The product of human ingenuity and innovation, cyberspace now delivers a range of critical services to more citizens around the world than ever before. Yet, the online world as we know it stands at the threshold of unprecedented change. 

Being invited to speak at the EastWest Institute’s Worldwide Security Conference in Brussels this week provided an opportunity to examine the needs faced by the global security community as we prepare to meet the needs of the Internet’s next billion users. The International Telecommunication Union (ITU) reported that the number of Internet users reached the two billion threshold in March of this year and according to a Boston Consulting Group report, another billion are expected to come online in the next four years, bringing the total number of Internet users worldwide to about three billion by 2015.

Planning to ensure that our online world—cyberspace—is trustworthy, resilient and secure as we move into this uncertain future, policy leaders need to consider the fundamental changes that are occurring in cyberspace, and the policy issues that these changes will likely present and that will need to be addressed. Looking toward the future of three billion users, four factors will fundamentally change the future of cyberspace security: people, devices, data, and cloud services.

People: The Global Online Population Expands, Diversifies, and Grows More Internet-Dependent
The emergence of the next billion Internet users will impact security in two ways.  Most important will be the impact of the demographic characteristics of these users.  Consider that the next billion users will (1) be younger, (2) spend more time online, (3) be more mobile, (4) see the world through social media and apps, and (5) make greater use of natural interfaces. These five factors could hasten the onset of totally digital lifestyles making connectivity seemingly as essential as oxygen. The next billion could also help foster new innovation in the development and application of technology.

Separately,however, this emerging user population also represents a greatly expanded “target rich” environment for cybercriminals that want to exploit their data, social networks, and devices via botnets or other means.

Devices: From the Internet of Things to Immersive Computing
These new users will require new devices.  According to The Boston Consulting Group, the number of Internet-connected devices is predicted to exceed 15 billion—twice the world's population – by 2015, and to soar to 50 billion devices by 2020.  “Devices” of course refers to more than smart phones, netbooks and tablets.  It also systems such as smart grids, intelligent transportation, healthcare monitoring, smart manufacturing, and environmental sensors.

The advent of powerful wireless devices that both run infrastructure and deliver infrastructure services, including providing access to cloud services, means that cybercriminals and other threat actors need not merely target traditional, and increasingly protected, commercial software and consumer applications to execute attacks with significant consequences.  Attackers may well target the embedded software, firmware and hardware in these devices to attack the infrastructure or seize control of the devices and turn them into sensors that can report status, collect personally identifiable information, or conduct other espionage.

Data: Rapid increases in Understanding, Traffic and Opportunity
The striking growth in the number of users and devices will also produce an exponential growth in the amount of data that is being generated, stored, analyzed and transformed into innovation and knowledge.  Analyzing large data sets—so-called big data—will become a key basis of competition, underpinning new waves of productivity growth, innovation, and consumer surplus, according to research by MGI and McKinsey's Business Technology Office.  However, such data sets also represent attractive targets for organized cyber criminals and other threat actors.  From a security standpoint, safeguarding these huge data sets, protecting privacy and integrity, will require concerted global effort requiring collaboration among governments, the private sector, and users.

Cloud Computing: The Information Society Enabler
With an exponentially growing community of increasingly mobile users, cloud computing will commensurately grow in importance. It will fundamentally change how businesses operate, how every manner of services are delivered, and even how lives are lived.  On the positive side, the security best practices implemented by an effective cloud provider may rival or surpass the measures that cloud customers might themselves be able to provide, resulting in enhanced security.  Yet there are global issues that will need to be addressed in terms of transparency and jurisdiction to enable cloud services that are both secure and scalable to service the needs
of this expanded user community across multiple countries.

Preparing for the Future Now
So what does all of this mean for policy makers? Policy makers need to focus on three key areas: Improving global collaboration for cybersecurity, reducing the cyber-attack surface, and improving Internet health.

Improving global collaboration for cybersecurity is moving forward, with the EastWest Institute taking a leading role in in promoting increased dialogue about normative behavior among nation states in cyberspace. By defining acceptable behavior, norms help to promote stability and reduce the risk of conflict internationally by reducing uncertainty and fostering predictability.  Important work in this area began in 2010 with the UN sponsored Group of Governmental Experts process and has been taken up in the Organization for Security and Cooperation in Europe.  Recently, China, Russia, Tajikistan and Uzbekistan offered a contribution for consideration, and the United Kingdom will hold a conference on the issue next month. Countries should continue to work together on the important issue of state-level norms; however, with a burgeoning population of citizen users, we must not lose sight of the need for a broader dialogue on norms to guide the activities of enterprises and individuals on the Internet; this dialogue must involve not just governments but the private sector and other Internet community stakeholders as well.

Reducing the cyber-attack surface
Reducing the cyber-attack surface can be achieved by industry and government working in partnership to make the ICT infrastructure less susceptible to attack and compromise. One important way to achieve this is through concerted action to address risks in the supply chain for information and communications technology products and services. Vendors and service providers need to build and maintain world-class approaches to secure software and hardware development methodologies. Microsoft began this journey over 10 years ago and has openly shared its Security Development LifecycleThe nonprofit alliance SAFECode provides a platform for companies to
share, both within the software development community and more broadly, information on secure software development techniques that have proven to be effective as well as those that have not. Industry needs to do more.

For their part, governments need to understand the nature of ICT supply chain risk more clearly and work collaboratively with one another and with vendors to develop a common risk management framework rooted in core principles that both address supply chain integrity concerns and preserve the fruits of global free trade. Such a system should be risk-based, transparent, flexible, and should recognize the realities of reciprocal treatment in the global economic environment.

Improving Internet Health
Improving Internet health requires a global, collaborative approach to protecting people from the potential dangers of the Internet. Despite the best efforts at education and protection, many consumer computers host malware and may be part of a "botnet," unbeknownst to their legitimate owners. There is currently no concerted mechanism to shield users from or help them mitigate these risks. Such infected computers do not simply expose their owners’
valuable information and data; they place others at risk too. This threat to greater society makes it is essential that the technology ecosystem take collective action to combat it.

Work has been underway in industry circles to build cooperation among various stakeholder groups including ISPs, software vendors, and others; to leverage investments made in key regions of the world; and to create a future roadmap for an Internet health system. The active discussions of cybersecurity policy and legislation now underway in many nations afford a ripe opportunity to promote this Internet health model. As part of this discussion, it is important to focus on building a socially acceptable model. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern.

At its Second World Wide Cybersecurity Conference this past June, EWI launched an important effort to leverage investments made in key regions and to create a future roadmap for an internet health system to protect people, devices and data.

Conclusion
The good news is that as more people from around the world come online, the cultural fabric of the Internet is enriched.  Working together, the global security community can help ensure that the Internet becomes an ever safer environment supporting communication, collaboration, and commerce.

Paul Nicholas
Senior
Director, Global Security Strategy
Microsoft Corporation