Rapid digitization over the past 10 years has led to an explosion in the need for effective cybersecurity solutions. According to Fortune Business Insights, the global cybersecurity industry was valued at US$153.65 billion in 2022. This figure is projected to grow 13.8% annually through 2030 (FBI, 2023).
In the past, when computer systems were much more localized, the aim of cybersecurity was to keep hackers outside of a network through firewalls and intrusion detection systems. This approach was analogous to a “castle and moat,” in which no one “outside” the network has access to data, while everyone on the “inside” does (CF, n.d.). However, since the 2010s, both public and private institutions have been placing sensitive information outside their immediate network due to the widespread adoption of third-party services such as cloud platforms, IoT products, and industrial control systems. (Ehrlicher, 2021).
As such, cybercriminals have exploited outdated models of implicit trust within a network for their own gain. In the early 2000s, many hackers were usually independent actors seeking fame and notoriety by corrupting systems. However, by the mid-2010s, cybercriminals had started working in large, sophisticated syndicates because of the huge profits they could make by compromising systems and holding them for ransom (Forrester, 2021). According to Statista, victims of “ransomware” in the US pay an average of US$9.44 million per attack (Petrosyan, 2022), while the global cybercrime industry was valued at a staggering US$8.4 trillion in 2022 (Petrosyan, 2022).
Moreover, the lines between cybercriminals working for a profit and state-sponsored cybercrime syndicates are becoming increasingly blurred. According to the US Department of Defense, certain governments “turn to criminal proxies as a tool of state power” and “allow their government hackers to moonlight as cybercriminals” (Lopez, 2021). At the state level, some governments encourage cybercrime against the public and private institutions of rival countries to cripple critical infrastructure, gather data, and collect ransom (CSIS, n.d.).
Therefore, around the world, governments are partnering with private businesses to improve cybersecurity by bolstering safety mechanisms around critical infrastructure, strengthening best practices in information sharing and network architecture, and enhancing cybersecurity talent through improved training and the adoption of AI.
According to the European Commission, critical infrastructure is “an asset or system which is essential for the maintenance of vital societal functions” (EC, n.d.). In terms of cybersecurity, this means protecting facilities such as power grids, water suppliers, satellite communications, and government agencies from cyberattacks (Delcker, 2022). In the past, the computing systems for critical infrastructure were largely self-contained within the network of an institution. However, modern industrial control systems now allow business networks to operate critical infrastructure remotely. According to the US Government Accountability Office, cybercriminals can now enter business networks through malicious email attachments and gaps in virtual private network connections as well as directly attacking industrial control system devices that are connected to the internet (GAO, 2023).
Protecting critical infrastructure has become increasingly complex because one system, such as a power grid, usually involves a myriad of different public agencies and private sector businesses. Currently, cybersecurity compliance standards are even harder to maintain because private companies now own and operate many segments of critical infrastructure systems. As such, the EU launched the Network and Information Security Directive in 2022 to “address supply chain security” and “introduce more stringent supervisory measures and stricter enforcement requirements” in response to recent Russian state-sponsored cybercrime directed at both public and private institutions (EP, 2022).
The public sector is also trying to find cost-effective ways to mandate higher cybersecurity standards for private companies involved in critical infrastructure. One pertinent type of regulation has been to increase communication between private companies and the government after a cyberattack. The Thai government has ramped up efforts to protect its financial system through more comprehensive support for reporting cyberattacks. According to the National News Bureau of Thailand, a system that includes the National Police, the Association of Government Financial Institutions, the Thai Bankers’ Association, and 21 bank members, will “expedite the acquisition of arrest warrants” by drawing connections between disparate attacks (NNBT, 2022).
Public and private institutions are also bolstering cybersecurity by adapting to the new realities of cloud computing. Recently, Russia has been sponsoring hackers to retaliate against institutions located in countries that show support for Ukraine. According to cybersecurity firm CyberCX, organizations within New Zealand are now more vulnerable to “ransomware, data theft extortion, and distributed denial-of-service attacks” (Morrison, 2022). Therefore, many institutions are building “zero-trust architecture” into cybersecurity systems, which requires users to be continuously validated before being granted access to data (Raina, 2023). In other words, zero-trust architecture can protect user data by wrapping “security around every user, device, and connection for every single transaction” (IBM, n.d.). This stands in contrast to traditional cybersecurity models that grant unchecked access to data once within a network’s “moat”.
Unfortunately, according to the World Economic Forum, there is a shortage of 3.4 million skilled cybersecurity professionals worldwide (Xie, 2023). This means there is a huge gap between the current supply and demand for cybersecurity professionals with both the hard and soft skills that can design, implement, and update complex zero-trust architecture cybersecurity systems (Poremba, 2023).
In Australia, the central government has adopted several initiatives to train cybersecurity professionals. For instance, the Cyber Security National Workforce Growth Program aims to sponsor “training, apprenticeships and internships” through the AUD $70.3 million Cyber Security Skills Partnership Innovation Fund. These programs will also expand cybersecurity education in STEM-related subjects such as “technology, engineering, and mathematics” to provide a stronger base for relevant skills and training (DFAT, n.d.).
In addition, governments and businesses are adopting AI and machine learning (ML) to make up for cybersecurity talent shortages as well as address issues in “threat overload and cumbersome tools” (Sharma, 2023). This has helped public and private institutions keep up with the rapid pace of innovation in cybercrime. For instance, cybersecurity professionals now use AI to synthesize huge amounts of information to identify threats in log events and network flow data as well as provide clients and institutions with suggestions on improving data security and upholding compliance (IBM, n.d.). Ultimately, using AI can free cybersecurity professionals from rote tasks, automate certain defence responses, and “optimize workflows” (MC, 2022).
The following article will examine what New Southbound countries are doing to adapt to international trends in cybersecurity.