Institutions, Laws and Policies
The advances of digital technology and the intertwined connections between computing and communications have set in motion many changes affecting and impacting the way we live. From 2000 to 2017, the Internet has expanded exponentially on a global level, and currently an estimated 3.7 billion people are connected to the Internet, which is close to 42 percent of the world’s population. The technology has advanced so fast and has become more and more user friendly; at the same time, people around the world have become more and more sophisticated in the use of technology. These developments have also created unparalleled opportunities for cybercriminals in that criminal behaviors that were not imaginable a few years ago have become daily occurrences today. Digital technologies today make available to ordinary citizens tools that have the power and capability to inflict considerable damage, economic and social. As never before, and at insignificant cost, criminals can cause significant harm to individuals, companies and governments from unheard of locations worldwide.
In order to create a control mechanism over cyber space and some form of deterrence for cybercriminals, a number of countries around the world have reformed their existing laws and legislation to address cybercrimes; however, these have proven to provide vague and inefficient solutions. It is argued in this book that in order for ethical standards to be established in cyber space, penal legislation must be developed and adopted which is clear and transparent; in other words, new laws have to be legislated to deal with cybercrimes. In addition, since cybercrime is borderless, where offenders can aim their attacks at many people, systems and organizations in any country of the world regardless of their geographic location, international collaboration of law enforcement agencies and the creation of a common denominator for cyber laws in the different countries are critical. It is estimated that in 2016 cybercrime cost the global economy US$0.5 trillion and it is expected the cost will rise to US$7 trillion by 2021. United States’ former Secretary of Defense, Leon Panetta, cautioned of the rising threat of a ‘cyber Pearl Harbor’ (Panetta, 2012).
As information and computer technologies (ICTs) have developed, so have crimes related to their utilization; as a result of the move to the use of computer networks, new techniques of carrying out crimes have been exploited. Traditional laws were not developed with cyber society in mind. The main concern is the degree of relevance of legislations and their effectiveness in dealing with cybercrime. Traditional criminal laws describe qualified unethical behaviors that were developed over hundreds of years. The technological advancements of ICT networks have provided criminals with new opportunities to carry out attacks and commit fraud online. The costs incurred due to these attacks are considerable: loss of data and information, loss of revenues, losses associated with reputation and image of the entity affected, and damage to soft and hard infrastructure. Given the nature of cyber space in terms of lack of geographic boundaries, these attacks can cause inestimable devastation in a number of countries at once and attribution is a serious problem.
Several individuals have been engaged in the fight against computer crime from its early development. The pioneer in the area of computer crime is, by the account of many experts in the field, Donn B. Parker, a senior computer security consultant at the Stanford Research Institute in the United States. His journey with computer crime and cybersecurity started in the early 1970s; his first book on the subject was Computer Crime published in 1976. Parker was also the lead author of Computer Crime: Criminal Justice Resource Manual (1989), the first basic US federal manual for computer-related law enforcement.
In 1982, the Organisation for Economic Co-operation and Development (OECD) appointed an expert committee, the Information and Computer Communication Policy (ICCP) Committee, to discuss computer-related crimes and the need for changes in the legal systems. This committee presented its recommendations in 1986, stating that, given the nature of cybercrime, it was highly desirable to create some form of international cooperation to reduce and control such activity (OECD, 1986). In addition, it recommended that member countries change their penal legislation to cover cybercrimes. In 2012, the OECD published a seminal working paper entitled ‘Cybersecurity policy making at a turning point: Analysing a new generation of national cybersecurity strategies for the Internet economy’. The paper covers a comparative analysis of national cybersecurity strategies for member OECD countries and reveals that in the majority of countries cybersecurity has become a national policy priority. What makes this paper stand out is that it pioneered a holistic approach to cybersecurity analyzing it from economic, social, educational, legal, technical and military aspects (OECD, 2012). In its 2017 Digital Economy Outlook, the OECD states that cybercrime incidents appear to be rising in terms of complexity, rate of occurrence and magnitude. According to the report, in May 2017 computers in 150 countries around the world were infected by WannaCry, malicious software (ransomware) that blocks access to the victim’s data until a ransom is paid. This was devastating for both the public and private sectors; just as an example, manufacturing firms such as Nissan Motors and Renault stopped production at several sites. Operations at FedEx and Deutsche Bank were disrupted for a few days (Sharman, 2017). Cybercriminals have been very active both in developed and developing countries. 
While the developed world has moved at an early stage to enact laws and policies to deal with cybercrime, the developing world has been slow moving in this direction.
The 1980s and 1990s saw a great number of developing countries diversifying their economies from reliance on commodities and moving toward knowledge-based societies; to that end, there is a strong need for an appropriate legal foundation to govern cyber space and cybersecurity policies to create a framework for a cyber-safe society. The regulatory system, even in developed economies, has always had difficulties in keeping abreast with the advancement of technology. The author always refers to this phenomenon as ‘the legal system being in a reactive mode, while the technological system is in a proactive mode.’
One of the most disturbing trends in recent years has been the surfacing of an advanced, well-developed underground economy in which spam software, credit card information and identity theft information are all available at affordable prices. Symantec, the prime security software company, raised red flags about what it calls the ‘underground server’ economy in November 2015, with the publication of a report that estimates nearly US$500 million worth of goods and information is available on online black markets. Credit card data accounted for the largest percentage of the information available for sale on these underground market servers; further, Symantec reports that identity theft information constitutes 16 percent and financial information accounts for 8 percent (Symantec, 2015). What is even more frightening than the accessibility of this information is its affordability! According to Symantec, bank account information is selling for US$10 to US$1000, while information about financial websites’ exposure is promoted for an average of US$740. If all the information available on the servers were made use of successfully it would net close to US$5 billion, the report estimates. A primary reason why this data is more broadly available is that hackers have taken up hacking as a full-time job, earning a living by stealing information and putting it on the black market for sale on underground server systems. A previous study published by Symantec in 2014 states the average cost per cybercrime victim has increased, despite the fact that the number of victims has decreased. According to the report, the price associated with consumer cybercrime is US$113 billion annually; this is a 50 percent increase over 2012 (Symantec, 2014). According to Google, as many as 5.5 percent of unique IP addresses (amounting to ‘millions of users’) visiting Google pages included injected ads.
Ad injectors are unwanted software that insert new ads or replace the ones already there and they have plagued the Internet for many years (Google, 2015). It is estimated that the cost associated with cybercrimes will reach US$6 trillion by 2021 (Symantec, 2014). In addition, in its 2016 report, Symantec found that 2015 saw a record-setting total of nine mega-breaches, and 429 million exposed identities. The report states that this number is underestimated because many entities either do not report the crimes or underreport them; Symantec provides a conservative estimate of unreported breaches that pushes the number of records lost to more than half a billion (Symantec, 2016). Another 2016 report published by Symantec indicates that ransomware was one of the major threats facing Internet users, both individuals and organizations. Attackers have sharpened and refined their ransomware activities using robust encryption and anonymous payment systems, such as Bitcoin, in order to build treacherous worldwide malware campaigns. The ransomware activities are expected to increase in the near future (Symantec, 2017).
The rise of malware and underground servers has resulted in alarming financial disasters for a large number of businesses. The frequency and volume of those attacks have increased in recent years. Newsweek has termed 2014 the ‘year of cyberattacks’, starting with the attack on Sony, followed by Target, J.P. Morgan, Home Depot and others. These were only some of the many victims of cyberattacks in 2014; Staples, Healthcare.gov, Neiman Marcus, the University of Maryland System and many others also suffered cyberattacks that left many customers vulnerable (Tobias, 2014). Ransomware continues to lead the cybersecurity landscape in 2017, with businesses paying millions of dollars to release their encrypted files. Attacks such as WannaCry and NotPetya are taking over systems and data left, right and center, and disseminating new infections through a variety of proven methods. The continuation of this trend makes one thing very clear—ransomware is still leading the world of cybersecurity. Among industries, in 2017 education was the most attacked, followed by telecommunications, entertainment & media and financial services.
Given the less than optimal economic conditions in developing countries, financial crimes are expected to increase as cybercriminals take advantage of the predominant economic confusion and desperation of jobless people. The present global economic crisis will become a goldmine for cybercriminals and will most likely lead to more financial crimes in the next few years. Businesses and governmental agencies around the world are being pressurized by the economic downturn, and the insecurity facing them is compounded by significant added risks due to data leakage, data loss, and outside attacks, all of which have increased significantly over the past couple of years.
The growth of electronic commerce and activities in cyber space in the past few years has created a need for vibrant and effective regulatory mechanisms to further strengthen the legal infrastructure that is crucial to the success and security of cyber space. All of these regulatory mechanisms and the legal infrastructure come within the domain of cyber policies which will guide the regulatory environment. Creating an appropriate regulatory environment is important because it touches almost all aspects of transactions and activities concerning the Internet, the World Wide Web, and cyber space. Regulations also concern everyone; the most vigorous cyber gangs are using tried-and-true modus operandi to find Web applications containing major faults; they perform simple activities to break in, such as overloading a badly written program with too much input. Usually, the intruder aims at taking control of the victim’s personal computer and using it to breed infections and perform illegal activities. Meanwhile, all of the victim’s important data are gathered and traded. In the past few years, email, blog sites, social-network messages, search engine results, and popular webpages have become overloaded with such infections. In 2013 alone, 41.6 percent of user computers were attacked at least once; in order to conduct all these attacks over the Internet, cybercriminals used 10,604,273 unique hosts, which is 60.5 percent more than in 2012 (NDTV, 2016). One can only speculate about the root cause of the proliferation of these attacks. Lately, phishers have been singling out smaller financial services companies and smaller banks worldwide, which may not be as prepared as the larger banking institutions; in addition, phishing software is becoming more and more sophisticated, allowing the hijacking of a larger pool of Internet technologies.
Cybercrime activities are coming in various forms and shapes. Crimes are carried on by individuals, governments and organized criminal rings. Many governments, increasingly in the developing and newly industrialized nations, are carrying out cyber intelligence and offensive cyber activities. The majority of those activities are politically motivated, as in the case of the attack that targeted Sony Pictures Entertainment in 2014, where employee data, emails and unreleased movies were exposed.
It is important to note that the cost of cybercrimes is significant but is very difficult to measure, as many public and private sector entities in both developed and developing countries might be under cyberattack but are unaware of the cyber activities. As a result, there are no reliable cost figures based on recognized methodologies to measure the actual cost of those cybercriminal activities. The greatest cost component has to do with lost business, such as the cost associated with Nissan, FedEx and Renault stopping service and production back in May 2017.
IT TRENDS AND CYBERSECURITY
New trends in information technology (IT) development such as the diffusion of the Internet of Things (IoT), the move to the mobile platform, the widespread development of open source software, and the explosion of big data worldwide have added to the economic growth of countries falling in the developing/emerging domain but at the same time have increased cybersecurity concerns. As a set of related technologies, IoT includes the use of sensors, identification systems such as SIMs, chips and cards, and radio frequency identification (RFIDs), among others.
A recently published study authored collaboratively by Cisco Systems and the United Nations’ International Telecommunication Union (ITU) estimates the number of networked devices at 25 billion worldwide by 2020, or as many as 50 billion if we consider RFID tags (ITU, 2015). This report states that in developing nations, IoT is helping meet all the Sustainable Development Goals set forth by the United Nations. Many examples are discussed in the study dealing with how developing/emerging countries are making use of IoT in many economic sectors, from health, utilities and agriculture, to disaster management. By way of example, as of May 2017 Johns Hopkins University had 140 mobile health (mHealth) projects in developing countries. As of November 2017, the World Bank identified tens of projects in developing countries incorporating big data. A number of stakeholders are involved in implementing IoT projects in developing countries, including companies, NGOs, governments and universities. In advancing growth and development, IoT has improved the planning, delivery, implementation and monitoring of projects in various sectors in developing countries (Labrique, 2017). In the healthcare sector, IoT is creating huge value-added in developing/emerging countries. Nexleaf Analytics, a not-for-profit technology company supported by the Bill and Melinda Gates Foundation, is relying on the cloud to improve healthcare delivery in India (Nexleaf.org, 2017). During the transport of vaccines to remote areas, for instance, Nexleaf monitors the temperature of vaccines via a device which uploads data to the cloud in real time. A server then sends warnings if and when the temperature exceeds acceptable levels.
Other examples of the use of advanced technologies such as IoT, Big Data and the Digital Mobile platform include applications in the utilities sector where a team at the Robotic Embedded Systems Laboratory of the University of Southern California tested a network of 48 manual arsenic biosensors to monitor water quality in Bangladesh. In Kenya, a team from Oxford University attached basic accelerometers (similar to those found in a mobile phone) to water pump handles that deliver data via Short Messaging Systems (SMS) to monitor water usage. Also in Kenya, M-KOPA installs solar home systems at a discount and charges households for the amount of electricity they use. The system disconnects the power if the meter runs out and the users can buy more with mobile payments. M-KOPA remotely monitors the efficiency of its systems and makes adjustments as needed.
Overall, the use of IoT has been shown to improve efficiency and enhance effectiveness. The technology is advancing social and economic growth in developing countries. As mentioned above, projects abound from healthcare to water sanitation, to electricity and agriculture. From a holistic perspective, the three areas that stand out in the use of IoT in development and growth are smart cities, water grids and smart power.
The above are only a few examples of how the development in information technology, especially IoT, is being utilized to achieve economic and social objectives in developing/emerging economies. With the enormous opportunities created by the technology, there are also great challenges associated with cybercrime. With the use of IoT, a large quantity of personal and corporate information will reside in the cloud where it interacts with a host of devices. The security chain could afford cybercriminals a vulnerability through which to take advantage of systems by accessing and manipulating the data. Because there are so many devices that can be hacked, hackers can accomplish more.
The availability of advanced technologies in developing and emerging countries makes it critical for those countries to create a culture of cybersecurity awareness and to develop and implement quality cybersecurity policies and strategies. As the diffusion of IoT in developing countries increases and becomes a modus operandi, decision makers in those countries have to be concerned about protecting the IT infrastructure. One possible explanation of why the adoption of IoT is growing rapidly in those countries is that the technology has moved from improving efficiency to the creation of new business models and products (ITU, 2015).
Given the importance of cybersecurity, and in trying to provide better metrics to measure infractions, Microsoft, in collaboration with a number of companies around the world, undertook the exercise of exploring predictive cybersecurity models in order to define and improve the understanding of the key technical and non-technical factors that contribute to cybersecurity (Microsoft, 2013). The study used the diffusion rate of malware as a proxy for measuring cybersecurity performance. Malware infection rates were assessed on 600 million devices worldwide with the objective of defining the landscape of exploits, vulnerabilities, malware, and other intelligence data. This Microsoft study found that the diffusion of malware is negatively related to the levels of economic and social development of nations, concluding that more developed countries possess better cybersecurity. The model developed by Microsoft placed each country into one of three categories: (1) maximizers, countries with higher than expected cybersecurity performance; (2) aspirants, countries with an acceptable/expected cybersecurity performance and who are still developing cybersecurity capabilities; and (3) seekers, countries whose cybersecurity performance is below the levels the model expects. Most developing countries were categorized as seekers, that is, in category 3. The Microsoft model also identified 11 key factors that can predict changes in global rates of malware; those factors included economic development factors, digital access factors, and institutional factors (Microsoft, 2013). As our study will demonstrate, economic, technological and institutional factors will determine the quality and comprehensiveness of cybersecurity policies and strategies of nations. The results will be presented in Chapter 5 of this book.
The implications of the communication/cyber revolution are profound but still far from being evident for the developing/emerging world. Lower transaction and communication costs, combined with quality production of goods tend to entice many businesses to outsource to developing countries, however. The United Nations has been very active in promoting the diffusion of ICT as a means of economic development. A number of United Nations initiatives affirm that the difficulties associated with the digital revolution make it necessary for emerging and developing countries to identify the major challenges facing them as active participants in the knowledge economy. Specifically, these are the challenges they face in creating wealth and making optimum use of the new development opportunities offered by the information society in various priority sectors; the vitality of creating a trust framework through appropriate regulation of new social, economic and cultural phenomena; as well as prevention and control of the dangers and risks associated with the information revolution. Research has shown that the ability of those countries to be successful in getting on the information/knowledge society bandwagon is linked with possessing tangible and intangible resources. Of great importance is a legal structure that addresses criminal cyber activities. Deterrence and awareness are necessary conditions for the success of cyber laws; well-structured and well-designed cybersecurity policies and strategies aiming at creating awareness and acting as a deterrent for cybercriminals are musts in this respect, above and beyond the necessary financial, human and political resources. To achieve a well governed cyber society, a country must possess tangible and intangible resources. In this book we construct and test a number of hypotheses dealing with the level of quality and comprehensiveness of a country’s cybersecurity strategy and policy and its available resources. 
Those will be covered in Chapters 4 and 5.
The resource-based theory has been an area of interest over the years but it was only since the 1950s that this area of research was given noteworthy legitimacy (Lockett and Wild, 2014). This theory progressed into what is referred to in the literature as the VRIO framework (Barney et al., 2011). VRIO looks at the characteristics of resources possessed by firms, agencies, and in our case, countries. In order for an entity to create and sustain its competitive advantage it ought to possess resources which are valuable (V), rare (R), hard to imitate (I) and efficiently organized (O). The book assesses countries’ financial, human and technological resources and their impact on the level of quality and comprehensiveness of their cybersecurity policies and strategies.
The resource-based view of the firm will be covered more comprehensively in Chapter 3 of this book. The following section will introduce deterrence theory and how it applies to cyber space.
Deterrence theory is based on the assumption that people choose to engage in crimes and violate certain laws after they assess the benefits and costs of their actions. The deterrence theory of punishment can be traced back to the early works of classical philosophers such as Hobbes, Beccaria and Bentham. These early philosophers addressed both the effectiveness and fairness of punishment. Today, despite the merits of deterrence theory, research based on the belief that punishment deters criminals has been scarce. Four decades ago, research criminologist Charles Tittle found support for the theory and established that punishment deters crime but that the gravity of punishment can only deter crime when there is a high level of certainty that punishment will be executed (Tittle, 1969).
From a holistic perspective, there are five different approaches to deterrence identified in the literature. The two well-described approaches to deterrence are punishment and denial, and the more recent identified approaches include association, norms and taboos and entanglement. Deterrence by punishment is based on a cause–effect relationship; in other words, if a crime is committed then an appropriate punishment is levied on the perpetrator. This is intended to deter the would-be criminal from committing a crime for fear of being punished. Deterrence by punishment will work only if the would-be criminal believes that the punishment is highly probable and severe. Even though this form of deterrence is straightforward and easy to understand, it is extremely difficult to apply in cyber space, given the nature and complexity involved. This will be discussed further in Chapter 3 of this book.
The second type of deterrence is that associated with denial. This type of deterrence is based on either diminishing the perceived benefits a criminal expects to gain from criminal activities, or creating high barriers to entry, which would raise the costs and level of difficulty experienced by would-be criminals. Under such conditions, the expectation is that the would-be criminal would perceive the benefit of their action to be much less than the associated cost so they would decide not to engage in their criminal activities given the high likelihood of failure.
The remaining three approaches to deterrence are new and not as well documented or tested as the classical approaches associated with punishment and denial. However, they are gaining importance and will be covered in more detail in Chapter 3 along with the classical approaches. Deterrence by association, the first of the three new approaches, is based on creating an association between the criminal and the criminal activity; it is basically making it possible to name and shame the perpetrator. The main idea here is to inflict a social damage/cost on the criminal. Deterrence by norms and taboos is the second of the three new approaches. Norms are thought of as a standard of acceptable behavior, or how people should act, while taboos describe the ways in which people should not behave. Based on this approach, it is hoped that people will be deterred from engaging in criminal activities by having full understanding of the norms and taboos of a certain society. The last approach is deterrence by entanglement. Entanglement refers to the existence of a number of interdependencies that lead to a successful cyberattack but inflict great cost on both the attacker and the victim at the same time. All approaches will be discussed further in Chapter 3.
CYBERSECURITY POLICIES AND STRATEGIES
In analyzing the content of cybersecurity policies and strategies for the sample of developing/emerging economies, we will attempt to highlight the three main areas of capabilities critical to reducing the economic, political and social risks of cyber activities. These are: (1) prevention; (2) detection; and (3) response. Prevention deals with introducing fundamental measures dealing with identifying and placing responsibility for addressing cybercrime within the national boundaries and creating programs and activities to raise awareness for citizens. Education programs and civic activities are examples of ways to raise awareness.
Detection has to do with strengthening a country’s technological detection measures; this entails investing in those technologies and being on the lookout for incidents and activities involving cybercrimes. Isolating unusual patterns in data traffic and trying to identify locations of the attacks are examples of detection. This is a very difficult activity due to the difficulty associated with attribution.
Response has to do with the development of a well-designed plan in dealing with possible attacks and the penalties associated with those crimes. In a nutshell, for a cybersecurity strategy to be effective, responses and the associated penalties have to be clearly stated and executed.
A study done by Luiijf et al. (2013) looked at published cybersecurity strategies of 19 countries, including developed and developing countries. The six developing countries included in their analysis were the Czech Republic, Estonia, India, Lithuania, South Africa and Uganda. Based on the content analysis performed on those strategies, the researchers concluded that large differences exist between the national focal points and approaches to cybersecurity. In addition, the analysis highlighted strengths and weaknesses of those strategies. The paper concludes that large differences exist between countries’ national strategic objectives as stated in the cybersecurity document, including different visions like a safe, secure and resilient ICT environment, economic prosperity, national security, and defense. This study, however, stopped short of looking at the role of protecting children, or the approaches taken for deterrence, detection and/or response.
Based on the previously mentioned study, only 8 of the 19 countries have defined the notion of cybersecurity explicitly. Most of the strategies addressed economic prosperity aspects of the cyber space, but it was indicated that 18 of the 19 countries included in the study had no clear indication of the agency leading the cybersecurity initiatives. Further, 8 of the 19 countries have references to the cooperation between the private and public sectors in combating cybercriminal activities (Luiijf et al., 2013).
In this book we will look at the contents of national cybersecurity strategies and policies and identify if the document(s) addressed the following:
• coverage of the critical infrastructure of the country;
• reference to cybersecurity in what concerns the military and defense;
• reference to how cybersecurity affects the economic prosperity of citizens;
• reference to the role of globalization and necessity of international cooperation in this domain;
• reference to how cybersecurity is a necessary condition for national security;
• reference to how cybersecurity increases users’ confidence in ICT;
• reference to how a secure cyber space affects social life;
• reference to the protection of children;
• reference to sources of cybercriminal activities including (h)activism, espionage, organized crimes, terrorism and cyberwars from nation states;
• reference to cyber laws.
The above list was constructed based on an extensive literature search and the authors’ own points of view. For instance, reference to cyber laws was added to the list given its importance in prevention and response. The cybersecurity strategies and policies of the sample of developing countries will be evaluated based on the above components of content, and an index measuring the quality and comprehensiveness of the cybersecurity documents will be created based on the content analysis.
GLOBALIZATION OF CYBER SPACE
Cyber space and e-commerce have become a driving force for the globalization of the world economy, and countries that do not engage in e-commerce may put the competitiveness of their economies at risk. As a result, many firms and organizations in developing countries have become integral parts of global networks of production supply chains that increasingly use e-commerce mechanisms. Through these networks, entities in more developed countries induce developing-country enterprises to adopt new information technologies, organizational changes and business practices.
The diffusion of the use of cyber space in developing/emerging economies is relatively low. The main stumbling blocks are associated with regulatory, cultural and social factors, including (1) the lack of regulations dealing with data messages and recognition of electronic signatures; (2) the absence of specific legislation protecting consumers, intellectual property, personal data, information systems, and networks; (3) the dearth of appropriate fiscal and customs legislation covering electronic transactions; and (4) the absence and/or inadequacy of laws dealing with cybercrimes.
Moore’s Law captures the fact that today’s technological advances are proceeding at an accelerated pace. In addition, evidence from the breakthroughs in genetics and nanotechnology indicates that those developments are more pervasive and impactful. They are driving down computing and communications costs at a pace never seen in the history of humanity. Leading these transformations are the accelerated developments in ICT, biotechnology, and just-emerging nanotechnology. Information and communications technology involves innovations in hardware, software, telecommunications, database processing systems and microprocessors. Alongside the Internet of Things (IoT) comes the diffusion of the mobile platform and the cloud. These innovations enable the processing and storage of enormous amounts of information, along with rapid distribution of information through communication networks. Moore’s Law predicts the doubling of computing power every 12–18 months due to the speedy evolution of microprocessor technology.
Gilder’s Law predicts the doubling of communications power every six months—a bandwidth explosion—due to advances in fiber optic network technologies. Individuals, households and institutions are linked in processing and executing a huge number of instructions in imperceptible timespans. This radically alters access to information and the structure of communication, thus extending the networked reach to all corners of the world. Today’s technological revolution is associated with and fueled by another significant shift to economic globalization that is creating pockets of economic power around the world. Those two developments reinforce each other. Globalization boosts technological progress with the competition and incentives of the global marketplace and the world’s financial and scientific resources. The global marketplace is based on technological changes, with technology being a driving force in market competition. Those developing countries that can create the necessary infrastructure will lead the group of countries standing in line to participate in new global business models of outsourcing, intermediation and supply and value chain integration. In developing countries, as the user base expands, this will lead to reduction in the cost structure, and as technologies are adapted to a country’s local needs, the potential of cyber space will be unlimited. The organization of work must be revamped if national economies are to perform more effectively in a global market. Practitioners, theorists and futurists alike concur that the challenge for countries that want to maximize their global presence involves structuring relationships and the flow of secure information so that the right parties can obtain it at the right time. Information technology and e-commerce initiatives play critical roles in the strategy of global competition. 
Countries reap the biggest benefits not by superimposing computers on top of old work processes but by restructuring those processes and the national culture. This strategy is to move always in the direction of creating new and more advanced economic and business capacities. Through the standardization of messages and business processes, today’s market makers will create interoperability among markets. They will serve also as guarantors of predictable, trustworthy behaviors among trading partners, giving entrepreneurs the confidence that they need to take their great ideas into the market and build virtual businesses. Another crucial step is to establish standard specifications for business processes—the ways in which messages are generated and acted upon once they are received.
Technology to support this vast interconnected global commerce network is maturing rapidly due, in large part, to the great progress being made in establishing standard specifications for building commerce messages dealing with contracts, purchase orders, invoices and so forth. These are mainly all activities associated with the inner and outer value chain. One of the global consequences of IT, however, is the international concern about the risks and dangers that developed as well as developing economies may face in the wide application of IT. One such risk may be found in the proliferation of criminal activities in cyber space.
REVAMPING THE LEGAL SYSTEM
Many studies suggest that the key determinants of economic development are the accumulation of physical and human capital and technological improvements. Traditional neoclassical growth theory emphasizes physical capital accumulation whereas endogenous growth theory presumes that investment in human capital and technological progress are the main sources of economic growth. More recently, and as an extension to neoclassical models, Mankiw et al. (1992) have shown that physical and human capital are important determinants of growth. Nevertheless, it remains an open question whether these factors are the real sources of economic development. There is reason to believe that if physical or human capital enrichment or technological improvements are taking place, the real growth factors must already have been unbound. Accordingly, physical and human capital and technology should be seen as proximate causes of growth. The changing value proposition in the knowledge economy is triggering a revolution in the way businesses and governments carry out their jobs.
The Internet always did have its own complicated ethics, and Internet-based ethics were set aside by old style management principles. This is radically shifting. Internet-based ethics are becoming the rules of the game. For example, not only does business-to-business supply-chain management provide huge efficiencies and significant bottom line enhancement but its deep integration allows partners to see into and through other organizations. As a consequence, decision makers are often privy to their competitors’ internal strengths and weaknesses, trade secrets, unique know-how, market positioning, key personnel, and other valuable economic assets.
In summary, perhaps the most profound ethical changes in the New Economy are going on internally, inside the organization and at the firm level. In the New Economy, where knowledge, not equipment, drives profits, employees can no longer be considered ‘outsiders’. They are the source of competitive advantage. The traditional command-and-control model of management is rapidly being replaced by decentralized teams of individuals motivated by their ownership in the corporation. Value in the New Economy is being fundamentally redefined. As a result, transparency and the rule of law are becoming two of the keys to success in the twenty-first century. In e-business circles, transparency is no longer a rhetorical word. It is the rule of the game. It is unarguably recognized that the IT revolution will have significant long-run effects on the economy and that the principal effects are more likely to be microeconomic than macroeconomic. As a result, the new information economy will require changes in the way the government provides property rights, institutional frameworks and ‘rules of the game’ that underpin the market economy. Two main reasons underlie these changes; first is the pace of technological progress in the IT sector, which is very rapid and will continue to be very rapid for the foreseeable future. For example, at the end of the 1950s, there were 2000 computers processing 10000 instructions per second. Today, Gartner estimates that the overall shipments of devices including PCs and tablets will surpass 2.5 billion units (Gartner, 2014). Forrester Research (2008) predicted that the number of personal computers would reach 2 billion by the end of 2015. Forrester Research’s forecast was based on the assumption that from 2003 to 2015 the total number of personal computers in the world would increase annually by 12 percent. By the end of 2014, there were more than 2 billion personal computers used worldwide (Quora.com, 2017). 
As the IT sector of the economy becomes a larger share of the total economy, the overall rate of productivity growth will increase toward the rate of productivity growth in the IT sector. Secondly, the computers, switches, cables and programs that are the products of today’s leading sectors are general-purpose technologies. As a result, advances in high-technology affect all aspects of the economy, thereby leading to larger overall effects. These microeconomic effects will have long-lasting and far-reaching impacts on the economy. As a result, the role of the government in developed and developing economies needs to be re-examined. Since the creation of knowledge is cumulative, the importance of intellectual property rights becomes more critical in the new information economy. Three issues are interrelated: property rights over ideas; incentives to fund research and development; and the exchange of information among researchers.
The new information economy is ‘Schumpeterian’ rather than ‘Smithian’. In a Schumpeterian economy, the production of goods exhibits increasing returns to scale. Under these conditions, the competitive equilibrium is not the likely outcome—setting price equal to marginal cost does not allow the firm to recover the large fixed costs. However, government regulation or government subsidies to cover fixed costs destroy the entrepreneurial spirit and replace it with ‘group-think and red-tape defects of administrative bureaucracy’ (Hakkio, 2001). In addition, when innovation becomes the principal source of wealth, temporary monopoly power and profits may be essential to stimulate innovation. In a Brookings study on the economic impact of the Internet, a group of scholars estimated that the increased use of the Internet could add 0.25 to 0.5 percent to productivity growth over the next five years (Brookings Institute, 2007). Most of the impacts come from reducing the cost of data-intensive transactions (ordering, invoicing, accounting and recruiting), from improved management of supply chains, from increased competition, and from increased efficiency of the wholesale and retail trade. In addition, many of the benefits of IT may result in improved standards of living, even though measured gross domestic product is unaffected.
The emergence of the information economy has been a key feature of faster productivity growth for many economies, developed and developing. Information technology has affected productivity in two ways. First, the IT sector itself has contributed directly to stronger productivity. Computers and other IT hardware have become better and cheaper, leading to increases in investment, employment and output of the IT sector. Secondly, advances in technology have also increased productivity in the more traditional sectors of the economy: financial services, business services, and the retail and distribution industries. In the US, economic policy has contributed to a revival in productivity growth. Policies to maintain domestic competition and increase international competition have been stressed. Funds have been provided to support basic research and education. Also, and most importantly, the mix of monetary and fiscal policy has lowered interest rates and encouraged investment. The information economy can improve the effectiveness of monetary policy by allowing the private sector to better anticipate future central bank actions. Central banks typically operate by affecting overnight interest rates. By affecting current overnight rates and, most importantly, by affecting market expectations of future rates, monetary policy can affect financial market prices such as long-term interest rates, exchange rates and equity prices. These prices will have the greatest effect on economic activity.
GLOBAL COOPERATION AND A THRIVING CYBER SPACE
Cyber space is one of the most complex legal frontlines today. Internet diffusion grew at an increasing rate between 2000 and 2017: it is estimated that Internet diffusion increased at an average rate of 290 percent globally, and presently an estimated 3.5 billion people per year are surfing the Internet. Developing/emerging countries in Africa and Asia have accounted for the largest chunk of the increase. The Internet diffusion rate was 7.3 percent in 2009; that number jumped to 49.7 percent in Asia and 29 percent in Africa in 2017 (statista.com, 2017). Cybersecurity and cybercrime, including enormous and synchronized attacks against countries’ vital information infrastructure and attackers’ misuse of the Internet, are of major concern to society in general and developing economies in particular. In addition, the costs associated with cyberattacks are substantial, not only in lost revenues and the inconvenience caused by network inoperability but also, more recently, because cybercrimes constitute a prime obstacle to the diffusion of e-commerce and e-government in developing economies. Thus governments have an important role in developing control mechanisms in the form of laws and legislation in order to minimize the rate and severity of cybercrimes and to speed up Internet diffusion. Inappropriate policies and complementary services, particularly those affecting the telecommunications sector, other infrastructure, human capital, and the investment environment, severely constrain Internet access in developing countries. The major impediment to the growth and success of cyber use in many developing and emerging economies is still poor telecommunications infrastructure. Required telecommunications facilities include transmission facilities connecting a country’s domestic network to the greater Internet, the domestic Internet backbone, and connections from homes and businesses to the backbone network.
The defects of domestic telecommunications services may be less important for the larger firms in developing countries; these firms may find it profitable to invest in telecommunications facilities (such as wireless) that bypass the local network. A growing number of African Internet sites, for instance, are hosted on servers in Europe or the US due to the poor infrastructure in those countries. Hence, even traffic that originates and terminates domestically can cost the same as international transmission.
The high cost of Internet access, the lack of local loop infrastructure necessary for basic dial-up modem access, and the poor quality of the local loop infrastructure that does exist all impede connections to the domestic backbone. Country comparisons show a strong relationship between usage price and Internet penetration. For many developing countries, the most important issue is the lack of telephone service to homes and businesses.
Despite increases in rates of telephone line penetration during the 1990s and the first half of the 2000s, the average number of telephone lines per capita was close to 5 percent for Africa. The most popular alternatives by which developing countries can overcome inadequate local loop infrastructure are shared facilities or wireless local loop. Shared facilities, which involve local entrepreneurs selling the use of a computer with Internet access, are a fast and relatively cheap way of increasing Internet use. Wireless and satellite technologies also provide an alternative to the high costs and inefficiencies of many domestic telecommunications systems. Although currently used primarily for voice, mobile phones are increasingly acting as better devices for many of the usual Internet applications. Cellular phones in some developing countries have experienced strong growth rates and relatively high penetration, similar to those in industrial countries. The United Arab Emirates (UAE) leads the Middle East and Africa in mobile phone penetration; in 2017, for instance, the mobile phone penetration rate was estimated at 228 percent. On average, however, for developing countries as a group, mobile phone penetration remains well below industrial-country levels. Poor infrastructure services (other than telecommunications) are an important constraint on the use of cyber space in developing economies. Frequent and long power interruptions can seriously interfere with data transmission and systems performance; to get around this problem, many Bangalore software firms are using their own generators or relying on portable solar power generators, for example (eMarketer, 2015). The lack of safeguards against fraud can severely restrict credit card purchases, the most common means of conducting transactions over the Internet. 
For example, many consumers in the Gulf countries of Saudi Arabia, UAE and Kuwait are unwilling to purchase goods over the Internet because credit card companies will not compensate holders for fraudulent use of cards (in many industrial countries, cardholders have only a limited exposure to loss). A critical mass of highly skilled labor is needed in developing countries to supply the necessary applications, provide support, and disseminate relevant technical knowledge for e-commerce. The workforce in many developing countries lacks a sufficient supply of these skills, and the demand for this specialized labor from industrial countries has further strained the supply of this labor in developing countries. Several regulatory impediments to the widespread adoption of cyber space activities exist in many developing countries. Duties and taxes on computer hardware and software and communication equipment increase the expense of connecting to the Internet. For example, a computer imported into some African countries may be taxed at rates exceeding 50 percent (UNCTAD, 2015). The overall environment for private sector activities is a significant determinant of Internet service diffusion. An open foreign direct investment regime helps promote technology diffusion, which is important to the growth of e-commerce. Government must provide a supportive legal framework for electronic transactions, including recognition of digital signatures; legal admissibility of electronic contracts; and the establishment of data storage requirements in paper form, intellectual property rights for digital content, liability of Internet service providers, privacy of personal data, and mechanisms for resolving disputes.
A number of international organizations have undertaken leadership in pushing toward cyber law development in both developing and developed economies. The International Telecommunication Union (ITU) is identified as a leader in this domain; it launched the Global Security Agenda in November 2007, and formed a High-Level Experts Group to look into the issues and develop proposals for long-term strategies to promote cybersecurity. This group is currently working with the International Multilateral Partnership Against Cyber-Threats (IMPACT), a group sponsored by the government of Malaysia, with the aim of putting together an early warning system for cyberattacks. Another initiative undertaken by the ITU is COP, Child Online Protection, to develop safe guiding principles of surfing the Internet for children. The ITU also developed the Global Cybersecurity Index (GCI) in April 2014; the index measures a country’s readiness to combat cybercrimes in terms of legal, compliance and technical measures. The index also assesses the level of capacity building at the national level (ITU, 2014). In a nutshell, the GCI is a measure of each nation state’s level of cybersecurity development; it essentially seeks to establish a framework of incentives to motivate countries in an attempt to strengthen their efforts in cybersecurity. The fundamental goal is to help create a worldwide culture of cybersecurity and help provide mechanisms to incorporate security at the highest levels of information and communication technologies.
The Council of Europe has developed what is thought by many to be the most comprehensive treaty to protect people against cybercriminals. It developed the Cybercrime Convention to resolve legal disputes and take forward a universal, collective system to take legal action against cybercriminals. The idea for the Convention on Cybercrime was founded on a number of studies carried out by the Council in 1989 and 1995. As a result, the Council created a committee to draft this convention; once it was completed, it opened for signing and ratification in November 2001. At the time of writing this book, 47 countries have signed and/or ratified the convention, 29 of which can be classified as emerging economies (Council of Europe, 2015).
CYBERSECURITY AND THE LEGAL SYSTEM
The idea that technology is a catalyst of economic growth and development is shared by many all around the world. ICT is perceived to be a crucial element for economic growth, social equity and political stability. This view is a common denominator of many decision makers in emerging economies, where the diffusion of the Internet is high and the technology infrastructure is well developed as compared to other developing countries. Emerging economies’ governments are infusing more money and deploying human and technical resources in an effort to increase Internet use and diffusion within their countries. A small country like Qatar with a population of about 2.2 million people, for instance, has a 97.4 percent Internet diffusion rate as of 31 December 2016, ranking second worldwide after Bermuda (Internetworldstat.com, 2017). Qatar has overtaken Singapore and many of the developed countries. In another Gulf Cooperation Council (GCC) country, the United Arab Emirates (UAE), where the Internet diffusion rate stands at 93 percent, broadband access is available via various means: ADSL, WiFi, Fiber to the Home (FttP), leased lines and mobile networks. In a large number of emerging economies, broadband has become much more commonplace in the past few years, as exhibited by the rising number of broadband subscriptions attributed to fiber. Brazil is another emerging economy that has placed a lot of faith in digitization; the 2016 Internet diffusion rate of Brazil stood at 66.4 percent.
Understanding the potential of making use of ICT for both social and economic development, many emerging countries have undertaken unwavering initiatives to develop their digital economies. In general, both governments and the private sectors have been effective in creating online services and contents that form the foundation of the digital economy. Governments of many of the emerging countries have made the development of the ICT industry a national priority and to this end they are marching in the direction of digitization. It is worth noting that, in addition to investing in the hardware side of the technology, many have developed the soft side of their digital economies, including instituting policies and streamlining business processes; these will be discussed further in the book. As an example, spending on IT products and services in the Middle East exceeded US$32 billion in 2014. Consumers, the public sector, and the communications and financial service sectors were the leading IT investors in the Middle East region, accounting for approximately 74 percent of the total IT spending in 2014. Public sector investments are geared toward improving government services, education and healthcare services; these sectors continue to be key drivers in the countries of the GCC (IDC, 2015). Saudi Arabia’s spending on ICT alone is expected to exceed US$37 billion in 2015; healthcare and energy are the two sectors that will receive the lion’s share of ICT investments in the kingdom.
With increased investment in ICT and more digitization, the threat of cyberattacks, hacktivism and cyberwars will undoubtedly increase. Unfortunately, while the development of information technology increases linearly, the risks associated with cyber space increase exponentially. In addition, while the development of the hard side of ICT increases steadily, policies and laws dealing with crimes associated with cyber space are lagging years behind. Risks associated with cyber warfare in emerging economies and the countries’ capabilities to deal with those risks are, at best, based on guesswork. Cyber readiness, both offensive and defensive, is hard to evaluate and assess with any degree of accuracy. All we state at this juncture is that as sophisticated, digital technology becomes accessible, more and more cybercriminals will venture out. It is a known fact that the evolution and development of e-commerce and online financial transactions has given criminals new tools to move traditional crimes over to cyber space as new technology takes over older approaches (Sapa, 2013).
A report published in June 2014 states that the cost of cybercrime for the global economy has been estimated at US$445 billion yearly; close to 800 million people around the world had their personally identifying information (PII) and/or their identity stolen in 2013 (Williams, 2014). The total cost is estimated to surpass the US$6 trillion mark by 2021.
Despite the statistics stated above, cybercrime data and its financial cost cannot be assessed accurately. Two factors compound this predicament: (1) the reluctance of businesses and governmental agencies to report cybercrimes, since reporting can lead to reduced trust in governmental agencies and negative financial implications for businesses; (2) the fast development of technology, which makes cybercrimes hard to detect given the new methods used by cybercriminals to commit their acts.
Emerging and developing nations have been slow-moving in crafting and implementing cybersecurity laws, policies and strategies despite mounting international dangers to, and rising cyber threats on, Internet-connected systems globally. Being connected amplifies the negative impact of a cyberattack; as the number of cyberattacks increases linearly, the damage, socially, politically and economically, increases exponentially. While a number of countries around the world have taken some steps to develop their own laws and guidelines concerning domestic law enforcement, cybercrime by its very nature is often global and multinational. In addition, many of the laws developed to deal with cybercrimes do not have enough teeth and, as such, do not act as a deterrent to criminals. Just as an example, the UAE established special cybercrime units to deal with crimes within and outside its territory (Al-Jandaly, 2016). This is in addition to establishing dedicated police units to deal specifically with cybercrimes. These measures are value-adding, but what is missing is the necessary training of those involved in combating cybercrimes and the required public awareness.
Given the many problems related to financial, social and political costs associated with an insecure cyber space, the development of cybersecurity policies and strategies becomes a necessity both for emerging and developed economies. The prime objective is to minimize the negative impact that might hinder the growth and development of these economies.
At the time of writing this book, few developing and emerging economies possess suitable policies and practices geared to ensure a secure cyber space environment in an effort to support their public and private sectors and institutions and private individuals. The relatively high levels of diffusion of the Internet and worldwide networking, in addition to imperfect governance structure, make cybercrime a rich area for hackers and cybercriminals in emerging and developing countries, especially cyber terrorists. The authors maintain that the necessary legal structure aimed at dealing with cybercriminal activities lags five to ten years behind the advancement in technology and networking.
The literature on cybersecurity policy and strategies has been growing steadily over the past 15 years. Most of the literature, however, is geared toward the countries of the North. Given the prospective high rate of Internet diffusion in the countries of the South, especially in the countries in Africa, Asia and Latin America, it is imperative for us to turn our attention to crafting cybersecurity strategies in emerging and developing countries.
In developed countries, policy makers and legislatures have tried to levy severe penalties on cybercrime, including long jail terms and heavy financial fines, but, so far, those policies have not been successful in curbing the problem. Even in the most advanced countries, cyber laws have not measured up to cyberattacks and threats. In developing countries specific laws dealing with cybercrimes have not yet been fully crafted (Karake and Al Qasimi, 2010). On the international front, a number of NGOs have strived to standardize cybercrime laws in a number of countries. As an example, the Council of Europe’s Convention on Cybercrime helped establish some standards for cybercrime, including hacking, fraud, virus writing and child pornography. While the impact of these efforts has been minimal, as societies we need to keep supporting those global efforts since the global nature of the Internet dictates a global response. All developing nations—whether large, small, rich or poor—must develop well-structured strategies guided by international standards dealing with cybercrime laws and enforcement, in addition to proactive strategies aimed at minimizing the occurrence of those incidents.
One of the main challenges of enforcing cybercrime laws is jurisdiction; the cybercriminal, the intended target of the crime and the location where the attack originates are often in different locations. Consequently, enforcement dictates cooperation among a number of countries, which can be challenging and difficult to manage, especially if the actions taken by the cybercriminal are not considered to be a crime in one of the countries involved. Individuals in one nation can, via the Internet, violate a cybercrime law in another nation without physically being there. In addition, the country in which they reside may not have criminalized the action; since they are not physically in a country where a law was broken, they will be protected from punishment for their crimes. The European Convention addresses the jurisdiction issue by making each country criminalize the unwanted actions and cooperate in the investigation of the crime. Attribution remains difficult, but the Convention emphasizes the fact that more cooperation among countries would eventually lead to more attribution.
It is important to emphasize that laws and punishment alone do not deter cybercriminals; for cyber strategies and policies to be effective they must be proactive, in that, in addition to those defensive mechanisms, countries must use preventive techniques to increase the security of cyber space. Cooperation with other countries through the signing of treaties and the crafting of well-designed cybersecurity strategies and policies are two proactive approaches to curbing cyberattacks.
EXAMPLES OF CYBERATTACKS FROM GLOBAL POINTS OF VIEW
The cost associated with cyberattacks is extremely large; as an example, Estonia’s online infrastructure suffered a severe attack that interrupted and blocked the functioning of its government institutions, public and private economic sectors, and the private use of computer networks by Estonian citizens for a few weeks. In April 2007, cyberattacks were elevated to warfare when it was claimed and later proven by the Estonians that a foreign government had launched a series of parallel and coordinated cyberattacks on the Estonian public and private sectors. Estonian banks, parliament, ministries, newspapers and TV were all paralyzed. The costs to Estonia, social, financial and political, were huge. However, something good came out of these cyberattacks: Estonia has spent the last few years becoming one of the most safeguarded countries against potential cybercrimes. Today, almost eight years later, the model developed by Estonia is being studied and applied by many countries looking to develop and build their national cybersecurity strategies and capabilities. This is of particular importance since the Estonians have a public–private business cybersecurity partnership model that is the envy of many countries (Rehman, 2013).
Another example that has been a target for cyberattacks is Iran. In the fall of 2010, it was reported that a new strain of malware was rapidly spreading on the Internet, with concentrations of the virus in Indonesia, India and Iran domains. After the discovery of this self-replicating worm (named Stuxnet), it was discovered that the worm was designed to target several previously unknown weaknesses in Windows, known as zero-day exploits, and alter the operation of Siemens Simatic process logic controller computers, which are used in power plants, production lines and other heavy industry. The danger of the virus was magnified by its capability of masking its presence while controlling and monitoring the infected systems. Stuxnet has been able to cause the destruction of about 1000 of the 5000 Iranian centrifuge enrichment devices. It was estimated that Stuxnet set back the Iranian nuclear program by two years.
Saudi Arabia’s Aramco is another example. In August 2012, Aramco’s computer network was attacked by a computer virus infecting more than 30000 of its computer servers. The world’s largest oil producer, with annual sales of more than US$200 billion, was crippled for a couple of weeks; it took the company (and the country) two weeks to go back to a semi-normal operational environment of its networks and somehow recover from the damage. Later named Shamoon, the virus caused substantial interruption to the world’s largest oil producer. It was reported that both drilling and production data were lost, including data provided by multinational companies such as Santa Fe, Ocean and Schlumberger. The Shamoon virus also hit Aramco’s management offices throughout the country as well as its offices worldwide (Houston and The Hague); the state-of-the-art Exploration and Petroleum Engineering Center in Dhahran were also affected. Up until the attack on Aramco, hacktivists had usually launched distributed denial of service (DDoS) attacks, in which they flood a website with requests until it crashes. However, the cyberattack on Aramco was the first substantial use of malware in a hacktivist attack.
The above-mentioned examples give an indication of the devastating economic cost of cyberattacks and the importance of creating a governance structure for cyber space both at the individual country level and at the international level.
Enforcing Cybersecurity in Developing and Emerging Economies: Institutions, Laws and Policies is a theory-based, empirical investigation that describes the linkages and determinants of the development and implementation of quality national cybersecurity strategies and policies. The book’s six chapters are organized as follows:
• Chapter 1 has provided an overview of the entire book and has established the context for the whole book. The importance of the research at hand is emphasized, along with the theories used, the geographic area of implementation, the methods used, and the methodology applied.
• Chapter 2 provides an overview of the move to the digital economy and the state of technology and security in cyber space. Coverage of the threat of cybercrime to economies and businesses is introduced in this chapter. The chapter also covers the recent technological development and its impact on facilitating cybercriminal activities, especially in the financial, healthcare and energy sectors, the three industries most affected by cybercrimes.
• Chapter 3 reviews the literature on the different approaches to cybersecurity including the economic-based approach, the political/social-based approach, the resource-based approach and the deterrence-based approach.
• Chapter 4 is devoted to the content analysis of a number of emerging and developing countries’ engagement in the information age and the importance of cybersecurity policies and strategies to those countries. This chapter will also cover the hypotheses to be tested in Chapter 5.
• Chapter 5 is devoted to model testing, data analysis and presentation of the results; the analysis will reveal why some countries are more inclined to develop and implement what we refer to as mature national cybersecurity policies and strategies which will serve as a foundation for a mature cyber society.
• Chapter 6 consists of a summary, concluding remarks, practical implications of findings, and recommendations for future research.
This book aims to take a step toward an empirical/theoretical framework for understanding the impact of mature cybersecurity policies and strategies and their determinants in terms of growth and development of emerging and developing economies.
Basically, a framework that is grounded in economic theory is developed. The framework uses core constructs that appear central to economic-based, social/political-based, resource-based and technology diffusion literature and provides a fine-grained understanding of cyber space adoption processes by public and private sector entities in developing and emerging countries. In so doing, this book considers how each exchange encounter is shaped by, and in turn shapes, relational characteristics, which form the bases for growth and development.
This book is aimed at the ‘low to middle’ level of rigor. It is not designed to compete with extremely sophisticated modeling or quantitatively oriented books. In fact, we do not know of any competitor. This level of rigor makes the book attractive to any student, professional, practitioner, or policy maker interested in finding answers to questions such as:
1. What are the determinants to the development of quality and comprehensive cybersecurity policies and strategies?
2. What countries have been more vigilant in the development of cybersecurity policies and implementation of cybersecurity strategies?
3. What are the components of an ideal cybersecurity policy and strategy for developing economies?
The major thrust of the book, which evaluates the experience of cyber space policies and strategies, and their relation to cyber laws and regulations in developing and emerging economies from economic-based, political/social-based, and resource-based theory perspectives, is unique and innovative in nature.
The features of uniqueness and innovativeness, coupled with the radical changes in the use of governmental resources to improve the effectiveness and efficiency of an economy, and the effects of these changes on the economic structure of a country, make this book useful to many disciplines.
The book is inspired by a number of factors, including (1) the importance of the subject at hand and (2) the lack of empirical research on the subject. Most of the work done by others is descriptive in nature and applies mainly to developed, advanced economies. This book brings economic concepts into the picture of developing cybersecurity policies and strategies and adopting a cyber law model by using a number of theories as a vehicle of analysis.
The Internet and cyber space revolution is not only changing the technology of the workplace but is fundamentally redefining the way that countries design their growth and development strategies. Electronic governments and the B2B world with its e-markets, customer focus, and deeply integrated corporate and economic relationships are driving growth and development of economies at e-speed and creating value in different ways.
The key to survival in the relatively new world of cyber space depends upon governmental leaders’ ability to adapt to a new, more collaborative, corporate-type and transparent competition model. This new reality presents major challenges to traditional ways of governing and leading economic growth and development. Economic development is the process of creating wealth by mobilizing human, financial, physical, natural and capital resources to produce (generate) marketable goods and services.
The government’s role is to influence the process for the benefit of the various stakeholders in the country. Economic development, then, is fundamentally about enhancing the factors of productive capacity—land, labor, capital and technology—of a national, state or local economy.
Early economic development theory was merely an extension of conventional economic theory that equated ‘development’ with growth and industrialization. As a result, Latin American, Asian and African countries were seen mostly as ‘underdeveloped’ countries, that is, ‘primitive’ versions of European nations that could, with time, ‘develop’ the institutions and standards of living of Europe and North America.
Economic growth is caused by improvements in the quantity and quality of the factors of production that a country has available, that is, land, labor, capital and enterprise. Conversely, economic decline may occur if the quantity or quality of any of the factors of production falls. Increases in the supply of labor can increase economic growth. Increases in the population can increase the number of young people entering the labor force.
Increases in the population can also lead to an increase in market demand, thus stimulating production. However, if the population grows at a faster rate than the level of GDP, the GDP per capita will fall. It is not simply the amount of labor and skills that will lead to economic growth. It is often the quality of that labor. This will depend on the educational provision in countries. Improving the skills of the workforce is seen as an important key to economic growth. Many developing countries have made enormous efforts to provide universal primary education. As more and more capital is used, labor has to be better trained in the skills to use it. It should always be remembered that education spending involves an opportunity cost in terms of current consumption and thus it is often referred to as investment spending on human capital.
Al-Jandaly, B. (2016). Dubai fares well against cyber criminals, Gulf News, 12 September, accessed 17 May 2017.
Barney, J., Ketchen, D. and Wright, M. (2011). The future of resource-based theory, Journal of Management, 37(5): 1299–315.
Brookings Institute (2007). The effects of broadband deployment on output and employment: A cross-sectional analysis of US data, accessed 9 October 2016 at http://www3.brookings.edu/views/papers/crandall/200706/itan.pdf.
Council of Europe (2015). Convention on Cybercrime, accessed at http://www.coe.int.
eMarketer (2015). United Arab Emirates leads Middle East and Africa in mobile phone penetration, accessed 20 December 2015 at http://www.emarketer.com/Article/United-Arab-Emirates-Leads-Middle-East-Africa-Mobile-PhonePenetration/1011971#sthash.GsgFRWwb.dpuf.
Forrester Research (2008). In 2008 the number of personal computers in the world will reach one billion, accessed 2 August 2016 at http://www.science-portal.org/in/7.
Gartner (2014). Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone shipments on pace to grow 7.6 percent in 2014, accessed 23 July 2015 at http://www.gartner.com/newsroom/id/2645115.
Google (2015). Google’s research on ad injecting malware shows millions of its visitors are affected, accessed 5 March 2016 at http://thenextweb.com/insider/2015/05/07/googles-research-on-ad-injecting-malware-shows-millions-of-visitors-are-affected/#gref.
Hakkio, C.S. (2001). Economic policy for the information economy, accessed 11 September 2015 at http://www.kansascityfka.com/publicat/q5Sympos/2001/papers/S02/Summ.pdf.
IDC (2015). Gulf Cooperation Council (GCC) Oil and Gas Vertical 2014–2019 IT Spending, accessed 5 March 2016 at https://www.idc.com/getdoc.jsp?containerId=CEMA23096.
International Telecommunication Union (ITU) (2014). Global Cybersecurity Index (GSI), Geneva: United Nations.
International Telecommunication Union (ITU) (2015). Regulation of the Internet of Things, accessed 30 January 2018 at https://www.itu.int/en/ITU-D/Conferences/GSR/Documents/GSR2015/Discussion_papers_and_Presentations/GSR_DiscussionPaper_IoT.pdf.
Internetworldstat.com (2017). Usage and Population Statistics, accessed 3 November 2017 at http://www.internetworldstats.com.
Karake, Z. and Al Qasimi, L. (2010). Cyber Law and Cyber Security in Developing and Emerging Economies, Cheltenham, UK and Northampton, MA, USA: Edward Elgar Publishing.
Labrique, A. (2017). The mobile revolution: A catalyst for global health systems, accessed 1 February 2018 at https://webcache.googleusercontent.com/search?q=cache:4D0WQq-ddPIJ:https://globalhealth.nd.edu/events/2017/03/21/the-mobile-revolution-a-catalyst-for-global-health-systems/+&cd=1&hl=en&ct=clnk&gl=us&client=safari.
Lockett, A. and Wild, A. (2014). Bringing history (back) into the resource-based view, Business History, 56(3): 372–90.
Luiijf, E., Besseling, K. and De Graaf, P. (2013). Nineteen national cyber security strategies, International Journal of Critical Infrastructures, 9(1/2): 3–31.
Mankiw, N.G., Romer, D. and Weil, D.N. (1992). A contribution to the empirics of economic growth, Quarterly Journal of Economics, 107(2): 407–37.
Microsoft (2013). Linking cybersecurity policy and performance, Microsoft, February, accessed 17 December 2017 at http://aka.ms/securityatlas.
NDTV (2016). Cyber-security: A $35-billion opportunity, to create 1 million jobs: Nasscom, accessed October 2018 at https://gadgets.ndtv.com/internet/news/cyber-security-a-35-billion-opportunity-to-create-1-million-jobs-nasscom-827198.
Nexleaf.org (2017). Real-time data for immunization, accessed 12 December 2017 at http://nexleaf.org/impact/coldtrace-real-time-data/.
OECD (1986). Computer-related Criminality: Analysis of the Legal Politics in the OECD Area, ICCP report no. 10, Paris: OECD.
OECD (2012). Cybersecurity Policy Making at a Turning Point: Analysing a New Generation of National Cybersecurity Strategies for the Internet Economy, accessed 13 December 2017 at http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf.
OECD (2017). OECD Digital Economy Outlook, accessed 20 December 2017 at http://www.keepeek.com/Digital-Asset-Management/oecd/science-and-technology/oecd-digital-economy-outlook-2017_9789264276284-en#page248.
Panetta, L. (2012). Remarks by Secretary Panetta on cybersecurity to the business executives for national security, New York City, 11 October.
Parker, D. (1979). Ethical Conflicts in Computer Science and Technology, Arlington, VA: AFIPS Press.
Parker, D. (1989). Computer Crime: Criminal Justice Resource Manual, Menlo Park, CA: SRI International.
Quora.com (2017). How many PC exist in the world?, accessed 16 January 2019 at https://www.quora.com/How-many-PC-exist-in-the-world.
Rehman, S. (2013). Estonia’s lessons in cyberwarfare, US News and World Report, 14 January.
Sapa (2013). 70% of South Africans have fallen victim to cybercrime, accessed 5 March 2016 at http://www.timeslive.co.za/scitech/2013/11/04/70-of-south-africans-have-fallen-victim-to-cyber-crime.
Sharman, J. (2017). Cyber-attack that crippled the NHS systems hits Nissan car factory in Sunderland and Renault in France, The Independent, 13 May.
Statista.com (2017). Percentage of population using the Internet in the United States from 2000 to 2017, accessed 12 January 2018 at http://www.statista.com/statistics/209117/us-internet-penetration/.
Symantec (2014). 2013 Internet Security Threat Report, accessed 1 April 2016 at http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf.
Symantec (2015). Underground black market: Thriving trade in stolen data, malware, and attack services, November, accessed 2 April 2015 at http://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services.
Symantec (2016). 2015 Internet security threat report, accessed 2 April 2016 at https://www.symantec.com/security-center/threat-report.
Symantec (2017). 2017 Internet security threat report, accessed 22 December 2017 at https://www.websecurity.symantec.com/security-topics/istr-2017-infographic.
Tittle, C.R. (1969). Crime rates and legal sanctions, Social Problems, 16: 409–23.
Tobias, S. (2014). 2014: The year in cyberattacks, Newsweek, 31 December.
UNCTAD (2015). At 11.4 per cent of the value of imports, African countries paid more for international transport than any other region in 2005–2014, New York: United Nations.
Williams, J. (2014). Net losses: Estimating the global cost of cybercrime, Center for Strategic and International Studies, June.