Since 2014, the digital landscape has significantly changed globally. First, and most obvious, the number of internet users has nearly doubled from 2.8 billion to more than 4 billion in the last six years. Second, and perhaps a bit less obvious, the number of cyber incidents, such as data breaches or cybercrimes, impacting the average internet user, has grown exponentially. For a while now, I’ve been thinking about what these cybersecurity trends mean for our work in digital development. I recently read an article that helped frame the challenge in a way that is easily digestible, even by the least digitally focused development expert.
Published in 2016, the “Cyber Harms: Concepts, Taxonomy and Measurement” explains how there needs to be a clear model for understanding the damage caused by cyber incidents. The authors define “cyber harm” as “damaging consequences resulting from cyber events, which can originate from malicious, accidental, or natural phenomena, manifesting itself within or outside of the internet.” The authors conclude there are six types of cyber harm that can manifest themselves either as a direct result or as an indirect result of a cyber incident and can impact an individual, organization or country. They are:
Physical harm includes bodily injury or damage to physical assets (hardware, infrastructure, etc).
Psychological harm includes depression or anxiety. It may manifest itself immediately after a cyber incident or in the long term. For instance, as a result of cyber bullying or cyber stalking.
Economic harm manifests itself as financial loss and can be a result of a data breach or other cybercrime. An example of economic harm is the financial losses suffered by South African companies due to data breaches.
Reputational harm manifests itself differently across stakeholders. For instance, at an organizational level a cyber incident may result in loss of consumers. At a personal level, a cyber incident may lead to the disruption of personal life. Nationally, it may lead to less favorable trade negotiations.
Cultural harm is the hardest to measure and is best explained by an increase in social disruption. A good example of this might be the spreading of misinformation online leading to real-world violence, as it has in India. Similar incidents have occurred in Sri Lanka and Myanmar.
Political harm includes disruption in a political process or government services. A good example is election interference. This might occur by deliberate internet shutdown, such as the recent case of Togo or by the botnets programmed to influence public opinion prior to a critical national vote, such as with Brexit.
These types of cyber harms are both broad and complex to measure. And, the data that has been collected is mostly from high-income countries and focused exclusively on economic harm. This is likely because it’s easiest to measure. (Either you lose money as a result of a cyber incident or you don’t). More recently, given the increased focus on the impact of technology companies on democratic processes (think Cambridge Analytica), there has been a growing number of studies and reports on the political harms of cyber incidents. Similarly, there is a growing number of studies on the psychological harms of cyber incidents. In a recent report in USA Today, 77 percent of cyber incident victims interviewed, reported increased levels of stress, while 85 percent reported sleep deprivation. The reason I mention these studies, is because there is clearly a growing understanding in society writ large that digitization has real-world consequences beyond economic opportunity.
Picture from Piqsels.
What this Means for the Digital Development Community
For the most part, reports on cyber harms have been limited to high-income countries. The challenge for us working in digital development, is how to translate these observed trends in high income countries to the low- and middle-income environments in which we work.
To do so, we must first reject the notion that high-income countries and low- and middle-income countries (LMICS) will experience cyber harm sequentially and recognize that this is unlike other development challenges where there are clear lessons learned we can apply from developed countries to developing countries. Why? Because in reality all countries are experiencing the challenges posed by increased digital access, and therefore, are seeing more digital threats simultaneously. The perception that these issues are more prevalent in high-income countries is likely skewed because there is more readily available data of incidents in those countries. But there are cases of cyber harm incidents across LMICs, including today, as countries try to combat Coronavirus.
As a digital development community, we have an opportunity and a responsibility to participate in these conversations to ensure that our broader goals of digital access and inclusion are not overlooked as a result of government or organizational fear of cyber harms.
What Can We Do?
Contribute. As mentioned earlier, what this topic is missing is data and case studies across LMICs. We work with communities with different levels of digital inclusion. Understanding their experiences with cyber harm will be critical to designing digital development programming that mitigates those harms.
Empower. Last year we made the case that educating the user should be central to all digital development programming. I believe that is even more necessary today given the breadth of harm that cyber incidents can cause.
Security by Design. Where possible, we should ensure that any digital assets we design for development programming are protecting people’s information at the outset.
Collaborate. High-, middle-, and low-income countries are all facing the challenges posed by cyber incidents and cyber harms. What opportunities are there to collaborate and bring lessons learned from across countries to better safeguard digital programming?
As the knowledge and understanding of cyber harms continues to spread, it will be the responsibility of digital development practitioners to translate that knowledge and apply it to our work. Not doing so, will risk undermining our goals of digital inclusion, digital access, and internet freedom.