This is the fifth in a series of blog posts about cybersecurity to mark Cybersecurity Awareness Month in October. This blog first appeared in the Tech Policy Press here.
“Spiderman,” as he was dubbed, worked for military intelligence as an undercover volunteer.
As told by Nathan Thornburgh in Time, Spiderman, later identified as Shawn Carpenter—a U.S. intel contractor by day—watched by night as hackers breached networks of the U.S. military and made off with uncommon stealth. Spiderman “clung unseen to the walls of their chat rooms and servers,” following the stolen files from site to site, landing him virtually in China’s Guangdong province. When his private-sector employers found out what he was doing, they fired Carpenter and stripped him of his top-secret clearance for “inappropriate” after-hours sleuthing.
Around the same time, in October 2004, a small nonprofit called the National Cyber Security Alliance, together with the new U.S. Department of Homeland Security, proclaimed the first National Cybersecurity Awareness Month. Their message: Update your antivirus software twice a year.
Safe to say, cybersecurity awareness has come a long way since Spiderman got sacked.
As we mark the 20th Cybersecurity Awareness Month, security threats continue to evolve while the need for cybersecurity preparedness has become abundantly clear. Integrating cybersecurity into the day-to-day of organizations and institutions across society can profoundly propel a country’s inclusion, economic growth, and infrastructure resilience.
As tomorrow’s cyber challenges are born, where might civil society, including the international development community, be well placed to provide assistance to fill future needs for cybersecurity awareness? Here are a few suggestions to put cybersecurity at the fore:
Micro, small, and medium-sized enterprises (MSMEs) provide inviting targets because their owners may underestimate their risk for cybercrime or not know how to mitigate that risk. Cybersecurity awareness campaigns effectively distill cybersecurity challenges, encourage digital hygiene, and provide practical advice to business owners on confronting new digital risks. Future campaigns should be continually updated to address the cost of cyber defenses for business owners vs. the cost of being hacked so that businesses are informed and empowered to protect themselves.
Hackers’ Shortcut—Dual-Intent Tools
Once hacked, tools used for legitimate administrative and security-testing functions provide a fast track to data for internet culprits. As they upgrade digitally, organizations must protect themselves against nefarious actors encroaching on their well-meant technology. To promote safe upgrading, development organizations can help convene entities to discuss related threats, share information, and establish protection standards. For example, the U.S. Agency for International Development Critical Infrastructure Digitalization and Resilience (CIDR) program, implemented by DAI, regularly facilitates meetings of Critical Infrastructure Cybersecurity Working Groups in Kosovo, Moldova, and North Macedonia. Chaired by top government appointees, these meetings bring together officials from critical infrastructure, the private sector, academia, and civil society to discuss and make recommendations on a range of cybersecurity issues.
Meeting in March of the CIDR-facilitated North Macedonia Critical Infrastructure Cybersecurity Working Group. Photo: USAID CIDR.
The Disinformation Age
With the advent of generative artificial intelligence (AI), there is a growing industry devoted to developing advanced disinformation in the form of deep fakes and other crooked content. This reality calls for forward-thinking investment in digital literacy that raises awareness and recognition to help repel disinformation. Such actions could include coupling online business registration requirements with mandatory digital literacy and risk-awareness training or establishing accountability mechanisms such as hotlines to lodge complaints, report scams, or flag inaccurate content.
Back to the (New) Basics
Speaking of bad information, attackers will attempt to poison machine-learning models, leading to incorrect predictions and decisions. Get used to this and similar scenarios. As new technologies emerge, cyber vulnerabilities will expand, providing criminals with new ways to execute attacks. AI, machine learning, ChatGPT, and the like will increasingly demand human critical thinking and assessment of machine-proposed actions as opposed to passive acceptance. While certain fundamentals will apply today just as they did in 2004, raising awareness around threats introduced by new technologies should be a standing activity in any digital development initiative.
The world has a talent gap problem with demand for qualified cybersecurity workers far outweighing supply even as cyber academics are expanding. For example, while the EU reports 3,100 cybersecurity graduates per year (up 25 percent from 2020), Europe requires 300,000 more cyber professionals to meet its projected needs. In addition to increased cyber workforce development—to include building employer awareness of future cyber-employment needs—there is an opportunity (see Session 26) to use fresh approaches such as mobilizing hip-hop stars, bloggers, and even comic artists to inspire, encourage, and foster a new generation of cybersecurity talent.
Access to Finance Means Access for Hackers
As international development and other industries extend financial services and means for transacting, cybersecurity vulnerabilities extend with it. Industries that advocate for and expand financial inclusion must also build in cybersecurity measures that protect privacy and ensure new digital financial services are aware of vulnerabilities and made secure. USAID’s Digital Ecosystem Country Assessment (DECA) toolkit provides a great starting point for reviewing these risks.
The Future of Global Cybersecurity Awareness
In a 2007 interview with Computer World, Shawn “Spiderman” Carpenter observed: “The cyber realm … provides an appealing risk-to-benefit ratio, low chance of attribution, and a minimal investment for adversaries to conduct sophisticated operations. Why spend millions on [private property] when you can just steal it?”
While cyberattacks and cybercrime remain relatively cheap endeavors, development assistance can provide cost-effective lines of defense. USAID’s Digital Frontiers, with many cyber activities funded by the Digital Connectivity and Cybersecurity Partnership (DCCP), and CIDR programs are among those raising awareness and building related resilience and capacity within the evolving cyber landscape; this includes building awareness among critical infrastructure staff, where human error and lack of knowledge can compromise national security. In addition to the Digital Frontiers examples cited above, CIDR launched activities in Eastern Europe to grow the cyber workforce—including through its Cyber Pathways for Women program—and is providing select assistance to energy, telecom, health, and other essential services.
Moving toward 2030 and beyond, organizations will continue co-creating programs to elevate cybersecurity awareness among businesses and citizens alike. As community members weigh in on expected trends and new initiatives take shape, one thing seems certain—by working together, the international development community can help partner governments and others stay one click ahead of (most of) the bad guys.
Charles Coon is the Senior Communications Manager for the Critical Infrastructure Digitalization and Resilience (CIDR) program; Alexander Riabov is a Senior Communications Advisor with DAI’s Digital Frontiers.