Recently, the World Economic Forum (WEF) – an international nongovernmental and lobbying organization – met in Davos, Switzerland to discuss risks facing the global community in 2023.  Among the threats identified in its comprehensive The Global Risks Report 2023, cybercrime and cyber insecurity was featured in the top 10, alongside other prominent risk concerns such as geopolitical fragmentation, natural disasters, and societal polarization.  Complementing this work, the WEF released a more focused Global Cybersecurity Outlook 2023 report earlier in January, a product that correlated the previous year’s input from cybersecurity and business leaders’ on the leading cyber issues and how they affected organizations throughout the world.

The Global Cybersecurity Outlook was informative but did not provide any revelations with respect to the types of cyber threats targeting the private sector.  On a positive note, the study revealed that business leaders on the whole were more aware of cyber threats than the previous year, an important acknowledgement for private sector entities looking to create budgets and allocate fiscal, material, and personnel resources.  Since cybersecurity often competes with other budget line items, it’s encouraging to see that business leaders being more open to considering cybersecurity as a business problem, and not just a security issue.  This requires organizations to understand how cybersecurity fits into their overall company posture, and not just about password length, patching vulnerabilities, and updating antivirus software.  A robust in-depth self-examination, where and how it does business, what technologies are used, who monitors them, and how cyber-enabled threats are prioritized all contribute to the success and health of the organization.  One big takeaway from the Global Cybersecurity Outlook was that cybersecurity and business leaders still had work to do to work together in communicating risks and addressing them in meaningful and lasting mitigation measures.

The WEF’s increased focus on cybersecurity really came to light in 2022 when it launched its Cyber Resilience Pledge, based on six guiding principles that highlighted cyber security best practices and to create new solutions for leaders in the oil and gas sector.  In addition, the initiative helped spawn other measures to bolster their abilities to assess and mitigate cyber risk such as a streamlined approach to manage third-party cyber risks in the industry.  The effort was largely seen as a success, being endorsed by approximately 20 oil and gas chief executive officers.  Building on this, the WEF followed suit with similar initiatives for the aviation, electricity, and manufacturing industries as well, that are focused on organizing stakeholders from the public and private sectors to discuss cyber risk in their respective industries with the goal of taking collective action on cyber resilience best practices. However, while these pledges serve as acts of good faith, these pledges are promissory and not mandatory, and there has been no substantive follow-up reporting measuring the completion of any milestones that would signify their progress.

In preparation for the release of the Global Cybersecurity Outlook, the WEF advocated a need for global rules that addressed cybercrime, citing the continued growth of the professionalized cybercriminal industry, increased profits, and the expansion of the attack space, as catalysts for action.  The WEF acknowledged the United Nations (UN) efforts in this regards, having agreed to develop a treaty on international cybercrime in January 2022, with a goal of completing an agreement by 2024.  The undertaking is much needed, especially considering that the current Convention on Cybercrime has been in place since 2001 and has not been updated and probably in need of updating given the evolution in the cybercrime ecosystem.  Equally telling is that only 66 governments have ratified it, calling into question it what is written in it has any applicability or relevancy to today’s cyber threat environment.  As a leading international voice in public-private cooperation, the WEF clearly recognizes that only a treaty driven by the consensus of the majority of nations that adhere to its binding commitments can begin to dull the sharpness of cybercrime activity.

The WEF needs to collaborate with the UN to keep momentum in making sure that efforts to codify a cybercrime treaty is not met with the same logjams and internal squabbling as its efforts in trying to formalize responsible nation state behavior in cyberspace.  The WEF’s unique position of being a prestigious organization composed of senior leaders from governments, businesses, and civil society provide a true multi-stakeholder perspective on what such a treaty should cover, taking into consideration public-private sector interests.  Where governments change leadership and direction, the WEF offers a more sustained long-term vision that endures regardless of what governments do. Therefore, it would make sense for the WEF to become more involved in not only championing the treaty as it moves forward but socializing it within members’ own regions and in their respective industries.

Otherwise, the cybercrime treaty could suffer the same results.  Already, China has already started its pushback, maintaining that governments need to have the ability to control content, and that the treaty should criminalize the dissemination of disinformation.  Rest assured, if Russia wasn’t embroiled in an ongoing war, Moscow would likely raise similar concerns to represent its interests.  There has been criticism of the WEF for being elite and super rich, focused on lofty challenges that lean toward a specific political ideology, and generally not in tune with the daily struggles of people.  And while these perceptions may be valid, it is also true that these very positions of power, and the organizations that they represent, are exactly what’s needed to push a cybercrime treaty over the endline.

Because these individuals lead the very entities that are exploited by hostile actors stealing intellectual property, pilfering sensitive data, and extorting money.  Their voices should not only be heard, but their input solicited by the UN members hammering out the treaty.  What we don’t want materializing is a watered-down treaty with minimal utility.  Rather, this treaty needs to reflect not only the current threats of today, but also made with enough flexibility to adjust to a dynamic and ever-changing landscape.  It’s time for the WEF to do more than wax poetic about such topics; they need to put their money and reputations where their mouths are because they have skin in the game.

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.