Today’s report, Critical Infrastructure Protection in Latin America and the Caribbean 2018, developed in partnership between Microsoft and the Organization of American States (OAS), demonstrates the value of regional cooperation in global efforts to increase the security of the online environment where it matters most. It acknowledges that rather than focusing on “all politics is local” or “living in a global village”, regions have a key role to play in formulating policies and delivering outcomes for cybersecurity in general, and critical infrastructure protection (CIP) in particular.
“Glocalization,” a buzz phrase from the turn of the millennium, seems well suited to cybersecurity, given the Internet’s simultaneously global reach and local impact. This duality is important to keep in mind when considering the fact that protecting increasingly connected critical infrastructure is a challenge for nations all over the world, and it poses the question of whether the same solutions can be applied across the varied landscapes in which we operate. Regional elements are important in that context, as they provide us with an opportunity to investigate whether the solutions to global cybersecurity challenges need to be tailored to a particular context to be effective, whilst at the same time allowing us to retain a level of scale.
The latter comes about, as even allowing for the global nature of the online environment, we need to recognize that culture, geography, as well as economic relations and trade, are likely to result in a greater level of interconnectivity between neighboring states than far-flung places on opposite sides of the world. In the world of CIP, this means we are more likely to see the same provider operate across two countries in the same region, the same threat actor target linguistically-linked entities, and the consequences of the same cyber-attacks spill across borders.
Close communication and information sharing amongst and between the different regional stakeholders involved in CIP is therefore even more important. This report makes it clear that policymaking in the age of the Internet needs governments working alongside private industry to deliver effective results, leveraging the respective expertise and capabilities of the two groups. But it also reminds us that regional dialogue as well as bilateral discussions between neighboring states, and even between private sector operators in adjacent jurisdictions, helps protect us all.
The need for increased communication and new regional partnerships are only a few of the recommendations that the report puts forward. It also issues a call for risk management to be placed at the center of any CIP initiative, as well as for a move from cybersecurity towards cyber resilience. Moreover, and particularly relevant to the region of Latin America and the Caribbean, the report encourages a holistic approach to CIP at the national level, with governments urged to put forward cybersecurity frameworks, guidelines, and baselines for operators that are outcomes-focused and can withstand the quick pace of technological evolution. Similarly, the report recognizes the need to ensure a clear division of responsibilities in cybersecurity, and a dedicated effort to foster trust between the different entities and stakeholders that must be involved in protecting critical infrastructure.
The examples of global best practices that the report lays out will be recognizable to anyone with experience in the sector. Yet, the report goes a step further by placing these familiar practices in a regional context through the results of an innovative survey of CIP stakeholders across the region. At the global level, we might take for granted the logic behind why we engage in multi-stakeholder dialogue, or why a clear division of responsibilities is so important in modern technology. The survey shows that even in a region where very few CIP frameworks exist, public-private partnerships, within and across countries, have begun to emerge organically and are valued.
At the same time, the survey helps reinforce how much is still to be done on cybersecurity globally. To highlight just one example, almost half of the over 500 respondents, who are trying to protect the most vital national assets in Latin America and the Caribbean, have not yet endorsed risk management. How can the private sector and governments with advanced risk management capabilities best support capacity building in regions of the world trying to protect the infrastructure underpinning their societies, governments, and economies? I believe that this report is the beginning of a dialogue and roadmap for risk reduction.