning to a sustainability-style approach to cybersecurity will require the most powerful societal institutions to shift course without delay and in parallel, and includes commitments from (1) businesses to revise managerial approaches to better allocate investment strategies and assess profitability measurements (internalize externalities); (2) governments to evolve national strategies; (3) insurers to shift incentives through new underwriting parameters; (4) educational institutions to modernize curricula; and (5) consumers to learn the relevant elements of cybersecurity and build them into daily life.

This paper proposes that incorporating elements of sustainability management into cybersecurity will help reframe perceptions of cybersecurity from fear, uncertainty, and doubt to a more engaging mindset of opportunity, transformation, and dynamism. This shift, we assert, will in turn lead to improved cybersecurity practices by all stakeholders and ultimately a more secure, resilient, and enduring ecosystem to support the modern economy.[8] We reach this conclusion by outlining several key aspects of sustainability and considering their relevance and application in the context of cybersecurity. The paper concludes with a list of priority actions each stakeholder group can take collectively to improve cybersecurity.

[7] Malicious actors will increasingly use compromised IoT devices to launch global automated attacks. See The President’s National Security Telecommunications Advisory Committee, NSTAC Report to the President on Internet and Communications Resilience 1 (Nov. 16, 2017), https://www.dhs.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20ICR%20FINAL%20%2810-12-17%29%20%281%29-%20508%20compliant_0.pdf.
[8] See Maria Bada, Jason R.C. Nurse, and Angela Sasse, Cyber Security Awareness Campaigns: Why do they fail to change behavior?, GLOBAL CYBER SECURITY CAPACITY CENTRE (Sept. 15, 2016), https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/csss2015_bada_et_al.pdf.
Traditional approaches to cybersecurity are insufficient for the modern economy.
Security challenges have confronted users since the earliest days of interconnected networks. Network administrators initially used compliance-based approaches to address these challenges, which required administrators to complete a series of tasks, often checklists, to comply with established security requirements. However, scaling compliance to increasingly complex and expansive networks that include not only computers but also mobile and other smart devices has become increasingly less effective in securing interconnected networks. In recent years, in order to help prioritize the assets most critical to an organization’s operations, the approach to cybersecurity has begun to shift from compliance to risk management. While risk management can be effective in reducing security risks to enterprise networks, it can be less useful in guiding organizations’ decisions about the security of programs and devices that might form or connect to those networks, particularly for organizations whose offerings have suddenly become “connected.” An effective approach to cybersecurity must expand the current understanding of the cybersecurity lifecycle to include inputs that can affect the operation of the network and the networks to which it connects.

Today’s economy runs on data, and for too long a primary focus has been on connecting and collecting it without appropriate concern for protecting it. A number of factors have contributed to the present state. First, inadequate education and training – such as teaching information security in only narrow fields, if any – have contributed to poor hardware and software design and development procedures[9] and weak network architecture and protection. Next, business decisions to be first-to-market rather than secure-to-market have flooded the marketplace with products suffering from known vulnerabilities and little or no updatability. Finally, consumers have made choices with insufficient knowledge and understanding of product and service security and privacy features, forcing them to bear too much responsibility for the security of their data and the devices that generate it.[10]

The consequences of this short-term approach to cybersecurity appear regularly in newspapers around the world. The most critical of computer hardware was for decades vulnerable to acute security weaknesses;[11] multiple governments and organizations have had sensitive consumer personal data and proprietary corporate information compromised;[12] and industrial control systems and other critical infrastructure have been unlawfully accessed by criminals and nation state actors.[13] More recently, poorly secured IoT has become a force multiplier for malicious actors who continue to expand the scale and impact of distributed denial-of-service (DDoS) attacks.[14]

[9] See Brenden I. Koerner, Inside the Cyberattack that Shocked the US Government, WIRED (Oct. 23, 2016, 5:00 PM), https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/.
[10] See generally THE COUNCIL OF ECON. ADVISORS, THE COST OF MALICIOUS CYBER ACTIVITY TO THE U.S. ECONOMY (Council of Economic Advisors, Feb. 2018), https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf. (“CEA Report”).
[11] See Michael Lines, Meltdown/Spectre: The First Large-Scale Example of a “Genetic” Threat, DARK READING (Feb. 20, 2018, 10:30 AM), https://www.darkreading.com/vulnerabilities---threats/meltdown-spectre-the-first-large-scale-example-of-a-genetic-threat/a/d-id/1331071?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple; see also Brad Chacos & Michael Simon, Meltdown and Spectre FAQ: How the critical CPU flaws affect PCs and Macs, PCWORLD (Feb. 22, 2018, 7:14 AM), https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html.
Stakeholder misconceptions about market interest in security capabilities exacerbate the results of society’s suboptimal choices. For example, a recent study of communications service providers (e.g., telecommunications carriers) and purchasers (e.g., enterprises such as corporations) found that enterprises were willing to pay a 15 percent premium to support compliance with secure internet routing practices (the process of transmitting packets over the internet).[15] The same study revealed that service providers underestimated the value their customers place on security and highlighted that providers’ security posture is a characteristic to distinguish competitors.[16] This disconnect highlights the need for additional analysis of enterprise and consumer willingness to pay more for better security, and not just in the connectivity and transmission context. At the same time, it begs the question of whether or not they should have to. Security is a fact of doing business. Doing it right should not always have to cost enterprise customers and individual consumers more. But to date, doing it wrong has – perhaps most significantly in risking public trust in ICTs.
Together with these misperceptions, current market incentives do not support adequate cybersecurity investment and funding.[17] Often, the organizational victim of malicious cyber activity could have avoided or reduced its impact by investing in cybersecurity during procurement, employee training, and network design and management, to name but a few effective approaches. “When market incentives encourage manufacturers to feature security innovations as a balanced complement to functionality and performance, adoption of tools and processes that result in highly secure products is easier to justify.”[18] The government, institutional investors, and other relevant stakeholders must emphasize that investment in cybersecurity in the early stage of a product or service development, as well as in network architecture and management, are more cost effective than attempting to bolt it on just before going to market, or failing to address it at all.[19]

Inadequate cybersecurity practices by governments and non-governmental organizations (NGOs) present a particularly pressing concern given the critical roles of such organizations in the ecosystem and in influencing public perceptions of trust.[20] Insecure networks risk not only becoming part of the problem, but also the target. Criminals and nation states can take advantage of vulnerabilities in networks to, for example, build a botnet,[21] which can be directed at any number of internet-connected devices, from home refrigerators to smart factories to medical devices, regardless of these targets’ proximity. Given challenges in attributing cyber activity, poor cybersecurity practices by governments in particular can potentially exacerbate the consequences and further erode public trust in ICTs - if, for example, a government were to take action abroad in response to malicious activity enabled by a poorly configured system that has been compromised by actors operating in a third country. And yet, due to the increasingly prevalent role ICTs play in all aspects of society, the same concerns about unintended consequences could be said for almost all stakeholders’ cybersecurity actions.[22]

Furthermore, the effects of the current unsustainable approach to ICT security threaten not only strong digital economies, but also nascent ones. Failure to trust and adopt ICTs, due in part to their insecurity, risks countries realizing the benefits these emerging digital populations could experience in the modern economy. At the same time, authoritarian regimes exploit insecure ICTs and their effects to develop legal systems that undermine privacy in the name of security. These governmental policies can take many forms, from unchecked access to communications’ metadata and content to data localization and source code requirements, any one of which can undermine security and privacy and thereby public trust in information and communications technologies. Stakeholders’ failure to address ICT security challenges throughout the ecosystem may cost emerging digital economies the opportunity to see the true economic and social benefits interconnection can bring.

[12] See Michael Adams, Why the OPM Attack Is Far Worse Than You Imagine, LAWFARE (Mar. 11, 2016, 10:00 AM), https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine; see also, THE UNITED STATES DEP’T. OF JUSTICE, US Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage, JUSTICE.GOV (Nov. 27, 2017), https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations.
[13] See THE UNITED STATES DEP’T. OF JUSTICE, Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector, JUSTICE.GOV (Mar. 24, 2016), https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged; see also, Joseph Berger, A Dam, Small and Unsung, Is Caught Up In An Iranian hacking Case, NEW YORK TIMES (Mar. 25, 2016), https://www.nytimes.com/2016/03/26/nyregion/rye-brook-dam-caught-in-computer-hacking-case.html.
[14] See Dan Gooden, US service provider survives the biggest recorded DDoS in history, ARS TECHNICA (Mar. 3, 2018, 4:24 PM), https://arstechnica.com/information-technology/2018/03/us-service-provider-survives-the-biggest-recorded-ddos-in-history/.
[15] See 451 RESEARCH, MANRS PROJECT STUDY REPORT 7 (Commissioned by Internet Society, Aug. 2017), https://www.routingmanifesto.org/wp-content/uploads/sites/14/2017/10/MANRS-451-Study-Report.pdf.
[16] Id. at 10.
[17] See generally CEA Report, supra note 10.
[18] THE SECRETARY OF COMMERCE AND THE SECRETARY OF HOMELAND SECURITY, A REPORT TO THE PRESIDENT ON ENHANCING THE RESILIENCE OF THE INTERNET AND COMMUNICATIONS ECOSYSTEMS AGAINST BOTNETS AND OTHER AUTOMATED, DISTRIBUTED THREATS: DRAFT FOR PUBLIC COMMENT 23 (Jan. 5, 2018), https://www.ntia.doc.gov/files/ntia/publications/eo_13800_botnet_report_for_public_comment.pdf. (“Internet Resilience Draft Report”).
[19] See id. at 33-34; see also, Robert Hawk, DevSecOps: The Importance of Building Security from the Beginning, DARK READING (Mar. 9, 2018, 10:30 AM), https://www.darkreading.com/endpoint/devsecops-the-importance-of-building-security-from-the-beginning/a/d-id/1331210?_mc=sm_dr&hootPostID=4af20634b103363ab773998659c63368; Leigh-Anne Galloway, A Secure Development Approach Pays Off, DARK READING (Mar. 2, 2018, 10:30 AM), https://www.darkreading.com/application-security/a-secure-development-approach-pays-off/a/d-id/1331154?ngAction=register&ngAsset=389473.
[20] See, e.g., Dante Disparte, Cities Held For Ransom - Lessons From Atlanta's Cyber Extortion, FORBES (Apr. 2, 2018, 9:30 AM), https://www.forbes.com/sites/dantedisparte/2018/04/02/cities-held-for-ransom-lessons-from-atlantas-cyber-extortion/#54f4d935996b; Ajay Bhalla, Bhaskar Chakravorti, & Ravi Shankar Chaturvedi, The 4 Dimensions of Digital Trust, Charted Across 42 Countries, HARVARD BUSINESS REVIEW, https://hbr.org/2018/02/the-4-dimensions-of-digital-trust-charted-across-42-countries (Feb. 19, 2018).
[21] See, e.g., UNITED STATES DEP’T. OF HOMELAND SECURITY, THE INCREASED THREAT TO NETWORK INFRASTRUCTURE DEVICES AND RECOMMENDED MITIGATIONS (National Cybersecurity and Communications Integration Center, Aug. 30, 2016), https://cyber.dhs.gov/assets/report/ar-16-20173.pdf; UNITED STATES DEP’T. OF HOMELAND SECURITY, Binding Operational Directive BOD-16-02, Threat to Network Infrastructure Devices (DHS Sept. 27, 2016), https://cyber.dhs.gov/assets/report/bod-16-02.pdf.
[22] See Danny Palmer, Ransomware for robots is the next big security nightmare, ZDNET (Mar. 9, 2018, 7:47 AM), http://www.zdnet.com/article/ransomware-for-robots-is-the-next-big-security-nightmare/.
Even well-intentioned regulatory efforts that directly and indirectly improve cybersecurity, e.g., the General Data Protection Regulation (GDPR), can fall short.[23] Although the results of these efforts are not yet calculable, this varied regulatory landscape presents challenges for organizations operating internationally and highlights the limitations national and regional regulatory regimes face in truly enhancing cybersecurity on a global scale.

These shortfalls and limitations evidence a need for a more holistic approach to ICT security and privacy. Public and private organizations and consumers should collaborate to identify best practices and frameworks that transcend boundaries, national laws, and cultures to create a cohesive ICT security agenda to sustain the modern economy into the future. An enduring approach should view the security of ICTs and associated privacy enhancements as critical to their sustainability, and thus the sustainability of the modern economy. As Palo Alto Networks CEO, Mark McLaughlin, has cautioned, “The life of the digital age is literally at risk if we don’t advance security prevention.”[24]
Recent developments portend a more holistic approach to cybersecurity.
In recent months, in part as a result of growing distrust in ICTs,[25] many cybersecurity firms, among other organizations, are beginning to extol the broader importance of cybersecurity, and it is not just to sell more goods and services. Rather, they recognize that cybersecurity is essential to the modern economy, and that weak security is eroding public trust in the tools that enable it. In late 2017, a cybersecurity company CEO remarked that “what cybersecurity companies know should be a public good.”[26] This belief reflects that of a growing number of public and private organizations who describe cybersecurity as a shared responsibility. In terms quite similar to environmental stewardship – a field known for its sustainability practices, a recent report for the Internet Society noted the “value of contributing to the overall security of the internet community”[27] in highlighting the benefits of implementing internet routing best practices.

[23] Lincoln Kaffenberger, Emanuel Kopp, & Christopher Wilson, Cyber Risk, Market Failures, and Financial Stability, Int’l Monetary Fund Working Paper 185 (2017), at 17, 30 (“The regulatory regime should encourage ongoing vigilance by boards and senior management to build resilience through investment in cybersecurity while giving institutions flexibility to address the risks in the way they see as optimal. However, actions by individual countries—and by financial sector participants alone—will not be sufficient.”).
[24] See David Needle, Palo Alto Networks CEO “Next Gen Security Solutions Must Restore Trust”, RSA CONFERENCE (Mar. 3, 2016), https://www.rsaconference.com/blogs/palo-alto-networks-ceo-nex-gen-security-solutions-must-restore-trust.
[25] See, e.g., Stephanie Johnson, Palo Alto Networks Academy: Protecting Life in the Digital Age One Student at a Time, PALO ALTO NETWORKS (Feb. 26, 2018, 1:00 PM), https://researchcenter.paloaltonetworks.com/2018/02/palo-alto-networks-academy-protecting-life-digital-age-one-student-time/ (“Cybersecurity is essential to maintaining trust in our digital way of life.”).
[26] Needle, supra note 24.
Public recognition of the need for collaborative actions to improve cybersecurity extends well beyond cybersecurity firms. At the 2018 World Economic Forum (WEF), WEF announced the Global Centre for Cybersecurity. Its foci include establishing an independent library of cyber best practices; helping partners to enhance knowledge on cybersecurity; working towards an appropriate and agile regulatory framework on cybersecurity; and serving as a laboratory and early-warning think tank for future cybersecurity scenarios.

A few weeks later, at the 2018 Munich Security Conference, several multinational corporations announced 10 principles in the Charter of Trust for a Secure Digital World. These principles range from education and security by design to transparency and response.[28] The press release emphasizes the roles of governments and companies in taking decisive action: “[t]his means making every effort to protect the data and assets of individuals and businesses; prevent damage from people, businesses and infrastructures; and build a reliable basis for trust in a connected and digital world.”[29]

In the United States, in March 2018, several businesses formed the Coalition to Reduce Cyber Risk, which “aims to enhance cybersecurity and support economic growth by partnering across industry and with governments around the world to strengthen and align approaches to improving cybersecurity risk management.” That same month two trade associations formed the Council to Secure the Digital Economy, which will “pursue security mitigation as intensely as digital innovation. [The Council] will determine a distinct set of priorities and industry initiatives, working in partnership with the public sector both in the U.S. and globally.”[30]

At the 2018 annual RSA cybersecurity conference, 34 technology and security companies announced the Cybersecurity Tech Accord. Companies signing the Tech Accord commit to equal protection for customers worldwide. These protections include mounting a stronger defense of customers, regardless of the motivation for attacks online; refraining from assisting governments launch cyberattacks and protecting against tampering and exploitation of products and services through development, design, and distribution; building capacity to empower developers and technology users to better protect themselves; and acting collectively through formal and informal partnerships with industry, civil society, and security researchers to enhance security information sharing and vulnerability disclosure.[31]

[27] 451 Research, supra note 15 at 10.
[28] See SIEMENS, Charter of Trust (2018), https://www.siemens.com/press/pool/de/feature/2018/corporate/2018-02-cybersecurity/charter-of-trust-e.pdf.
[29] Id.
[30] USTelecom and ITI Launch Council to Secure the Digital Economy, USTELECOM.ORG (Feb. 23, 2018), https://www.ustelecom.org/news/press-release/ustelecom-and-iti-launch-council-secure-digital-economy.
[31] https://cybertechaccord.org.
The insurance market is also beginning to broaden its approach to assessing cyber risk. In early 2018, Allianz Global Corporate & Specialty (AGCS) announced a partnership with global risk consulting firm Aon PLC and technology companies Apple and Cisco. AGCS will offer discounted cyber insurance policies to companies that submit to a risk assessment and use identified technology products. The effort demonstrates the broader shift in cybersecurity from compliance to risk management, which extends risk evaluation beyond the insured’s network operations to its engagements with the ecosystem to address security “more holistically.”32
Governments, too, are increasingly calling for greater cybersecurity action for the collective good. These calls echo sustainability management practices such as reducing pollution and framing responsible business development choices as investments. For example, in implementing Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the U.S. National Telecommunications and Information Administration seeks to develop a pathway toward “an adaptable, sustainable, and secure technology market.” It also called on companies not only to avoid carrying malicious internet traffic, but also to make public such decisions. Similarly, the 2015 Japanese Cybersecurity Strategy concisely observes:
[i]n bringing products and services in which high level security is assured as a quality feature to the market, and in making management decisions for new business creation, cybersecurity knowledge has become a basic competency required for enterprise senior executives. For the enhancement of Japan’s socio-economic vitality as well as sustainable development, it is necessary that more enterprise senior executives will grasp such societal changes precisely, and raise awareness of cybersecurity measures not as inevitable “cost” of business but as an “investment” for more progressive management.33
More recently, the White House Council of Economic Advisors stated plainly that “[c]ybersecurity is a common good … [that] weak cybersecurity carries a cost not only to the firm itself but also to the broader economy through the negative externalities imposed on the firm’s customers and employees and on its corporate partners.”34 Suffice to say, nascent but exponential growth in IoT will likely compound these externalities absent a significant shift in stakeholder behavior.
To address these challenges, several organizations, both public and private, are calling for a cybersecurity moonshot along the lines of the government-led effort that culminated in the first lunar landing.35 While potentially a helpful motivating frame, there are also limitations to the moonshot concept in the context of cybersecurity, in part because it is a continuous combination of actions. For example, given the impact of Moore’s law and other innovation attributes of these technologies, will a cybersecurity moonshot ever be complete? How does a cybersecurity moonshot account for the role of consumers? And how does it address supporting elements, such as the need to expand and enhance cybersecurity education?
32 Allison Grande, Apple Cisco Partner with Insurers for Novel Cyber Coverage, Law360 (Feb. 6, 2018, 10:40 PM), https://www.law360.com/articles/1009760/apple-cisco-partner-with-insurers-for-novel-cyber-coverage.
33 THE GOV’T. OF JAPAN, CYBERSECURITY STRATEGY 12, 14-15 (Sept. 4, 2015), https://www.nisc.go.jp/eng/pdf/cs-strategy-en.pdf.
34 CEA Report, supra note 10 at 21.
Sustainable cybersecurity to secure the modern economy.
In addition to a cybersecurity moonshot, stakeholders – governments, corporations, educators, and consumers – need to reframe their approach to cybersecurity to one of sustainability. Sustainability acknowledges roles for a range of stakeholders and recognizes the need to manage and engage today in order to ensure the same or better opportunities tomorrow. Sustainability encompasses supply chain management, interoperability and scalability, consumer engagement, and in some areas regulatory compliance. In the context of cybersecurity, it could transform corporate and consumer perceptions from costs of time and money to savings and features, and meaningfully translate these attributes to the market.
Gaining recognition in the mid-90s, the modern sustainability movement developed to enable organizations to optimally operationalize their interactions with public goods.36 Today, the field of sustainability management seeks to integrate an understanding of “the physical dimensions of sustainability” into routine management decision-making. The field teaches tomorrow’s CEOs to manage their organization’s waste, use of energy, water, and other raw materials to ensure sustainability throughout supply chains, and to be aware of the financial risks posed by environmental accidents, pollution, and climate change.37 Sustainability management “continues to study conservation and pollution, but now encompasses a far broader set of concerns and has come to include the built environment, management, and the transition to sustainable cities.”38
35 See, e.g., Shaun Waterman, What is a “cyber moonshot” anyway?, CYBERSCOOP (Oct. 19, 2017), https://www.cyberscoop.com/cyber-moonshot-accenture-gus-hunt/; Sean Morgan, Call for a Cybersecurity “Moonshoot” Dominates First-Ever Government Ignite, PALO ALTO NETWORKS (Oct. 27, 2017), https://researchcenter.paloaltonetworks.com/2017/10/gov-call-cybersecurity-moonshot-dominates-first-ever-federal-ignite/.
36 See, e.g., Rebecca Tuhus-Dubrow, “Sustainability” is older than you think, BOSTONGLOBE.COM (Dec. 7, 2014), https://www.bostonglobe.com/ideas/2014/12/07/sustainability-older-than-you-think/qCjnEzwtxmBjxebceg8OzL/story.html (“Sustainability is about having a vision for the future. And environmentalism is about dealing with problems that have led us up to the present day. It’s about the past and the present. And I think sustainability says, OK. We screwed it all up. We know that emissions are a big problem, we know that water pollution is a problem.... Now what?”).
37 Steven Cohen, The Evolution of Sustainability Education, HUFFPOST (May 22, 2017, 8:25 AM), https://www.huffingtonpost.com/entry/the-evolution-of-sustainability-education_us_5922d872e4b0e8f558bb282e.
38 Id.
For BlackRock, a large institutional investor, “sustainability means long-term thinking in every respect, whether it be reducing our energy consumption, contributing to communities or building better financial futures for our clients. It is about responsible decision-making.”39 BlackRock’s CEO, Larry Fink, observed that society expects responsible decision-making: “[t]o prosper over time, every company must not only deliver financial performance, but also show how it makes a positive contribution to society. Companies must benefit all of their stakeholders, including shareholders, employees, customers, and the communities in which they operate.”40 BlackRock sees increasing societal expectations that corporations “serve a social purpose.”41
This responsible decision-making approach benefits shareholders in addition to society. Indeed, analysis of Fortune 500 companies makes clear that sustainable companies are successful, often very successful, companies. Thus, contrary to common perceptions that sustainability takes away from companies’ profits, in fact, sustainable companies are more successful than their peers that have not adopted sustainable practices.42 The reasons for this success are beyond the scope of this paper. However, in most CEOs’ and organizational leaders’ evaluation of priorities, whether recognized by these leaders or not, there is one element that enables or risks all of the others: cybersecurity. Yet, recent research indicates that financial benefits can also result for companies that adopt responsible cybersecurity practices.43 Sustainable cybersecurity is essential to achieving shareholder value and a social purpose.
Beyond profitability, organizations should begin to frame their cybersecurity activities in a sustainable way for several reasons. To begin, ICTs underpin almost every modern day transaction, from the delivery of electricity and water to banking, shopping, manufacturing, and correspondence. As such, organizations develop, transmit, and have access to vast amounts of information, including very sensitive data in the form of proprietary and personally identifiable information. As is increasingly apparent, failure to ensure the confidentiality, integrity, authenticity, or availability of aspects of this information – actions most commonly described as cybersecurity or information security – can result in critical failures for associated and unrelated information, devices, and actions. These failures risk reputation, income, assets, and the very longevity of the organization as a going concern.44 Left unchecked, poor cybersecurity can also threaten ICTs themselves. “Even though [ICTs] are not a natural resource – like air, land, sea, or space – they can be ruined beyond use by careless actions. In fact, as their foundation is not natural, but essentially built on human trust, cyberspace and the internet may be far more sensitive to long-term pollution and disruption.”45
39 BLACKROCK, BlackRock Responsibility: Environmental Sustainability, BLACKROCK (last visited Mar. 12, 2018), https://www.blackrock.com/corporate/en-us/responsibility/environmental-sustainability.
40 BLACKROCK, Larry Fink’s Letter to CEO’s: A Sense of Purpose, BLACKROCK (last visited Feb. 21, 2018), https://www.blackrock.com/corporate/en-us/investor-relations/larry-fink-ceo-letter.
41 Id.
42 See, e.g., Carly Fink & Tenise Whelan, The Comprehensive Business Case for Sustainability, HARVARD BUSINESS REVIEW (October 21, 2016), https://hbr.org/2016/10/the-comprehensive-business-case-for-sustainability; Eccles, Iannou & Serafeim, THE IMPACT OF CORPORATE SUSTAINABILITY ON ORGANIZATIONAL PROCESSES AND PERFORMANCE 19 (Harvard Business School, Nov. 2014), http://www.hbs.edu/faculty/Publication%20Files/SSRN-id1964011_6791edac-7daa-4603-a220-4a0c6c7a3f7a.pdf. (“Overall, we find evidence that firms in the High Sustainability group are able to significantly outperform their counterparts in the Low Sustainability group. This finding suggests that companies can adopt environmentally and socially responsible policies without sacrificing shareholder wealth creation. In fact, the opposite appears to be true: High Sustainability firms generate significantly higher stock returns, suggesting that indeed the integration of such issues into a company’s business model and strategy may be a source of competitive advantage for a company in the long-run. A more engaged workforce, a more secure license to operate, a more loyal and satisfied customer base, better relationships with stakeholders, greater transparency, a more collaborative community, and a better ability to innovate may all be contributing factors to this potentially persistent superior performance in the long-term.”).
43 See Ayman Sayed, Why Security-Driven Companies Are More Successful, DARK READING (Mar. 7, 2018, 10:30 AM), https://www.darkreading.com/operations/why-security-driven-companies-are-more-successful/a/d-id/1331173; Steven Chabinsky, The Top 12 Practices of Secure Coding, SECURITY MAGAZINE (Jan. 1, 2018), https://www.securitymagazine.com/articles/88600-the-top-12-practices-of-secure-coding; Scott J. Shackelford, Timothy L. Fort, & Danuvasin Charoen, Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks, 2016 U. ILL. L. REV. 1995, 2020 (2016).
As a result, like sustainability, cybersecurity is slowly but increasingly becoming a “C-suite” issue. Just as past business operations may have contributed to climate change and other traditional sustainability challenges, many of today’s cybersecurity issues are the result of business practices that failed to adequately consider the broader implications of a particular decision. Rushing products with known vulnerabilities to market in order to be first rather than secure-to-market has resulted in an ecosystem populated with thousands of vulnerable consumer devices and industrial control systems.46 And like other sustainability issues, the externalities of vulnerable devices and applications, whether embedded in home security cameras or critical infrastructure, can have significant, if latent, consequences, particularly when malicious actors exploit more than one vulnerability at once or as part of a broader campaign.47
The sustainability movement and cybersecurity also have in common the opportunities and challenges of interoperability and scale. Sustainability policy emerged from the need for global collective action. In recent decades, large groups of stakeholders across the world have adopted sustainability policies and programs to tremendous effect.48
44 See Dune Lawrence, A Leak Wounded This Company. Fighting the Feds Finished It Off, BLOOMBERG (Apr. 25, 2016), https://www.bloomberg.com/features/2016-labmd-ftc-tiversa/; PRO ONCALL TECHNOLOGIES, 3 Companies that Went out of Business Due to a Security Breach, Pro On-Call Business (Nov. 6, 2014), https://prooncall.com/3-companies-went-business-due-security-breach/.
45 Jason Healey, A NONSTATE STRATEGY FOR SAVING CYBERSPACE 29 (Frederick Kempe et al. eds., Atlantic Council Strategy Papers No. 8, 2017).
46 Robert Lemos, IoT Security, Easy to Compromise, Not So Easy to Fix, SYMANTEC (Oct. 23, 2017), https://www.symantec.com/blogs/corporate-responsibility/iot-security-easy-compromise-not-so-easy-fix; Lucian Constantin, Critical Bluetooth Flaw Puts Over 5 Billion Devices at Risk for Hacking, FORBES (Sept. 12, 2017, 9:23 AM) https://www.forbes.com/sites/lconstantin/2017/09/12/critical-bluetooth-flaws-put-over-5-billion-devices-at-risk-of-hacking/#72abf0c868b1.
47 See Lily Hay Newman, The Botnet that Broke the Internet Isn’t Going Away, WIRED (Dec. 9, 2016, 7:00 AM), https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/.
48 See UNITED NATIONS GLOBAL IMPACT, 2017 UNITED NATIONS GLOBAL COMPACT PROGRESS REPORT 25 (UN Global Impact, 2017), https://www.unglobalcompact.org/docs/publications/UN%20Impact%20Brochure_Concept-FINAL.pdf.
Similarly, ICT interoperability, ensuring that products work regardless of the country or network to which they connect, has fostered an ever-expanding global marketplace and strong economic growth. Yet, as discussed throughout this paper, that marketplace and associated growth are at risk from growing distrust of ICTs due in part to their inadequate security. In order to strengthen that trust, organizations across the ecosystem must do their part. Sustaining cybersecurity in the modern economy means being intentional about interoperability and the business choices that should be made to securely enable it.49
Noteworthy, too, is the critical role cybersecurity plays in core sustainability practices. As with most operations today, information and communications technologies increasingly, if not completely, support traditional sustainability actions as identified by the United Nations Global Compact 10 Principles and the 17 Sustainable Development Goals.50 Cybersecurity is essential to achieving each of these Principles and Goals. For example, climate action cannot be assessed without gathering data and analyzing it. Identifying the security vulnerabilities in such scientific collection and assessment is no small undertaking. Yet ensuring the integrity, authenticity, and availability of such data from numerous collection points is critical to developing effective options to address the challenge. Relatedly, supply chain management, a crosscutting issue critical to ensuring business operations, also depends upon the integrity, authenticity, and availability of relevant information. Short of becoming a universal Goal in itself, implementing sustainable cybersecurity practices could be a supplement to Goal Nine: “Build resilient infrastructure, promote inclusive and sustainable industrialization, and foster innovation.”
Furthermore, the cybersecurity nexus to these now commonplace business practices suggests organizations’ existing sustainability processes and policies likely provide a foundation upon which to incorporate and scale enhanced approaches to cybersecurity.51 In addition to operational tracking and compliance to achieve desired objectives – environmental impact or, in the future, secure and stable code – these sustainability policies also enable organizations to be more transparent about their decisions. This transparency has helped investors and consumers to make more informed decisions and better evaluate competitors. Metrics about these policies and their results are so valuable to investors that some stock exchanges now require them in the form of environmental, social, and governance (ESG) integrated reports.52
A similar approach to transparency about cybersecurity policies and practices could have meaningful impact. “Greater awareness and use of transparency tools and practices [will] allow both the supply side and demand side to understand what goes into IoT products, generate market forces for better security through transparency, and increase assurances that no known vulnerabilities are shipped with products.”53 Where currently securities exchanges require organizations to provide information on material cybersecurity issues, in the future, due to increasing regulations around cybersecurity, companies’ cybersecurity public reporting obligations will expand. As integrated reporting matures, rather than inclusion of cybersecurity activities simply fulfilling a reporting requirement, in light of its strategic importance to traditional ESG elements outlined above, cybersecurity should become an integrated reporting cornerstone.54
In the interim, organizations should build upon recent efforts toward greater transparency about cybersecurity. In addition to the coalitions and centers described above, some companies, including Intel, already discuss their security and privacy practices in the broader context of their public policy work. Intel notes that “trust in the global digital economy is contingent upon providing robust security and a high level of privacy protection.”55 And the U.S. government has begun to share details about security vulnerabilities in its network.56 Furthermore, over the years, computer hardware manufacturers have taken steps to make physical production more sustainable by extending the lifespan and recyclability of their products,57 which further suggests – in addition to the recently announced efforts – that the technology sector may be a good starting point and partner in extending sustainability practices to incorporate cybersecurity.
49 See Johnson supra, note 25.
50 See UNITED NATIONS GLOBAL COMPACT, The 10 Principles of the UN Global Compact, UNGLOBALCOMPACT.ORG, https://www.unglobalcompact.org/what-is-gc/mission/principles (last visited, Apr. 2, 2018); See also, UNITED NATIONS GLOBAL COMPACT, How Your Company Can Advance Each of the SDGs, UNGLOBALIMPACT.ORG, https://www.unglobalcompact.org/sdgs/17-global-goals. (Last visited Apr. 2, 2018). Consider also that assessing the number of displaced persons due to conflict also requires accurate and available data; in some situations that data must also be kept confidential from controlling regimes that may be targeting certain populations.
51 See Joseph Marks, DHS To Scrutinize Government Supply Chain For Cyber Risks, NEXTGOV (Feb. 14, 2018), http://www.nextgov.com/cybersecurity/2018/02/dhs-scrutinize-government-supply-chain-cyber-risks/145998/; Kristin Goodwin & Paul Nicholas, DEVELOPING A NATIONAL STRATEGY FOR CYBERSECURITY 13 (Microsoft, Oct. 2013), https://www.microsoft.com/en-us/cybersecurity/default.aspx.
52 See Christopher P. Skroupa, ESG Reporting Reshapes Global Markets, FORBES (Apr. 24, 2017), https://www.forbes.com/sites/christopherskroupa/2017/04/24/esg-reporting-reshapes-global-markets/#71bdf9ff5d5e; see also Timothy F. Slaper & Tanya J. Hall, The Triple Bottom Line: What Is It and How Does It Work?, INDIANA BUSINESS REVIEW (Spring 2011), http://www.ibrc.indiana.edu/ibr/2011/spring/article2.html; see generally Global Reporting Institute, https://www.globalreporting.org/information/about-gri/Pages/default.aspx.
53 See Internet Resilience Draft Report, supra note 18 at 26, 28.
54 The integrated report shows how a reduction in greenhouse gas impacts profitability, logistics, the supply chain, the value chain, etc. See Skroupa, supra note 52.
55 Intel Public Policy: Security and Privacy, https://www.intel.com/content/www/us/en/policy/policy-security-privacy.html (last visited Feb. 23, 2018); see also Intel 2016 Corporate Responsibility Report, https://www.intel.com/content/www/us/en/corporate-responsibility/corporate-responsibility.html (last visited Feb. 23, 2018).
56 See Letter from Senator Ron Wyden to Christopher C. Krebs, Department of Homeland Security (Sept. 21, 2017), https://www.wyden.senate.gov/imo/media/doc/letter%20to%20DHS%20Regarding%20NPPD's%20Kaspersky%20BDO.pdf.
57 See Nathaniel Bullard & Adam Minter, The Upside to America’s Gadget Infatuation, BLOOMBERG (Dec. 29, 2017, 12:00 PM), https://www.bloomberg.com/view/articles/2017-12-29/the-upside-to-america-s-gadget-infatuation (“Companies such as HP Inc. and Dell Inc. are leading the way with designs that extend the lifespan of devices and enable recyclers to extract materials affordably. That's good news for consumers, and even better news for the environment.”); see also 2017 Impact Report at 19, SUSTAINABILITY CONSORTIUM (last visited Apr. 17, 2018), https://www.sustainabilityconsortium.org/impact/impact-report/ (“The computer category in particular has benefited from broadly adopted eco-certifications, like ENERGY STAR(c) and EPEAT, which has helped drive sector manufacturers to focus on the key sustainability issues within their own operations and their suppliers.”).
Nascent efforts are already underway to increase transparency, raise consumer privacy and security awareness, and foster demand for better products and services. A group of technology security and corporate accountability experts together with Consumer Reports are developing “The Digital Standard” to create a digital privacy and security standard to help guide the future design of consumer software, digital platforms and services, and internet-connected products.58 Established software development best practices and efforts to develop a software bill of materials also support an informed marketplace. Just as consumers now look to ingredient labels and business practices around environmental impact and child labor before buying products, greater transparency and awareness about entities’ cybersecurity practices through efforts such as the Digital Standard will better educate consumers, who will begin to demand products that put security first.59 Attendant to this demand, and also elements of the Standard, are improved information policies and practices that clearly convey to the network operator, device owner, and end user, in plain language that the average person can comprehend, what data the device is collecting and to what purposes the data will be put.60
As the internet adds hundreds if not thousands of new devices every day, it is past time for the organizations developing them and the purchasers that buy them to agree they must be developed and maintained in as secure a manner as possible. In the future, organizations that compete on security can reap many of the same benefits as organizations that adopted sustainability practices, perhaps most importantly growing the economy by doing well and doing good. The economy of the future depends on products and services that compete both on security and functionality.
So, too, does our national security. The 2018 Director of National Intelligence threat assessment highlights quite succinctly the urgency to act: “[t]he potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.”61
For years senior military and intelligence leaders have recognized the importance of sustainability to national security.62 Far from a limitation in the context of national security, here, too, a sustainable approach to cybersecurity has merit. In evaluating the national security implications of framing cybersecurity as a sustainability issue, several facts must be kept in mind. To begin, the private sector owns and operates between 80-90 percent of all ICTs; they also research and build them. Next, efforts to manage the use of ICTs must account for all stakeholders, which is where multilateral agreements around the misuse of ICTs face significant limitations. If the private sector builds and uses ICTs in a more sustainable manner, the ability for nation states to misuse them becomes more difficult, decreasing the likelihood and benefits of misuse.63 Thus, thinking sustainably about cybersecurity may ultimately constrain nation state misuse of ICTs.
58 See generally The Digital Standard, https://www.thedigitalstandard.org.
59 See Internet Resilience Draft Report, supra note 18 at 19.
60 Id. at 24 (“Customer-supported profiles appropriate for home and industrial applications would provide a signal to the market that the customers will prefer IoT devices that meet the baseline. The profiles would also provide immediate opportunity for product differentiation.”).
61 Daniel R. Coats, WORLDWIDE THREAT ASSESSMENT 5 (Office of the Director of National Intelligence, Feb. 13, 2018), https://www.dni.gov/files/documents/Newsroom/Testimonies/2018-ATA---Unclassified-SSCI.pdf. (emphasis added).
62 See, e.g., Benjamin Schneider, Defense Secretary Hagel reaffirms climate change, sustainability are central military concerns, ENVIRONMENTAL DEFENSE FUND (Nov. 24, 2013), https://www.edf.org/blog/2013/11/24/defense-secretary-hagel-reaffirms-climate-change-sustainability-are-central.
In addition, disagreements over the management of resources contribute to many national security threats.64 In this case, the resource could be considered the (mostly) open internet and the ICTs with which it interoperates. For some governments the internet is a tool to advance democracy and economic development while, from an authoritarian viewpoint, it is a threat to regime stability that must operate under strict controls set by the state. If one assesses that lax security and privacy policies across the internet ecosystem facilitated in part the current misuse of ICTs to undermine democracy, voluntary and where necessary tailored regulatory actions that incorporate sustainability principles can better secure these assets. Such efforts should be recognized as reinforcements to democracy and a buttress against further attacks through ICTs. Sustainable cybersecurity supports and enables stable democracies.
Conclusion
Despite its known insecurities, the rise of the Internet of Things and our increasing dependence on it, together with growing distrust in information and communications technologies, necessitate a fundamental reformulation of the societal approach to cybersecurity in order for the digital age to continue its exponential growth. “‘Cybersecurity’ on its own has no time horizon, no easy way to make tradeoffs between today’s needs and those of the future. Sustainability, wanting future generations to have an Internet that is as rich, open, and secure as the one today, is the easiest way to address these issues.”65 Treating cybersecurity as a sustainability issue will build upon the adaptive and scalable nature of the sustainability movement. Independently, these operational approaches have evolved alongside rapid technological innovation, demonstrating their importance and endurance; bringing them together will further strengthen their effectiveness.
63 Consider recent action by the Chinese government to mitigate climate change. In the past the government pursued economic growth at the cost of the environment; faced with rising death tolls and other domestic impacts, the government radically changed course and began an aggressive effort to limit pollution. See, e.g., Kearns, Dormido & McDonald, China’s War on Pollution Will Change the World, BLOOMBERG (Mar. 9, 2018), https://www.bloomberg.com/graphics/2018-china-pollution/?cmpId=flipboard; Yanzhong Huang, Why China’s Good Environmental Policies Have Gone Wrong, THE NEW YORK TIMES (Jan. 14, 2018), https://www.nytimes.com/2018/01/14/opinion/china-environmental-policies-wrong.html.
64 See e.g., Daniel R. Coats, Worldwide Threat Assessment of the US Intelligence Community 13 (Office of the Director of National Intelligence, May 11, 2017), https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20-%20Final.pdf; James R. Clapper, Worldwide Threat Assessment of the US Intelligence Community 13-14 (Office of the Director of National Intelligence, Feb. 25, 2016), https://www.dni.gov/files/documents/Newsroom/Testimonies/HPSCI_Unclassified_2016_ATA_SFR-25Feb16.pdf (“Extreme weather, climate change, environmental degradation, related rising demand for food and water, poor policy responses, and inadequate critical infrastructure will probably exacerbate—and potentially spark—political instability, adverse health conditions, and humanitarian crises in 2016.”).
65 Healey, supra note 45 at 36-7.
From this expansive viewpoint, one can begin to envision what sustainable cybersecurity means – it is more than just actions taken by developers and manufacturers of hardware and physical goods companies. Incorporating sustainable cybersecurity management practices throughout the internet and ICT ecosystem enables all stakeholders to do their part to enhance the ecosystem’s security and reinforce trust in it. Through sustainable cybersecurity practices, stakeholders globally can be intentional as they participate in and contribute to the modern economy, whether in developing products and services, running a household, operating critical infrastructure, or developing national policies. Through this collective effort, all stakeholders can have greater confidence that information and communications technologies will securely support today’s innovations beyond tomorrow.
Operationalizing Sustainable Cybersecurity
What follows are prioritized but not exhaustive actions stakeholders across the internet ecosystem can take and work toward to build and sustain a more resilient network of networks, one that protects the security and privacy of the data driving the modern economy.
For product manufacturers:
o Following secure software development best practices, e.g., Software Assurance Marketplace; OWASP
o Publishing a software bill of materials that details the product development process
o Establishing a product’s usage, lifespan, and end-of-life management
  ▪ Using the Manufacturer Usage Description Specification
  ▪ Updating purchasers when a product exceeds its supported life
  ▪ Offering discounted upgrades to reduce population of insecure products
  ▪ Ensuring where appropriate products fail safe to safe/secure mode
o Selling products that are secure by design with no known defects
o Developing vulnerability management and patch dissemination policies and processes, including automatic updates where appropriate
o Participating in information sharing and analysis organizations
o Educating workforce about cybersecurity, including application outside the work environment
For enterprise network operators:
o Utilizing the NIST Cybersecurity Framework – identify, protect, detect, respond, recover
o Including the supporting policies and procedures, e.g., incident response plan
o Requiring a software bill of materials for purchases of internet-connected devices
o Validating the integrity of hardware and software
o Developing patch management processes to ensure products remain up to date
o Maintaining least privilege across the network
o Securing access to infrastructure devices
o Segregating networks and functions
o Using Domain Message Authentication Reporting and Conformance (DMARC)
o Implementing Best Common Practice 38 & 84 - ingress and egress filtering
o Participating in information sharing and analysis organizations
o Educating workforce about cybersecurity, including application outside the work environment
For civil society and consumers:
o Educating themselves about cybersecurity
o Practicing good cyber hygiene
  o Backing up data
  o Installing updates when informed by manufacturers
  o Using strong passwords and not reusing them
  o Using two-factor authentication
  o Reducing opportunities to be a victim of social engineering
  o Using web browsers that filter bad domains
o Reinforcing good hygiene with friends and family
o Investing in products with robust security, as evidenced by, for example, the Digital Standard
o Holding accountable organizations that fail to adequately develop and secure products by using their competitors, where available
For governments:
o Leading by example in procurement, enterprise operations, personnel and national education, and research and development
o Convening stakeholders to build cybersecurity capacity internationally
o Supporting and participating in international standards organizations
o Improving incentives for stakeholders to implement sustainable cybersecurity, including by reevaluating liability frameworks
o Collaborating to investigate and whenever possible prosecute criminal misuse of ICTs
o Refraining from activities that undermine public trust in ICTs
Next steps
We propose to facilitate and participate in a series of multistakeholder conversations about this paper and the actions it outlines. Agenda items for these conversations include:
● Are these the right actions for these actors? What’s missing?
● What are the legal and/or policy challenges limiting these actions’ implementation?
● What incentives could spur broader adoption of these actions?
● Which actions would make useful case studies?