In our first post in the 2018 Cyber Security Series, I discussed why cyber security should be a key consideration in the design of digital tools that help support sustainable development efforts. I highlighted that trust in digital tools should not be taken for granted, but rather constantly invested in by designing digital tools with user input, but also with security in mind. Now I will take a look at some of the other key analog complements that need to be considered when deploying secure, integrated digital systems for sustainable development.
A major challenge in low and middle-income countries is limited access to services for the entire population. In many underdeveloped countries, populations living outside of cities lack access to basic services at a greater scale than those living in more urban areas. For development practitioners, digital tools and services increasingly present an attractive way to bridge the divide between these populations.
As a result, donors and companies with a social impact bottomline are increasingly promoting the digitization of services across markets. On the surface, the idea seems like the ultimate silver bullet for combating many countries’ greatest ails, such as lack of access to health care, limited access to energy, or minimal participation in financial services.
Estonia’s adoption and integration of digital tools and services provides a concrete example of how and why digitization benefits an entire population. For example, by digitizing all state and public services, Estonia saved at least 2 percent of GDP in salaries and other expenses in 2017. Estonia, in many respects, offers a model for what other countries might aspire to become in this digital age. We already see adoption of digitization in countries such as India, Kenya, and Ukraine.
The success of these investments depends greatly on the emphasis on analog complements to not only scale these digital services, but also secure the data stored across the platform. We can point to Estonia as a model for what technology assets could be deployed to mitigate the likelihood of data breaches, but if we are to truly support low- and middle-income countries to successfully adopt secure digitization platforms, the analog complements of systematic chance cannot be ignored.
The World Bank’s 2016 World Development Report titled, Digital Dividends, highlighted three main analog variables that help build a strong foundation for adoption of digital tools: regulations, skills, and institutions. Although the report did not focus specifically on cyber security, I’d argue that investment in the same analog complements is critical for the successful integration of information security in the digital transformation of state and public services across an economy.
Regulations for Cyber Security
The promotion and scale-up of Aadhaar, India’s digital identification system, provides one example as to why regulation and governance protocols are critical to protecting digital tools. The best way to understand governance protocols is to think of a schedule of authority. In the case of cyber security, this protocol would answer questions such as—who has access to what information and when; to whom should a data breach should be reported; and who has the authority to respond.
Examples of data breaches to the Aadhar system illustrates what happens when these governance protocols are lacking. For example, Aadhaar created several mobile applications to help Indian citizens access a variety of services. Due to a coding glitch, hackers were able to easily access peoples demographic data through a vulnerability in the mobile application. Although the details of how this occurred are not public, one possibility is that the governance protocols for double checking and triple checking the security of the application’s code were either not in place or not followed. As a result, the flaw in the code opened the back door for hackers to potentially steal millions of people’s identification.
With governance protocols in place, errors like this could be avoided or quickly resolved upon identification.
Skills and Capacity for Cyber Security
As highlighted in the first blog of the series, cyber security is not only a technical. Rather, the technical side of cyber security is closely tied to governance protocols and the awareness of potential threats for all levels of users, regardless of whether you’re the producer or the consumer of a technology.
In the financial tech industry, the lack of emphasis on skills training demonstrates why capacity building is a critical ingredient to support cyber security mechanisms. The goal for many fintech companies is to help the unbanked become banked. For many of these users, it is their first time using a digital tool to access services and therefore many fall prey to phishing campaigns that ask for what seems like relevant information, but is actually being requested by unknown people or groups. As a result, some newly banked people have accidentally agreed to new financial commitments or handed over personal information that was later used against them.
By increasing funding towards digital literacy and digital skills, people are more likely to identify suspicious behavior and avoid sharing information with services that are unrecognized. The challenge is that many times, funding is allocated directly into the cost of developing or designing a digital tool, rather than the skills needed to protect a consumer. Yet, when it comes to digitization of public services, this variable cannot be ignored as it will reduce trust in the system and limit the scale of adoption. It may also inadvertently lead to the manipulation of personal information that could be used by bad actors to instigate tension within a changing ecosystem.
Institutions for Cyber Security
Institutional support is the third critical piece. With increased digitization of services, public and private institutions are being created or restructured to support the digitization process. In Kenya, for example, the Information and Communication Technology Authority, a state-owned enterprise, was established in 2014 in an effort to facilitate and regulate the design and implementation of ICT of public services. The creation of this institution comes almost a decade after the launch of M-Pesa in Kenya, one of the most successful digital finance tools to date. In theory, an institution like the ICT Authority of Kenya oversees and regulates all state-led ICT initiatives, including the building of digital infrastructure and establishment cyber security measures. Through institutions like these, the public sector can help create the backbone of a vibrant digital economy that addresses cyber security by developing standards that signal to the market the minimum requirements needed to participate. Without institutions like these that govern and manage all digital assets in an economy at the macro level, clarity surrounding governance protocols or skill building initiatives at the meso or micro level, may fall short.
Together, these three analog complements, along with an investment in approved technology assets, help strengthen the cyber security of any state. Countries such as Ukraine, a test-bed for Russian malware, are working to find the right recipe to support their cyber security strategy. For example, earlier this year, Ukraine passed a cyber security law that called for the creation of new institutions to support the integration of cyber security policy across government agencies and began the process of developing a schedule of authorities for cyber security responsibilities of the state. Although the law does emphasize the need for capacity building across state agencies less, the enactment of this law is a step in the right direction. It shows an intent to tackle not only the technical side of cyber security, but also the three analog complements discussed in this blog.
As development practitioners who recognize the importance of focusing on cyber security to support sustainable digital development initiatives, we should applaud these types of approaches and support countries to fill gaps, like with skill building, that might be underfunded.
Part 3 of this blog will look at cyber security through a different angle and look at the risks associated with software piracy.