Protecting industrial facilities from unwanted intruders used to mean putting a padlock on the front door, erecting a fence, and making sure the alarm system was switched on. But in the 21st century, security is a more complex matter. In the era of the Internet-of-Things (IoT), where physical and digital worlds merge, organizations need to protect themselves from a host of cyber threats.
Ensuring that companies across the globe can use digital solutions to spur innovation, growth and job creation without sacrificing security is a key concern for G7 Member States meeting in Turin this week to discuss how to “Secure the Digital Industrial Revolution.” Earlier this year, G7 Foreign Ministers affirmed their commitment to preventing cyberconflict and prioritizing cooperation in cyberspace by applying existing international law, as well as highlighting their support for non-binding norms on appropriate nation state behavior online. This declaration was an encouraging step forward, but more concrete action is needed to detect, deter and respond to cyber threats.
The G7 has an opportunity to lead the way on cybersecurity by further deepening its work on three critical areas. Firstly, advancing the global cybersecurity norms debate with concrete proposals which include the perspectives of the private sector, civil society and academia. Secondly, promoting the alignment of national and regional cybersecurity policies based on international standards and frameworks – the NIST Cybersecurity Framework and the EU NIS Directive come to mind. Thirdly, leading the way in developing best practices for securing the Internet-of-Things from the ground up.
These efforts would be well within the remit of the G7 working group on cyber, the so-called Ise-Shima Cyber Group (ISCG), established at the meeting of G7 leaders in Ise-Shima in May 2016. The ISCG should prioritize tackling these cyber policy issues, particularly in light of the digital industrial revolution’s impact on global economies.
Security concerns remain one of the principal barriers to the uptake of industrial Internet applications. Often, organizations are fearful of being exposed to new threats. A recent survey revealed that less than 40% of security professionals believe the organizations they work for would be able to adequately detect or mitigate a security breach. As a result, many companies are reluctant to adopt new technologies which could in fact transform their operations for the better.
To reverse this trend, governments, the private sector, and researchers must work together to raise the bar for device and network security. This will be the subject of much discussion in Turin, where I’m participating today in the G7 ICT Industry Multi-Stakeholder Conference on making the digital economy and society inclusive, open and secure, as well as a side event on IoT security “Securing the Digital Industrial Revolution: Can (Io)Things safely work in the wild cyberspace” tomorrow.
One of the themes of the workshop will be how to ensure that digital devices and networks can stand up to an attack from any angle. At Microsoft, we believe IoT security rests on a role-based approach, with manufacturers, developers and operators each taking steps which add up to a higher level of protection overall. At the same time, organizations need to maintain consistency and control across the board, with full visibility of the state of security at any given moment. Meanwhile, governments can help promote IoT security by promoting best practices in collaboration with the business community, issuing best practices for securing critical sectors such as healthcare or transport, and investing in education and awareness-raising.
Earlier this month, the President of the European Commission, Jean-Claude Juncker, observed that “cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks.” Given what’s at stake, it is vital that the G7 continues to give due weight to this issue, taking into consideration the borderless nature of cyberspace which demands a collaborative, consistent and coordinated approach across both public and private sectors. After all, just because we cannot see attacks in cyberspace does not mean they are not a real threat. If governments do not come to this realization, and respond accordingly, the consequences could be severe, far-reaching, and very real indeed.