Last year, McAfee and the Center for Strategic and International Studies published a report on the cost of cybercrime, estimating the annual cost to the global economy to be over $400 billion. The U.S., China, Japan, and Germany account for $200 billion of that.
With the State of the Union address and ensuing changes in cybersecurity regulations in the U.S., there’s a greater interest in how other nations handle cybersecurity and what we can learn from their innovations and mistakes.
A recent study of the number of data breaches in Europe between 2005 and 2014 finds that the industry most impacted by data breaches has been commercial/retail, and the country in Europe most impacted by data breaches (by far) is the U.K. As a nation that boasts a global financial capital at its epicenter, the U.K. prides itself on its cybersecurity research and innovation. And after the Charlie Hebdo attacks in Paris, there have been more impassioned and urgent conversations about the need to step up and modernize cybersurveillance and “interception” across Europe, which would potentially entail updating some of the most recent legislation on cybersecurity.
The European Union for Foreign Affairs and Security Policy published a strategy for “An Open, Safe and Secure Cyberspace” in 2013, which established minimum network/information security requirements and set standards for security in recent technologies like cloud computing. The Union also enacted a Cybersecurity Directive, which established cyberemergency response teams and communication between Member States and the European Commission. Each of the Member States is required to take its own actions to ramp up cybersecurity and increase awareness, as well as to involve the private sector in preventing and detecting threats. The national standards put in place were seen as vital since a threat to a member is a threat to the whole. The European Commission also created a European Cybercrime Centre (nearly two years before the U.S. established the National Cybersecurity and Communications Integration Center).
There has also been a great deal of pushback on increased digital surveillance from the government, including from the American NSA whistleblower Edward Snowden. Snowden warned in a 2014 virtual interview that U.K. spy agencies were conducting mass surveillance with hardly any oversight. He specifically pointed the finger at GCHQ, a self-described “security and intelligence organisation tasked by the government to protect the nation from threats.” Echoing similar suspicions, a Romanian cybersecurity law was recently declared unconstitutional by the Romanian Constitutional Court. The ruling stated not only that any access to computer data can be given only with a court order, but also that it is unconstitutional for the Romanian Intelligence Agency to be the authority in charge of cybersecurity.
With recent attacks on organizations ranging from a DDoS (distributed denial of service) attack on a Finnish bank to the hacking of a German iron plant resulting in actual physical damage to machinery, it’s going to be difficult to silence the voices calling for increased security, despite the threats to personal privacy.
A string of cybercrimes in Singapore forced the government to thoroughly ramp up its security policies in recent years. Prime Minister Lee Hsien Loong announced last month that the government would be creating the Cyber Security Agency of Singapore in response to attacks on government portals and recent worldwide high-profile hackings. Like other government cybersecurity agencies, Singapore’s agency will aim to put cybersecurity policies and strategies into place, as well as to cooperate with the private sector in order to create a more secure environment across the board.
Already known for its strict internet censorship (a.k.a. The Great Firewall), Beijing recently put itself at the center of controversy once again with the creation of policies intended to improve cybersecurity for Chinese industries. One such policy requires companies selling hardware to surrender source code, undergo audits, and build “back doors” into both hardware and software. Critics suspect that this is China’s attempt to discourage foreign business, with the ultimate goal of building up China’s tech industry and reducing the number of foreign hands in Chinese business. And these policies are expected to be just the beginning as China, like other nations, reevaluates its cyberdefenses. However, these policies could also make doing business in China nearly impossible for foreign vendors despite the buying power of Chinese markets.
Historically, this isn’t a first for China. In 2007, the Ministry of Public Security introduced the “Multi-Level Protection Scheme” that restricted any foreign company from supplying core technologies to critical infrastructure industries (banking, government, etc.). But China also has a history of backing down when faced with the prospect of large technology companies no longer selling their products in China; for example, an urgent letter from U.S. companies (including Intel and Broadcom) forced China to back down from its WLAN Authentication and Privacy Infrastructure policy.
According to the McAfee and CSIS study, Brazil suffered the most losses from cybercrime of any country in Latin America – there are reports that one-third of Brazilian companies had at one point been the victim of a data breach. From attacks that shut down financial websites to those that hacked into personal DSL routers, the hacker community in Brazil has shown itself to be both active and innovative. However, Brazil has notoriously weak laws for prosecuting cybercrime, thus encouraging more crime at little risk to the hackers. So, the onus for digital protection has been put on businesses themselves; it’s estimated that Brazilian banks spent $910 million on cybersecurity in 2013 alone.
What’s clear from this brief global tour is that governments worldwide see the effects of cybercrime on their own economies, are concerned about a general lack of cybersecurity, and recognize that any successful defense will require close collaboration with the private sector. Even industries without strict compliance guidelines will need to start investing in more secure ways to do business, including file-sharing and collaboration tools. The companies that drag their feet the least will be a step ahead when governments start implementing tighter national standards.