Navigating the Future of Cybersecurity Policy

logo Cyberspace2025 Cyberspace2025

menu-icon1 CHAPTERS
Cyberspace 2025:
Today's Decisions, Tomorrow's Terrain

Navigating the Future of Cybersecurity Policy

In the year 2025, we will be more dependent on the Internet than ever before. What will be the forces that shape that world? Some of the answers may be surprising.

F or the past 10 years, the world—particularly in developed economies—has witnessed unprecedented growth and innovation in information and communications technology (ICT). But in the coming years it will be the emerging economies of the world that will witness extraordinary growth. By 2025, there will be upwards of 4.7 Billion people online of which 75 percent will come from emerging economies.

Research grounded in an econometric model—the Cyber 2025 Model—forecasts that the next decade will witness expansive technological growth, significant demographic shifts, and increasing education needs. These three tectonic shifts present challenges for the future of ICT and cybersecurity.

The adoption of new technology will occur at a faster rate and have a greater impact than ever before. For example, worldwide adoption of smartphones grew tenfold between 2007 and 2012. If this pace continues, 80 percent of Internet connections could originate from a mobile device by the year 2025. Growth in connected devices (and overall technology use) will accelerate the global trend towards cloud computing. By 2025, most of the data created in the world will move through or be stored in the cloud at some point. Most countries will recognize that cloud technology is not only a necessity for meeting the demands of their citizens, but a requisite for participation in the global economy.

A small percentage of skilled tech workers will drive innovation for a highly Internet dependent world: in 2025 there will be nearly five billion people online and more than 50 billion connected devices. However, by that time, emerging economies will produce 16 million science, technology, engineering, and mathematics (STEM) graduates annually, which will be nearly 5 times more than the 3.3 million per year from developed countries. This skills gap, defined by the need in developed countries for appropriately skilled workers, will set the stage for fierce economic competition for technology talent.

Two critical demographic shifts are expected by 2025, when developed countries will face rapidly aging populations and declining birthrates, while emerging economies can expect more working-age adults because of rising birthrates.

One measure of the impact of age on an economy is the dependency ratio, which refers to the percentage of the population younger than age 14 and older than 65—that is, those who are dependent on working adults. The Cyber 2025 Model forecasts that developed countries will move from having one dependent child or retiree per working-age adult in 2012 (a one-to-one ratio) to a three-to-two ratio in 2025. These changes will have a dramatic and lasting effect on resource needs and long-term economic sustainability.

How well societies cope with these challenges will depend largely on the policy choices they make. To make the best choices, policymakers need a map of the terrain of the future, which can be created with the right econometric model.

“The Cyber 2025 Model illustrates that the failure to prepare for these expected demographic shifts, particularly aging populations, can have serious consequences for unprepared countries, including unmanageable public debt increases, high youth unemployment, and social instability. It even affects cybersecurity as many more ICT systems are deployed to scale services that countries may lack the technical expertise to manage.”

— Matt Thomlinson, Vice President, Microsoft Security


A map of the future terrain of cyberspace:
The Cyber 2025 Model

Predicting the future is challenging. Forecasters can be led astray by their own biases, such as a desire for the future to conform to their contemporary viewpoints. So a foundation in quantitative analysis is critical. The Cyber 2025 Model is therefore rooted in an econometric model that builds on historical data of 80 countries from 1990 through 2012 to create 2025 forecasts for key indicators of macroeconomic, socio-demographic, and technology conditions. The quantitative analysis is complemented by insights and research from leading thinkers and experts in academia, government, and multilateral institutions.

The Cyber 2025 Model then created baseline, optimistic, and pessimistic forecasts—called Plateau, Peak and Canyon—that countries may experience. Within each of these scenarios, Microsoft also examined their unique cybersecurity challenges.


Plateau: a future that’s stable, but stalled

THE PLATEAU SCENARIO is characterized by asymmetry—a highly uneven approach to governance, technology growth, and the economy. Some governments have protectionist policies and standards that close off stakeholder participation and international cooperation, while others support open trade and liberalize rules for foreign direct investment. Some governments adopt policy regulations that promote ICT development, while others create an uncertain business environment that restricts innovation. For instance, some countries staunchly protect intellectual property (IP) while others deny, revoke, or invalidate patents and other IP rights.

Plateau societies struggle with the challenges of cybersecurity because responses are often limited to individual nations or sectors despite the trans-border nature of Internet infrastructure. Government focus is often on compliance over security. This results in regular and pervasive data breaches in developed countries, for example, which in turn leads to reactive regulatory attempts to improve data protection.

“Two key societal ambitions—innovation and security—will develop, stall, or decline globally. The outcomes will result from policy decisions and their relationships to people, processes, and technologies in the cyberecosystem and beyond.”

— Matt Thomlinson, Vice President, Microsoft Security



Peak: a world that's connected and cooperative

THE PEAK SCENARIO is characterized by clear, effective government policies and standards across both developed and emerging economies, and strong collaboration between governments to support open trade and promote foreign direct investment. This is a scenario of innovation, in which the actions of governments, businesses, and societal organizations foster the widespread and rapid adoption of technology and ICT fulfills its potential. The political, economic, and social support leads to accelerated economic and technology growth and improved global cybersecurity.

In this scenario, governance, economic development, and social conditions improve in all economies, although the Cyber2025 Model shows that emerging economies improve the most. Their regulatory quality improves markedly, their economies grow at faster rates, and ICT development approaches the level of progress seen in developed countries.

All countries recognize the importance of cybersecurity and build national strategies that enhance information-sharing and law enforcement cooperation. In addition, developed and emerging economies create the right mix of incentives for educational institutions and students, thereby attracting workers with skills matched to market need.



Canyon: a world of deepening isolation

THE CANYON SCENARIO is characterized by a failure to fulfill the potential of technology to positively transform governments, economies, and societies. In this scenario, economic and technology growth is relatively slow, with limited adoption of ICT and deep failures in cybersecurity. Protectionist economic policies and government resistance to the rapidly changing technological environment inhibit cooperation and isolate countries. Instead of taking advantage of anticipated ICT growth, governments restrict technology trade and control the flow of information. National policies center on controlling ICT systems and do not support research and development (R&D), such as by failing to protect intellectual property or even violating it outright. Private-sector spending on R&D and innovation then plummets, because individuals and businesses are unwilling to invest in developing technologies that may be pirated or misappropriated. Countries are thus unable to leverage technology to prepare for changes in demographics and labor market needs.

Approaches to cybersecurity are overly prescriptive and do not respond adequately to changing technology or threat conditions. Countries foster an environment of mistrust and animosity toward the global community, adopting cybersecurity policies that are nationalistic and protectionist. A lack of modern infrastructure in emerging economies discourages ICT opportunities and prohibits existing providers from adequately addressing a country’s cybersecurity needs, leaving the population with outdated technology, vulnerable to cybersecurity threats. Cyberattacks plague governments that in turn invest resources in offensive cybertechnologies, instead of managing risk to support economic growth.

“Risks are not just from the commonly recognized sources — such as criminals, malware, or even state-sponsored cyberattacks; they can emerge from policies as well. Societal responses to immigration challenges, education and workforce needs, trade liberalization, as well as international cooperation to resolve cyberconflict, will shape the future of cyberspace for both developed and emerging economies.“

— Paul Nicholas, Senior Director, Microsoft Global Security Strategy and Diplomacy



The Cyberspace 2025 report highlights the transformative power of technology and connectivity, demographic shifts in developed and emerging economies, and the growing gaps in skills that support a highly Internet-dependent world. The future opportunities and risks are closely tied to policy decisions—today’s policy decisions.

There is no one-size-fits-all answer for attaining the Peak scenario. However, these foundations can help guide policymakers as they shape the specific terrain for their countries and begin to build the landscape of cyberspace in 2025.

Commit to an open, free Internet where privacy is protected. Governments should promote widespread adoption of online services by providing incentives, fostering user confidence, and developing consistent and clear guidelines for online service providers, including in the areas of privacy and security.

Advance cybersecurity risk management and coordination. As technology evolves, so too will the sophistication of threats. Policymakers should place a strong emphasis on advancing the discipline of risk management to match the evolving threat landscape of cyberspace. Investing in information-sharing and incident-response capabilities that are effective within a country and internationally will be essential in supporting security, privacy, and reliability across the myriad devices and scenarios that will shape cyberspace.

Harmonize laws and standards that affect cybersecurity. Given the nature of the Internet, developing global ICT laws and standards rather than ones that are unique to each nation is an important principle. Harmonization of ICT law and international standards promotes understanding and predictability, enables collaboration on problem-solving among countries, and helps to establish a more secure Internet.

Promote global free trade. Governments can expand technology access for businesses by building upon existing trade agreements and forging new ones that eliminate barriers to trade. Such trade agreements can also expand investment opportunities, preserve consumer choice, and promote the dissemination and adoption of new technologies

Invest strategically in infrastructure and research and development. Broadband access remains unaffordable for most of the world’s people, but strategic investment by governments, advances in technology, and flexible regulation can dramatically reduce the cost of that access. Government-funded research at universities and labs stimulates innovation and helps to train the next generation of scientists and engineers.

Enable talent mobility and retention. Building an appropriately trained local talent pool requires strong science, technology, engineering, and math (STEM) skills. Where talent shortages exist, governments can bridge the gap by attracting expertise from other countries. Regulatory frameworks should provide appropriate flexibility so employers can expand their operations and develop their workforce while maintaining worker protections within a range of workforce models. Governments that work to remove legal, regulatory, and practical barriers to importing and retaining talent can best take advantage of opportunities for economic growth.

Support the education of a modern workforce. If governments are to maintain and strengthen their ability to compete globally, they must adapt and improve their education systems to prepare students for the global economy by raising educational and teaching standards, rewarding effective educators, and providing teachers with the technology, support, and tools they need. Governments should also promote interest and training in STEM skills, which are needed for a broad array of readily available and high-paying jobs.

Develop cybersecurity norms for stability and security in cyberspace. Policymakers should analyze and prioritize existing cybersecurity best practices at the national, regional, and international levels, and determine where global principles or standards need to be developed. Key areas to explore should include confidence-building measures, responses to security incidents, assessment and mitigation of risk to critical ICT infrastructure, management of cyberrisk, supply chain security, protecting core encryption, and trust mechanisms of the Internet.

“Perhaps one of the most striking policies affecting ICT growth would not necessarily be considered a 'tech' policy. Developed countries will continue to attract talent for ICT jobs in the short term, but inflexible immigration policies and mounting debt may inhibit long-term competition for talent. Conversely, the growth in STEM-educated talent in emerging economies may not translate into innovation and growth in the short term, but over the long term emerging economies will win in talent retention.”

— Paul Nicholas, Senior Director, Microsoft Global Security Strategy and Diplomacy