Minister of Foreign Trade and IT Andres Sutt (Reform) has made a call to action on cybersecurity aimed at creating a set methodology to assess the level of cybersecurity and set a benchmark for investments into it, along similar lines to NATO's 2-percent of GDP benchmark for member states' contributions.
Minister Sutt unveiled the concept in his keynote speech at the Tallinn Digital Summit early in September.
The minister also sets out the concept in the piece which follows.
From the beginning of the decade our societies have been moving gradually but irreversibly towards ever greater digitization.
This trend has, however, been sent skyrocketing by the COVID-19 pandemic, and over a very short period our everyday lives have come to rely even more on digital solutions. New platforms, technologies and solutions have been developed and adopted by consumers. In this effort to rapidly relocate our society into the digital environment, the emphasis on cybersecurity has too often been left in the background.
As a result, our increased dependency on digital technologies has exacerbated the vulnerabilities and threats governments, companies and citizens face in the digital sphere. In addition to low-level cyberattacks and campaigns against consumers, large-scale offensive cyberoperations and ransomware attacks have become increasingly common and threatening, with a profitable business model.
Exploitation of supply-chain weaknesses (SolarWinds, Kaseya), attacks on central services such as Microsoft Exchange, and the targeting of critical infrastructure like the Colonial Pipeline in the US or healthcare systems in Ireland are just some examples of visible attacks which have recently been carried out successfully.
Between 2019 and 2020, the cost of cyber-attacks on private companies in Europe is estimated to have grown six-fold, to a median of €50,000. Globally, the cost of cyberattacks is estimated to grow to $6 trillion per year, making it an extremely profitable opportunity for criminals and state-backed actors.
Whilst the general topic of cybersecurity is well acknowledged in governments and enterprises, it is typically not seen as a priority and is oftentimes overshadowed by other pertinent issues, until a successful cyber incident has taken place. This especially applies in the context of budgetary tightening, when IT and cybersecurity investments are considered expendable and non-essential, which in turn contributes to higher technological debt and greater vulnerabilities. For many governments, cybersecurity is decentralized between ministers, ministries and institutions, meaning that investment in and prioritization of cybersecurity varies significantly.
The worldwide estimate of spending on cybersecurity is about 0.1 percent of Gross Domestic Product. The US spends some 0.35 percent of its GDP on cybersecurity.[1] In Europe, this figure drops as low as 0.03 percent of GDP in some countries. In addition, spending on cybersecurity is highly fragmented, without a clear understanding of what can be counted as a cybersecurity expenditure. Since it is composed of multiple layers, including purchasing, upgrading and maintaining hardware and software, but also management, personnel and culture, there are currently no agreed-upon methodologies to assess what can be judged a sufficient level of investment in cybersecurity.
The path to recovery from the COVID pandemic has been centered on the digital transition in Europe, whereby over €130 billion will be invested through the Recovery and Resilience Facility alone, in addition to billions invested by private companies. These investments will further accelerate the trend of our societies, industries and daily lives relocating into the digital sphere. Given this fundamental step forward in digitization and the ever more prominent and indiscriminate cyberattacks, it is evident that cybersecurity needs to be set as the cornerstone of the digital transformation ahead.
In order to achieve this, it is imperative to establish a common set of best practices alongside a clear methodology to assess investments in cybersecurity, and to set an agreed-upon investment benchmark for both the public and private sector. This objective is comparable to NATO's 2-percent investment target, which has a clear methodology behind it and which all NATO members have agreed to meet and can be held accountable for. In cybersecurity, this benchmark could be the percentage of an IT project's budget which is earmarked for cybersecurity. Going forward, this discussion needs to begin at both the political and technical level, together with academia, private companies and governments, in national and multilateral forums.
[1] Atlantic Council, Risk Nexus: Overcome by cyber risks? Economic benefits and costs of alternate cyber futures, 10 September 2015.
September's Tallinn Digital Summit also featured a panel discussion, held in English, with the Singaporean, UK, Irish and Austrian ministers for digital affairs.
Editor: Andrew Whyte