Megan Stifel, GCA’s Executive Director for the Americas, recently participated in the United Nations’ Open-ended Working Group (OEWG) on issues in Information and Communications Technology (ICT) and cyber. Read more here from Megan about the role civil society plays in broader efforts to reduce cyber risk.
By Megan Stifel
During the United Nations’ discussions on Information and Communication Technology (ICT) and cybersecurity issues recently, stakeholders discussed the critical and irreplaceable role civil society plays in operationalizing the emerging cybersecurity normative framework that fosters trust and stability in the ICT ecosystem. To be most effective, these organizations need strong support from governments and the private sector.
Civil society’s engagement on cybersecurity can take many forms, and the work done by the Global Cyber Alliance (GCA) provides many examples of this. GCA supports the Cybersecurity Tech Accord, the Paris Call, and the Cyber Peace Institute, which are just a few of the mechanisms through which stakeholders are amplifying and implementing best cybersecurity practices. Many of these best practices themselves were developed by civil society through multistakeholder processes. For example, the Center for Internet Security (CIS) Controls are recognized globally as best practices that can reduce risk by as much as 85%. Operationalizing these best practices through multistakeholder mechanisms reduces cyber risk and thereby contributes to the evolution of the normative framework recognized in the 2015 Group of Governmental Experts (GGE). Using multistakeholder processes, states can support civil society engagement on many other aspects of cyber risk reduction, including in discussions on norms, consideration of regulatory practices, procurement, and other incentives structures that foster support for collective action on cybersecurity.
To be most effective, however, civil society organizations need both remit and resources. States can support civil society and normative development by supporting organizations like GCA. GCA was established by CIS, itself a civil society organization, along with two law enforcement entities to help vulnerable populations reduce their cyber risk. These organizations established GCA in recognition of the broader impact such targeted engagement can have on the Internet ecosystem as a whole. It also acknowledges that civil society organizations like GCA can move with agility and inclusiveness that far exceeds that which is available to intergovernmental organizations.
GCA executes its mission by identifying, through stakeholder engagement, cyber risks for which there is insufficient attention but for which consistent engagement can result in scalable implementation of known or identifiable solutions that respect individual privacy while advancing security. Greatest progress is made when governments, the private sector, and civil society all work jointly to achieve objectives.
For example, the risk of Business Email Compromise (BEC) and phishing can be reduced significantly by implementing the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol. GCA has played a significant role in the adoption of this capability by all types of organizations, including governments, for their own email systems. And the greatest progress has been made when governments and the private sector have specifically supported this work, as a number of nations and the Cybersecurity Tech Accord have done.
GCA’s engagement on DMARC is just one example in which a civil society organization has helped support governmental implementation of a standard developed by the technical community. And, consistent with our operating practices, we have measured the impact of this protocol. We studied more than 1,000 organizations and found that the use of this tool prevented at least $19M in losses in the global economy annually, calling attention to the broader impact of this hygiene tool.
Use of technical capabilities like DMARC also serves as an example of the importance of transparency and accountability in reducing digital risk. This hygiene capability supports just that; through open source tools anyone can determine whether an organization has implemented this proven best practice. Consider for a moment the implications that broad adoption of this email protocol can have for due diligence, accountability, and other recommendations identified in the recently released Global Commission on the Stability of Cyberspace (GCSC) report and in the work of the Global Forum on Cyber Expertise (GFCE).
Importantly, the actions of civil society groups can advance a culture of hygiene in places where governments and the private sector face challenges. For example, efforts such as ours to enhance the security of email through DMARC implementation, as well as the creation of our toolkits for small business, election offices, and the forthcoming toolkit for journalists, help create a culture and practice of cybersecurity by raising the level of these groups’ cyber hygiene, which collectively can reduce the impact of abuse and irresponsible behavior in the Internet ecosystem and thereby improve overall trust in ICTs.
Collectively, civil society organizations can have a measurable impact on operationalizing recognized norms of responsible behavior, but we need support from governments and the private sector to sustain our efforts. We all must recognize that such collective support is far less costly than the alternative, where trust in the Internet ecosystem and connected technologies continues to decline due in part to failure to take action on accepted best practices. Without intervention through enhanced cyber hygiene, this continuing decline in trust risks not only the social benefits of interconnected technologies but also the greater societal benefits, including achievement of the Sustainable Development Goals. Nation states, the private sector, and civil society can work together to reduce the cyber risks that threaten agreed upon global development goals, and they can begin now by supporting and using resources such as those developed by GCA to do so.