When the World Economic Forum (WEF) released its “Global Risks Report 2018,” in January, it also issued a new report titled “Cyber Resilience: Playbook for Public-Private Collaboration,” which aims to improve the way governments and policymakers around the world make decisions about cybersecurity. Since, as the report noted, the first line of defense is rarely the government, this framework is designed to promote collaboration both within our own borders and across the globe.

To create the framework, the WEF, in collaboration with the Boston Consulting Group, asked its experts to create an initial list of values that policymakers would need to weigh when choosing between various cyber policies. The 30 options were eventually distilled down to five key values that are central to any choice regarding cybersecurity policy: security, privacy, economic value, fairness and accountability. The remaining 25 options can be mapped to one of these five key values.

Understanding the Trade-Offs of Cyber Resilience

“While leaders are accustomed to debating cybersecurity policy topics in isolation, there is seldom reflection on whether the sum of the parts of cybersecurity policy crafted on a day-to-day basis amounts to a coherent whole.” — The World Economic Forum’s “Cyber Resilience: Playbook for Public-Private Collaboration”

The report laid out the risks and trade-offs associated with each policy choice and noted that, by now, all of the easy choices have already been exhausted. What’s left is a series of challenging decisions at the organizational, national and international levels, and the effects of these decisions are both far-reaching and long-lasting.

So how can security experts help decision-makers understand the risks and trade-offs of their policies when our world today is so polarized? The report addresses that aspect specifically, warning policymakers to avoid rhetorical simplicity, false choices and absolute positions. Instead, they should embrace nuanced reflection and discussion to connect various policy choices to the five key values.

However, policymakers in several countries have started requiring organizations to implement very specific cybersecurity processes and technologies. This drastic approach, reminiscent of the disastrous days of security by compliance, can often lead to a false sense of security — and an even worse resilience posture. A better approach is to design regulations that evolve with the conditions instead of the usual post-crisis panic. As the report put it, “Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation.”

The 14 Key Policy Topics

The playbook outlined 14 policy topics that lawmakers, policymakers, government officials and business leaders should consider to improve global cyber resilience. These key topics are:

1. Research, threat sharing and the government’s role in facilitating the exchange of information;

2. Zero-day vulnerabilities — whether governments develop or purchase them and how they should warn the private sector of their use;

3. The liability for vulnerabilities, especially after a product is no longer supported;

4. The attribution issue — the extent to which we can point to a particular actor as the source of an attack.

5. How to prevent or disrupt botnets;

6. Balancing the interests of the state with those of its own citizens;

7. National information security roles, including which agency should be responsible for what in each country and the need for cross-border collaboration;

8. The benefits and the drawbacks of encryption, especially as law enforcement agencies seek to implement workarounds and backdoors;

9. Cross-border data flows and the responsibilities of each jurisdiction;

10. Notification requirements and the level of sanctions that policymakers should mandate for breached organizations;

11. Duty of assistance and the best ways to leverage public resources in case of cyber emergencies;

12. Active defense and the issue of organizations taking matters into their own hands;

13. Liability thresholds and the duty of care that organizations should be able to implement and demonstrate; and

14. Cyber insurance and the effectiveness of incentives.

Overall Value for Multiple Stakeholders

While it may be tempting to dismiss this document as a directive aimed solely at politicians and policymakers, the playbook lays out very real risks that organizations around the world must face when dealing with their own cyber resilience capabilities. How can we talk about and decide on the best approach to keeping businesses running?

Ultimately, the WEF playbook provides a mature, approachable framework to help governments and other organizations think about the tough choices chief information security officers (CISOs) must make. These challenges are presented in clear language and supported by visuals to illustrate the interconnected nature of each choice.

In the words of the report, the framework aims to “shape a digital future that is sustainable, inclusive and trustworthy.” By promoting a standard by which governments and organizations take care to connect policies to values, the WEF is one step closer to improving cyber resilience around the globe.