The Keynote Lecture for the 2024 Annual Cybersecurity Capacity Building Conference held by the Global Cyber Security Capacity Centre, University of Oxford, 30 April 2024.
Dear Cyber Experts, Esteemed Colleagues, Ladies, and Gentlemen,
I am deeply honoured to stand before you today, commemorating the 10th Anniversary of the Global Cyber Security Capacity Centre of the University of Oxford. It is great to see so many colleagues here who have worked hard to promote global cyber stability over the last ten years. Reflecting on this milestone, I am reminded of the inaugural event here a decade ago, where the landscape of cybersecurity was different. It was a time when the notion of combating cyber threats seemed novel and innovative, a challenge embraced by diplomats and national security policymakers with a sense of urgency and determination.
Today, however, we confront a significantly more daunting and rapidly evolving cyber threat landscape. The challenges we face are multifaceted, with cyber-attacks eroding trust in digital infrastructure, wreaking havoc on economies, and profoundly impacting the lives of individuals through online threats, as well as posing threats to democracies worldwide.
In 2023, the global cost of cybercrime soared to an estimated $8 trillion, underscoring the staggering scale of the challenge before us. Despite this alarming reality, only 68 out of 193 UN Member States have acceded to the Budapest Convention, the only international instrument to address cybercrime, highlighting the urgent need for greater international cooperation in combating cybercrime.
The proliferation of cryptocurrency investment fraud, and the rampant onslaught of ransomware attacks targeting smaller and medium-sized businesses in Europe and beyond further underscore the severity of the threat. Despite the efforts of law enforcement agencies to combat these criminal activities, their reach remains limited. Shockingly, 9 out of 10 small companies in Germany opt not to report ransomware attacks, instead resorting to negotiation with cybercriminals to retrieve their data—a troubling trend indicative of the challenges we face in combating cyber threats.
We also live in darker times now as war has returned to Europe. Geopolitical tensions have added extra strain to already fragile global stability in cyberspace. Compounding these challenges is the emergence of approximately 60 cyber commands worldwide, tasked with planning and executing military activities in cyberspace. Cyberspace has indisputably become a frontline in modern warfare, dominated by offensive doctrines employed by both major and minor cyber powers.
While a small cadre of cyber diplomats has established a normative framework for responsible state behaviour in cyberspace, with cyber norms, international law and confidence building measures aiming to stabilise cyberspace, progress has been hindered by protracted UN deliberations and a lack of sustained investment and commitment to upholding cyber norms, Capacity Building Measures (CBMs) and international law.
Against this background, the cyber capacity-building community plays a pivotal role in addressing the pressing needs of providing expertise and tools for bolstering cyber resilience in our post-industrialised nations as well as in emerging and transitioning economies. Comprised of diplomats, national security, international development and cyber experts, this community seeks to bolster cyber resilience and capability globally, yet faces significant challenges in securing adequate resources and support.
In Europe alone, we are confronted with an alarming skills and workforce gap in cybersecurity, with an estimated shortfall of half a million experts. Addressing this deficit presents a formidable challenge, exacerbated by the inherent inertia of educational systems in adapting to emerging disciplines such as cybersecurity.
Therefore, colleagues, as we convene at one of Europe's oldest academic institutions, it is incumbent upon us to redefine our approach to cybersecurity and resilience-related capacity building. Historically, cybersecurity has been approached predominantly from a technological standpoint, with efforts focused on enhancing expertise and competence within specialized domains. However, to truly advance cyber awareness and resilience, we must broaden our perspective, bring the economic and societal dimensions of cybersecurity into our cyber capacity building narrative, and reach the decision-makers to underline the urgency of the situation.
Far too often, the invaluable contributions of cybersecurity professionals go unnoticed, overshadowed by sensationalized headlines depicting high-profile, but low probability cyberattacks. It is imperative that we elevate the discourse surrounding cybersecurity capacity building to resonate with senior leaders across government and the private sector, emphasizing its role in fostering digital trust and safeguarding our collective digital ecosystem.
To this end, we must cultivate a new narrative on cyber capacity building that transcends traditional national security paradigms. This narrative should underscore the role of cybersecurity in fostering digital trust and enabling the benefits of digitalization to be realized over the long term. Cyber capacity building should encompass not only technological advancements but also broader initiatives aimed at fostering digital identity management, enhancing end-user experience, and safeguarding vulnerable populations online.
We should also start speaking in the language of numbers to drive home how much value our societies are losing due to uncontrolled cybercrime. We need to measure cyber harm in economic terms, also gathering statistics on how our manufacturing and critical services sectors are impacted by cyber threats and what this means in terms of our GDP. We have many academic experts and a wide research community here who can surely establish a methodology for how we should understand and analyse the impact of cyber insecurity on our societies.
If we could also back our arguments with hard data, this might change the calculus of senior leadership. The cyber narrative should be mainstreamed into the minds of the public as a plague hindering further economic growth and societal well-being. Instead of the Cyber Pearl Harbour, we have the death by a thousand cuts, which might eventually have an even more devastating effect on our liberal democracies.
I would now like to describe how we can turn our vision for a changed narrative into positive and actionable agenda points. Achieving this vision necessitates a concerted effort to mobilize stakeholders across sectors, including private sector technology providers, government regulators, academia, and civil society. Key pillars include:
- We need to strengthen the digital ecosystem through the development of trusted products and regulatory frameworks that prioritize security by design principles. New cyber ecosystem regulations have been put forward by the EU and the US; we should work with the regulators on how to mainstream this valuable trusted ecosystem work into capacity building.
- We need to implement robust organizational procedures for cyber risk management, threat assessment, and incident response, coupled with comprehensive awareness and education initiatives.
- We should harness technological innovations such as generative AI to enhance automation and efficiency in cyber defence mechanisms, while acknowledging the irreplaceable role of human expertise in innovation and adaptation.
- We should initiate the shift towards thinking about cyber security in terms of investing in the future. If we invest now, we will avoid a major setback in the future, especially in the international development context.
While the challenges confronting the Western world are significant, it is imperative that we extend our efforts to support transitioning and developing nations in building cyber resilience. We know that fast-digitalising developing countries will eventually also face significant cyber risks that hamper their development.
Despite the modest investments made by entities such as the EU, UK, USA, and other nations, the overall investment in cyber capacity building in developing contexts remains inadequate. But in absolute numbers, this is a drop in the ocean. The overall EU development assistance budget in 2024 is 189.3B Euros, the UK development budget in 2024/25 is 8.3B Pounds. Cyber programmes are a small fraction of this investment, counted in a dozen programmes of less than 10 million each.
To address this disparity, we must advocate for a paradigm shift in development assistance, ensuring that cyber capacity building is integrated into broader initiatives aimed at fostering economic growth and resilience. Moreover, we must explore innovative financing mechanisms, such as earmarking a percentage of infrastructure and digital project investments for cybersecurity initiatives, and making the cyber investment a condition for all infrastructure programmes.
Central to this effort is the cultivation of a cohesive narrative that positions cyber resilience as an integral component of all digitalization efforts, grounded in economic and civilian imperatives rather than national security considerations.
By mainstreaming cyber capacity building into wider development assistance frameworks and prioritizing investments in human capital and expertise, we can forge a more resilient and secure digital future for all.
Finally, let me also briefly describe the valuable building blocks of cyber capacity building that we have created in the last ten years. In addition to the Oxford Centre, we also have the GFCE, set up by the Dutch government and integrating a large number of global stakeholders into the cyber capacity building effort.
We have several good initiatives set up by the EU, such as the EU Cybernet, which maintains the pool of experts and organisations who could be mobilised for EU capacity building programmes outside the EU. We also have a number of successful capacity building programmes set up by the EU and executed by the Council of Europe, such as GLACY and GLACY+, that have helped some 120 countries to adopt cybercrime laws and to train judges, prosecutors and other law enforcement experts to investigate cybercrime.
The UK government has been instrumental in capacity building in the Commonwealth and beyond. I am glad to note (under my Estonian citizen hat here) that the UK and Estonia are now working together on two key initiatives helping Ukraine to fight the war of aggression, the Tallinn Mechanism and the Ramstein IT Coalition.
The United States, Australia, Canada and many other Western nations have been making useful efforts on capacity building too; it is all collected by the GFCE in its Cybil portal. But there is still clearly a need for further investment and coordination. The GFCE could set up a clearing house function in order to avoid duplication and advance complementarity.
In addition, regional organisations such as ASEAN, OSCE, OAS and others are key pillars of cyber capacity building efforts. The World Bank has set up a cyber fund under its digital pillar and there are also many good examples of global platforms like WEF doing useful work in this area.
The glass could be seen as half full, or at least a quarter full, if we look at these examples of collective action.
At the same time, with the growing threats out there, our efforts should be stepped up. To quote the famous British author “My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere, you must run twice as fast than that”, said the Red Queen to Alice in Alice in Wonderland by Lewis Carroll.
I am confident that with the brainpower in this room today, and with the help of the global network that we have built in the last ten years, we are prepared to run twice as fast now.
Thank you.