McKinsey on Government
Can you hack it? Managing the cybersecurity challenge
Autumn 2011 | John Dowdy, Joseph Hubback, Dennis Layton, and James Solyom
Cyberspace, according to the US government, is “the interdependent network of information technology infrastructures,” including “the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.” Governments and corporations worldwide are beginning to recognize the fact that securing cyberspace—protecting its confidentiality, integrity, and availability—is of paramount importance.
In its 2009 cyberspace policy review, the Obama administration asserted that “threats to cyberspace pose one of the most serious economic and national security challenges of the 21st century for the United States and our allies.” Europe has similar concerns: the United Kingdom’s National Security Strategy, for example, cites “hostile attacks upon UK cyberspace by other states and large-scale cyber crime” as a Tier 1 threat.
Yet governments today have a poor understanding of the cybersecurity landscape and the scale of the challenge. One reason for this lack of clarity is that the term “cyberattack” is often used to describe everything from low-probability catastrophic events (such as devastating attacks on infrastructure) to higher-frequency threats (such as cyberespionage and intellectual-property theft). In addition, there is a dearth of reliable data on the economic cost of attacks on government. Most top-down estimates of the scale of the issue are based primarily on questionable assumptions that yield implausible figures and thus do not offer a sound basis for decisions about policy or government interventions.
In this article, we propose a cybersecurity taxonomy to help government leaders understand the landscape, and a “value at risk” framework that government leaders can use to prioritize and focus on the most serious threats. It is our firm belief that cybersecurity is first and foremost a management problem, not simply a technical problem, and therefore our taxonomy and framework take a senior-management perspective. We also outline four principles for a best-practice management response to cyberthreats. Adhering to these principles will enable government to act as an effective protector of valuable assets.