The organization calls for a cybersecurity equivalent of the UK’s state-owned healthcare system
A wave of cyber-attacks against organizations that are critical to the fight against coronavirus has exposed the failings of a market-driven approach to cyber-preparedness, according to the World Economic Forum (WEF).
The WEF has identified a ‘cyber poverty gap’ in which many sectors and government agencies central to society’s ability to cope during emergencies – like healthcare, social welfare, and local government – are among the least cyber-resilient, even as global cybersecurity spending soars.
“For the past decade, security has been driven by a major principle: those who invest the most are the best protected,” said William Dixon, head of operations at the WEF’s Centre for Cybersecurity and co-author of the organization’s coronavirus security analysis.
“But in areas such as healthcare, retail and local government services the last few weeks have indicated that the market falls short of what is needed to build collective resilience at a time of crisis.”
As much of society, including cybersecurity vendors, mobilizes to protect the most vulnerable, cybercriminals have had no qualms about exploiting a global health emergency that has so far claimed more than 18,500 lives.
There has been a surge in spear-phishing scams impersonating trusted health bodies like the World Health Organization, while a suspected DDoS attack struck the US Department of Health and Human Services on March 15.
An NHS for cybersecurity
The WEF recommends the creation of a cybersecurity equivalent to the UK’s publicly-owned National Health Service (NHS).
This would “realign priorities of industry to realise the collective good, and ensure – as [Aneurin] Bevan [the architect of the NHS] put it – that illness should not be an offense for which people should be penalised and the cost should be burdened by the community.”
The WEF prescribes a three-pronged strategy for closing the cybersecurity inequality gap: incentivising adoption of next-generation defenses, accelerating skills development, and addressing market imbalances.
Citing the UK government’s Active Cyber Defence programme and Microsoft’s recent takedown of the Necurs botnet, the analysis says security automation capabilities such as machine learning and artificial intelligence “will enable us to scale our collective response and dramatically drive down the cost of security to make it more accessible.”
The WEF’s manifesto – co-authored by David Balson, director of intelligence at data intelligence platform Ripjar – said the price of security systems and controls was rising while the skills needed to administer them were in short supply.
The dearth of cyber skills in the healthcare sector, which is struggling to cope with an explosion in Covid-19 infections, was laid bare in the NHS during the 2017 WannaCry attack, they noted.
“Hospitals often run at a loss with small operating margins, yet the average salary of a chief information security officer is now over $200,000,” said the authors.
“What the pandemic is indicating is the imbalance of cyber haves and have nots at times of crisis is heightened significantly,” William Dixon told The Daily Swig.
“We might need to think about how new market incentives and regulation can really accelerate cybersecurity for all, and not just for some, especially in industries we collectively rely on.
“This is a problem that existed before the pandemic, but the cases we have seen, especially in the Czech Republic, show how important it is to address it.”