The partnership is a result of a long-standing history of defense partnerships but does not represent a paradigm shift in defense collaborations. However, the nature of this defense collaboration continues to evolve concerning the relationship of Pakistan to the United States and India. Examining the India-US defense partnership with an eye to the history, agreement details, and overall implications is worth the effort. Chanakya’s philosophical concepts, which are discussed below, are also instructive.

History

The United States and India are not new defense partners. The current agreement is an extension of those older agreements. This series of partnerships began in 2002 under the General Security of Military Information Agreement (GSOMIA), the Communications Compatibility and Security Agreement (COMCASA), the Basic Exchange and Cooperation Agreement (BECA), and the Logistics Exchange Memorandum of Agreement (LEMOA).

The most recent agreement expands the areas of cooperative defense to cyber and maritime security issues. This agreement will help bring the American and Indian militaries into alignment and make their defense capabilities and strategies align more effectively.

This US-India defense partnership is one of the ways that India can move toward greater defense independence and create “self-reliant” defense industries. The goal of this effort is to encourage the development of defense systems produced domestically or developed through technology transfers from other countries and to allow India to produce and export these products globally.

The US-India partnership also anticipates India having an upgraded military, being able to project maritime power more effectively, and enhancing its ability to deter aggression. The improvements in India’s military capabilities and its nuclear posture align with India’s pursuit of strategic autonomy; however, India’s evolving security environment is beginning to mirror the American security environment.

The partnership between the US and India will also help to reinforce the Quad framework (US, Japan, Australia, and India) as a key element of American Indo-Pacific Strategy, creating a free, open, and rules-based regional order. It is also anticipated that increased defense cooperation between the US and India will provide an enhanced collective deterrent against Chinese assertiveness and will enable the US and India to conduct more frequent and extensive joint naval and air exercises, such as the Malabar exercise.

Similar to other forms of strategic wisdom that are based upon the doctrines of Chanakya, the US-India defense agreement appears to reflect the concepts of not engaging directly with an adversary, depleting an adversary’s resources, and winning when the circumstances are appropriate. As such, it appears that India is employing a similar approach (building partnerships, establishing a defense industrial base, attaining strategic independence, and then waiting until the opportunity presents itself to engage) with similar replenishment concepts (economic and diplomatic) that were outlined in Chanakya’s playbook to allow India to capitalize on a potential weakening of the enemy due to internal politics.

While this agreement does provide a framework for cooperation and addresses some of the regional security concerns, including India’s negative view of China as an aggressive actor in the Indo-Pacific, the agreement does not establish a legally binding security arrangement, like the North Atlantic Treaty Organization (NATO).

Rather, the agreement reflects an increasing level of strategic convergence and represents a cooperative structure for defense. Media coverage of the agreement frequently exaggerates the significance of the agreement, while downplaying the fact that defense relationships between the US and India are not new and have little impact on the strategic balance between India and Pakistan.

While some in Pakistan see this latest agreement as a threat, the best option for Pakistan is to employ diplomacy, act in good faith to prevent future terror attacks in Indian territory, and avoid escalating tensions due to a false perception of encirclement. Positive dialogue with India and other regional actors will decrease the chance of conflict and build trust.

The US can serve as a stabilizing force to create dialogue between India and Pakistan and enhance regional cooperative mechanisms. Regional actors, such as China, Bangladesh, and Sri Lanka, etc., need to develop new policies to maintain an equilibrium in South Asia and not take action that exacerbates existing regional tensions.

The latest US-India agreement serves as a foundation for increased cooperation and may benefit regional stability and the overall security of the Indo-Pacific region. The degree to which this defense agreement has the ability to positively contribute to the strategic stability of South Asia depends on successful implementation of its provisions and the degree to which the United States and India can work with other regional states to address emerging challenges.

Harsa Kakar is as an Assistant Research Fellow at Balochistan Think Tank Network (BTTN), Quetta. The views expressed are personal. She can be reached at Kakarhsa01@gmail.com.

The Impact of the India-US Growing Strategic Partnership on South Asia was originally published on Global Security Review.

According to McAfee, over $1 trillion was lost to cybercrime in 2020. Some estimate if governments do not secure the cybersphere, this number will continue to skyrocket and reach over $10 trillion annually by 2025. Even cybersecurity firms are at risk. For example, FireEye, a government contract cybersecurity company, was recently a victim of a state-sponsored attack targeting its assessment tools.

Currently, the United States has no whole-of-government approach to secure its cyber vulnerabilities. Private companies maintain most of the control, with little to no oversight, and the Department of Defense (DOD) focuses almost exclusively on military cyber vulnerabilities. The United States needs to take definitive action to secure its systems to avoid further loss. By expanding the Department of Defense’s Cyber Command (USCYBERCOM), the U.S. can create a whole-of-government approach to improve resiliency and consolidate cyber expertise and resources.

USCYBERCOM is one of the commands of the Department of Defense. It has three points of focus: defending the DOD’s network, offering mission support, and strengthening U.S. networks against cyber-attacks. Expanding USCYBERCOM’s focus beyond military capabilities to include other U.S. Government Departments, allies, and private companies will lead to more effective policy.

First, expanding USCYBERCOM increases resiliency against internal and external threats, against both state and non-state actors. By adapting preexisting infrastructure, more of these threats can be easily assessed and rectified. USCYBERCOM methods can be easily expanded to encompass more critical infrastructure.

Second, consolidating resources means more effective work. The number of qualified personnel is relatively small and spread through different government agencies and private companies. By fusing the specialized workforce, the government can implement more innovative ideas and decrease vulnerability. Furthermore, merging budgets provides more extensive protection. The United States government spends between $18-19 billion per year on cybersecurity. Instead of having this money spent across various agencies and departments, collective action would be more easily achieved by combining them.

Finally, expanding USCYBERCOM leads to a whole-of-government approach. As it currently stands, private companies work separately on their systems, the US government employs them, and there is little oversight. USCYBERCOM works on military cyber capacities with congressional oversight. An expanded USCYBERCOM would involve more government agencies, include private companies’ input, and generate even more robust oversight from the Congress. This extensive involvement creates a well-rounded approach to cyber vulnerabilities and a timely response to discovered weaknesses.

For some, the dual-hat arrangement that the commander of CYBERCOM is also the Director of the National Security Agency (NSA) is controversial. Established in 2009 under the Obama Administration, USCYBERCOM was a small operation, and under the agreement, USCYBERCOM and NSA shared staffing and information resources. Following the Snowden leaks, different leaders have suggested the separation of the two. But this is not in the interest of national cybersecurity as, without this agreement, the NSA would not be compelled to share information or manpower. Without formal information-sharing agreements, U.S. agencies may be simultaneously working to address the same vulnerabilities. Expanding CYBERCOM will reduce duplication and lead to a more effective government response to cyberattacks and cyber vulnerabilities.

Expanding the responsibilities and members of USCYBERCOM gives the United States the ability to stand against malicious actors by implementing comprehensive and unified cyber policy. Decisive action will enable us to address vulnerabilities and reduce monetary and property losses. As the internet continues to expand, CYBERCOM can protect and promote American security and prosperity.

Expand U.S. CYBERCOM to better secure American Infrastructure was originally published on Global Security Review.

The United States can only sanction and indict so many people before discovering that this alone will neither prevent nor deter future cyberattacks. The United States must have a unified plan to confront cyberaggression through defensive and offensive action in the cyber realm. This position may mean protecting fragile democratic allies and conducting coordinated cyber strikes against malignant state and non-state actors.

While the latest cyberattack is still under investigation, authorities suspect that a Russian-backed group known as Cozy Bear hacked a management company called SolarWinds via its Orion tool, which is used to monitor outages. Then, between March and June 2020, this group inserted malware into its updates, impacting countless federal and private systems.

It was only when cybersecurity firm FireEye discovered the breach that the hack was revealed. FireEye noted that this attack was conducted by “a nation with top-tier offensive capabilities.” Indeed, Russia has previously used malware to steal critical information, but this attack was much different, focusing on “supply-side” vulnerabilities, including SolarWinds’ monitoring products. In 2018, the Government Accountability Office outlined the cybersecurity challenges related to supply-side risks (though they admitted that an attack of this magnitude was left out).

This “sophisticated” attack reportedly used IP addresses located in the United States, all while evading the Cybersecurity and Infrastructure Security Agency’s costly and sophisticated intrusion detection system called Einstein. The malware sat dormant until activated, sending sensitive information to the hackers.

This cyberattack is concerning due to Russia’s interference in the 2016 U.S. election through a coordinated information operations campaign that included a sophisticated social media strategy, hacking, and the release of compromising information via Wikileaks. Russian-backed agents also allegedly attempted to hack voting systems in nearly all 50 states. These agents could delete or change voter data. Russia also used a quasi-private company known as the Internet Research Agency to create a “troll farm” to influence social media.

According to a congressional report, the 2016 meddling intended to “sow discord in American politics and society.” The response to the Russian interference was lukewarm. The United States indicted 12 Russians for operating a military agency called the Main Intelligence Directorate of the General Staff, and the U.S. Treasury Department sanctioned some Russian entities and individuals. Clearly, these penalties didn’t go far enough because here we are again.

The United States isn’t Russia’s only target. The Russian-backed group Fancy Bear (the same group involved in 2016’s Russian meddling) hacked Montenegro’s government apparatus, hoping to influence the country’s impending NATO membership. In 2007, Estonia—which introduced online voting in 2001 and was considered one of the most technologically advanced nations globally—was also a victim of a Russian information operations campaign involving hacking and disinformation. Russia also conducted coordinated information operation campaigns involving social media and hacking in countries like Ukraine.

Nation-states such as China, Iran, North Korea, and Russia are operating with impunity in the cyber domain. Each of these respective countries has carried out cyberattacks on the United States, its allies, or private-sector entities. It is almost like the Wild West in the cyber realm, and these world powers have proven time and time again that no matter how much in good faith the United States acts, they will cooperate only in words alone.

There are some realistic options on the table to prevent and deter further cyberaggression. In 2011, President Obama defined attacks in the cyber realm as potential acts of war. With this in mind, the United States can respond with conventional means but is highly unlikely to react in such a manner. On the other hand, the United States has other tools in its arsenal for an appropriate response.

First, the United States needs an oversight board that can proactively and expeditiously identify government vulnerabilities, make recommendations, and penalizes contracted companies for security violations. While valuable, the report on Russian meddling took years to produce. In theory, an oversight board would be flexible enough to both produce reports and perform risk assessments.

While the hack is still under investigation, there are some red flags that cannot be ignored. SolarWinds’s server was left relatively unprotected with a weak password (solarwinds123), and the sign-in certificate was somehow manipulated to hack the systems. SolarWinds’s server was continuously exposed since at least 2018, thereby allowing anyone with a valid sign-in certificate to log onto its network. A government oversight board would have the ability to investigate and penalize a company or an individual for placing such compromising information online.

Second, a comprehensive systems upgrade is critical. Current U.S. cyber defenses — such as the Cybersecurity and Infrastructure Security Agency’s Einstein — failed because they didn’t have sensors to recognize and neutralize malicious traffic or an information-sharing agreement with agencies to identify servers that shouldn’t be sending information internationally. Likewise, the Pentagon’s cloud-based software is antiquated and vulnerable to attack (an upgrade is well in order). Of course, such upgrades require both funding and congressional will.

Third, cyber-offensive activities should be an option in the future. The National Security Agency has the capability and the know-how to conduct cyberattacks through the agency’s elite hacking unit known as Tailored Access Operations. However, such operations are rarely acknowledged, and that should change. There should be known penalties for cyberaggression.

The National Security Agency conducted a cyberattack against Iran using the Stuxnet virus, but the operation received little acknowledgment from the U.S. government. The Stuxnet virus destroyed thousands of Iran’s centrifuges at the Natanz powerplant that could have been used to make a nuclear weapon.

Additionally, in 2018, the U.S. Cyber Command conducted an attack against Russia’s Internet Research Agency, successfully disrupting Russia’s information operations campaign during that year’s U.S. mid-term elections. This attack was acknowledged by the U.S. government and also sent a message that cyber aggression will not be tolerated.

The United States must be ready to respond to further cyber aggression in the future. The United States must shore up its cyber defenses and leverage cyber offense as an option for deterrence. Countries like Russia don’t seem to care too much for the carrot approach. Perhaps it is time for the stick.

Déjà Vu: Hacked Again was originally published on Global Security Review.

At the international level, top United Nations officials have warned that “cybercrime is also on the rise, with a 600 percent increase in malicious emails during the current crisis.” The United Nations (UN) officials described the COVID-19-related cyber threats as an “infodemic” of misinformation. It is a situation where people received misinformation, disinformation, and rumors during a health emergency.  Cybercriminals have been conducting attempted ransomware attacks in which their phishing and ransomware campaigns are using the coronavirus pandemic to actively target healthcare workers. The International Criminal Police Organization (INTERPOL) also sees an increase in counterfeit medical products, fraud, and cybercrime. Cybercriminals would disguise themselves as the World Health Organization (WHO) to conduct scams or to steal personal and sensitive information.

One direct and obvious factor contributing to the rise of cyber threats is the drastic increase of internet users – from students, teachers, government workers, to private-sector employees and politicians. After the shutdown of schools and many governmental and non-government sectors, all face-to-face meetings were transferred into online platforms. The Internet has become the primary tool for many people to conduct their works. The amount of time that people spend on the Internet increased, exposing themselves to the risks of cyberthreats. Private-sector data revealed a 350% surge in phishing websites since the start of the pandemic.

Another factor is the inadequate cybersecurity education to raise public awareness in many countries, including the United States. With the sudden change of people’s online-using habits before and after the outbreak of the COVID-19, people (old and young) have not yet realized that they could be in danger online – even staying at home. This is not a new problem. For example, one article pointed out that employees of healthcare organizations in North America lack cybersecurity education and awareness in three main areas: regulation, policy, and training.

With the increasing number of internet users in the event of COVID-19, there are three areas that we need to take immediate action. First, one of the most vulnerable groups during COVID-19 is school-aged children. Most of the school children had to used e-learning in the past spring semester and now have entered their summer vacation, and it is difficult to have a comprehensive study about how much time they spend in front of the “screens.” The amount of time they use electronic devices has drastically increased. Since they could not quickly distinguish between the real and virtual worlds, there has been an immediate risk of falling prey to cybercriminals.

The second area is the protection of information and finance for enterprises and workers. The world’s dependence on information and telecommunication technologies is unprecedented. The Business Email Compromise (BEC) is on the rise, especially during the pandemic, and there is much work to be done. The growth of digital dependency in the workforce worldwide has increased the vulnerability to companies and their employees.

The third area is the cybersecurity infrastructure in many developing countries are not strong enough. According to the International Telecommunication Union, nearly 90 countries are still only at the early stages of making commitments to cybersecurity.” It relies on multi-national efforts to assist those countries, including adjusting national legal and regulatory frameworks in the cyberspace and unifying cybersecurity awareness campaigns, despite it is challenging to conduct on-site capacity building during this situation.

As the COVID-19 pandemic continues to change our way of life, it is a daunting alarm that people are exposing more to the increasing cybersecurity threats while not having enough awareness and education. For the private sector, the improvement of data management, IT security, and employee education are critical to prevent cyber hacking and BECs. We need to push governments to work more with private sectors and international partners toward feasible and effective campaigns.

The worst-case scenario is that the governments are more concerned about the economy than the increasing level of cybersecurity threats.  Whether governments and companies learn security lessons from the COVID-19 pandemic remains to be seen.

COVID-19 & Global Cybersecurity: Urgent Action is Needed was originally published on Global Security Review.

Cyber-Espionage and the Economy

While the current pandemic crisis presents businesses with unprecedented economic challenges to their very existence, it has also created a tremendous level of cyber-risks. Heightened risks are present not only due to the significant numbers of individuals working from home, increasing the vulnerability landscape, but also because as states fall deeper into recessions, some may resort to cyber-espionage in an attempt to position better their post-pandemic political, economic, and industrial structures. Regardless of the industry, the intellectual property (IP) of any organization is likely to be a precious target for foreign government-sponsored hackers.

Whether they seek production know-how, manufacturing plans, patents, research, or trade secrets, foreign governments may resort to unethical means of acquiring critical industrial and trade information to enhance their domestic economy posture and further leverage their comparative and absolute advantages, while simultaneously imposing costs on their adversaries. Chinese government-sponsored hacking groups, as well as their Russian counterparts, have a long-standing history of engaging in such malicious acts.

Government-sponsored and international criminal hacking groups, particularly those sponsored by the Chinese and Russian governments, are likely already taking advantage of the pandemic to increase their espionage activities around the globe. In this respect, it was recently reported that the Chinese cyber threat group, APT41, has already launched “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years” according to the cybersecurity firm FireEye. The attacks targeted the healthcare sector, including the pharmaceutical industry as well as other industries, including banking, manufacturing, media, telecommunications, and non-profits in several countries. Though, arguably, different sectors might be more prone to cyber-espionage campaigns than others, depending on the level of the industry’s criticality and IP possession. Yet in desperate economic times, government-sponsored hackers are likely to “harvest” as much data as possible—even non-industrial data.

Politically Motivated Cyber-Espionage

Many would argue that an organization’s IP or industrial data are the primary targets for government-backed hackers and cyber-attacks. However, non-industrial data can also be of great value to adversary governments to leverage their political advantage and position. Such data can include the general online behavior of the public, which then can give adversary-states insight into public sentiment towards the government of a target country, thus allowing adversaries to more effectively plan and orchestrate targeted online disinformation campaigns. These online campaigns are usually conducted to degrade the credibility and trust between the targeted country’s public and its media and governmental institutions. In doing so, adversaries attempt to covertly shape political developments in targeted countries.

Accordingly, cyber espionage is an activity that effective online disinformation campaigns are built upon. Again, it is no wonder how Chinese and Russian backed cyber-troops pioneered the systematic use of online disinformation tactics and exploitation of social media for such purpose. The latter is particularly evident from the recent actions performed by China and Russia while the ongoing pandemic crisis is taking place, where both countries tried to push conspiracy theories targeting western audiences to create political divisions, fear, and confusion. Furthermore, as the pandemic crisis continues to profoundly disrupt the global economy, the debate on global power shifts, and the reshaping of the international order is already starting to take place. In this regard, one cannot ignore China’s hegemonic intentions, and neither should one be surprised to see a surge of Chinese cyber-espionage and disinformation campaigns.

Countermeasures

Undoubtedly, the current pandemic presents both public and private organizations around the world with unprecedented economic risks leading to severe consequences on a macro and micro-scale. Although macro-level implications are evident in terms of economic performance, unemployment, and economic security, micro-level consequences may include a rise in crime, public unrest, and threats to civil order. Furthermore, the micro-level effects mentioned can be further fuelled by foreign cyber espionage and disinformation campaigns aimed at undermining the internal stability of a targeted state by adversarial actors.

That said, protective measures and recovery plans must be collective, in coordination and close partnership between a nation’s government, domestic organizations, and the private sector. The current pandemic has narrowed the available options for mitigating the economic fallout given the unanticipated and significant decline many industries are facing.

As economic measures, including but not limited to stimulus packages—an integral part of a state’s national security—are being implemented around the globe, the focus here is on governmental countermeasures targeting the spread of foreign cyber-espionage and disinformation. Even a slight relaxation of counter-espionage and counter-disinformation measures could impact economic recovery efforts. In this respect, several actions can be taken at the national level:

1. Sovereign states should agree on a formalized collective, coordinated intergovernmental response of indictment, and sanctions against governments sponsoring hacking groups should be implemented.
2. Governments should reinforce and harness their cyber defenses and data encryption. Additionally, governments must continuously address the weakest link in their cybersecurity chain: the human factor. The human element is mostly thought of in terms of increasing cyber-awareness and hygiene training. However, the particular focus here is the importance of increased monitoring of staff to limit insider threats who can be recruited by foreign bodies for facilitating espionage or network access.
3. Existing data policies of every governmental institution should be reviewed to further control and limit who have access to what.
4. Governments should strongly encourage the private sector industries to harness their internal cybersecurity team. While medics globally are on the frontline of fighting the pandemic and coronavirus spread, the organization’s cybersecurity teams are on the frontline of fighting the dangerously rising level of cyberthreats and associated digital risks related to espionage. That said, regardless of the industry, organizations must empower their cybersecurity teams more than before to more effectively counter increasing vulnerabilities surface and cyber-risks. Especially that with the growing pandemic uncertainties, social distancing measures will undoubtedly increase the individuals use of internet, computers, tablets, and smartphones.
5. Governments should increase online cyber-hygiene and awareness training for their general public. While cyber-hygiene has been something long-time called for, yet it is currently more required than before. Individuals must ensure vigilance while digitally navigating. Especially in times of crisis and fear, due to human nature, individuals thrive on more news and updates on the internet. In this regard, cybercriminals will possibly exploit such concerns to distribute more malware, malicious link, malicious websites, phishing emails, and scamming attempts. Recent reports found that global phishing activity increased by 667 percent during March 2020.
6. Governments should as well as encourage the private sector industries to limit the access of employees working from home to the organization’s intellectual property. Whether confidential financial documents, business plans, or critical research in an R&D department, employees’ access to any document or material deemed as the organization’s intellectual property should be as limited as possible. Concerning point five, it is never guaranteed that employees will not fall prey to any online malicious trap that could infect their device.
7. Continuously re-evaluate the digital and online tools needed by public and private sector employees needs to work from home to ensure safety, privacy, and security as much as possible. As different organizations utilize different tools and thus requires a different level of assessment. However, one example we can indicate here is the rapid adoption of Zoom, a video conferencing website and app that saw a rapid rise globally over the past month as a result of the “working from home” implementation. Accordingly, it’s been reported that hackers are capitalizing on the current extensive use of communication apps, including Zoom and Google classrooms, and are trying to infiltrate online meetings. Furthermore, there are ongoing concerns over Zoom’s privacy practices, with countries like Taiwan already banning its use.
8. In tackling online disinformation threats, governments should set up a dedicated taskforce comprising stakeholders of its national intelligence, national security, media, and ICT authorities. Such a task force would contribute to protecting their nation’s citizens by ultimately monitoring continuously and responding to foreign media outlets, online propaganda, and social media for adversaries’ disinformation campaigns. Furthermore, such a taskforce should regularly communicate to the public the right and factual information to avoid unintentional misinformation spread by the public.
9. Governments should work at all levels to ensure the highest level possible of transparency and government performance with its citizens via daily press briefings, in appearances on national media outlets, and official social media accounts. In doing so, governments minimize the possibility of having its citizens falling victim to falsified information spread by adversaries online.

With the ongoing pandemic crisis combined with the “warning drums” of a deep economic recession, governments worldwide are facing a full-scale national crisis that perhaps the maximum was done prepare for it was a hypothetical simulation or a table-top exercise. Managing the crisis, in reality, can be much more complex and a nightmare for decision-makers. However, flexible, agile, and governments that are being flexible and adaptable while at the same time prioritizing their cybersecurity measures and counter-espionage efforts are more prone to survive the crisis as well as sustain domestic business operations with minimal loss.

A Global Recession Will Fuel Cyber-Espionage was originally published on Global Security Review.

Data breaches seem to be the name of the game in tech this year, and the latest, a software flaw that exposed the private data of hundreds of thousands of Google+ users, has just snagged the spotlight. Despite the fact that data breaches and cybersecurity attacks occur across the globe, their occurrences in major technology markets such as the United States and the European Union (EU) tend to take policy precedence and draw greater media attention.

However, as emerging market nations—such as Indonesia and those in Sub-Saharan Africa—continue to rapidly digitize and foster new technology-based businesses, more attention needs to be paid to the risks these markets and their users face. Failure to do so will significantly hinder economic growth and business development in these regions.

Over 90% of African businesses operate under the cybersecurity poverty line, which means they are unable to adequately protect themselves from vulnerabilities and losses. Although Africa has comparatively limited communications infrastructure, the continent has a high penetration rate of new technologies, and as a result is a prime target for digital attacks. In 2017, cybercrime cost the continent $3.5 billion and yet 96% of online security incidents went unreported. Large and expanding digital hubs such as Nigeria and Kenya particularly suffered, accruing losses of $649 million and $210 million, respectively.

Cybercrime in Africa has targeted startups, corporations, institutions and governments alike. This June, South African insurance company Liberty Holdings Ltd. was held ransom by hackers who were able to access sensitive data including emails. The company is responsible for overseeing 2.5 million life-insurance policies and administering over 10,000 retirement plans and 500,000 individual and institutional investment customers, raising concerns about the consequences of such a hack. Some progress, however, is being made: there was a 73% increase of Information Security Management System certified companies on the continent between 2015 and 2016, the majority of which are based in South Africa, Nigeria and Morocco.

Similarly, in the Asia-Pacific region, cybercrime poses a serious threat to economic success. A study commissioned by Microsoft found that the total potential losses to the region from cyber attacks was $1.745 trillion, or 7% of the region’s current gross domestic product (GDP). These risks are particularly apparent in the ASEAN region, where nations invest an average of 0.07% of their GDP in cybersecurity infrastructure and operations. The consequences of such underfunded and undervalued cybersecurity initiatives can be seen in practice in Indonesia, where the country’s highest valued startup on record, Go-Jek, was found to have significant security vulnerabilities. 

Go-Jek is a ride-sharing and logistics startup that has over 15 million weekly active users and is widely considered a major competitor to global brands such as Uber and Lyft. In March 2017, Fallible, an Indian security firm claimed they were able to extract information such as GPS coordinates of rides and user data such as phone numbers and pick up and drop off points from two problematic APIs on the app. The firm also claimed they were able to exploit a vulnerability which enabled them to manipulate notifications users received. An Indonesian hacker based in Thailand identified similar vulnerabilities in 2016. Go-Jek is Indonesia’s first startup to become a unicorn (meaning it became valued at $1 billion), and over the past year, the company has invested heavily in expanding their services to include mobile payments. 

This expansion into a field that engages with even more sensitive user data underscores the need for a greater cybersecurity focus, as well as a complementary regulatory environment that similarly prioritizes security in tandem with growth. In 2017, the Government of Indonesia took steps in this regard, establishing a National Cyber Agency (NCA) to develop an integrated cyber defense strategy. However, given that in the same year, almost half of Indonesia’s companies were impacted by over 205 million cyber-attacks, costing $34 billion in direct financial losses and long-term reputational damage, there is a great deal of work to be done. 

In larger and more developed technology markets, data security and privacy laws such as the recently passed General Data Protection Regulation (GDPR) compel companies to invest more time and resources into developing and maintaining robust security infrastructure. However, in markets, such as in Sub-Saharan Africa and Asia-Pacific, where such regulations and cybersecurity-focused policy environments are weaker or lacking in enforcement, commensurate practices by businesses are less common.

Going forward, emerging market businesses and governments need to recognize that to achieve economic growth and reap the benefits of the ongoing digital boom, cybersecurity needs to be a priority. In practice, this means that there needs to be greater emphasis on operating and maintaining updated and robust security systems; training and expanding cybersecurity workforces; developing long-term cyber resilience strategies that account for all levels of corporate or institutional operations; raising awareness about the importance of such security practices; and generating legislation that adequately offers protections and remediations. 

Greater investment in regionally-specific cybersecurity infrastructure can also open up noteworthy business opportunities. The cybersecurity market is expected to be worth $2 billion by 2020, and thus far the African continent has not released any commercially viable cybersecurity products, while ASEAN nations, although having made some progress, also have room to grow.

The average cost of cybercrime for businesses and governments across the globe is increasing at a rapid rate, and emerging markets are at significant risk. Developing more robust cybersecurity infrastructure, policies, programs and cultures must be prioritized. This is particularly important now as these regions will soon be host to the majority of global internet users, as well as a large share of future digital businesses and services. 

Cyber Insecurity is Harming Emerging Markets was originally published on Global Security Review.