Securing developing countries is not a charity, it's our responsibility
In the Holiday Edition of Venture in Security, I am talking about cybersecurity for those that need it most - poor and developing countries
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
When we think of cybersecurity, we think of the US, Europe, and Israel with the United States drawing a disproportionate amount of focus. There are many good reasons for that - that’s where the cost of data is the highest, the economies are the most developed, and companies can pay top dollar for protection. Security may be seen by some as a fundamental right but it is, one way or another, a business (and a lucrative one).
The Holiday season, when the hearts of many are in the spirit of giving, is a great time to discuss something that is less pragmatic and less self-centered: cybersecurity in developing countries.
Today, security is not seen as a priority by leaders of developing nations; they have far more pressing problems to solve, such as food security and access to healthcare, both of which have been greatly affected by the COVID pandemic and Russia’s war against Ukraine. At the same time, the understaffed and overextended security teams in Western countries are working day and night to solve their own problems, including the never-ending stream of financially-motivated attacks and commercial espionage.
A simple google search shows that while there is a decent amount of scientific research on the topic of cybersecurity in developing countries, a discourse among industry practitioners is practically non-existent. That is the gap that cannot lead to good results. In this piece, I will briefly describe the problem, explain why we should care, and suggest a non-exhaustive list of potential solutions. After all, securing developing nations is not a charity, it's a necessity.
No one has solved security but the US is moving in the right direction
It is hard to be content with the state of security as we see a continuously growing number of cyber breaches. However, it would be a big miss to not celebrate how far we have come. In 2022, we’ve seen several great advances in making security accessible to people and institutions, including:
The U.S. Cybersecurity and Infrastructure Security Agency now provides a broad range of free tools and services to help cities and towns protect against cyber threats.
The $30M Shared Services Program was launched to defend New York counties. CrowdStrike endpoint detection and response tools are made available for free to all 62 of New York’s counties and Joint Security Operations Center partners, including the cities of Albany, Buffalo, Syracuse, Rochester, and Yonkers.
The City of Dallas launched a free "Dallas Secure" mobile phone app to protect its residents from cyber threats.
The Strengthening American Cybersecurity Act (SACA), The State and Local Government Cybersecurity Act, and The Federal Rotational Cyber Workforce Program Act signed into law in 2022 were among many efforts of the government to strengthen the nation's cyber defense.
The US might not have solved the problem of cybersecurity (no one has), but it is most certainly moving in the right direction to safeguard its people, businesses, and critical infrastructure. It’s a testament to the policymakers, but even more so - to security professionals doing the hard work behind the scenes, pushing the government to continue doing more, and actively participating in advocacy and advisory work needed to make these initiatives happen.
Cybersecurity challenges in poor and developing countries
Developing countries have been struggling to secure their infrastructure, resulting in dire consequences for their governments, people, and businesses. A case in point is Central and Latin America which suffered devastating cyber attacks in the past two years. The Lapsus$ gang started its operation by targeting Brazil’s health ministry and later expanding to Portuguese-speaking companies that included Impresa, Claro, and Embratel. Earlier in 2022, Costa Rica’s government was forced to declare a state of emergency after coming under persistent attacks organized by the Conti cybercrime gang. Financial institutions, businesses, and governments of Bangladesh, Vietnam, the Philippines, Kenya, and other countries have become victims of ransomware and had their funds stolen. These are the countries struggling to provide their citizens with access to essential services, so the cyber attacks are making the already poor even poorer.
There are multiple reasons for the apparent increased cyber insecurity in developed countries.
Firstly, in the past few decades, countries such as Kenya, Mozambique, Tanzania, and Rwanda have experienced rapid digitalization, leapfrogging into the digital era, which has resulted in millions of people from many nations rising out of poverty, gaining the ability to participate in banking, education, and political systems, to name a few. Unfortunately, the process of digitization has not been accompanied by the establishment of cybersecurity practices and the growth of the number of security practitioners, leading the newly digitized nations to become increasingly vulnerable.
The second reason is that people in poor and developing countries often cannot afford the latest versions of operating systems and licensed software which receive regular security patches. Instead, old versions of operating systems, pirated software, and torrent downloads have become widespread in developing nations. Unfortunately, these types of software do not receive any security updates, and some such as torrent downloads stuffed with malvertisements, can be even more dangerous, making them permanently vulnerable to the never-ending cycles of attacks.
The other reason is the low level of awareness of what cybersecurity is, and why it is important. This is due to the catch-22: the lack of appropriate training leads to the lack of security professionals which in turn causes the absence of training. This cycle is ongoing. Low levels of practical education cause poor cyber hygiene practices such as weak and default system passwords, reusing the same credentials across multiple sites, sharing private accounts with other individuals, the absence of the MFA, and others. While simple measures such as MFA have been known to significantly strengthen the security posture of organizations and individuals, the value of these habits has not been understood in many societies.
Lastly, high levels of political instability and pressing economic challenges have pushed the development of cybersecurity legislation and strategies by the government to the sidelines. The growth of internet infrastructure and access has greatly outpaced the legislative and law enforcement capabilities in many developing economies. This has widespread consequences, from the absence of proper cyber hygiene and control in the government and across publicly funded service providers, to the fact that cybercriminals view emerging economies as both perfect, defenseless victims and great hiding places. Cyber gangs often use developing nations as sandbox environments and training grounds for the subsequent financially and politically motivated attacks in developed countries.
Why should people in WEIRD countries care
Cybersecurity loves acronyms, but WEIRD is an acronym not related to security. It was coined by Dr. Joseph Henrich from Harvard to describe societies that are Western, Educated, Industrialized, Rich, and Democratic. Think of the US, Canada, EU, UK, Australia, and a handful of others. If you, like myself, are fortunate to live in one of these countries, you might be wondering “Why should I care about the security of some company in Asia, the Middle East, Africa, or South America?”.
The answer to this question lies in the event that united all humanity, regardless of their country of origin: the global pandemic. A virus that started somewhere in Asia, within days and weeks spread to every corner of civilization, taking the lives of many regardless of their socioeconomic status, political preferences, or everyday diet. This tragic event highlighted that while no country, however rich, can fully avoid the virus, the consequences for poor nations are generally much worse than the consequences for those that are wealthy. When rich countries faced thousands of deaths and mass hospitalization, they promptly ordered vaccines, deployed capital, and implemented measures to keep hospital systems from collapsing (some more successfully than others, but that wasn’t due to the lack of resources). Poor countries were out of luck: not only they oftentimes had to wait much longer for vaccines and rely on the support of intergovernmental organizations, many saw their fragile care systems collapse under pressure. The economy of WEIRD countries suffered due to the loss of productivity but for the most part, it swiftly recovered after the restrictions were lifted and people went back to work. Many poor and developing countries are still trying to overcome the consequences of the epidemic, now exacerbated by Russia’s war in Ukraine.
Like COVID, mpox, and other biological viruses, a digital virus does not discriminate based on citizenship or geography. When WannaCry happened in May 2017, it affected around 200,000 computers across 150 countries (the four most affected countries were Russia, Ukraine, India, and Taiwan). Mydoom, considered by many to be the worst virus outbreak in history, caused estimated damage of $38 billion in 2004 (the cost is much higher in today’s dollars when adjusted for inflation). The NotPetya attack of June 2017 which started in Ukraine, quickly spread to the largest enterprises globally. Some of the most notable victims included Maersk, the world's largest container ship and supply vessel operator, which lost approximately $300m in revenues, and FedEx which suffered a $400m loss in 2018.
In a world where technology is so tightly interconnected, securing digital infrastructure somewhere in Latin America helps secure businesses and people in the US. This is the main and the most compelling reason for people in WEIRD countries to care about cybersecurity in emerging economies.
When the COVID pandemic happened, to distribute vaccines to their citizens, poor countries had to rely on their healthcare infrastructure which after decades of foreign aid, support from the World Health Organization, grants, training, exchanges, and intragovernmental collaboration had the capacity and the capability to do the job. If tomorrow an event of similar magnitude was to happen in the digital world, countries such as the US, fortunate to have armies of well-trained and greatly qualified incident responders, would deploy them to restore their critical infrastructure. Developing countries, on the other hand, would be in big trouble. Even if the “cure” existed, they lack the right talent to take care of their digital life and “administer” this cure. Unlike healthcare, “digital care” (cybersecurity) of today does not have the infrastructure necessary to ensure a nation's security. Due to the lack of time, talent, and the right levels of support, it did not get the chance to develop just yet.
Developing countries have an opportunity to leapfrog if they solve one big problem
Traditional theories of development suggest that to prosper, developing countries should follow the path of developed nations. In the past decades, we have seen that it is not the case as many emerging economies were able to leapfrog into the digital age.
Leapfrogging happens when a nation skips traditional stages of development and instead jumps to the newest technologies, bypassing the intermediary stages developed countries went through to arrive at the same result. There are many examples of leapfrogging; the most prominent ones are the mobile revolution and the rise of fintech.
The mobile revolution resulted in millions of people in developing countries getting access to mobile phones without these nations ever having to build the landline infrastructure. The rise of fintech, on the other hand, enabled poor countries to implement digital payments, peer-to-peer lending, holistic credit scoring, and mobile payments without ever building (and later having to dismantle) the legacy systems.
I believe developing countries have an opportunity to become leaders in cybersecurity by leapfrogging WEIRD societies and jumping straight to evidence-based security.
Businesses in developed countries had to secure their digital systems for the past few decades, and they could not naturally afford to sit and wait until better technology became available. Today, after implementing hundreds of tools that promised to keep them safe, enterprises are stuck with 70+ vendors stitched together, many of which are old, legacy solutions built in ways that are not transparent, not API-first, and do not take into account the security needs of modern organizations. The same problem doesn’t affect developing countries where few companies, not counting large international conglomerates or foreign businesses with a local presence, have had any security tooling at all. While some might have been using an antivirus, there are not many organizations with access to the latest endpoint and network detection capabilities. To top that off, in developed countries the infrastructure that needs securing is often much older and much more complex. For developing nations, there is little need to worry about some obscure architecture from the 1970s or 1980s which still underpins many modern industries such as banking in the US, Canada, and other leading nations.
All this combined creates perfect conditions for emerging economies to build their cybersecurity infrastructure on transparent, proof-based approaches to security. While WEIRD countries are trying to rip and replace legacy vendors and consolidate security tooling, developing nations can bypass all that and do security the right way from day one - by focusing on the fundamentals such as understanding what happens in their environment, creating detection logic to identify bad behaviors, and respond to it when needed.
Or, they could do that in theory if they had an important component necessary for it to happen, namely access to security talent.
Unfortunately, as developing countries don’t have decades of experience securing their systems, they were unable to develop a strong talent pipeline. When we are talking about the talent shortage in the US and Europe, it’s important to recognize that in developing nations, the problem is often even more acute. I will be discussing some ways to accelerate finding a solution to this challenge next.
Securing poor and developing countries: who and what can help
There are many ways we can help to make people and businesses in emerging economies more secure. There is enough research showing the gaps and what needs to be done. For example, a recent study about cybersecurity challenges in developing countries focused on Kenya, concludes that it lacks “adequate manpower or personnel, cost, and infrastructure required to ensure information systems are well secured”. Another report looking at cybersecurity capacity building in developing countries suggests focusing on private-public cooperation, education, governance, policy, and national strategy to solve challenges around securing people and organizations in emerging economies. There is research about Ecuador, several African countries, and others. At the same time, I wasn't able to find a whole lot about the role of the industry itself. Below are some thoughts attempting to fill this gap.
Cybersecurity Practitioners Without Borders
To help bridge the talent gap and enable developing nations to build their cybersecurity capacity and capabilities, we need security professionals from Western countries to help. Security engineers, architects, analysts, and others can make a huge difference by training their counterparts abroad. So much cybersecurity knowledge is experience-based and not captured in any courses, textbooks, or articles, that a hands-on, active knowledge transition can make a great difference.
When the community comes together, amazing things happen. In 2022, BSides Nairobi announced a small fundraiser to help some of their local community members who are not in a position to afford a ticket to the event. The security community responded with lots of kindness and support, and within days more than 650% of the original fundraising goal was achieved.
Security professionals from developed countries, managed security service providers, vendors, and policymakers should look for ways to establish connections and build a foundation for future collaboration. Reporters Without Borders made a great contribution to fighting disinformation, combating propaganda, and defending the freedom to be informed and to inform others throughout the world. Doctors Without Borders made a huge difference in caring for people affected by conflict, disease outbreaks, lack of access to healthcare, and natural and human-made disasters in over 72 countries. To date, over 12,5 million medical consultations were conducted by their humanitarian teams and over 1 million patients were admitted to their care facilities around the world, according to the DWB website.
We need Cybersecurity Practitioners Without Borders. We need people able and willing to help others to succeed. And, we are seeing the emergence of this movement with the selfless service many cybersecurity professionals are doing to help Ukraine combat Russian aggression. There are countless examples of this; here are two of the most recent ones I know of:
Internet 2.0, seeing the cyber capacity building and advanced capabilities as one of the ways they can help, has been providing cybersecurity support, intelligence, and training to Ukraine since the beginning of the war.
Ground Truth Connections is focused on helping people in need with data and well-designed software. Their first initiative is directed at helping connect the Ukrainian people with the information they need for humanitarian purposes.
Democratizing cyber defense
As a community, we can do more to democratize cyber defense. In practical terms, it means continuously sharing resources that help people and organizations secure themselves. We have done a fantastic job with open source projects such as Sigma (a de-facto format for threat detection) and Yara (malware research and detection). Even large corporations such as Splunk and Microsoft are now open sourcing a lot of their research and tooling. This is critical for defending developing countries as open source is most commonly the only kind of tooling practitioners in these countries can access. The rest is either not present at all, or prohibitively expensive.
Another way to democratize cyber defense is to continue developing tools and methodologies such as MITRE ATT&CK framework which has become a de-facto standard way for organizations to assess their security posture, identify gaps, and ensure holistic security coverage. Crowdsourcing knowledge enables practitioners around the globe to contribute, share, and improve together advancing the maturity of the industry forward.
Making security knowledge accessible
It took the West a deadly pandemic with the total shutdown of most of its critical infrastructure to accelerate the use of digital in our daily lives. Before the pandemic, online education was commonly seen as almost worthless, and always - subpar to the in-person experience. Professors and school instructors would often proudly renounce the idea of teaching remotely. Almost three years later, we are finally learning to integrate in-person interactions with online educational experiences. The developing world, on the other hand, is used to learning online as that’s often the only way they can access the latest knowledge, learn new languages, and be a part of the global ecosystem.
Developing nations have a decent number of people who are driven, curious, fluent in technology, and passionate about solving the world’s pressing problems. They are used to learning online, and while the language can often be a barrier, people interested in tech are seeing English as a prerequisite for participation in the global talent ecosystem. As more tech companies are starting to hire abroad, leveraging often more affordable access to top talent, we have the responsibility to not simply extract the resources, but to give back. Making security training accessible is one of the ways we can do it.
Platforms such as Coursera tend to have deep discounts and grants for learners from emerging economies. I think cybersecurity as an industry has the responsibility to do the same, making learning cybersecurity for security practitioners accessible.
We’ve got many great training providers, CTF platforms, and courses for security professionals. What we need is a pledge from them to support security enthusiasts from developing countries. It can take different forms - free courses and workshops tailored to their needs, or simply being able to access cybersecurity education at cost (reasonable prices people can pay). In the same way, I would like to see cybersecurity events like Black Hat offer deep discounts and fully-funded scholarships to practitioners from developing countries. It can’t be that hard, especially if we consider the long-term costs of doing nothing.
It’s worth noting that education must be focused on providing practical skills and preparing industry-ready security practitioners. We cannot allow theorists with no recent (or any) real-world experience to prepare the next generation of cyber defense professionals for countries that have none today.
Making security tooling accessible
One of the challenges in developing countries is that many cybersecurity tools companies need to defend themselves are prohibitively expensive. This is no surprise as most products in the industry are priced for the US buyer, and as a result, are inaccessible to businesses from emerging economies. It doesn’t help that many security companies enforce minimum spending, require long-term commitment, or altogether have no presence in developing countries as it is outside of their “areas of focus”.
I have a strong belief that rather than giving people fish, they should be taught how to fish. In the context of security, it means that while it may be tempting and beneficial in the short-term to provide free security services to eligible organizations that cannot afford it, in the long term we need to help them get access to those resources. This is why I am not advocating for charitable missions to “secure Africa”. But we can make cybersecurity products more accessible so that people in developing countries can go beyond open source.
To make security tooling accessible, two simple solutions could be:
Product discounts: if a vendor is making the majority of its revenue from Western countries (say, the US), it can subsidize some of its products and services to make them affordable to customers from developing economies. I am repeating myself, but it can’t be that hard to implement.
Accessible tooling: to raise the next generation of security practitioners in developing countries, we need to provide them with access to cybersecurity tools and infrastructure. This is where product-led growth with its open, ungated, accessible approach can help, providing free trials and free tiers which are often sufficient for students to learn the trade.
As it stands, talented security practitioners somewhere in Cambodia have little chance to get their hands on the tools they need to know to do their job. I think security vendors have a social responsibility to make their solutions accessible to people and organizations in emerging markets.
Making enterprise software accessible
It is not just security vendors that need to make their tools accessible. Companies providing other types of software which commonly gets pirated in poor countries could benefit from lowering the cost of their offerings thus enabling them to create new revenue channels and provide secure tools to those living and operating businesses in emerging economies.
The problem of securing poor nations’ infrastructure from cyber threats is too big to be solved by security vendors and practitioners alone. Intergovernmental collaboration is needed to address the gaps beyond market control. The good news is that we are seeing reports that the US and European Union are planning to introduce joint funding to secure developing countries. The not-so-good news is that it took a full-fledged war in Ukraine and direct threats from Russia for this effort to get started, and who knows how long it will take for it to yield some tangible results.
I am hopeful that this initiative can make visible progress in the coming year, and that its focus will be on helping developing countries build their own defense capabilities and incubate security talent. Providing them with one-time funding to establish some security capabilities and infrastructure with no experienced practitioners to support it won’t lead to long-term security.
Collaboration and knowledge sharing between developed and developing countries can help nations with low cybersecurity maturity craft the much-needed legislation, create frameworks and standards for securing their infrastructure, processes for purchasing and patching licensed software, and training the next generation of security professionals to defend their networks.
Intergovernmental collaboration is also critical for catching cyber criminals. As Mars Cacacho, Senior Security Engineer explains,
“Unlike other domestic crimes, cyber crimes transcend physical and political boundaries. Although a cybercriminal may be in your jurisdiction, their victims could be halfway around the world. Even if they get caught in the act, they can still get away with it since authorities do not have the competency to do digital forensics and provide irrefutable evidence to pin them down. With this, international cooperation is paramount. Recent examples include the Esthost takedown in Estonia and the Emotet takedown.”
A brief note on China in the context of securing developing countries
Over the past two decades, China has become one of the world’s leading investors in the technology sector of developing countries and the #1 investor in African ICT in particular. Beyond massive government-funded programs, we see Chinese corporations such as Huawei becoming a core component of the ICT infrastructure in Kenya, South Africa, and Ethiopia, to name a few.
These investments, frequently masquerading as charitable and developmental initiatives and private-public partnerships, come with strings attached. China’s track record in siphoning intellectual property and spying on people, businesses, and governments is impeccable. Its tech giant Huawei, the very company that is actively taking part in shaping African digital infrastructure, along with ZTE, has previously been declared a threat to national security in the US.
It is hard to blame developing countries for building their digital world on top of the backbone of China’s international commercial espionage: they need help, and China is gladly offering it. The cost of this “help”, however, can be very high. If we want developing countries to have a fair chance to build their own future, and if we believe that the future of the world should be based on principles of democracy, respect for privacy, and personal freedoms, the West should find paths to support emerging economies. That way they won’t have to look to sell their long-term national security and political independence in exchange for software and hardware from Huawei and the like.
The joint US - EU initiative I mentioned before gives some hope. As The Wall Street Journal states, “by working together on cybersecurity, the EU and US aim to help countries that otherwise might be eager to accept funding from China”.
Article 3 of the UN Universal Declaration of Human Rights states: “Everyone has the right to life, liberty and security of person.” Cybersecurity is a business, but it is also a core component of our fundamental rights. We have to make money, and WEIRD countries are the place to be, but we should not forget about the societal implications of our decisions if we choose to ignore the poor nations.
During holidays, we think of others. This is the time of the year when we reflect on our lives, our dreams, ambitions, and goals. It is also a time to course correct; at first, on the personal, and later in January - on the organizational level. As people fortunate to be in cybersecurity, we carry a lot of responsibility. This is true for security practitioners defending our sleep by sacrificing their own. It is also true for security vendors, policymakers, and technologists of all kinds.
During this holiday period, I encourage us to reflect on security - the state of the space, the directions it is going in, and where it should go for us to build the society of tomorrow on solid footing. As we do it, let’s not forget to think about securing poor and developing countries; not only because it is the right thing to do, but also because by helping them become more secure, we are increasing our own cyber resilience.
No single measure is going to solve the problem of security. Passing cybercrime legislation will not make ransomware go away, and neither will the adoption of password managers. It is the implementation of multiple complementary measures, and the way they reinforce one another, that will make a difference, for the developing world and beyond.
If history teaches us anything, it’s that viruses do not know the national boundaries. Having survived a biological pandemic, we should do what we can to prevent a digital one. Wealthy nations haven’t always been great about taking care of those that are less fortunate. A recent example is a case in point: the pox virus has been around for ages but developed countries have been writing off millions of vaccines instead of sending them where they could make a difference (the US alone let 20 million doses of the pox vaccine expire).
Let’s find a way to learn from our past, not repeat it. We in the tech industry can do better. Securing developing countries is not a charity, it's a necessity.
Happy Holidays. Happy New Year 2023.