Local preparations against cybersecurity threats should not be exclusive to governments and the private sector, but should also include the whole of civil society, cybersecurity researchers with the United Nations University Institute in Macau told Macau News Agency (MNA).
Currently, researchers Debora Christine and Mamello Thinyane are conducting a study entitled Smart Citizen Cyber Resilience focusing on how civil society individuals, non-governmental organisations and community groups can better prepare to face cybersecurity risks.
The United Nations University Institute in Macau is a research institute that conducts UN policy-relevant research and generates solutions, addressing key issues expressed in the UN 2030 Agenda for Sustainable Development.
The research conducted by Christine and Thinyane looks to fulfil the UN Sustainable Development Goals for better data usage towards individuals development and wellbeing and better tech inclusion of individuals and population groups.
“Just now we are building a repository of all of these [local cybersecurity] risks and we’ve identified over 109 types of risks… The whole idea of resilience is that we need to be able to anticipate and plan for when these incidents occur so that we can absorb them and adapt. It includes contingency plans and preparation,” Thinyane told MNA.
Local preparations against cybersecurity threats should not be exclusive to governments and the private sector, but should include the whole of civil society, cybersecurity researchers with the local United Nations University Institute told Macau News Agency (MNA).
A former computer sciences professor in South Africa, Thinyane indicated that traditionally people tend to think of cybersecurity in terms of technical risks such as data leakages or data breaches, denial of server, and identity theft, but tend to overlook social issues such as cyberbullying, misinformation or fake news.
“For each of these risks, we are developing contingency plans and countermeasures. Individuals can do two things, they can access what is their risk exposure and based on that they can have options. For example, with data branches, ideally, you should be doing two or three data backups,” Thinyane added.
“So, we’re developing these models to allow individuals to think in a methodical way on how to improve their cybersecurity resilience.”
The project was conceptualised last year as the researchers managed to successfully apply for funding from the Science and Technology Development Fund (FDCT) funding valid for 15 months.
The first key findings of the research are expected to be published in August or September with funding expected to last until March of next year, but with the researchers hoping their work can be maintained after that period and expanded to the other Asia Pacific jurisdictions.
According to the researchers, cybersecurity approaches in countries and regions in the Asia Pacific tend to focus on top-to-bottom models, where most initiatives tend to be expected from government departments and private sector, which have more resources for these kinds of policies.
Last year, local authorities enacted the city’s first Cybersecurity Law, which establishes that private and public companies and entities operating in crucial sectors – including internet, media and communication operators, water and energy supply, banking, financial systems and gaming – would be mandated to enforce cybersecurity measures.
“Those specific stakeholders are more engaged about cyber risks and they have more resources to allocate to this. For example, Macau companies would have dedicated IT departments and probably even cybersecurity directors. On the other hand, civil society organisations like Caritas, a very mission-driven NGO, might not even have an IT department,” Thinyane stated.
“You have to establish resilience in the whole of society… We know from our work that the weakest link in your cybersecurity strategy is what will compromise the whole system… One of the biggest attack surfaces is individuals through social engineering. Simple things like you receive an e-mail from your ‘boss’ to transfer money into some account. Social engineering can compromise individuals to access networks.”
The SAR does have a Macau Computer Emergency Response Team Coordination Centre (MOCERT) managed by the Macau New Technologies Incubator Centre – which provides computer security incident handling information to local enterprises – however, the researchers noted that maybe many locals and organisations are not even aware of its existence.
The top-down model also tends to underplay the risks incurred by individuals and other civil society players, which ends up undermining the overall cyber resilience of society.
“The first phase of our cyber resilience research was already completed and we’ve looked at 14 Asia pacific national cybersecurity strategies excluding Macau which does not have it yet. It has launched the cybersecurity law but no… comprehensive cybersecurity measures with detailed stakeholders and their obligations to meet these objectives,” Christine told MNA.
Mainland China was included in the research, but Hong Kong, like Macau, does not have a cybersecurity strategy that encompassed civil society.
According to the Indonesian researcher, in most of these national cybersecurity strategies, citizens or civil society organisations are not provided with avenues to be involved in these security efforts.
Singapore, Australia and New Zealand were considered as regions with cybersecurity strategies which are better in operationalizing the resilience to cybersecurity efforts to develop a sense of overall society resilience to cyber threats.
“However our focus is not to rank countries but check which ones are more inclusive in their cybersecurity resilience,” Christine added.
In any sense, the researchers believe there should be a ‘marriage’ between top-down and bottom-up strategies to cybersecurity and hope to be able to present their ‘grassroots’ community resilience tools soon.