Is our view of cybersecurity too local?

Cybersecurity is a top priority for most agencies, as evidenced by ongoing efforts to formulate, tweak, and implement relevant plans and policies. But there is a big world beyond America's borders. Could looking at the global landscape help the government better shape its approach to securing U.S. cyber interests? Examining decidedly nontechnical factors -- including socioeconomics, demographics and the rapidly changing nature of Internet users -- could help inform cyber policies and make them more effective, according to a new study from Microsoft.

"Linking Cybersecurity Policy and Performance" marks a step away from the tech giant's usual undertakings, but its authors hope the study and its atypical approach will stoke important cyber discussions, said Paul Nicholas, senior director of global security strategy and diplomacy at Microsoft and one of the report’s authors.

"What's interesting is the growth of international dialogue of cyber norms around the world, both military-to-military and broader engagement," he said. "These conversations are becoming more intense. Environments in cyberspace are very different depending on where you are in the world...and that affects how we approach policy-making and solutions."

The study evaluated 80 indicators that included gross domestic product, broadband penetration and malware rates. Thirty-four of them were determined to correlate to cybersecurity performance, which the researchers extrapolated based on computers cleaned per mille, or the number of infected computers cleaned for every 1,000 times Microsoft's anti-malware tool was run.

Factors such as computers per capita, rule of law, demographic instability and literacy rates were among those that closely correlated to cybersecurity performance. Perhaps most significant for policy-makers are findings that point to international agreements as a key factor in cybersecurity performance.

Researchers found that participation in the Council of Europe’s cyber crime treaty, for example, was one of the strongest accelerators of cybersecurity in the countries surveyed. Conversely, in the category of lowest-performing countries in terms of cybersecurity -- labeled "seekers" in the study -- fewer than 10 percent participated in such agreements.

"It was striking that countries joining international commitments -- better law enforcement, concerted efforts to reduce spam, for example -- made the commitment, built the capabilities and then held themselves accountable," Nicholas said. "International conventions made a significant difference."

Less clear, however, was the role of an established military cyber defense strategy. Although 51 percent of countries in the highest-performing category, or "maximizers," have a military cyberspace presence, so did 21 percent of the lowest-performing countries. The study’s authors noted that many military strategies are in the formative stages, and those governments might not have had time to implement policies and capabilities.

"Most military defense strategies are less than five years old, versus the [cyber crime treaty], which is more than 10 years old," Nicholas said. "Military also can [mean] less transparency, so it's harder to get a read on the impact and maturity cycle."

Cyber crime rates, such as piracy and malware, were also prime indicators in the study, but their implications were not always as clear as might be expected. Seekers and countries in the middle category of "aspirants," which is the largest subset of countries, had comparatively high rates of piracy -- 68 percent and 62 percent, respectively, compared to 42 percent of maximizers.

"The implications of this observation are complex," the researchers wrote. "Countries that do a better job managing cybersecurity may also do a better job mitigating piracy, or countries with higher piracy rates may have a more difficult time containing malware and other cyber threats."

What that portends is just one area Microsoft hopes to tackle in the next round of research, Nicholas said. "We want to look at how to fine-tune and advance the models to improve understanding and effectiveness," he said. "We’re encouraging more debate. We hope that governments will find the study helpful when making policy decisions. Specifically, they can view factors affecting their regions’ cybersecurity such as key policies, piracy rates, laws, education, etc., and reflect on ways to improve their security standings based on their unique situations."