Risk Nexus Global cyber governance: preparing for new business risks Contents

Foreword 3

Executive summary 4

1. Emerging technologies will fundamentally change the nature of cyber risks 6 1.1 Cyberspace – present and future 7 1.2 An environment favoring attackers 8 1.3 The changing nature of cyber risk 8 1.4 The impact of global cyber governance on business 11

2. An inadequate global cyber governance framework 12 2.1 Three layers of cyber governance 13 2.2 Key characteristics of global and regional governance capabilities 15 2.2.1 Ideological differences preclude strong and effective institutions 15 2.2.2 The current governance framework does not adequately refl ect the global nature of cyberspace 18

3. Toward a new governance framework: challenges and opportunities 19 3.1 The current cyber disorder 20 3.2 Actions for the private sector 21 3.2.1 Champion common values 21 3.2.2 Share information to mitigate cyber risk 21 3.2.3 Risk management 22 3.2.4 Resilience 23 3.3 Actions for policymakers 24 3.3.1 Strengthening global institutions 24 3.3.2 Managing systemic cyber risks 25 3.3.3 Enhancing public-private cooperation 27 3.3.4 Increasing inclusiveness 28

Conclusion 29

Disclaimer 30

2 Global cyber governance | Preparing for new business risks Foreword

The process of globalization, the emergence of new powers, and the increasing relevance of non-state actors are creating a multipolar and interconnected world. In the international arena, political and ideological diversity among the most relevant parties, diffusion of power, and the impact of changing global economics have added complexity to the geopolitical landscape. Businesses now operate in a much more diffi cult, heterogeneous environment.

Global Cyber governance is one of the are among the most important key challenges facing businesses. In view developments affecting the global of the signifi cance and complexity of the risk landscape. surrounding issues, ESADEgeo, a leading This report aims to provide a detailed authority on global governance, and study on the state of the global Javier Solana, Zurich Insurance Group, a global insurer, President, ESADEgeo-Center for governance of cyber security. It assesses have joined to offer insights into ways it Global Economy and Geopolitics the current and evolving nature of cyber might be improved. risk, examines the existing global We live in a world full of opportunities, governance framework, and proposes but also risks. There is no better example new paths to tackle the current disorder of this than the relationship between in cyberspace. The existing governance information and communications framework from the 20th century technologies (ICTs) and cybersecurity. cannot be expected to respond suffi ciently The cyber realm underpins almost all to a 21st century technology. This report economic and societal activity – from contains a mixture of bold and fi nance to trade, information, energy pragmatic suggestions to resolve some and beyond. As Henry Kissinger suggests, of the more diffi cult issues we face. technology is even challenging our The world needs a fl uid and more traditional understanding of sovereignty comprehensive dialogue between and political order. Whether and how business, politics and civil society to the risks associated with cyber ensure the security of cyberspace. technology are controlled will therefore Developing an inclusive and reliable have seismic consequences for all governance regime for the security of concerned. The 2014 Atlantic Council/ the cyber realm is a prerequisite to Axel P. Lehmann Zurich report, ‘Beyond data breaches: Chief Risk Offi cer and Regional Chairman managing the risks and grasping the global interconnections of cyber risk,’ of Europe, Middle East and Africa opportunities that emerging technology highlighted this correlation between risk Zurich Insurance Group presents. It is therefore one of the and opportunity, noting in particular the critical tasks of our times: essential highly systemic and cascading nature of to protect economic growth, technical cyber risk. According to the 2015 edition progress, political stability and social of the Global Risks report, the evolution development. We look forward to of geopolitical tension into cyberspace working with others on this complex and the impact of emerging technology and exciting global challenge.

Global cyber governance | Preparing for new business risks 3 Executive summary

Section 1: Emerging technologies will fundamentally change the nature of cyber risk

Cyberspace has rapidly become essential to home appliances or autonomous vehicles may the daily life of individuals, governments and also shake up established business practices businesses. Yet with this exponential increase and create new security threats. Cyber risks in activity comes the ease of use and access to will become increasingly interconnected with data for malicious purposes. Cyber attacks are other global risks.1 Much of this evolution is increasing in number, sophistication, scope and already apparent. impact. In this context, cyber security is arguably the most salient non-traditional security issue Companies in almost all sectors are exposed on the global agenda. to cyber threats, with the potential for causing enormous damage in terms of reputation and Emerging technologies such as the Internet physical losses, liabilities, and regulatory costs. of Things will increase the complexity of Unchecked, growing cyber threats risk networks. Other disruptive technologies, curtailing technical and economic development such as unmanned aerial vehicles, additive on a global scale.2 manufacturing (such as 3-D printing), new

Section 2: An inadequate global cyber governance framework Fast fact Fast fact Fast fact Cyber attacks respect neither state nor cyber attacks on critical infrastructure for Asia leads internet organizationalThe online borders. population A holistic and global Smartphonepolitical purposes. sales Here, soar effective global usage approach to cyber governance is therefore governance is lacking. Between these two vital.Around Despite half of some the world’ recents population progress at the Accordextremes,ing to the weWo rfildwide nd the Quarterly ‘gray zone’ – a sphere will be online by 2017. Mobile PhoneTracker, sales of Today more than 50% of the world’s international and regional levels on norms and where the interests of industry, governments 3 smartphones exceeded 300 million units internet users are in Asia. confi dence-buildingPopulation measures (CBMs) , a and individuals intersect. Issues addressed in comprehensive and functional regime of globalin shipmentsthis space for theinclude first time net inneutrality, Q2 2014. intellectual cyber security governance is clearly lacking. In property rights, freedom of speech, non-state an effort to improve the situation, we or criminal cyber attacks and data protection. undertook1/2 a detailed mapping of the rules, +50% institutions, and procedures that form the The ‘gray zone’ encompasses all international current global cyber governance framework. instruments that deal with cyber risks from a non-technical and non-military perspective. It is This chapter summarizes the main conclusions Smartphones of that work. An academic report containing Q2 in this area,300m with shipment its variouss global governance models and organizational cultures, that the this research2017 in detail will be publicly available in the near future. international community can most effectively work to improve the current situation and 2014 The current global cyber governance regime facilitate the mitigation of cyber threats. can be regarded as having three layers. First, there are the more technical aspects that Our analysis has identifi ed two key characteristics facilitate the proper functioning of network of global cyber governance: ideological systems. Global governance in this area is differences and geopolitical tensions preclude relatively effective, and is based on a strong and effective global governance multi-stakeholder model. At the other extreme institutions; and the current governance of the spectrum are cyber warfare issues such framework does not adequately refl ect the as terrorism and espionage between states, or global nature of cyberspace.

Authors’ note: As with any pioneering research in a novel fi eld, the samples and data available for this report have signifi cant limitations. Many of the data points that would have been required are not publicly available, while others don´t even exist; that is, the relevant organizations do not compile the necessary information. Due to these limitations, the fi ndings of the study should be treated with some caution. They are as accurate as the available 1 Zurich Insurance Group/Atlantic Council (2014) ‘Beyond Data Breaches: Global Interconnections of Cyber Risk,’ information has allowed, but certainly not defi nitive. Yet they provide a valuable study of Risk Nexus. Available at: http://www.zurich.com/internet/ this topic and thus hopefully take the research a step forward to a point where it can be main/SiteCollectionDocuments/insight/ improved by future work. risk-nexus-april-2014-en.pdf 2 World Economic Forum (2015): ‘Partnering for Cyber Resilience: Towards the Quantifi cation of Cyber Threats’. In collaboration with Deloitte, 2015, p.9. 3 ICT for Peace, ‘Baseline Review of ICT-Related Processes and Events: Implications for International and Regional Security’, 2014, p.44.

4 Global cyber governance | Preparing for new business risks Section 3: Toward a new governance framework: challenges and opportunities

Given the shortfalls in global cyber governance For policymakers, there are a number of steps that and the urgent need for effective risk mitigation, we believe, if taken, would allow major progress there are a number of recommendations that toward a more effective global cyber governance should be considered. In the absence of state framework. Recommendations include: consensus, we believe there is a role for the private sector to actively lobby for a set of • Strengthen ‘fi t for purpose’ global guiding principles to overlay the global cyber institutions, which would include creating governance framework. That governance a G20 + 20 Cyber Stability Board and should be global and inclusive in nature, based taking steps to isolate these institutions on a multi-stakeholder approach and fl exible from geopolitical tensions. enough to adapt to rapidly-evolving challenges. • Consider creating a cyber alert system, The private sector should also take specifi c based on the model of the World Health steps to mitigate cyber risk and enhance Organization (WHO). general resilience in the meantime, given the lack of effective global governance. Greater • Enhance public-private cooperation, information-sharing will play a key role in including dialogue and incentives for developing the tools to achieve this, such as investment in cyber security. a well-functioning insurance market. • Seek to increase the representation of LDCs and civil society within the global governance framework.

Table 1: Summary of private sector and policymaker recommendations to improve global cyber governance

Recommendation Proposed mechanism Business Greater information-sharing to mitigate Insurance industry via the CRO forum. cyber risk. Anonymized business loss reporting via private sector-led initiatives, e.g., FS-ISAC, public-private bodies e.g., ENISA. Champion common values for Lobby through institutions, particularly global cyber governance in absence privately-led initiatives, e.g., CRO forum of governments’ consensus. and multi-stakeholder dialogue forums, such as WEF. Take targeted actions to manage cyber risk. Adopt SANS 20 Critical Security Controls. Further actions needed for larger organizations. Enhance general resilience to cyber risk. Built-in redundancy, incident response and business continuity planning, scenario planning and exercises. Policymaker Strengthen those aspects of global Develop informal global cyber networks. governance that have worked properly Adopt a ‘build it and they will come’ and isolate them from geopolitical approach. tensions. Create a system-wide institution for G20+20 Cyber Stability Board. incident response. Enhance crisis management to deal with Cyber WHO (World Health Organization). a potential systemic cyber crisis. Seek greater public-private cooperation. Incentivize alignment of public/private interests on cyber security. Reinforce protection of critical information Cyber stress tests. infrastructures.

Global cyber governance | Preparing for new business risks 5 Section 1 Emerging technologies will fundamentally change the nature of cyber risks

6 Global cyber governance | Preparing for new business risks Fast fact Fast fact Fast fact1.1 Cyberspace – in human history, affecting even the poorest 5 Asia leads internet The online population Smartphonepresent andsales future soar and remoter areas of the planet. According to usage the Worldwide Quarterly Mobile Phone Tracker, Around half of the world’s population AccordingInformation to the Wor ldwideand communications Quarterly technologies in the second quarter of 2014, sales of will be online by 2017. Mobile PhoneT(ICTs) haveracker become, sales of a central part of everyday smartphones surpassed the 300-million unit 6 Today more than 50% of the world’s smartphoneslife. Cyberspace exceeded 300 has million become units the backbone of shipments mark for the fi rst time and the internet users are in Asia. Population in shipmentsoperations for the firstand time communications in Q2 2014. for both International Telecommunication Union (ITU) businesses and governments. These technologies forecasts that the number of networked devices are a key factor fueling social and economic will reach 25 billion by 2020. 1/2 development, innovation and growth. Yet we While these new technologies have the potential +50% are only at the beginning of a fundamental to generate massive social and economic transformation. Over the coming years, new benefi ts, they do not come without risks. As the technologiesSmartphones such as big data, unmanned aerial world becomes increasingly connected to, and Q2 vehicles,300m additive shipment manufacturing,s new home dependent upon, cyberspace, the increasing 2017 appliances or autonomous vehicles are likely vulnerability of cyber systems has set alarm bells to shake up established business practices, ringing. For example, as cyber activity grows 2014regulatory paradigms and even social norms. enormously, access and use of data for malicious purposes remains relatively easy. Despite the Fast fact Fast fact Fast fact The Internet of Things (IoT) – or what is Asia leads internet The online population Smartphone sales soar considered by many as the next evolutionary lack of reliable fi gures, there is a consensus in stage, the Internet of Everything (IoE) – will the cyber security community that attacks have usage increase networks’ complexity. Any aspect increased in number, sophistication, scope and According to the Worldwide Quarterly 7 Around half of the world’s population of human life may become online-dependent impact. In the U.S. alone, the annual costs of will be online by 2017. Mobile PhoneTracker, sales of 8 Today more than 50% of the world’s and billions of physical objects with ICT cyber crime are estimated at USD 100 billion. smartphones exceeded 300 million units In this context, cyber risks have attracted internet users are in Asia. Population in shipments for the first time in Q2 2014. systems will be interconnected. Cisco Systems believes that over a 10-year period to 2022, signifi cant attention and are a leading security USD 14.4 trillion in value is at stake in issue on the global agenda. Individuals, governments, and the private sector are 1/2 connecting up what is now unconnected through the Internet of Everything.4 beginning to recognize the scale of the +50% challenge. James Clapper, the U.S. Director of Around half of the world’s population will be National Intelligence, stated in 2013 that cyber Smartphones online in 2017, a fi gure already reached for threats posed the most signifi cant transnational Q2 300m shipments mobile phone users. Mobile broadband is threat to the United States.9 2017 considered the fastest-growing technology

2014

4 John Chambers, ‘Possibilities of The Internet of Everything Economy,’ Cisco Blog, The Platform. 18 February 2013. Available at: http://blogs.cisco.com/news/ the-possibilities-of-the-internet-of-everything-economy. 5 Broadband Commission (2014) ‘The State of Broadband 2014: Broadband for all.’ ITU and UNESCO. Available at: http://www.broadbandcommission.org/Documents/ reports/bb-annualreport2014.pdf 6 The International Data Corporation (IDC) Worldwide Quarterly Mobile Phone Tracker. 7 The Europol European Cybercrime Centre – EC3 (2014) ‘The Internet Organised Crime Threat Assessment (iOCTA)’. Available at: https://www.europol.europa.eu/ sites/default/fi les/publications/europol_iocta_web.pdf 8 The Wall Street Journal, ‘Annual U.S. Cybercrime Costs Estimated at $100 Billion,’ 22 July 2013. 9 U.S. Department of Defense (2013) ‘Clapper Places Cyber at Top of Transnational Threat List.’ Available at: http://www.defense.gov/news/newsarticle.aspx?id=119500

Global cyber governance | Preparing for new business risks 7 1.2 An environment 1.3 The changing nature of favoring attackers cyber risk Cyber attacks take place in an environment The rapid expansion of cyberspace is having a Focus is increasingly shifting which favors attackers. For example, because major impact on the nature of cyber risk – cyber from defense to resilience.” most cyber infrastructure was designed for threats are becoming increasingly interconnected openness and interoperability rather than with other global risks. security, offensive actions have an advantage over defensive actions. There are also lower Much of this interconnectivity is already apparent. barriers to criminal entry in cyberspace than in Companies in almost all industries are exposed the physical world and a weak government to cyber threats with the potential for monopoly on the use of force. This allows enormous damage in terms of reputation, attackers with limited resources to carry out physical losses, liabilities, and regulatory costs. disruptive actions with considerable, and often At the same time, the distinctions between unpredictable, outcomes. Such attacks may be criminal and state-sponsored cyber-attacks on diffi cult to attribute, with anonymity reinforced the one hand, and state or civilian targets on by darknets.10 Moreover, it is diffi cult to assess the other, have become blurred. There have the damage suffered by the target. already been well-publicized attacks on private fi rms that have been attributed to North Korea, The introduction of new technologies often among others. Elsewhere, confl ict in the Ukraine lacks necessary security elements. These include is fuelling fears that western governments and correct design, confi guration, maintenance and private companies, including fi nancial institutions, management. New developments such as big will become targets of Russian cyber attacks. data, wearable devices, augmented reality and artifi cial intelligence will increase the potential size, types and frequency of attacks.11 Box 2: Disruptive cyber events In addition, the BYOD12 trend – whereby all A disruptive cyber event affects networks, devices tend to converge – will continue to systems, assets, and infrastructures of reduce the separation between professional technology-dependent organizations and and recreational systems. This is worrying individuals. These events include, among considering that mobile cyber crime is an others, malware, attacks on critical extremely widespread phenomenon.13 Cyber information infrastructures, and crime has revealed itself to be very lucrative, networked information systems, website with recent estimates suggesting that the cyber defacement, espionage and extortion. black market can be more profi table than the It also includes unintentional mistakes, illegal drug trade.14 Thus, in recent years cyber privacy policy violation, theft of intellectual crime has grown faster than hacktivism. While property, online fraud, and denial of it is diffi cult to quantify the cost of global cyber service attacks. crime and cyber espionage to the global economy, a publication by McAfee and the 10 A virtual private network within the deep web where Center for Strategic and International Studies Massive cyber breaches at Sony, JPMorgan, users only connect with trusted peers through estimated the total cost of cyber crime at Target, Home Depot, Albertsons, Dairy Queen technologies such as Tor, the Invisible Internet Project (I2P) between USD 300 billion and USD 1 trillion, and Freenet. and other corporations in recent years or 0.4 percent to 1.4 of global GDP.15 11 The Europol European Cybercrime Centre – EC3 (2014) underscore the relevance of cyber security ‘The Internet Organised Crime Threat Assessment awareness for companies in the private sector. (iOCTA)’. Available at: https://www.europol.europa.eu/ According to a report by the Ponemon Institute, sites/default/fi les/publications/europol_iocta_web.pdf Box 1: Global cyber governance 43 percent of U.S. enterprises suffered a data 12 Bring your own device. 16 The network of formal and informal breach in 2013. A 2010 study by Norton 13 Kaspersky Lab and Interpol (2014) ’Mobile Cyber institutions, mechanisms and processes found that 65 percent of internet users globally Threats’. Available at: http://25zbkz3k00wn2tp5092 have been a victim of some type of cyber crime. n6di7b5k.wpengine.netdna-cdn.com/fi les/2014/10/ that guide or restrict activities in report_mobile_cyberthreats_web.pdf cyberspace on a global or regional scale, While the cost of cyber incidents to businesses 14 Lillian Ablon, Martin C. Libicki, Andrea A. Golay (2014) thereby organising and articulating is diffi cult to quantify, a number of studies show ‘Markets for Cybercrime Tools and Stolen Data,’ RAND collective interests in cyberspace. 17 Corp. National Security Research Division and Juniper that it is rising. Networks. Available at: http://www.rand.org/content/ This includes concrete cooperative dam/rand/pubs/research_reports/RR600/RR610/RAND_ problem-solving solutions negotiated by RR610.pdf international bodies, governments, and 15 James Lewis, Stewart Baker. ‘The Economic Impact of non-state actors aiming to improve the Cybercrime and Cyber Espionage.’ McAfee, and The management of cyber risks. Center for Strategic and International Studies (CSIS). July 2013. http://www.mcafee.com/us/resources/reports/ rp-economic-impact-cybercrime.pdf 16 Ponemon Institute LLC (2014) ‘The Challenges of Cloud Information Governance: A Global Data Security Study’. 17 Ponemon Institute LLC, sponsored by IBM (2014); 2014 Cost of Data Breach Study.

8 Global cyber governance | Preparing for new business risks Increasing interconnectedness raises the potential Another crucial area of concern is the for systemic and cascading cyber crisis, with real relationship between the fi nancial sector and consequences for the economy.18 For example, the cyber realm. The world’s fi nancial markets the management of critical infrastructures such are interconnected. This makes the impact of a as electricity grids, power plants, dams, water cyber attack potentially catastrophic. The fi rst distribution systems, railway systems, oil priority of cyber war games announced in refi neries, pipelines, and chemical factories has January between the U.S. and UK was to test signifi cantly improved due to the development resilience of both nations’ public and private of industrial control systems (ICS). These fi nancial institutions.22 command and control information systems are used to control, monitor, and support industrial As a result of growing interconnectedness, processes and operations such as manufacturing, the potential for broad physical and economic product handling, production, and distribution.19 consequences of cyber attacks is increasing. The most important subgroup of ICS comprises In order to assess these risks, different categories supervisory control and data acquisition of cyber threats should be analyzed both in (SCADA).20 SCADA platforms are progressively terms of their underlying motivations as well as more open, based on standard technologies, potential impacts, as shown in Figure 1. While and interconnected. This has reduced costs and traditional cyber crime is mainly driven by profi t improved the overall quality of these systems. motives of criminal organizations, growing However, it has also increased their vulnerability geopolitical tensions may lead to a rise in to cyber attacks and made them easier ideologically-motivated attacks. Table 2 provides to compromise, as the Stuxnet worm21 in more details on the main threat categories. 2010 demonstrated.

Figure 1: Cyber risk landscape by motivation and impact

Profit Cyber crime

Cyber espionage Emerging technologies failure Motivation Critical information Hacktivism infrastructure disruption

18 Zurich Insurance Group/Atlantic Council. Idealogy See footnote 1. Non-physical Impact Physical 19 NIST (2009) Special Publication 800-53, App. B, Glossary. 20 ENISA (2011) ‘Protecting Industrial Control Systems. Source: ESADEgeo. Recommendations for Europe and Member States.’ Available at https://www.enisa.europa.eu/activities/ Resilience-and-CIIP/critical-infrastructure-and-services/ 23, 24, 25 scada-industrial-control-systems/ The increasing connectivity and complexity on detection, response, and recovery. protecting-industrial-control-systems.-recommendations- of cyber risk has led to a change of emphasis Priorities have shifted: it is no longer about for-europe-and-member-states concerning mitigation – from a focus on avoiding all attacks, but about ensuring that 21 A computer worm designed to target Siemens defense to greater concern for system systems can continue to operate, even after SCADA systems that attacked the Iranian nuclear resilience. This includes strategies focused an attack, and can quickly recover. facility at Natanz. 22 http://www.bbc.com/news/uk-politics-30842669 23 Clemente, D. (2013) ‘Cyber Security and Global Interdependence: What Is Critical?’ Chatham House. Executive summary available at: http://www. chathamhouse. org/sites/fi les/chathamhouse/fi eld/fi eld_document/ Executive%20Summary%20Cyber%20Security%20 and%20Global%20Interdependence_0.pdf 24 Zurich Insurance Group/Atlantic Council. See footnote 1. 25 Georgia Institute of Technology (2014) ‘Emerging Cyber Threats Report 2014.’ Available at: http://www.gtsecuritysummit.com/2014Report.pdf

Global cyber governance | Preparing for new business risks 9 Table 2: Cyber risk landscape

Description Examples Main damage International organizations (IOs)

Hacktivism Use of networked DDoS attacks, website and Data compromise or INTERPOL, EC3, platforms to pursue an server disruption, DNS exposure, operational CEC (BC), ISF ideological goal or obtain hijacking, cybersquatting. shut down or slow notoriety. No (or limited) down, damage to physical effect. organizational assets.

Cyber espionage Unauthorized network Spyware, data theft, Intellectual property INTERPOL, EC3, CEC (BC) penetration to access extortion, advanced infringement, theft or information. Risks related persistent threat (APT). breach of confi dential to IPR. Financial or information, loss or ideological motivation. corruption of data. Generally non-physical effects.

Cyber crime Unauthorized network Phishing, malware, Supply chain compromise, INTERPOL, EC3, FIRST, penetration to disrupt and APTs, viruses, worms, reputation damage, CEC (BC), ISF, NRO damage systems, as well Trojans, spam, spoofi ng, business interruption, as stealing data, for ransomware, scareware, online child sexual fi nancial gain. Mild stolen devices, web-based exploitation, identity physical effects. attacks, adware, botnets, theft, extortion, skimming, fast fl ux, money laundering. spoofed apps.

Emerging Risks related to Internet of things, Integrity, availability, ICANN, IETF, ISOC, IEEE, technologies the introduction of embedded medical performance and security ENISA, W3C, IEC, ISO failure new technologies. devices, driverless cars, of connected devices. Generally signifi cant cloud systems. physical effects.

Critical information Risks from disruptions to Submarine cables, Destruction, damage, ENISA, ITU, UN-GGE infrastructures infrastructure. Attacks to smart grid, electricity, or disruption of critical disruption SCADA systems. Strong fi nancial systems. information infrastructures. physical effects.

Cyber warfare Risks related to the use of International confl icts. Destruction, damage, or networks by nation states disruption of defense or related groups to networked systems. destroy or damage ICT systems. Targeting a nation’s private sector may be a focus.

10 Global cyber governance | Preparing for new business risks 1.4 The impact of global cyber infrastructures and, as argued by Zurich Insurance Group and the Atlantic Council, even governance on business systemic cyber crises.26 Uncertainty around global An effective governance framework is a necessary cyber governance thus risks curtailing innovation 27 Besides maintaining internal pre-condition for society to reap the massive and economic growth on a global scale. security, businesses need to benefi ts of new technologies. Businesses will Businesses have a clear interest in ensuring a work with the public sector.” rely on effective global governance of the safe, open and reliable internet. As well as internet to support their investments in the mitigating the risks at a global level, an effective digital economy and related new business cyber governance framework will also enhance models to benefi t their consumers. the ability of the insurance industry to provide However, the existing global cyber governance cost-effi cient insurance propositions to its framework is ill-prepared for the associated customers to cover residual risks. threats. If left unchecked, cyber risks will have In addition to maintaining the security of their profound consequences for businesses that networks and infrastructures, businesses should increasingly rely on cyberspace. Such impacts therefore actively work together with the public will stretch well beyond data breaches and sector to address the broader issues to promote include theft of intellectual property, threats a safe, open and reliable internet. to global supply chains, failure of critical

Box 3: New challenges for the fi nancial sector A crucial area of concern in the coming years will be the relationship between the fi nancial sector and the cyber realm. Financial markets are globally interconnected, which makes the impact of cybercrime potentially catastrophic. According to John E. Savage, a fellow of the IEEE, the undersea cable system captures more than 95 percent of the global internet traffi c including around USD 10 billion in fi nancial transactions per day.28 The cyber resilience of the fi nancial system is a fundamental goal for preventing economic loss, reputational damage, or a massive loss of confi dence. Several experts point out that underestimating cyber threats in the fi nancial sector could lead to a ‘black swan’ event. A triggering cyber event could lead to knock-on shocks, similar to the ‘Lehman moment’ in 2008, due to the systemic character of the fi nancial sector. According to Verizon, in 2013 the fi nancial sector suffered the third-largest number of security incidents – behind only the public sector and the technology industry. Moreover, the proposed alternative to SWIFT, led by Russia and China, also raises questions about the future of online fi nancial transactions. A recent breach discovered by JPMorgan Chase affecting 83 million bank accounts is a clear example that the risk of cyber-attack in the fi nancial sector cannot be underestimated.29 Recurring failures in high-speed trading systems, over-the-counter (OTC) transactions, or errors in the purchase of shares in stock markets (fat fi ngers) are a source of concern, potentially threatening the stability of the electronically-controlled fi nancial system, such as in the May 2010 fl ash crash. In addition, a cloud service provider failure could trigger unexpected impacts. Financial transactions and e-commerce represent the e-version of trade globalization. This is evident in today’s interdependent global economy. It is becoming more common for third parties such as service providers or subcontractors to access company data. In future scenarios of global supply chains, the vulnerability of data will facilitate the exploitation of third parties’ security fl aws and involve the entire chain. Most subcontractors do not report or cooperate in the event of discovering a breach, and therefore the integrity of data supply chains is a growing concern for cyber security. It is therefore necessary to develop global governance in which the vast majority of relevant actors share interests.

26 Zurich Insurance Group/Atlantic Council. See footnote 1. 27 World Economic Forum (2015): ‘Partnering for Cyber Resilience: Towards the Quantifi cation of Cyber Threats’. In collaboration with Deloitte, 2015, p.9. 28 ‘Experts: Cyber-war threatens U.S. security’. Providence Journal, 18 June 2013. http://www.providencejournal. com/breaking-news/ content/20130618-experts-cyber-war-threatens-u.s.- security.ece?template=printart 29 ‘JPMorgan hack exposed data of 83 million, among biggest breaches in history’. Reuters, 2 October 2014. http://www.reuters.com/article/2014/10/03/ us-jpmorgan-cybersecurity-idUSKCN0HR23T20141003

Global cyber governance | Preparing for new business risks 11 Section 2 An inadequate global cyber governance framework

12 Global cyber governance | Preparing for new business risks The increasing interconnectivity and aggregation of risks in a complex system such as cyberspace renders borders of There is still no overarching organizations and states irrelevant. Attacks that originate in global framework for one location may affect multiple jurisdictions. A holistic and cyber security.” global approach to cyber risk is thus vital. Despite some recent progress at the international and regional levels on norms and confi dence-building measures30 (CBMs), a comprehensive and functional regime of global cyber security governance is clearly lacking.

In recent years, several international, In order to assess the effectiveness of the regional, technical, and informal bodies have existing cyber governance framework, we addressed the cyber-security issue. These undertook a detailed mapping of the rules, include the United Nations, Council of institutions, and procedures that govern the Europe (CoE), the Organisation for Economic relationships among the different agents Co-operation and Development (OECD), operating in this sphere. This chapter INTERPOL, the Group of 20 (G-20), Group of summarizes the main conclusions from Eight (G-8), and the Organization for Security this work. and Co-operation in Europe (OSCE). An academic report containing this research in detail will be publicly available in the near future.

2.1 Three layers of In this category, the actors tend to understand cyber security as a shared responsibility, one in cyber governance which each network is responsible for its own The current global governance of security and contributes to the overall security cyber risks can be viewed as comprising of the system. This encourages a sense of three layers. collective stewardship and puts the emphasis on confi dence-building and international First, there is the layer of more technical aspects cooperation to address cyber risks. This that help network systems to function properly, approach has been reinforced by the increasing by ensuring that all the infrastructure and devices interconnectivity and hyperconnectivity of constituting the internet can talk to each other. cyberspace, which creates new vulnerabilities On this level, global governance is largely and opportunities for disruptive attacks. effective – following a multi-stakeholder model based on a loose, bottom-up consensus. These Our research suggests that the technical actors are mainly interested in maintaining layer is where the bulk of the fi nancial cyberspace as an open, cohesive place to secure resources are allocated: Technical mechanisms, connectivity, manage infrastructure in the right e.g., for standard setting and number way and enforce cyber security. management, seem to have larger budgets than other mechanisms.

30 ICT for Peace, ‘Baseline Review of ICT-Related Processes and Events: Implications for International and Regional Security’, 2014. p.44

Global cyber governance | Preparing for new business risks 13 Table 3: Cyber governance subsets Cyber governance subset Main relation Technical governance Private to private (and IOs) Gray zone Private to private (and IOs) Private to government (and IOs) Government to government (and IOs) Cyber warfare Government to government

Cyber warfare represents the other end of intersect. Issues addressed in this space include the spectrum, and includes issues relating to intellectual property rights, cyber attacks by state-sponsored cyber attack, espionage non-state actors on individuals, criminal activity between states, and cyber attacks on critical and data protection. This subset of governance infrastructure for political purposes. Here, encompasses all international instruments that a global governance framework is absent, deal with cyber risks from a non-technical and achieving mutual understanding is progressively non-military perspective. The international more diffi cult, and the role that international institutions within this group are thus organizations play is far from effective. The unsurprisingly very diverse in nature and bilateral method prevails between governments, purpose. Neither the bilateral approach, and no change is expected in the medium term nor a multi-stakeholder model, dominates. due to the sensitive political nature of homeland International institutions responsible for security, content control, or privacy protection mitigating the risks of this subset of cyber involving individual governments. The dual role governance range from state-centric multilateral of governments, both in terms of national formal institutions, regulatory mechanisms, and defense and as perpetrators, has eroded trust non-formal forums, to private organizations that and renders the agreement on common infl uence best practices on cyber security. In the norms diffi cult. gray zone, international institutions that are not exclusively dedicated to cyberspace-related issues There is no transparency about the level have considerable infl uence. of resources that fl ow into these efforts, as the entities involved do not publicly report It is in this gray zone, with its complex set of their budgets. governance models and organizational cultures, that the international community can most Between these two extremes is a ‘gray zone’ signifi cantly improve cyber governance with the – a more diffuse realm where the interests of aim of mitigating cyberthreats (see Figure 2). industry, governments, and individual citizens

Figure 2: Global cyber governance institutions

Internet number Internet technical Technological management Standards coordination standards NRO, RIRs Incident response Infrastructure ISO IANA, ICANN, IAB, IEEE, IETF, (AfriNIC, APNIC, FIRST GUCCI ISOC W3C ARIN, LACNIC, RIPE, NCO) Technical governance

UN framework Multi-stakeholder IPR conferences ECOSOC, UNODC, WIPO Law enforcement LAP, LPC, UNGGE, WGIG, INTERPOL, EC3, NETmundial Financial Best practices WSIS EUROPOL, CoE’s IGF institutions Other stakeholders ENISA OECD Budapest BIS, IOSCO, Convention Telecom & IMF, SWIFT, International WB, WFE trade capacity building Private sector WTO, ITU, IMPACT Wassenaar CBMs

Gray zone Governments Regional OSCE Government organizations groupings G-20, G-8 APEC, ARF, ASEAN, AU COMESA, CIS Regional security organizations ECOWAS, EU, OAS, SADC ARF, EDA, NATO, SCO

Cyber warfare

Source: ESADEgeo.

14 Global cyber governance | Preparing for new business risks 2.2 Key characteristics standards to mitigate cyber risk. In this category, the UN framework plays a key role, with of global and regional forums and bodies such as the UN Group of governance capabilities Governmental Experts (GGE), the World Summit Ideological and geopolitical on the Information Society (WSIS), or the Internet According to our research, the following Governance Forum (IGF). friction has led to incomplete points comprise the key characteristics memberships in many of the current global cyber governance Our research found that while some institutions governance institutions.” framework: are working well, the ideological and geopolitical friction between states has led to incomplete 2.2.1 Ideological differences preclude memberships and limited effectiveness in strong and effective institutions many global cyber governance institutions. Given cultural, ideological and political UN-dependent forums, for example, tend to differences across regions and countries, there lean toward state sovereignty and the principle exists no unanimously-accepted set of values of non-interference in internal affairs. This makes to clearly guide global cyber governance. The it much more diffi cult to reach agreements or revelations of large-scale surveillance programs even a basic consensus. It is especially have exacerbated the problem, leading to an noteworthy that the three main poles on cyber erosion of trust and making it even more diffi cult security issues (the U.S., China, and Russia) for countries to agree on a common set of norms. rarely coincide in terms of their membership in non-UN-sponsored initiatives. The governments One group would prefer a ‘world government’ of these three countries only agree to of cyberspace and an intergovernmental membership of organizations that are not modus operandi. specifi cally focused on cyber security – such as China, Russia and most Arab states are regional security mechanisms and G-groupings: proponents of this model, supporting greater OSCE (the U.S. and Russia); the Shanghai governmental control over cyberspace. Cooperation Organisation (SCO) (China and Russia); G-8 (the U.S. and Russia); and G-20 In the opposite camp, the U.S., EU and Japan, (the U.S., China and Russia). The lack of bodies and some other highly-developed industrial in which the governments of the cyber powers nations defend the current multi-stakeholder are simultaneously present becomes clearer if system where non-governmental institutions we widen the focus to include the EU, Iran, and play a fundamental role. Among the non-aligned Israel. Nor is there any convergence in the are the ‘swing states’ led by the IBSA Dialogue matter of legal instruments. After analyzing the Forum (India, Brazil, South Africa).31 memberships of the international legal instruments that govern the cyber domain, The growing importance of cyberspace and we have concluded that no legal convention its related threats has led to a proliferation or agreement has been signed by all three of international initiatives to discuss policy, major states (see Figure 3). non-binding principles, best practices, and

Figure 3: International and regional legal instruments relating to cyberspace

CIS Agreement

Draft AU Convention

CoE Cybercrime Convention

League of Arab States Convention

SCO Agreement

Source: UNODC Comprehensive Study on Cybercrime, 2013.

31 Maurer, T. & Morgus, R. (2014) ‘Tipping the scale: an analysis of global swing states in the internet governance debate,’ Internet Governance Papers, CIGI.

Global cyber governance | Preparing for new business risks 15 Box 4: Forums Stand-alone forums tend to be sustainability, robustness, security, stability process-oriented initiatives. They aspire to and development of the Internet.” For its represent all actors affected by the cyber part, the World Conference on International sphere, especially civil society and the broad Telecommunications (WCIT), a UN treaty public. These multi-stakeholder forums conference held in Dubai in 2012, discussed emphasize a bottom-up approach, International Telecommunication Regulations consensus-building, and discussions among (ITRs), network security, and the future of the all parties on equal footing. The boards of cyber governance. forums do not make decisions, hence have no decision-making mechanisms. There are other signifi cant forums: the London Process on Cyberspace (LPC) The Internet Governance Forum (IGF), is an established in 2011 by the British Foreign example of such a grouping. It is an open & Commonwealth Offi ce; NETmundial (the forum without permanent members, which global multi-stakeholder meeting on the has a small supporting secretariat in Geneva future of internet governance) that kicked in and no negotiated outcomes. The Forum’s on April 2014 in São Paulo under the lead of mandate is to “discuss public policy issues the Brazilian Internet Steering Committee related to key elements of Internet and 1net, a multi-stakeholder forum on governance in order to foster the internet governance.32

Box 5: Formal international institutions The ITU, one of the oldest intergovernmental assessments on Computer Incident Response organizations (IGOs), is a good example of Teams (CIRTs) in more than 50 countries to a formal international institution within the serve as a national focal point for improving global cyber governance framework. It was the coordination of incident response to founded in Paris in 1865 as the International cyber attacks. Telegraph Union. Traditionally its responsibilities have included allocating radio Our analysis shows an increasing interest in spectrum, regulating international the multilateral governance of cyber security telecommunications and managing satellite among formal international institutions. orbits. With the expansion of information The scope of cyber issues managed by these and communications technologies (ICTs), the organizations extends beyond technical ITU today plays a central role in developing aspects to sensitive and divisive issues such standards and security frameworks, as espionage, privacy, content control, and organizing diverse forums, facilitating access human rights. This makes it harder to reach to resources for states, implementing agreements within institutions with a multiple projects and initiatives, and assisting broader mandate that include cyber UN agencies. The ITU launched its Global governance programs, than in the more Cybersecurity Agenda (GCA)33 in 2007. specialized institutions. Under this framework, the ITU established In the medium-term, less formal institutions, the High-Level Expert Group (HLEG) on cyber such as the G-20 and regional organisations security, launched the Child Online Protection such as the OSCE, the Asia-Pacifi c Economic (COP) initiative and supported cyber security Cooperation (APEC), the Association of capacity-building in least-developed Southeast Asian Nations (ASEAN), and the countries (LDCs). The ITU International Organization of American States (OAS), will Multilateral Partnership Against Cyber be called upon to play a greater role in the Threats (ITU-IMPACT) carried out governance of cyber security.

32 For an overview of private sector initiatives, see Box 7. 33 ITU (2007) Global Cybersecurity Agenda. Available at: http://www.itu.int/en/action/cybersecurity/Documents/ gca-chairman-report.pdf

16 Global cyber governance | Preparing for new business risks Box 6: International agreements The Council of Europe (COE) Budapest Its main objectives are to harmonize No legal convention has been Convention on Cybercrime34 adopted on domestic law and facilitate international November 8, 2001, is the most notable cooperation. On March 1, 2006, the signed by all three major states.” initiative and the fi rst treaty addressing cyber Additional Protocol to the Convention on crime in the international arena. As of Cybercrime came into force. Although the February 2015 it had been signed by 53 Budapest Convention provides regular states, including six non-COE countries.35 consultations (at least once a year) in the A far greater number of countries are basing Cybercrime Convention Committee their own national cyber crime legislation (‘T-CY’), most analysts believe the Budapest on the Budapest Convention, which focuses Convention needs to be updated to make it on international criminal cooperation in the more responsive to new threats and challenges. fi eld of computer and network security.

34 Council of Europe (2001) Convention on Cybercrime. Available at: http://conventions.coe.int/Treaty/en/Treaties/ Html/185.htm 35 The non-Council of Europe states that have ratifi ed the treaty are Australia, Dominican Republic, Japan, Mauritius, Panama and the US (March 2014).

Global cyber governance | Preparing for new business risks 17 2.2.2 The current governance The number of internet users in least-developed framework does not adequately countries (LDCs) surpassed that of industrialized 36 refl ect the global nature of countries in 2005. Today more than 50 percent of internet users worldwide are in Asia. This cyberspace reality, coupled with the projections of an Cyberspace is a truly global phenomenon. explosive growth in internet users in emerging However, our research fi nds that the overall economies, means non-western countries governance framework is primarily focused on will need to increase their participation in Europe and North America. Only two global governance of cyberspace to construct an mechanisms are based outside these two effective global framework. regions – IMPACT and the INTERPOL Global Complex for Innovation (INTERPOL GCI) – both Of special interest are the memberships of based in Southeast Asia. Interestingly, both international institutions analyzed in this of these mechanisms are security-related. chapter (see Figure 4). We looked at how cyber In addition, the ASEAN Regional Forum has governance organizations are connected to been active in the fi eld of confi dence-building member states. In this way, we could identify measures (CBMs) in cyberspace. the core institutional mechanisms of the cyber security governance system, and the central The wealthiest governance mechanisms seem to states within this universe. Based on membership be located in the west, most notably in the U.S. of the organizations we analyzed, there seems Some European cities with a diplomatic tradition, to be a core group led by the UN framework. such as Geneva and The Hague, also account for a substantial portion of the total. Latin America The countries that are members of a larger and Africa usually host only regional institutional number of institutions are clearly western or, to mechanisms with technical and coordination a lesser extent, countries such as Japan, South roles, which operate on small budgets. Korea and Mexico. The rest of the Asian and Latin American countries, in their approach to Technical governance, while more effective than cyber security, fall somewhere between the other layers, is far from universal, particularly in group just cited, and another group that includes the area of incident response. The Forum for post-Soviet states, African countries and Arab Incident Response and Security Teams (FIRST), nations, which are located on the periphery. an international confederation of 305 computer emergency response teams (CERTs), is essential in this fi eld. Yet it operates in just 66 countries.

Figure 4: Member states of bodies analyzed State membership/member numbers

250

200

150

100

50

0 G8 ITU IEC CCI EC3 G2 0 OAS ISO C WSIS FIRST WCIT OSCE ENISA ICANN UNODC IMPACT CEC (BC) OECD-ICCP INTERPOL GCI

Source: ESADEgeo.

36 UNODC, The Globalization of Crime, 2010.

18 Global cyber governance | Preparing for new business risks Section 3 Toward a new governance framework: challenges and opportunities

Global cyber governance | Preparing for new business risks 19 3.1 The current cyber disorder Common tools to manage cyber threats that are already often lacking could get scarcer in As cyber security has gained prominence on coming years, making the situation worse. the agenda, some governments are becoming Concerns over surveillance programs have Both the private sector more involved in shaping policy. With cyber soured cyber-security relations between the and policymakers can take security issues traditionally the domain of U.S., Russia and China. Meanwhile,the EU and technicians, businesses, and the military, this Brazil have announced their intention to deploy specifi c measures to improve government involvement is having a signifi cant a USD 185 million undersea fi ber-optic cable cyber governance.” impact on various international initiatives. between Lisbon and Fortaleza to circumvent A number of governments are creating and third-party surveillance. strengthening cyber security teams within departments overseeing foreign affairs. Such a political approach may lead to ‘data Diplomats are being called on to play a major nationalism.’ This would result in fragmentation role in these discussions. and fi ltering of internet traffi c at borders, confi rming the fear of a cyberspace The downside of this approach, as discussed in ‘Balkanization.’ Information protectionism the previous chapter, is that this is likely to lead of this kind would imply a scenario in which to cyber security becoming more politicized. In governments protect interests, close their a multi-polar world where the major powers do own national systems, and create a restricted not always share common values, political cyberspace that slows technological development tensions may derail collective efforts to create and, in the end, undermines overall cyber a secure cyberspace. security. Turkey and Iran have already passed laws to restrict internet traffi c and A fundamental problem lies in the dual role of telecommunications; other governments such government, both as defenders against foreign as Hungary intend to follow this path. Some intrusions as well as perpetrators. An increasing internet service providers (ISPs), led by the number of countries are building cyber offense European Telecommunications Network capability, resulting in a new form of arms race. Operators’ Association (ETNO) and some African Often, the need for offensive cyber capabilities nations, have proposed a ‘sending party pays’ is motivated by the importance of deterrence system at the WCIT-12 that, if approved, would and preemptive cyber defense. undermine the openness of the internet. Part of the problem is mistrust among key This state of disorder is particularly troublesome players in the global cyber governance debate. as the debate concerning the cyberspace global The prevalence of U.S. companies in cyber governance model heats up. Strong and technologies, for example, leads some to argue concrete actions by both the private sector and that the U.S. has ‘stewardship’ of cyberspace. policymakers are therefore needed to improve Such mistrust not only affects interstate the global cyber governance framework. relations but also hinders real mutual trust between companies and states: Several companies from emerging economies (many of which are state-owned enterprises) maintain strong ties with their governments. Companies from developed economies also work closely with their governments.

20 Global cyber governance | Preparing for new business risks Figure 5: Improving cyber governance: overview

The cyber risk Affected What can be done? landscape stakeholders

• Advocate guiding principles Technical Private • Targeted actions to manage risk governance sector • Enhance resilience to attack

• Claim a seat at the table Greatest potential • Promote inclusiveness, Gray for improvements Civil transparency, accountability zone in governance society • Deepen knowledge • Foster trust

• Strengthen global institutions Cyber Policy • Manage systemic risks • Enhance public-private warfare makers cooperation • Increase inclusiveness

Source: Zurich Insurance Group.

3.2 Actions for the private sector 3.2.2 Share information to mitigate cyber risk (see also Box 7) 3.2.1 Champion common values Increased information-sharing is key toward With geopolitical and ideological tension being able to better understand, quantify and precluding any consensus among governments, protect against cyber risks. we believe the private sector has a role to play when it comes to encouraging common The insurance industry, through the Chief values for cyberspace. The private sector Risk Offi cers’ Forum, is currently establishing should advocate the following three guiding infrastructure to better capture statistical principles for a global cyber governance cyber risk and loss data, and create common framework to ensure a secure, resilient and classifi cations of cyber risk. Along with open global cyberspace: common cyber reporting standards, these steps are the basis of a well-functioning • An effective cyber governance framework cyber insurance market. must be global. Businesses can also help by sharing their cyber • The global cyber governance framework attack experiences and loss information. must be inclusive and based on a multi- However, concern in the private sector that stakeholder approach. failures or breaches of information could • The global cyber governance framework become public and damage reputations poses must be suffi ciently fl exible to adapt to a major barrier to increased information sharing. ever-changing threats. Data anonymity is therefore crucial. As the While a comprehensive regime of cyber CRO Forum suggests, a cyber-risk database governance would allow businesses to better could be modelled on existing loss databases manage cyber risks, it is clear from the fi ndings (e.g., those that exist for operational risks). of Chapter 2 that such a framework is not The anonymity of such databases encourages within reach in the foreseeable future. events to be reported. In the absence of such a framework, businesses In the U.S., the Department of Homeland should take steps to protect themselves from Security has initiated a working group, together emerging cyber threats. with insurers, brokers, and company chief information security offi cers, to explore setting up a repository of information pertaining to breaches. The U.S. is considering limiting liability for those companies that share information.

Global cyber governance | Preparing for new business risks 21 3.2.3 Risk management Advanced measures The Internet of Everything will bring businesses Larger, more sophisticated organizations have huge opportunities. At the same time, the the capability to engage in more advanced associated risks are daunting. A comprehensive cyber risk management and should go well By sharing information the cyber governance regime would allow businesses beyond the 20 Critical Security Controls. private sector can better to better manage these risks. But based on Push out risk horizon: Advanced understand and protect the fi ndings of this report, achieving such a framework in the short-term is out of reach. organizations should expand their view of cyber against cyber risks.” risk management to include counterparties, Businesses should take steps to protect contract and outsourcing agreements, and themselves from emerging cyber threats. The upstream infrastructure. Each of these can be 2014 report ‘Beyond Data Breaches: global at least partially controlled by measures such as interconnections of cyber risk’ by the Atlantic in-depth site visits and audits. Some technical Council and Zurich Insurance Group37 included tools will also increase awareness outside a basic recommendations for measures that company’s own perimeters. smaller and larger businesses can take. It also provided recommendations to enhance general Cyber insurance: With cyber insurance, resilience against cyber attacks for companies companies can transfer cyber risks, especially of all sizes. third-party risks associated with data breaches or business interruptions. As more companies Basic measures become involved and more products become Regardless of the size of the organization, a available, this option is increasingly recommended relatively small number of actions can protect to all companies, not just ‘advanced’ ones. against most cyber risks. These actions are often Demand more resilient and secure quite simple and have not changed much over standards and products: Organizations with the past years; but one reason cyberspace particular heft can push key vendors and remains so pervasively insecure is that so many standards organizations to incorporate more organizations fail to implement them. Different security and resilience, which can have a groups of computer security experts have slightly signifi cant impact. different lists, but they generally overlap; the best known are the SANS 20 Critical Security Board-level risk management: Boards need Controls. The Council on Cybersecurity is to become smarter on cyber risks, include a pushing these 20 controls, especially the broad view of global aggregations of cyber risk ‘First Five Quick Wins’ as follows: in their risk registers, hold executives to account, and move away from a checklist/audit perspective. • Application whitelisting. • Use standard secure system confi gurations. • Patch application software within 48 hours. • Patch system software within 48 hours. • Reduce the number of users with administrative privileges.

37 Zurich Insurance Group/Atlantic Council. See footnote 1.

22 Global cyber governance | Preparing for new business risks 3.2.4 Resilience teams have a comprehensive understanding Unfortunately, one cannot hope that steps to of an organization’s various business lines, and protect against cyber risk will be completely its most business-critical and time-sensitive successful. These disruptions will be of such information and systems. frequency and intensity that most organizations Scenario planning and exercises: The best will have to face them in the same way that organizations examine the most likely and most they deal with natural disasters. Too much of dangerous cyber risks and exercise their security this type of risk will be external, complex, and and response teams, as well as their corporate interdependent. Companies’ main hope is executives and boards, to build muscle memory therefore resilience – the ability to bounce back for responding to incidents. Seize the opportunity from disruptions to make these interruptions as that each crisis provides to create ‘teachable short, and with as limited an impact, as possible. moments’ for responders and executives. Redundancy: A resilient organization needs Risk dialogue: Given the rapidly evolving redundant power and telecommunications and increasingly serious potential impacts of suppliers, alternate ISPs connected to different cyber risk, it is important that businesses and the peering points, and work-arounds with little insurance industry maintain a regular dialogue. reliance on IT to provide alternatives during Such dialogue would help to inform businesses internet disruptions. about the latest developments so that they can Incident response and business continuity create awareness throughout their organizations. planning: Having trained teams ready to A dialogue would also allow businesses and respond when the worst happens is an insurers to create innovative, bilateral steps to advantage that is often overlooked. The best mitigate against developing threats.

Box 7: Specifi c private-sector initiatives to close the cyber governance gap Given the relevance of cyber governance to classifying cyber risks not only will facilitate the business environment, the private sector information-sharing, risk identifi cation and has launched an increasing number of assessment, but also form the basis of a initiatives and activities to support efforts to properly-functioning cyber insurance market. close the governance gap. This box provides a selective, non-exhaustive overview of some Sharing information key initiatives. Private sector awareness of the importance of information-sharing has increased in Establish norms recent years. The Financial Services The World Economic Forum has launched Information Sharing and Analysis Center a multi-year strategic initiative to bring (FS-ISAC) is the global fi nancial industry’s together leaders from the public and private go-to resource for cyber and physical threat sectors with civil society leaders and the intelligence analysis and sharing. FS-ISAC technical community to address overarching is unique in that it was created by and for issues of global internet governance, which members, and operates as a member-owned augment expert discussions within the non-profi t entity. Internet Governance Forum. In many countries, the private sector is A number of companies, predominantly from working with the public sector to share the technology sector, have been promoting threat information. Examples include the norms for the cyber space. Microsoft, for Cyber Security Information Sharing example, has informally proposed a set Partnership in the UK, the European Union of norms to govern the internet. Global Agency for Network and Information companies beyond the technology sector Security (ENISA), or Switzerland’s Reporting should consider joining efforts to promote and Analysis Centre for Information norms as a foundation for an open, safe Assurance (MELANI). and resilient internet. The CRO Forum has noted a variety of Better statistics and data third-party initiatives that have gone live over The Chief Risk Offi cers’ Forum, whose the last 12 to 18 months, serving as loss members are executives in large, database services. For example, DataLossDB8 multinational insurance companies, has collects information on data losses as a third launched an initiative to create a foundation party, and is publicly accessible for free. It is to better capture statistical cyber risk and loss an Open Security Foundation project which data. Establishing common cyber reporting scans news feeds, blogs and other sources standards and practices for coding and for any data breaches.38

38 CRO Forum, The Cyber Risk Challenge and the Role of Insurance, 2014.

Global cyber governance | Preparing for new business risks 23 3.3 Actions for policymakers the defi ciencies of the Mutual Legal Assistance Treaty (MLAT) process, it is necessary to increase 3.3.1 Strengthening the degree of harmonization of legislation global institutions against cyber crime and create new legal tools Despite the growing perception that cyberspace to facilitate law-enforcement. is unsafe, it would be unwise to call for a Strengthening such institutions requires a clear complete redesign of the existing regime, as understanding of the role each international or the current system has demonstrated resilience, regional institution plays. It will be necessary to interconnectivity, and interoperability to a fairly redefi ne the mandate of the international satisfactory degree. Furthermore, an overly- institutions that have an impact in cyberspace ambitious approach does not seem politically to avoid overlapping functions, and to increase feasible in the current geopolitical environment. effi ciency. The international community should The value of imperfect compromises or allocate the global resources of international suboptimal solutions that will nonetheless allow organizations in the same way as the division us to move toward greater cyber security should of labor; clearly defi ning and distributing the not be underestimated. Instead of seeking strict functions of each. international regulation of cyberspace through At the same time, growing political instability treaties of doubtful implementation and could be exploited by authoritarian governments verifi cation, it will probably prove more effective aiming to reduce capabilities and scope of some to focus collective efforts on strengthening technical institutions that can provide stability ‘fi t for purpose’ global institutions, whose and resilience to cyberspace, thus undermining functions are clear and defi ned. G-groupings its multi-stakeholder approach. Isolating and INTERPOL, for example, could be crucial effective cyber governance from the current for crisis management and for coordinating geopolitical tensions must therefore be cross-border law enforcement activities. Due to a priority.

24 Global cyber governance | Preparing for new business risks According to the report ‘Beyond Data Breaches: be a good idea. Groups of states or enterprises Global Interconnections of Cyber Risk,’39 the can advance on a specifi c aspect of global lack of an effective global cyber body could be governance by forming a critical mass of players partially addressed through a G-20 (states) + – but always leaving the door open to entry Creating a ‘Cyber WHO’ 20 (Global Signifi cantly Important Internet by further nations. In some cases, entry will could help to address the risk Organizations; G-SIIOs) Cyber Stability be driven by economic logic: not joining will Board. Originally informally proposed by become more costly. This would circumvent of critical systemic failures.” Microsoft, a Cyber G20 + 20 would bring problems that prevent progress in the together corporate executives who run and governance of cyberspace, such as a lack of maintain the infrastructure, software and trust, insuffi cient awareness, divergent protocols of the internet with government interests, and institutional inertia. leaders. In addition, key governance institutions as ICANN and IETF should also be invited. 3.3.2 Managing systemic cyber risks Analogous to the Financial Stability Board in the The ability of the existing global governance fi nancial sector, it could take a leading role in regime to deal with crisis management is a fi eld crisis management to deal with cyber shocks with signifi cant scope for improvement. It would and coordinate supporting work to improve risk be desirable to have procedures and forums led mitigation and resilience. In this way, the G-20 by international institutions to deal with systemic would have cyber risk management capabilities failures affecting different countries. There should and the real capacity to deal with systemic be room for agreement in order to be prepared failures to prevent a cascade effect. for a feared ‘Cybergeddon’.40 We therefore propose to use methods in the cyber realm Informal coordination among central bank applied to limit the spread of pandemics – after governors is one example of a mechanism that all, infectious diseases and cyber threats not proved successful during the fi nancial crisis. only affect those countries where they have This type of coordination was facilitated through been discovered, and information-sharing is personal contacts and networks outside key to stopping dissemination.41, 42 traditional institutions. An informal practice among the various governors has developed Thus the creation of some form of a that has led them to habitually engage in ’Cyber WHO’ should be considered. The dialogue, and this has resulted in a better World Health Organization (WHO) established understanding of the impact that individual the Global Outbreak Alert and Response decisions may have on the whole system. It Network (GOARN) in 2000. GOARN operates as would be desirable to build similar informal a decentralized network of technical experts, networks to allow national cyber UN regional surveillance programs, and civil governance entities to interact, creating society stakeholders. The WHO also established trust, increasing coordination, and facilitating a six-level pandemic alert system based on the joint responses. To this end, certain steps could geographic spread of the disease and its human be implemented in an incremental way: for transmissibility. Driven by the crises provoked by example, coordination agreements between severe acute respiratory syndrome (SARS) and law-enforcement agencies (LEAs) and CERTs; avian fl u (H5N1), WHO member states adopted early-warning systems; joint cyber security the International Health Regulations (IHRs) for exercises; and adoption of CBMs and risk pandemic preparedness and response. This reduction measures. regulation requires governments to apply measures to increase the quality of incident The cyber governance landscape is reminiscent response in case of a health crisis, communicate of the European integration process: Some health emergencies of international concern to 39 Zurich Insurance Group/Atlantic Council. states want to move forward with a specifi c the WHO within 24 hours, and offer immediate See footnote 1. policy while others may oppose it. We therefore access to data. The new IHRs revisions are 40 Healey, J. (2011) ‘The Five Futures of Cyber Confl ict believe that the model ‘build it and they will legally binding – but do not include provisions and Cooperation,’ Atlantic Council. Available at: come,’ following the example of the European for enforcement. http://www.atlanticcouncil.org/publications/issue-briefs/ instrument of ‘enhanced cooperation,’ might the-fi ve-futures-of-cyber-confl ict-and-cooperation 41 Mulvenon, J.C. & Rattray, G.J. (2012) ‘Addressing Cyber Instability,’ Cyber Confl ict Studies Association Rattray, G.J., Evans, C. & Healey, J. (2010) ‘American Security in the Cyber Commons’ in Contested Commons: The Future of American Power in a Multipolar World, eds. Denmark, A.M. & Mulvenon, J., Center for a New American Security, 137-176. Available at: http://www.cnas.org/fi les/ documents/publications/CNAS%20Contested%20 Commons_1.pdf 42 Rattray, G.J., Evans, C. & Healey, J. (2010) ‘American Security in the Cyber Commons’ in Contested Commons: The Future of American Power in a Multipolar World, eds. Denmark, A.M. & Mulvenon, J., Center for a New American Security, 137-176. Available at: http://www. cnas.org/fi les/documents/publications/CNAS%20 Contested%20Commons_1.pdf

Global cyber governance | Preparing for new business risks 25 A Cyber WHO would implement a One way to ensure such preparedness would systemic-failure preparedness system, with a be for an international institution to act as a standardized outbreak alert similar to the certifying agent. Such an agent would give management of pandemics. Such an alert scores on cyber security levels. In this way, the would trigger specifi c actions by the local and institution could verify that it can function in national cyber authorities nominated to detect an orderly fashion, and its systems will maintain and coordinate the response to systemic failures. their integrity in the face of a cyber attack. The system would implement domestic rapid The institution could also issue cyber security response and information-sharing among recommendations. A desirable approach would interconnected parties, as well as the Cyber be to use global stress tests to verify the level WHO and other international cyber authorities. of cyber security, contingency planning, This will require harmonizing current national surveillance, alert systems, and resilience of warning systems and providing incentives to critical information infrastructures. encourage cooperation between governments, businesses and civil society. Stress test exercises are commonly used to check software and hardware and have also Critical information infrastructure been applied in other fi elds. The European protection (CIIP) is another area of systemic Central Bank (ECB), in cooperation with the cyber risk where there is signifi cant scope European Banking Authority (EBA), the for improvement. European Systemic Risk Board (ESRB), the European Commission, and national Without CIIP, societies cannot function. In many supervisors, conducted EU-wide stress tests cases, a disruption in one area of critical with banks in November 2014 to ensure the infrastructure could have a ripple effect that stability of the European fi nancial system. In goes beyond the borders of the particular 2011, following the Fukushima nuclear power country where the infrastructure is located. plant disaster, the European Commission Unfortunately, research in protecting these decided to subject all nuclear power plants in systems has been cut and vulnerabilities have 43, 44 the EU to stress tests to ensure that they meet increased since then. ENISA’s work in this the highest safety standards. Such governance fi eld is valuable, but global international experiences and best practices could be applied institutions’ involvement in CIIP to address to the CIIP fi eld too. such risks is still patchy and must be improved. Therefore, it is necessary to stress-test how well prepared critical information infrastructure is for an eventual cyber attack.

43 HP (2014) ‘Cyber Risk Report 2013’. Available at: http://images.info.arcsight.com/Web/ ArcSight/%7B8888e67d-94f4-4904-bb75- 35e4dd9f1068%7D_2013_Cyber_Risk(1).pdf 44 However, some CIIP sectors have attracted the attention of researchers. For example, recently Adam Crain, Chris Sistrunk and Adam Todorsky found more than 25 security vulnerabilities in the communications protocol of the US and Canada power plants and electricity grid.

26 Global cyber governance | Preparing for new business risks 3.3.3 Enhancing public-private Business should get fi nancial incentives to cooperation invest in cyber security. Businesses should get Use incentives to align public- and private- fi nancial incentives to invest in cyber security, sector interests. Such incentives should for example, third-party audited continuous encourage the expansion of partnerships and improvement processes. Industry-driven agreements – including between businesses, measures are more likely to create an effective technical experts, and military, legal, and cyber security culture than government- governmental state authorities. The most mandated efforts and static lists of security effective policies in the cyber domain are those measures. Instilling this culture is a crucial that are shared by both the private and public factor in responding collectively to incidents. spheres. Building cooperation schemes is a As well as providing incentives for public-private necessary part of working toward common cooperation in specialist forums and institutions, goals such as developing privacy and data the important role of more generalist ownership standards. The main areas in which multi-stakeholder dialogue forums, whose public and private sectors can achieve more strategic focus includes global governance and synergies are incident response, outreach, cyber risks, should be acknowledged. The information-sharing and policy coordination. World Economic Forum is one such example. As the private sector becomes increasingly aware Finally, it will be necessary for the public and of the necessity for cyber security investments, private sectors, as well as civil society, to work governments and other stakeholders should collaboratively to ensure that governance in make an extra effort to target those the gray zone is lean, avoids ‘gold plating’ public-private organizations that are most and has clearly defi ned objectives. This will effective, especially forums and informal be a challenge given the diverse interests and institutions. Increased transparency over stakeholders involved. organizational resources and budgets would help to improve this reallocation.

Global cyber governance | Preparing for new business risks 27 3.3.4 Increasing inclusiveness Lastly, alongside governments and the private Use private sector globalization as a sector, civil society (non-state and springboard toward more inclusive cyber not-for-profi t organizations) should have governance. The expansion of Asian a seat at the table when rethinking global Cooperation should be inclusive, companies involved in cyberspace is an cyber governance. Organizations such as and include less-developed opportunity to create greater understanding. ICT4Peace point out that civil society has an countries and civil society For example, the Chinese e-commerce company important role to play in promoting Alibaba’s IPO on the New York Stock Exchange inclusiveness, transparency and accountability; organizations.” was a reminder that its two main shareholders deepening knowledge; and fostering trust are Yahoo (U.S.) and Softbank (Japan). Similarly, between states. On the latter point, for example, Huawei has a Cyber Security Evaluation Centre ICT4Peace is launching a new capacity-building (HCSEC) in Banbury, England, which works with project with different regional organizations. the UK intelligence agency GCHQ. This project is aimed at leveling the playing fi eld, ensuring that all regions are substantively International and regional organizations and technically equipped to participate in should pay more attention to the cyber international and regional ICT-related CBMs security and critical information and norms processes.45 infrastructure of LDCs. Strengthening the cyber security capabilities of developing countries through capacity-building, training and technology transfer is key to strengthening the resilience of the entire system.

45 ICTforPeace (2014): ‘A Role for Civil Society?’. Geneva 2014.

28 Global cyber governance | Preparing for new business risks Conclusion

We are fast approaching a defi ning moment for global cyber governance. The ubiquity of the internet and impact of emerging technology present huge opportunities for global growth. But at the same time, cyber risks are becoming both more systemic and more interconnected. An effective cyber governance framework is vital if we are to fulfi ll the promise of the opportunities outlined in this report.

However, such a framework is currently A pragmatic approach will also be absent. Geopolitical and ideological important for the private sector. tensions between states are increasingly Businesses can be agents of change being played out in the cyber realm by championing common values – including over matters of governance. for cyber governance and leading The result has been to limit the initiatives to close the governance gap. coordination and effectiveness of global In the meantime, they must respond cyber governance institutions. to the incomplete nature of cyber governance by mitigating against Bold recommendations to improve the specifi c cyber risks and increasing current situation, such as the creation their overall cyber resilience. of a form of Cyber WHO to mitigate against systemic cyber risk, can have Governance, no matter how a signifi cant impact. But a degree of comprehensive, can never nullify all risks. pragmatism will be just as important. But effective governance can be the key The current geopolitical and ideological to keeping risks at a manageable level. tensions are unlikely to be resolved in the Given the importance of cyberspace to next few years, making the consensus our world, improving its governance on needed for whole-scale redesign of the a global scale is therefore critical. global cyber governance framework We hope this report can be of real value a signifi cant challenge. Instead, there to efforts to raise awareness of cyber should be a focus on strengthening risks, and realize the benefi ts that new those institutions that work, insulating technologies can provide if these risks them from geopolitical tensions and are addressed. increasing their inclusiveness.

Authors: This report is the product of a collaboration between ESADEgeo and Zurich Insurance Group. The project was directed by Angel Pascual-Ramsay at ESADEgeo and Benno Keller at Zurich. The report was researched and written by Angel Pascual-Ramsay, Angel Saz-Carranza and Alvaro Imbernon at ESADEgeo and Benno Keller and David Swaden at Zurich Insurance Group.

Global cyber governance | Preparing for new business risks 29 Disclaimer

This publication has been prepared by Zurich developments or objectives. Undue reliance Insurance Group Ltd and Fundacion ESADE and should not be placed on such statements the opinions expressed therein are those of because, by their nature, they are subject to Zurich Insurance Group Ltd and Fundacion known and unknown risks and uncertainties ESADE as of the date of writing and are subject and can be affected by other factors that to change without notice. could cause actual results, developments and plans and objectives to differ materially This publication has been produced solely for from those expressed or implied in the informational purposes. The analysis contained forward-looking statements. and opinions expressed herein are based on numerous assumptions. Different assumptions The subject matter of this publication is also not could result in materially different conclusions. tied to any specifi c insurance product nor will it All information contained in this publication ensure coverage under any insurance policy. have been compiled and obtained from sources believed to be reliable and credible but no This publication may not be reproduced either representation or warranty, express or implied, in whole, or in part, without prior written is made by Zurich Insurance Group Ltd or any of permission of Zurich Insurance Group Ltd, its subsidiaries (the ‘Zurich Group’) or Fundacion Mythenquai 2, 8002 Zurich, Switzerland and ESADE as to their accuracy or completeness. Fundacion ESADE, Avenida Pedralbes, 60-62, Barcelona, Spain. Zurich Insurance Group Ltd This publication is not intended to be legal, and Fundacion ESADE expressly prohibit the underwriting, fi nancial, investment or any other distribution of this publication by or to third type of professional advice. Persons requiring parties for any reason. Neither the Zurich Group advice should consult an independent adviser. nor Fundacion ESADE accept liability for any The Zurich Group and Fundacion ESADE disclaim loss arising from the use or distribution of this any and all liability whatsoever resulting from presentation. This publication is for distribution the use of or reliance upon this publication. only under such circumstances as may be Certain statements in this publication are permitted by applicable law and regulations. forward-looking statements, including, but This publication does not constitute an offer not limited to, statements that are predictions or an invitation for the sale or purchase of of or indicate future events, trends, plans, securities in any jurisdiction.

30 Global cyber governance | Preparing for new business risks Global cyber governance | Preparing for new business risks 31 Zurich Insurance Company Ltd Mythenquai 2 8022 Zurich Switzerland

138488A01 (03/15) ZCA