G20 safeguards digital economy vulnerabilities with a financial sector focus

The G20 can ensure a secure, resilient, sustainable and responsible digital economy, especially in the financial sector, by removing vulnerabilities in Internet infrastructure, encouraging cross-border cooperation, providing guidance to telecommunications regulators and implementing norms regarding cyber-attacks.



Introduction
This paper explores the vulnerabilities that compromise the potential of the future digital economy. It proposes several G20 initiatives to safeguard the potential. The paper describes the need for international cooperation to protect the Internet to realize the promise of inclusive growth. The challenges to the financial sector in particular are explained. The paper notes the inadequacy of current international efforts by the OECD and the G20. It argues that the G20 should establish new norms, formal institutions and informal arrangements to enable the necessary cooperation.

Proposal
The German G20 presidency has set the themes for 2017 as 'Resilience, Sustainability and Responsibility'. Digitalization (infrastructure, standards and norms) is highlighted as a priority focus. The Internet, the global cyberspace, and the digital economy have great potential to increase growth and productivity. Innovation in data and digital tech can transform the manufacturing, transportation, energy, and financial sectors. But the potential is threatened by weaknesses in the digital infrastructure, the instability of international protocol coordination and the lack of effective cross-border cooperation. There is inadequate international coordination on crime and security to establish norms to deal with cyber threats. Secure digital infrastructure, improved international protocol coordination and effective international cooperation are required to ensure the necessary trust in the Internet and global cyberspace. The priority should be protection of the financial sector, the foundation of the economy. The G20 should establish new norms, formal institutions and informal arrangements to enable the necessary cooperation.
Six avenues are recommended for G20 consideration. The G20 could secure the financial sector with appropriate new regulations for ISPs and network operators. More generally, it could invite China, the US and Germany to prepare a future report on cyber defense. The G20 could request G20 Ministers and regulators with Internet responsibility to report on options to modernize and 'vaccinate' the Internet. G20 Energy Ministers could be tasked to improve cyber resilience at power facilities and Development Ministers for ideas to promote Internet accessibility, affordability and appropriate infrastructure. The G20 could empower a formal G20 Working Group to champion future international cooperation.

Need for International Cooperation
Individual nations cannot unilaterally provide the underpinnings to ensure the necessary resilience and sustainability of the digital economy. International cooperation based on consensus and modernized international law is the only avenue. The digital economy requires modern day equivalents to standardization of railway track gauges, aircraft safety requirements, telephony standards, and the 1929 International Convention for the Suppression of Counterfeiting Currency. Leadership is required to improve network operator practices; to cope with the developing 'Internet of Things'; to provide support for globally stable platforms for technical coordination and innovation; and to design global norms for cyber-attacks. However, despite the necessity of international cooperation to realize the potential of the Internet, there are widespread political pressures to 'deglobalize'. The unfortunate result is inward-looking national solutions to address global issues.
E-commerce needs a proper regulated environment to reach its potential. A recent Internet Society survey reports that trends on data breaches "cannot be allowed to continue without s' privacy and users' trust in the Internet, resulting in lower and more selective use of the Internet" (Internet Society, 2016, p. 17). 45% of Americans had changed their online behaviour because of their fears (Internet Society, 2017). According to a recent German study, consumers are concerned about the protection of their personal data on the internet.¹ 72 per cent of the people surveyed in six G20 states were concerned that too much personal data is gathered online. More than two thirds were worried that online payments might not be secure. A 2014 Report estimated cyberattacks cost the global economy $445 billion annually (McAfee, 2014).
The surveillance software industry appears to have "turned email theft into a terrifying - and lucrative - political weapon" (Cole, 2017). There have been calls for a software analogue to the 41 country Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The firm Netsweeper, based in Waterloo, Ontario, sells Internet "content filtering and web threat management solutions" to organizations and governments around the world (Cole, 2017). It has been reported that when the Houthi rebels took over Yemen's capital and the Internet service provider, they used Netsweeper software to put in place a draconian Internet censorship regime, blocking the entire Israeli domain. Canada's export control regime doesn't restrict the sale of this type of technology.
The risk is that a series of well-intentioned but blunt and inefficient unilateral solutions will create residual damage, possibly larger damage than the problem to be solved. A May 2017 article on the Foreign Policy website noted: "According to a source with knowledge of a White House meeting […] Trump's team is considering launching an investigation into a Department of Homeland Security program that shares information on cyberattacks in an effort to coordinate globally on countering digital threats, insinuating that it inappropriately opened up streams of sensitive data to Russia and other nonallies" (McLaughlin, 2017). Cyber-sovereignty, borders and government control must be carefully handled in the framework of effective international cooperation. Otherwise the Internet could be splintered into separate networks based on incompatible technology and regulations.
¹ https://www.g20.org/Content/EN/Artikel/2017/03_en/2017-03-15-g20-verbrauchergipfel_en.html?nn=2069594
International cooperation is essential to realize the Sustainable Development Goals' promise of affordable access for the global population. International collaboration is indispensable to generate and maintain trust in both digital security and in privacy risk management. There is considerable room for improvement in network risk indicators and ISPs' security provisions and device deployment processes. But there is a market failure - ISPs do not have sufficient incentive to address the problems. The financial sector and its customers are bearing the risks and consequences of the failure of ISPs to maintain best practice management. Specific issues are adoption of the Internet Engineering Task Force's Best Current Practice of network operators to diminish 'spoofing' (fake IP addresses disguising identity) and requiring ISPs to regularly scan internally for inventory identification and mapping, and to identify and rectify vulnerable Operating System/service versions.
There is a substantial basis for consideration of potential future G20 initiatives. The Global Commission on Internet Governance recommended government agreements on targets that should be off limits to cyberattack, with a mutual-assistance pact to deter cyber intruders. The OSCE has worked on confidence building measures. There is a bilateral China-US agreement on cyber espionage. The Bank for International Settlements (BIS) and the International Organization of Securities Commissions released a report in December 2016 on guidance on cyber resilience for financial market structures. In addition to the forthcoming FSB reports, the UN Group of Government Experts (UNGGE) will issue a report on norm setting for cyber espionage in June 2017.
Tim Maurer has suggested that G20 governments could formulate and endorse a G20 norm regarding state-to-state cyber conflict, such as: "A State must not conduct or knowingly support any activity that intentionally manipulates the integrity of financial institutions' data and algorithms wherever they are stored or when in transit. To the extent permitted by law, a State must respond promptly to appropriate requests by another State to mitigate activities manipulating the integrity of financial institutions' data and algorithms when such activities are passing through or emanating from its territory or perpetrated by its citizens" (Maurer et al., 2017).
The G20 could establish norms around more general cyberattacks which generate physical harm. Communication channels and norms could be instituted among countries on how to collectively manage incidents at both the diplomatic and technical levels.
The Internet of Things (IoT) opens a new source of vulnerability. Bruce Schneier has argued that the market has prioritized devices' features and cost over security: devices are built by teams that don't have security expertise, and ship without security updates or a way to be patched. He points out that when it comes to internet regulation, "[…] there's no government structure to tackle this at a systemic level. Instead, there's a fundamental mismatch between the way governments work and the way this technology works that makes dealing with this problem impossible at the moment" (Schneier, 2016).
One approach is to insist on providing for accountability for outcomes. Legal liability for software may be inevitable - if not imminent now that IoT failures have physical consequences. With a compelling tragic event, or case law done wrong, introducing liability could destroy the software industry. But "the industry will fight any attempt to impose liability absolutely tooth and nail" (Grossman, cited in The Economist, 2017). Industry will raise the spectre of delays analogous to the introduction of new drugs due to regulation of the pharmaceutical industry. Done right, legal liability is in the interest of the public good and public safety, and could even be stimulative to catalyzing appropriate cyber insurance.
There are many gaps in governance of the digital economy which require international collaboration to fill. One suggestion is to promote transparency in labeling to reveal distinctions among market alternatives and to permit evaluation of costs and risks. An internationally consistent IoT/Software Bill of Materials would ideally include ingredients from any 3rd party and open source software parts used in products. Listing known vulnerabilities would require justification. Product standards could be updated to require that IoT devices be patchable. Vendors and/or ISPs could be legally required to offer life-long security updates. There have been calls for a single regulatory agency to house required new expertise, because its applications cut across several existing agencies. There have been proposals for a U.S. National Institutes of Health model for cybersecurity, a Federal Robotics Commission, and a Department of Technology Policy.

Financial Sector Challenges
The digital economy faces a significant, perhaps existential, challenge that could compromise G20 plans to promote inclusive growth. Given Internet vulnerabilities and inadequate security, actions by criminal or terrorist actors can immediately have cross border consequences. There have been many costly instances of denial of service, ransomware and hacking of financial institutions. Breaches in the financial sector and in private sector records are widely reported.
Cyber operations targeting the availability or integrity of data of financial institutions could undermine the stability and trust in the financial system. Credential theft, malware currency manipulation, disk-wiping attacks ('Dark Seoul' and 'man in the browser'), and distributed denial of service attacks have required banks to take defensive and remedial measures costing millions. As more devices and more services are being connected to the Internet, they are increasingly susceptible to mischief and cyberattacks which diminish trust and could ultimately cripple the Internet.
On March 18, 2017, G20 finance ministers and central bank governors sounded the alarm: "The malicious use of Information and Communication Technologies (ICT) could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability" (G20 Finance Ministers and Central Bank Governors, 2017, paragraph 7).
A March 27, 2017 Carnegie Endowment for International Peace paper listed cyberattacks on the financial systems of a dozen countries - "[…] defacement of websites, DDoS attacks, and intrusions using more sophisticated malware. The targets of the incidents were mainly banks but also one stock exchange and one payment system, and the countries whose financial sectors were hit included Belgium, Brazil, Estonia, Georgia, Lebanon, Russia, South Korea, Ukraine, and the United States" (Maurer et al., 2017, p. 11).
In May 2017, the 'WannaCry' virus attacked thousands of computers, encrypting files and demanding a ransom to free them. According to Europol, ransomware encrypted data on at least 75,000 computers in 99 countries in one day (BBC, 2017).
The challenge is to catalyze innovation in modes and mechanisms of international cooperation to protect the potential of the digital economy for inclusive global growth and development, to upgrade traditional industries, and to facilitate structural reform. New forms of international cooperation must minimize risks to the financial sector and other infrastructure, and ensure security in a way that does not compromise creativity.

Inadequacy of International Efforts
The OECD report, "Key Issues for Digital Transformation in the G20", listed ten policy issues. Unfortunately, with respect to its sixth policy challenge, digital security, the OECD's recommendations are toothless: "G20 economies could explore opportunities for strengthening co-operation and international arrangements that promote greater sharing of good practice and information" (OECD, 2017).
In March 2017, with the aim of enhancing cross-border cooperation, G20 Finance Ministers and Central Bankers asked the Financial Stability Board (FSB) to perform a stock-taking of existing relevant released regulations and supervisory practices in G20 jurisdictions (G20 Finance Ministers and Central Bank Governors, 2017, paragraph 7). The FSB was asked for a progress report for the Leaders Hamburg Summit in July 2017 and for a stocktaking report by October 2017.
G20 Ministers for the Digital Economy met in April 2017 in Dusseldorf. There are three paragraphs in the G20 Ministerial Declaration (out of thirty-three) on "strengthening trust in the digital world" (Federal Ministry for Economic Affairs and Energy, 2017, paragraphs 26-28). The declaration expressed fine sentiments but lacked operational or verifiable commitments.
Annexed to the G20 Ministerial Declaration is a paper called "A Roadmap for Digitalisation: Policies for a Digital Future" (Federal Ministry for Economic Affairs and Energy, 2017, Annex paper 1). There are eleven issues covered in the G20 Roadmap - securing trust is number 8. If everything is a priority, nothing is a priority. In a sense, while all the eleven policy challenges are equal, digital infrastructures and security are 'more equal'. The G20 must focus to be relevant and effective.
To be sustainable and resilient, the Internet must first be made secure and resilient. Without trust, the immense potential of the digital economy will not be realized. The G20 Roadmap expresses the appropriate assessment: "Trust and security are fundamental to the functioning of the digital economy; without them, uptake of digital technologies may be limited, undermining an important source of potential growth and social progress" (Federal Ministry for Economic Affairs and Energy, 2017, Annex paper 1, p. 13).
But then instead of initiating concrete action, the G20 Ministers simply noted that they intend to "Exchange experiences […] Encourage the development of national privacy strategies" and discuss the issues within the forthcoming Argentine Presidency (Federal Ministry for Economic Affairs and Energy, 2017, Annex paper 1, p. 13).

G20 Modes of Action
We must remember that the G20 is only a forum for dialogue - the "premier forum for our international economic cooperation" (Kokotsis et al., 2009). The G20 does not take 'decisions'. It was never intended to usurp the mandates of existing international organizations. The G20 is an informal arrangement, without treaty-basis, charter, constitution or binding bylaws. Nonetheless there are several kinds of constructive outcomes that can emerge from a meeting of G20 Leaders (Carin and Shorr, 2013). G20 Leaders can:
• commit themselves to specific actions in their individual countries;
• invite their own portfolio ministers or working groups of officials and experts to undertake specific actions;
• establish a High Level Panel or expert group with specific terms of reference;
• request international organizations to pursue specific tasks;
• initiate the creation of entirely new international organizations or informal arrangements.

Potential G20 Initiatives
There are six practical avenues for G20 initiatives to address vulnerabilities in the digital economy:
1) Each G20 government could commit to take specific steps to secure its financial sectors by regulations for ISPs and network operators:
• Require ISPs to give early warning of new infections and help their customers find and fix vulnerabilities;
2) The G20 presidency could invite the U.S., China and Germany to prepare a joint report on means of international cooperation to deploy better cyber defenses, to use payment-pattern controls to identify suspicious behavior, and to introduce certification requirements for third-party vendors to limit illicit activity.
3) G20 Leaders could request G20 Ministers and regulators with Internet responsibility to report on options to modernize and "vaccinate" the Internet:
• Develop network risk indicators and review ISPs' security provisions and device deployment processes;
• Require that IoT devices be patchable in a reasonable time frame, because future vulnerabilities are inevitable;
• Legally require vendors and/or ISPs to offer life-long security updates;
• Fund and coordinate research and development of tools and methodologies to build flawless systems from their conception;
• Promote public education on cyber-hygiene and IoT labeling initiatives while ensuring broad public access to the Internet;
• Update standards on data protection, privacy and the use of algorithms;
• Incentivize competition to make the Internet and its devices accessible to all.
4) G20 Leaders could task their Energy Ministers to improve cyber resilience at power facilities, focused on removing malware and fielding better defenses.
5) G20 Leaders could invite their Development Ministers to report on options to scale up existing effective initiatives, introduce innovative ideas, or expand the mandate of current international institutions and arrangements to promote Internet accessibility, affordability and appropriate infrastructure;
6) The G20 could appoint a High Level Advisory Panel and upgrade the G20 Task Force on the Digital Economy into a formal G20 Working Group.
Illustrative options for their terms of reference and work program are provided in the Annex.

• Encourage the adoption by network operators of the Internet Society's Mutually Agreed Norms for Routing Security (MANRS) (https://www.routingmanifesto.org/);
• Engage ISPs to encourage better device deployment processes and operational decisions, utilizing publicly available data on network risk indicators, such as provided by the non-profit CyberGreen Institute (http://www.cybergreen.net/).