What Have We Learned in the Past Five Years about Cybersecurity?
Oct 19, 2023
This is the third in a series of blog posts about cybersecurity to mark Cybersecurity Awareness Month in October.
For digital development practitioners, cybersecurity is now in the digital development zeitgeist. Over the past five years or so, it has become an important standalone technical area, as well as a critical building block of all our interventions. In honor of Cybersecurity Awareness Month, I wanted to revisit Digital@DAI’s earliest posts about cybersecurity from 2018 to see how our initial thinking holds up against a 2023 mindset. Our first-ever series on cybersecurity introduced the concept of cybersecurity to digital development practitioners by doing three things:
- Providing a technical explanation of cybersecurity and linking it to the concept of trust;
- Examining cybersecurity through the lens of regulations, skills, and institutions, aligned to the World Bank’s 2016 Digital Dividends report, and;
- Examining the topic of pirated software at the micro level.
Photo: Kevin Ku/Unsplash.
Re-reading these articles today, what struck me about this series?
- We were clearly focused on awareness raising–Reading this series five years later, it is clear that the underlying purpose of the first article was to sensitize digital development practitioners (and international development practitioners more generally) to the field of cybersecurity and to emphasize the nuanced interplay between cybersecurity and digital development. Sentences like, “As development professionals committed to leveraging digital access and tools that provide services globally, we must take the concept of securing trust more seriously. This will require us to focus on cybersecurity. Cybersecurity sounds daunting, particularly for people who associate the profession with dark rooms, humming computers, and coding expertise” would almost certainly not be necessary in 2023 for digital development professionals because—as stated previously—cybersecurity is everywhere these days.
- Examining cybersecurity through the framework of relevant regulations, skills, and institutions foreshadowed much donor-funded cybersecurity work in the years to come—The second article adapts the idea from the World Bank’s 2016 Digital Dividends report that regulations, skills, and institutions “help build a strong foundation for the adoption of digital tools” to the cybersecurity field. This directly aligns with the type of cybersecurity work that donors have funded since the initial publication of this blog series in 2018. For example, the Cybersecurity for Critical Infrastructure activity in Ukraine—which kicked off in 2020—focuses in part on Ukraine’s cybersecurity enabling environment, which aligns with “regulations” and “institutions” from the Digital Dividends report. Similarly, its commitment to developing Ukraine’s cybersecurity workforce matches the “skills” component of Digital Dividends. We definitely got this part right.
- Estonia remains a cybersecurity and e-governance leader—Estonia gets a shoutout in the second article for its commitment to digitally transforming its government, which was a highly prescient observation. Indeed, Estonia is still revered among cybersecurity professionals in the digital development space for its highly advanced digital infrastructure and e-governance space. Just last month, USAID announced a new collaboration with the Estonian Centre for International Development (ESTDEV) to promote the interoperability of digital tools. Meanwhile, Estonia’s e-Governance Academy (eGA) is becoming a key player in the donor-funded cybersecurity space, having worked in more than 140 countries and regularly collaborating with partner countries to strengthen the cybersecurity of their digital infrastructure and workforce.
What looks different in 2023?
- Making the case for digital development practitioners to prioritize cybersecurity because it affects trust in digital tools, rather than because of the harms stemming from cyber attacks and cybercrimes–the first article clearly links the concept of cybersecurity to the concept of trust, arguing that, “As development professionals committed to leveraging digital access and tools that provide services globally, we must take the concept of securing trust more seriously. This will require us to focus on cybersecurity.” To be clear, I agree with this statement; a lack of cybersecurity and a lack of trust in technology can absolutely disincentivize citizens, businesses, and governments from going digital. However, the underlying argument is that development practitioners need to prioritize cybersecurity because it affects the uptake of digital tools and digital transformation. But, if you ask most digital development professionals today why it is important to prioritize cybersecurity in our work, I bet that the majority will emphasize the physical, economic, and sociocultural harms stemming from cyber attacks and cybercrimes—not its impact on trust in digital tools. Neither answer is wrong; the difference just reflects how much our industry has shifted in the past five years. (Perhaps because awareness raising around cybersecurity has been so effective!)
- Breaking cybersecurity down into just two technological components, access and storage—even though the second article broadly examines cybersecurity in the context of regulation, skills, and institutions, the first article takes a narrower view of cybersecurity. It states that cybersecurity has two components: “Access, in this case, is different than how we in the digital development community understand it. When we are thinking about access for cybersecurity, it specifically means how do people get the data they are seeking. Storage, then, refers to the back end of these systems, where the data we are sharing or the data we are requesting is being warehoused.” While the final paragraphs of the article do talk about the human aspect of cybersecurity—specifically the importance of cultivating cyber hygiene skills among digital tool users—it was striking to me that this article explicitly looked at cybersecurity only in terms of technology. Today, it is much more common to think about cybersecurity according to the “people, processes, technology” framework or the National Institute of Standards and Technology’s Cybersecurity Framework (identify, protect, detect, respond, and recover), which examines cybersecurity more holistically and more broadly than the technology piece alone.
- Focusing on pirated software seems almost quaint in the age of generative AI-assisted cyber attacks—the third article does a deep dive into the cybersecurity implications of using pirated software. To be clear, pirated software is still a critical threat vector, particularly in low- and middle-income countries, where companies, civil society organizations, and individual people may not be able to afford genuine, licensed software. However, given the new types of cyber attacks that have emerged since this article was originally written and our current hype cycle on generative AI, it feels like a real blast from the past to focus on pirated software rather than highly sophisticated technologies and types of attacks.
I thoroughly enjoyed my walk down memory lane at Digital@DAI, re-reading some of our earliest posts about cybersecurity and thinking back on how differently we framed some issues just five years ago. Even though we did not perfectly predict the future, we still did a solid job of capturing key issues in the years to come after the initial publication of these articles. Here’s to the next five years of writing about cyber.