The internet reaches into every corner of the world and is vital to everything from health systems and financial markets to public services and election organising. This intense global interconnectedness clearly comes with great benefits, but a cybercrime epidemic is putting millions of lives at risk.
A successful hack against a small Ukrainian software company might not sound like a big deal for the rest of us, but within a year of M.E.Doc's servers being breached in 2017, the NotPetya hack had cost businesses around the world more than $10 billion.
In the same year, the WannaCry attack hit the UK's National Health Service first and hardest, but within days it had spread to over 150 countries. And when the International Committee of the Red Cross was targeted in 2022, sensitive data related to more than half a million people worldwide was exposed.
The costs associated with this global epidemic of cybercrime rise into the trillions, and this trend is accompanied by an increase in the rate of State-linked online attacks on civilian and humanitarian infrastructure.
The growing scale and sophistication of these challenges mean that narrow, technical solutions to cybersecurity are no longer enough.
Only a collective response will work
Recognition of the gravity of the situation has also driven a shift towards the idea of cyber resilience, rather than cybersecurity, whereby systems and societies are collectively able to react, adapt, and recover when attacks occur.
However, whilst businesses and governments agree on the need for a global approach, their task is made more difficult by the growing fragmentation of the digital domain, driven by rapid technological developments and differences in political posture, regulatory approaches and organisational capacity.
Together, these factors create fault lines that make cyber infiltration more likely, and mean that no one company, government or international body has the ability to fully manage international cyber risks on its own.
Foundations in place
The collective, cooperative work needed for comprehensive cyber resilience is already underway, and its foundations were laid at the UN.
In 2015, for example, the General Assembly endorsed 11 voluntary, non-binding norms of responsible State behaviour in cyberspace, and reaffirmed them in 2021.

But in order to realise the potential of these norms, Governments need to identify what qualifies as critical infrastructure, assign responsibility to a competent agency, build up effective cyber capacity within these agencies and create rules around incident reporting and cooperation to ensure that attacks and their spread are properly tracked and addressed.