In recent years, a criminal gang pulled off a series of bank robberies without

having to walk into any bank. According toInternational Business Times, the
Carbanak crime syndicate made up of computer hackers from Russia, Ukraine,
elsewhere in Europe, and China used malware to steal around US$1 billion
from approximately 100 financial institutions over a two-year period starting in
2013. These thefts continue today, and are part of a global plague of cybercrime
with annual costs that are estimated to range from $445 billion to more than $1
trillion.
Although cybercrime is a visible concern for companies and governments in
industrialized countries, one of its most pernicious effects is still largely
unrecognized: It could hamper the growth of emerging economies around the
world. Digitization in most emerging countries has become a key business enabler
for public and private organizations. In Middle East countries that are not in the
Organisation for Economic Co-operation and Development (OECD), for instance,
digital markets are expanding at an overall compound annual growth rate of 12
percent and are expected to be worth $35 billion by 2015. But wherever
digitization takes hold, vulnerability to cyber-attack also emerges. It diminishes
the confidentiality, integrity, and availability of information that governments,
businesses, and individuals alike rely on heavily.
Emerging markets are particularly vulnerable because they tend to have highly
concentrated economies such as the oil and gas sectors in many Middle East
countries. The core industries often become attractive targets for saboteurs; for
example, two major oil and gas companies in the Middle East, Saudi Aramco and
RasGas, have been attacked since 2012. The banking industry is also susceptible;
reports on the Carbanak thefts said they affected financial institutions in several
emerging markets: Romania, India, China, Russia, Pakistan, Nepal, Morocco, and
Bulgaria. (No individual banks were identified.)
There is good reason to believe that such gangs will continue targeting banking
systems in the Middle East and Africa, Eastern Europe, Southeast Asia, and Latin
America, especially when they discover how exposed these systems can be. To

secure their economies, the leaders of these countries must urgently and
aggressively promote a national, strategic approach to cybersecurity.
Cyber-attacks, of course, are unavoidable. What matters is how policymakers in
emerging markets manage this threat. Too often, their responses are tactical; they
approach cybersecurity as a technical issue requiring a technical fix. At the same
time, the shortage of home-grown talent creates obstacles to developing essential
cybersecurity capabilities. The result is a patchwork that leaves gaps and creates
new weaknesses for criminals or hostile states to exploit.
A better approach is to establish a national cybersecurity strategy, undertaken by
a lead cybersecurity entity at the highest national level of government, with
prominent businesses involved. Such an approach increases the level of
protection for all digital ecosystems and makes good use of the presence of large
state-owned companies. It also offers an important economic payoff because
cybersecurity is a critical enabler of digital expansion. For instance, emerging
markets are lagging behind in developing electronic transactions, in large part
because of a lack of trust among consumers and vendors.
To achieve a world-class level of cybersecurity, a country needs a strategy that is
comprehensive, collaborative, and capabilities-driven:
Comprehensive: Ensuring the cybersecurity of a country is a complex
undertaking. A wide array of elements from the public and private sectors, as well
as not-for-profits, must be aligned, which requires a large, centrally led effort.
This may sound counterintuitive, given that so many organizations now stress
decentralization and local initiative, but in the case of cybersecurity,
centralization is critical to ensure that national standards are set by an impartial,
civil body. Although the exact form of this leadership will vary by country, in each
case the central national cybersecurity body should be responsible for defining
and supervising the initiatives agenda. To ensure its impartiality, the central

body should be independent of other organizations, such as ministries, councils,

or regulatory authorities. It should report directly to the countrys top leaders.
Collaborative: Collaboration between the private and public sectors, between
the government and citizens, is vital to defend a countrys digital assets. Although
all the people and organizations using a countrys digital networks have a stake in
preserving those networks security, such a broad level of collaboration is difficult
to achieve. Few government agencies and private companies are willing to admit
publicly that they have been victims of cyber intrusions, which means vital
information that could prevent other attacks isnt shared.
In many emerging markets, collaboration between the state and significant
industries is relatively easy because the two already have close relationships. This
collaboration can be expanded in a national cybersecurity context. With the help
of sector regulators, a country can establish operational responsibilities for
relevant corporate stakeholders. A country also can build cybersecurity programs
into its existing state economic programs to develop digital capabilities and
human capital.
Meanwhile, it is important to engage and educate citizens so that they understand
the basics of cybersecurity and can behave responsibly online; for example, they
can learn to recognize hackers efforts to phish secret information from them by
impersonating banks online. Similarly, governments of countries with common
interests should push to establish regional bodies to share responsibility for and
lessons learned about cybersecurity after all, cyber-criminals dont recognize
borders.
Capabilities-driven: A strategic approach to national cybersecurity can help
build robust capabilities for constructing safe systems and for defending them
from attack. This construction requires well-designed information assurance
standards, regular and ongoing measurement and testing of cybersecurity, and
the establishment of a security mind-set in the decision making and daily
activities of the state, the private sector, and citizens. It can also include scenario-

planning (thinking in advance about potential attacks and their impact), a

national incident-response plan, and the establishment of threat neutralization
and cyberlaw enforcement organizations.
Emerging markets also need to provide incentives to attract people to the
cybersecurity industry incentives that include generous financial packages.
They will need to create academic cybersecurity curricula that are consistent with
what the public and private sector need, courses that are also in line with national
talent development plans. Emerging markets also should fill the talent gap
through collaborative programs with international organizations and promote
international and regional awareness of cybersecurity by hosting world-class
conventions.
Creating and implementing a national cybersecurity strategy is a substantial
undertaking it is more challenging than simply calling in the technical experts.
For emerging markets, a casual approach to national cybersecurity could
undermine the potential benefits of digitization and prove to be even more costly
than clever bank robberies.