
Risk and Responsibility in a Hyperconnected World
Pathways to Global Cyber Resilience

Prepared in collaboration with Deloitte
June 2012

World Economic Forum 2012 - All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Contents

- Introduction
- Executive Summary
- Section 1: The Changing Landscape
  - The Hyperconnected World
  - Risk and Responsibility
  - Cyber Risk Framework
- Section 2: Individual Action, Collective Gain
  - Partnering for Cyber Resilience
  - Cyber Resilience as an Enabling Capability
- Section 3: Collective Action, Individual Gain
  - Economics of Cyber Security
  - Information Sharing
  - Case Studies
  - Conclusion
- Definitions
- Appendix
- Endnotes
- Acknowledgements
- Contacts

Introduction

Throughout the course of 2011, the World Economic Forum developed a multistakeholder project to identify and address emerging global systemic risks arising from the increasing connectivity of people, processes and objects. In particular, the project has focused on cyber security, with the objective of working with the private sector across multiple industries and governments across multiple regions to identify pathways to a more secure shared online environment. Dedicated workshops took place across Asia, Europe and the United States.

An initial period of discovery provided the context, direction and initial tools for dialogue:

- Nature of the Problem: Increasing connectivity makes us increasingly interdependent. Cyberspace is a global commons and we all have a role in protecting it. Success in complex networks requires new ways of thinking
- Strategic Approach: Provide leaders with simple actionable steps; secure commitment to simple steps to provide a platform for trusted dialogue, especially between private and public actors
- Common Framework: A common cyber risk landscape was developed to provide a strategic overview of issues

As a result of the ongoing efforts of the Risk & Responsibility in a Hyperconnected World project's stakeholders, the World Economic Forum launched the community-led Partnership for Cyber Resilience initiative at the Annual Meeting 2012 in Davos, Switzerland.

This initiative offers a common set of principles for leadership, raising business standards and shifting mindsets from one based on just securing perimeters to a focus on interdependence and resilience. By committing to these principles, chief executives and executives in a similar capacity demonstrate leadership, accountability and best practice corporate governance in a digital world. The principles are supported by a set of optional practical tools for CEOs and other executives.

The organizations taking part in this initiative show themselves to be trusted business partners and legitimate voices in the policy debate around cyber security and related issues. In 2012, the Risk and Responsibility in a Hyperconnected World project will host a number of public sector-focused workshops to provide signatory organizations a platform for this debate.

While the Partnership for Cyber Resilience initiative is relevant to public sector organizations in their operational capacity (they are also actors in the ecosystem), it does not speak to the special role that government has in providing the environment in which organizations operate. The highly networked nature of cyberspace presents policy-makers with unique challenges. In particular, there is growing awareness that policies designed as a solution to one particular problem can frequently have unintended consequences elsewhere, e.g. on privacy, innovation or even existing and commonly accepted business practices.

A striking outcome from the regional workshops was the high degree of alignment on the overarching goals that businesses and governments wish to achieve. However, this was matched by recognition of significant regional and national differences in capabilities to deal with cyber threats and cyber crimes. Cultural differences in norms and values, and the debates these engender, will continue for some time. However, there is an opportunity to harmonize on a core set of non-prescriptive capabilities, such as in the criminal justice chain, to deliver both immediate gains and a platform for continued dialogue.

Executive Summary

“As private and public sector actors take steps towards greater accountability and capabilities, discussions on collaboration across sectors and regions can be undertaken with greater trust, confidence and experience.”
Scott David, Executive Director of the Law, Technology & Arts Group, University of Washington Law School; and Raymond Stanton, Global Head of Business Continuity, Security and Governance, BT Group

This document is structured to capture some of the emerging and leading thoughts on the current cyber security debate.

Section 1 describes some of the relevant attributes of the “hyperconnected world” as a complex network. In particular, it highlights the changing nature of relationships as driving a great deal of uncertainty over roles and responsibilities. A two-step approach to greater clarity and confidence is proposed:

- Identify and promote individual actions that have an effect on the overall environment (e.g. an analogy is often drawn with basic hygiene practices, such as washing your hands to stop the spread of germs or viruses)
- Actors who have committed to these practices can engage in a dialogue to work through new ways of working together; mutual trust provides a platform for collaboration

Section 2 provides an overview of the Partnership for Cyber Resilience initiative, including the Principles for Cyber Resilience. It highlights why the Principles are relevant and should be taken up by the executive leader of organizations across all industries and sectors. It also addresses an emerging discussion about cyber resilience and national competitiveness. While steps can be taken to increase resilience by both companies and governments, it is clear that collaboration and coordination are required.

Section 3 looks at questions of coordination. Functioning markets are a powerful tool for allocating resources for maximum social gain. However, markets need supporting institutions (e.g. property law and contract law) in order to operate, thus market failures may require specific responses to achieve desired outcomes (e.g. environmental pollution constraints). How does the challenge of securing cyberspace look through this lens?

An example of those challenges is the sharing of information among stakeholders. Information access is an important feature of equitable markets and information sharing is a common focus for cross-industry, cross-sectoral and transnational cooperation. However, it can mean different things to different people and some challenges and barriers still prevent stakeholders from fully reaping the benefits of information sharing. A simple analysis of the dimensions of information sharing is provided and applied to two case studies.

Discussions and workshops held as part of the Risk and Responsibility in a Hyperconnected World project over the last year have led to the following recommendations:

For the private sector:
- Join the Partnering for Cyber Resilience initiative; commit to the Principles
- Develop a pervasive culture of cyber awareness and resilience
- Commit to responsibility and accountability for developing the organization's level of cyber resilience
- Promote the spread of best practices throughout supply chain
- Engage in policy debate, and where possible, align under common core principles and commitments as a first step towards harmonizing policy needs

For the public sector:
- Work towards a flexible, but harmonized criminal justice capabilities framework
- Engage private sector and adjacent policy domain experts to identify potential unintended consequences of policy development in advance
- Ensure individual protections and foreign jurisdiction counterparts to share lessons learned and improve harmonization
- For public agencies: join the Partnering for Cyber Resilience initiative; commit to the Principles

For the private and public sectors together:
- Commit to develop robust and sustainable public-private partnerships for a resilient cyber environment, based on clear and mutually agreed assignment of roles and responsibilities and the principle of accountability
- Explore the need for the development of a cyber risk market

For academia:
- Promote the concept of economics of cyber security to non-specialist fields
- Advance research on information sharing and the link between cyber resilience and national competitiveness

In the second year of the Risk and Responsibility in a Hyperconnected World project, the World Economic Forum will develop a tailored, capabilities-based set of guidelines for the basic legal and criminal justice components that governments should put in place to improve cyber resilience. The project will seek interaction with government representatives, both in policy development and policy enforcement communities, academics and business representatives in a series of workshops and interviews. This will contribute to developing guidelines for policy and criminal justice communities, and subsequently to seek support for this new initiative.

The interim results will be presented during the World Economic Forum Annual Meeting of New Champions 2012 in Tianjin, People's Republic of China on 11-13 September.

[Figure: Private Sector Principles and Accountability; Private-Public Partnerships; Harmonized Capabilities; Objectives for Public Sector; Trusted Dialogue and Robust]

Section 1: The Changing Landscape

The Hyperconnected World

“Being always “connected” is the new normal. Such a level of interconnectedness presents unique and substantial risks, but also opportunities. As new business models develop and non-traditional sectors are integrated into the hyperconnected world, the question of responsibility and ownership becomes critical for the viability and stability of the entire digital ecosystem. Building a common understanding of rights and responsibilities therefore becomes essential.”

Information and communication technologies are at the centre of a rapid expansion of physical, social and virtual networks, connecting objects, people and processes in new ways and on an unprecedented scale. There is increasing awareness that we are rapidly entering a world in which everyone and everything is, will be or can be connected.

Over 2 billion people are now connected to the Internet, and this number is set to increase significantly with the advance of the “Internet of things,” [1] in which a wide range of networks, devices, appliances and objects are to be connected. In addition, the total data traffic generated by mobile devices is projected to surpass that of wired devices by 2015. [2] Some have predicted that by 2020 there will be over 50 billion Internet-connected devices. [3]

Being connected has become the new normal across so many aspects of our lives, driving huge change across the worlds of business, government, civil society and our daily lives. In fact, information and communication networks have become a fundamental part of a nation's infrastructure, needed for economic stability and growth. Such networks lead to increased productivity, business growth and job creation. [4] However, there is a growing sense that the changes are only beginning, and perhaps more importantly, that it may be hard to fully understand the breadth and depth of opportunities and risks which this connectivity brings.

Hamadoun I. Touré, Secretary-General, International Telecommunication Union (ITU)

Hyperconnectivity does not just allow us to do things more efficiently; it transforms how we do things and even what can be done. From smart grids and e-health to embedded sensor networks, technology is enabling innovative collaboration and new types of partnerships, particularly between businesses, governments and individuals. However, this can bring about both benefits and harms, social and economic alike. On one hand, first responders to the Chilean earthquake in 2012 were connected via a volunteer mapping platform with real-time needs communicated through texts from victims on the ground. [5] On the other hand, cyber crime is estimated at up to US$ 1 trillion annually. [6]

The Internet of Things

As defined in the World Economic Forum's Global Information Technology Report 2012, hyperconnectivity includes not only people-to-people formats (as individuals and as members of groups, and using a vast array of media), but also communication between people and machines, and between machines themselves without any direct human involvement. [7]

Today, so many physical objects and processes are being connected. Everything from business processes to critical infrastructure, cars, planes, household appliances, pacemakers, all are in some way connected to networks. This allows for huge social and economic gains. The data that this connectivity produces can result in genuine new knowledge of the world and trends.

But there is a downside. The risk of this “connectivity of things” has been described by Rod Beckstrom in terms of “laws”:

- Law 1: Everything that is connected to the Internet can be hacked
- Law 2: Everything is being connected to the Internet
- Law 3: Everything else follows from the first two laws

Less Clear Boundaries

The concept of de-perimeterization has emerged in the last decade as the borders between the internal and external networks are becoming less clear. Employees increasingly use their own devices for work purposes; partners, contractors and customers share access to networks and cloud-based services continue to enjoy rapid growth. Security technologist and author Bruce Schneier highlights the notion that modern networks are more like cities, dynamic and complex entities with many different boundaries within them. The access, authorization and trust relationships are even more complicated. [8] As such, thinking about security in terms of building bigger walls (firewalls and anti-virus software), while still necessary, is not sufficient. A holistic approach to cyber risk management across the organization, its network and the larger ecosystem is required.

From Centralized Authority to Distributed Accountability

Networks allow for point-to-point interactions, which spread power broadly across their participants. Whether those participants are consuming digital goods (e.g. music, books), rating physical products or services (e.g. retail, travel) or exercising their political voice, social and institutional structures need to adapt.

There are many examples where today's social structures are transforming from a centralized, hierarchical structure to a decentralized networked system composed of multiple nodes, all able to interact with each other. The move away from “command and control” social structures makes decision-making much more challenging for at least two reasons: unilateral decisions based on authority have less influence, and the number of complex interdependencies can mean that steps taken to solve a problem in one domain can result in unintended consequences elsewhere.

[Figure: Hierarchical System; Networked System]

From a risk perspective, the bottom-up, distributed nature of networks also poses new challenges. On the threat side of the equation, the asymmetry of power between the individual and the state is inverted, and malevolent actors can recruit, coordinate and inflict harm across the whole network. Highly connected networks are typically robust to random failures, but are vulnerable to targeted attacks. Furthermore, a recognized risk in networked environments is that of cascading failure, exemplified by “Operation Blackout” by hacking collective Anonymous, [9] which intended to use this networked characteristic of the Internet to disrupt availability.

On the response side, a shared networked environment makes us more interdependent on each other. Increasing dependence on connectivity for the normal functioning of society makes the protection of connectivity a critical issue for all; it is a shared resource, like clean air or water. No one organization can resolve the issue by itself; a collaborative, multistakeholder approach must be taken. Even competitors in a given industry must become partners in the effort to ensure a stable and trusted environment.

The Changing Nature of Relationships

- State-Citizen: The empowered citizen has been the focus of much media attention, as a result of improved transparency and coordination. At the same time, the amount of citizen information governments possess has never been higher.
- Enterprise-Consumer: The empowered consumer drives change across business models and practices, while corporations are the trustees of vast amounts of personal customer data.
- Enterprise-Enterprise & Government: Companies are discovering opportunities to collaborate across industries to bring new value propositions, from smart grids to smart cities and the connected car. These propositions often have social value to governments or require new laws.
- Enterprise-Enterprise: Competitors in the same industry are beginning to share critical cyber risk and threat information with each other in ways that would have seemed inconceivable only five years ago.
- Government-Government: Hyperconnectivity does not respect borders or boundaries, requiring improved transnational and cross-sectoral coordination; the rate of change in the nature of threats renders current policy-making practices and timeframes inadequate, at least in the case of threat or technology specific policy

The changes in how actors can interact with each other, be they governments, citizens-consumers or enterprises, not only mean that often the “old rules” do not apply, but also that the type of rules, and the way in which rules are made, might need to be re-examined.

Risk and Responsibility

Hyperconnectivity is allowing new types of interactions between actors or nodes in our society and economy, demanding a renewed examination of roles and responsibilities.

As new behaviours and models are emerging, individuals and organizations are faced with the need to adapt to new ways of thinking and effect change in a new environment. The approach is two-fold:

- Identify new behaviours for individual nodes: This process requires working on developing the networking effects by aligning individual behaviours.
- Reconsider the terms of the contracts between the nodes: Once individual behaviours are aligned, the terms of the social, commercial and legal contracts between individuals need to be re-examined and adjusted.

By developing the Partnering for Cyber Resilience initiative, the World Economic Forum intends to help any

A new phase of the initiative is now being developed to help public sector organizations in their decision-making capacity to enforce policy in the hyperconnected world. The objective is to create a tailored, capabilities-based set of guidelines or principles for the basic legal and criminal justice components that the public policy and criminal justice communities can use to reduce cyber crime at a national level, and to benefit them in developing and enforcing policy in the hyperconnected world.

Both parts of the initiative are helping each node of the network to focus on similar objectives and adopt a common approach to address the challenges emerging from the hyperconnected world. The three issues discussed in this report (cyber resilience as an enabling capability, the economics of cyber security and information sharing) focus on the interactions between the nodes and examine the new terms of the contract that need to be identified to adapt relationships to this new environment.
