The World Economic Forum’s Global Risk Report 2019 paints a bleak picture of the top threats facing our planet. Leading the list, and influencing everything that follows is the impact of growing divergence between nations. Ever more countries are seeking to establish national control over their affairs, economies, security and more. WEF’s analysis suggests the divisions are growing, and that such fragmentation and protectionism can create blind spots, undermine global stability, and limit the world’s capacity to respond effectively to global challenges. It is not hard to see how they affect our ability to tackle the global challenge of cyberthreats.
In a hyper-connected world, cyberattackers ranging from state-backed cyberespionage groups to common thieves can target almost anyone, from anywhere, spreading fear, uncertainty and doubt through cyberspace. The online world is being weaponized, and national governments want to protect their citizens as best they can. Some have chosen to do this by putting up barriers, restricting access for technology vendors from nations perceived as a potential threat: the balkanization of cybersecurity. When it comes to a choice between fear and facts, fear seems to win every time. But it is worth asking: who is afraid and what are they afraid of? The answers may not be what governments expect.
Everyone is worried – really?
In mid-2018, we commissioned a multi-country survey to better understand what people really think about foreign organizations and their online security. The research was undertaken by an external agency and involved IT security professionals and consumers in the US, Germany, France, the UK, Italy and Spain.
Among other things, it turns out that the majority of people don’t fear ‘stranger danger’ anywhere near as much as their elected governments might think they do. In fact, over half of businesses (55%) and two-thirds (66%) of consumers we spoke to say their government should go with the company that offers the highest quality products and services, even if it is a foreign business. This figure rises to 8 in 10 for areas critical to national security. In other words, the quality of a company’s products and services matters significantly more than where it comes from.
Barriers weaken security
Allowing open access for vendors underpins competition, and competition powers innovation and performance. Evidence shows that most companies benefit significantly when there are others around them trying to do the same thing, only better. In cybersecurity that quickly translates into better protection for all. So if people don’t fear foreign cybersecurity firms as much as their elected governments think they do, and blocking such companies might actually damage national security in the long term, why are governments choosing this option?
Governments have an obligation to protect critical national infrastructure, the economy and everyday life. In cyberspace this means securing national frameworks against the risk of external attack, sabotage and cyberespionage. One of the easiest things to do in such circumstances is to restrict or ban suppliers from countries they are concerned about. But people deserve – and want – to be able to choose the solution that best meets their needs.
The only people to really benefit from restricted choice are the cyber attackers. Cyberthreats don’t see, let alone respect the boundaries nations put up, and to counter that security needs to be able to operate without borders too.
Trust and transparency
Cybersecurity companies, regardless of their country of origin are largely battling the same cyber-adversaries, and the industry has much to gain from being able to co-operate. No one company has a full 360 view of every new threat, but between them, security researchers from different organizations can better complete the picture.
So it worries us, and others like us, that global cyber-protection is threatened by fragmentation of the industry in response to nations’ growing divergence and technology nationalism.
We believe there is another way to address concerns and minimize risk. The cybersecurity industry needs a global framework for trust and integrity that applies to everyone. The cornerstone of this is transparency. Our industry’s customers and partners need to be able to see what we do and how we do it. We launched our Global Transparency Initiative as our response to this need: relocating elements of our infrastructure to Switzerland and opening Transparency Centers where trusted partners can review our source and update code. We can’t make the world risk-free, but we can and will help to manage that risk.