Tuesday, February 28, 2023
A recent roundtable discussion highlighted key capabilities that will be detailed in a forthcoming report.

Each year, the volume of cyberattacks and their impact reaches new levels. The number of cyberattacks targeting governments increased 95% worldwide during the last half of 2022, compared to the same period in 2021 while the cost of public sector data breaches increased 7.25% between March 2021 and March 2022. High-profile attacks, including those involving the US Office of Personnel Management, SolarWinds and the Colonial Pipeline infrastructure, have demonstrated how closely cybersecurity is tied to business continuity and operational resilience. Recent reports have found that many organizations struggle with chronic shortages in cybersecurity capacity, resources, skills, and budget.

Meanwhile, reliance on connected devices and services is expanding attack surfaces and the associated vulnerabilities available for exploit. Inconsistent protection, often stemming from a lack of user awareness about cyber risk management, has become key variable opening organizations to compromise. Indeed, many traditional risk models are now obsolete, along with the existing relationships and longstanding assumptions that have long guided cybersecurity decision-making.

New thinking and new approaches to cyber governance – for governments and their work with industry partners and the nations they serve – are required. Governments must act to bolster security capabilities, for agencies and to protect critical infrastructures across the nation.

To gather insights and frame actionable recommendations for governments in addressing this critical issue, the IBM Center for The Business of Government and the Institute for Business Value, in collaboration with partner organizations including the National Academy of Public Administration and Center for American Studies, recently convened leaders and experts from the government, nonprofit, academic, and commercial sectors for a highly interactive, moderated discussion in Washington, DC and Rome, Italy. The sessions, titled "Preparing for Future Shocks: Actions to Build Cybersecurity Resilience", provided content for governments and key stakeholders to help government to increase cybersecurity resilience for government and critical infrastructure. This content will assist in preparing for the inevitable impact of future cyber shocks to our communities and societies especially in light of the increasing vulnerabilities posed by hybrid and distributed work.

The session covered many areas, and laid out four areas for action:

  • Increase the cyber talent resource base
  • Improve organizational collaboration for faster response
  • Build cyber resilience to bolster democracy
  • Promote government-private sector partnerships

These action areas will be detailed in new report to be released in March based on the session and discussion, authored by former US Federal CIO Tony Scott, to inform decision-makers at all levels of government.

This will be the second in our year-long series of high-level meetings with leaders around actions that governments and stakeholders can take to address major shocks, which are only increasing in frequency and magnitude (see our first report that focused on emergency preparedness and response). Each topic in this series is the focus of advanced research, as well as high-level discussions that build on lessons learned and develop new frameworks for action. These learnings are then summarized in a report, which will be followed by a capstone report in Fall 2023. In addition to the emergency response and cybersecurity topics, future reports will address supply chain resiliency, sustainability, workforce skills, and international cooperation.

We look forward to sharing the March cyber report, as well as the entire series, to help governments work together and across sectors as they prepare for and respond to future shocks.