"We are seeing a rapidly dawning realisation in foreign ministries around the world that there is a high level of importance and urgency to establishing diplomacy for cybersecurity," said Greg Austin, vice-president, EWI's Worldwide Cyber Security Initiative.
There is also a big demand among leading corporations for new measures within government to secure cyberspace, he told Computer Weekly.
According to Austin, some corporate leaders working with the EWI feel that although governments are making some strides in fighting cybercrime, they are behind where they need to be in terms of co-ordination and information sharing to secure the interests of the private sector.
The EWI is pursuing a combination of classic backroom diplomacy and broad public mobilisation work, he says, which is mainly around new public-private mechanisms on specific problems, aimed at moving government and the private sector closer together, nationally and internationally.
Austin says that while the difficulties associated with acting across different legal jurisdictions with different legal systems in tackling cybersecurity remain unchanged, the overall scene has changed significantly in the past year by the discovery of Stuxnet, the publication of US diplomatic cables by Wikileaks, and the large-scale leaking of personal financial data from the commercial sector.
Credit card data breaches
The loss of credit card information on a large scale is a new phenomenon, says Austin. "It is dawning on people that we are now in a situation where companies urgently have to develop a new approach to risk management," he said.
However, Austin says board-level engagement is usually low, with responsibility for cybersecurity typically falling on the head of IT, chief security officer or chief technology officer.
"In some places there is a more sophisticated approach, where you have risk strategists or a multidimensional approach," he said.
Because of the massive breaches of customer data in the past year and because of what people know to be the rapidly increasing potential of criminal attacks, says Austin, these organisations are starting to look at whether criminal attacks can bring down the world's largest corporations.
The US State Department suffered damage from the Wikileaks scandal by having hundreds of thousands of pages of data published simultaneously containing diplomatic confidences that undermined important relations.
"Imagine what a Wikileaks situation would look like for a leading corporation, with someone leaking that volume of data, exposing relations between various business leaders or the details of deals that are commercially sensitive," said Austin.
This is a big fundamental change for businesses in terms of risk, he says, and puts front and centre the proposition that the people factor in cybersecurity is as important, if not more important than the technical factor.
"In the past, the IT department, the chief technology officer and the chief security officer might have looked after cybersecurity, but now it is an HR problem as well because big companies cannot afford to employ someone who will do a Wikileaks on them," he said.
Security experts are still divided over the origin and purpose of the Stuxnet worm, but most agree that it has demonstrated for the first time that a government or group can act across national borders to destroy the physical assets of another actor through the use of a cyberweapon.
At the same time, says Austin, there has been growing recognition by all major powers that their economic security is tied up with cybersecurity.
"It is now topping the agenda and was being considered by the G8. In just about every geography, cybersecurity is going higher and higher up the political agenda, and it would be interesting to know whether that is being replicated in all the boardrooms around the world, as it should be," he said.
Although big business is sometimes critical of governments for not addressing their risk management needs, governments are starting to catch up on cybercrime, says Austin, which is the foundation of the best practice that is emerging reasonably well in some relationships internationally in terms of tracking down cybercriminals and catching them.
He says what still needs to happen at a national level in some countries is the realisation of how fundamentally important the cyber threats might be in terms of a global risk strategy.
"If you had to ask Sony if it was affected more by the Tsunami or by the breach of its customer data, it would have to say it was studying the possibility of a Tsunami from a risk point of view at board level, but was not studying cyber attacks in the same way," said Austin.
More has to be done around the relationship between the government and commercial interests to manage the bigger risks, says Austin, pointing out that there must be some mechanisms of trusted information sharing between government and the private sector.
Various schemes for information sharing have been emerging around the world over the past five to 10 years, but in terms of risk management, private sector companies need to have a degree of confidence that they know who to talk to in government and how to get information quickly if there is a crisis, he says.
Worldwide Cybersecurity Summit
Best practice can encompass public-private sector cooperation, information sharing in the private sector on attacks or incidents, and getting together representatives of the private sector and governments to address specific problems, says Austin.
The EastWest Institute has started that process, and is championing it through events such as the second Worldwide Cybersecurity Summit taking place in London on 1-2 June 2011.
"The first summit in Dallas in May 2010 demonstrated that we were able to bring people together to talk sensibly about the big diplomatic issues, as well as the lower-level practical mechanisms that leading businesses want attended to for the viability of their business," said Austin.
The first summit paid a lot of attention to "Breakthrough Groups" that brought together public and private sector people to discuss specific problems and develop specific solutions.
The EWI plans to do the same in London, with Breakthrough Group sessions planned on topics including international communications, the power of non-state actors in cyberspace, global internet health, and building a cybersecurity glossary and taxonomy.
"Through the summit process, the EWI has been able to demonstrate that cybersecurity issues are more urgent than people think and that there are relatively easy solutions out there, but to get to those solutions we have to start talking to each other in more meaningful ways, more frequently and across more borders," said Austin.