It is often said that “money makes the world go round”. We only have to look at the impact of the financial shocks of the past decade to see the truth in this. However, the thing that keeps money – and increasingly every other element of society – functioning is the technology on which critical systems and infrastructures are now based.
In the financial world a system of credit ratings informs investors and decision makers of the performance and likely resilience of a nation’s economic posture in the context of global financial markets. In a similar way, for governments and national law enforcement agencies, understanding a country’s sovereign security rating can provide essential intelligence on the nation’s cybersecurity posture, digital infrastructure stability and readiness to deal with the complex and evolving cyberthreat environment. As the global digital environment continues to develop, sovereign security ratings are set to become a critical benchmark for governments aiming to safeguard citizens and protect critical national infrastructure.
Assessing risk to the digital nation
In his first speech as GCHQ director in April, Jeremy Fleming’s message was clear: “Hostile nation-states are rapidly building and enhancing their cybertools to stay ahead in the global race. Whether it’s stealing another government’s secrets or the IP from a defence contractor… some states are willing (and very able) to do it.” This statement has been brought into stark focus with the recent accusation by the National Cyber Security Centre that Russian military intelligence services were behind four high-profile cyber-attacks.
Hostile state activity is, of course, only part of the story. Cybercriminals exploiting system vulnerabilities for financial gain are just as capable of bringing organisations to their knees. Witness the ransomware explosion of the past two years and its impacts on the NHS and other key organisations in the UK and globally. Critical National Infrastructure (CNI) is an attractive target for both nation-state sponsored actors and cybercriminals, who regularly put it under attack.
Understanding the risks that these threats pose on a national scale and the response protocols that are in place is of growing importance. This is not just from a public safety and information security perspective. In an economic sense, cyber incidents that cause instability have significant potential to directly or indirectly affect economic performance.
In recognition of this, governments must take the initiative on national cybersecurity. Britain launched the National Cyber Security Centre in 2016. Its vision was “making the UK the safest place in the world to live and do business online”. It recognises that cybersecurity is everybody’s business and that mitigating the risk of cyberattacks requires a collective effort to improve online security awareness. The challenge that nations face is how to benchmark their posture on cybersecurity so they can make meaningful progress in improving it.
Sovereign security ratings – a valuable tool for national cybersecurity
Many large companies already engage in cyber-risk assessment to establish the level of risk associated with their supply chain and vendors; it’s a key part of best-practice risk assessment. There is a vast quantity of data that is continuously gathered, analysed and evaluated to offer insight into cyber-risk at a corporate level. At BitSight, we recognised the tremendous value that this detailed intelligence can offer not just to companies who want to mitigate cyber risk but also to countries.
The result is the sovereign security ratings platform. It takes this mass of cyber intelligence and gives it international scope, providing context from continuous analysis of the global threat environment. This allows agencies to benchmark performance against other countries. The platform calculates ratings using a proprietary algorithm that examines four classes of externally observable data: compromised systems, security diligence, user behaviour, and data breaches to give a rating that is updated daily. Previously, this data would be collected and analysed manually – a hugely time-consuming process in a world where threats can develop and escalate in an incredibly short time.
What do sovereign security ratings provide?
As well as giving a national perspective, intelligence can be broken down by key industries and companies. This means that those which provide CNI can be continuously monitored. It ensures that governments can assess the nation’s exposure to threats that might affect those companies or sectors.
Once there is an understanding of the nation’s cybersecurity performance and areas of potential vulnerability, intelligence and law enforcement agencies can start to build initiatives that will mitigate risk, drive improvement in key suppliers and strengthen the nation’s overall cybersecurity posture.
BitSight’s sovereign security rating platform also warns of emerging threats, such as malware campaigns, in particular geographic locations, so Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) can act to mitigate those threats in a timely manner.
Sovereign security rankings differ from cybersecurity rankings such as the Global Cybersecurity Index because they derive from live, independent intelligence and continuous monitoring, rather than a self-reported commitment to legal, technical and organisational activity. While the latter provides a useful snapshot of countries’ engagement in cybersecurity, nations will find greater operational value in a system which delivers real-time information and alerts when threats against critical infrastructure begin to escalate. This dynamic capability is essential in the light of the fast-moving, rapidly evolving cyberthreat landscape.
Sovereign security rankings provide insight into cyber resilience
In the same way that credit ratings provide information about the stability of a country’s economy, so sovereign security ratings provide insight into its cyber resilience. Society’s dependence on technology to deliver infrastructure, from communications and banking to healthcare and defence, means that protecting it has become critically important for governments worldwide, and sovereign security ratings are another tool in their armoury.
I’ll leave the final word to GCHQ Director Jeremy Fleming, who leaves us in no doubt as to the importance of cybersecurity to the overall security efforts of the nation state: “In short, cyber has become an indispensable part of modern national security statecraft, and the cyber security element of it [is] critical to organisations of all sizes in all sectors.”
BitSight transforms how companies manage third and fourth party risk, underwrite cyber insurance policies, benchmark security performance, and assess aggregate risk with objective, verifiable and actionable Security Ratings.