WBG

De-risking digital investments to support cyber resilient development

Francesca Spidalieri and Melissa Hathaway

Did you know that the United Nations estimates that the funding gap for building [digital] infrastructure in developing countries is over one trillion dollars annually? Today, all modern infrastructure projects, as well as all Sustainable Development Goals (SDGs), include at least some digital components and/or are dependent on digital systems — which, in turn, are increasingly vulnerable to cyber risks and threats. Embracing digital technologies to improve society requires us to understand the “dark side of innovation” and incorporate cybersecurity and cyber resilience into all development projects.

For the last decade, nations worldwide have embarked on a digital transformation journey embracing and embedding information and communications technologies (ICTs) into their networked environments and infrastructures  to improve productivity, efficiency, innovation, and competitiveness. In particular, developing countries — which often suffer from weak legal and regulatory frameworks alongside poor governance and high poverty — are prioritizing digitization and connectivity to foster economic growth , enable skills development, encourage modernization, and advance human and social development.

This is why development organizations — including the United Nations, multilateral development banks, national development organizations, and major donors — are promoting digitization as a key enabler of inclusive and sustainable economic growth and social development.   They also aim to narrow the “digital divide” between the connected and unconnected. These entities are allocating significant funds toward digital development in lower- and middle-income countries to accelerate the achievement of the SDGs and other desired development outcomes in those countries.

But despite the clear benefits of digital technologies to economies and societies, most digital investments and development assistance programs have not placed the necessary attention (or de-risking mechanisms) on the risks stemming from the misuse of ICTs, including becoming tools for cybercrime, data exploitation, critical infrastructure failures, disruptions of essential services, increased surveillance, disinformation, digital authoritarianism, and other risks to health and safety. And because the rapid adoption of digital technologies in developing countries was not accompanied by adequate investments in cybersecurity, they are now experiencing greater vulnerabilities and malicious activities  that are threatening the security and resilience of their digital infrastructure and systems and eroding trust in the digital environment.  Without the proper safeguards, increased digitization in developing countries may provide new breeding grounds for organized crime, terrorism, and other digital-related threats  that ultimately undermine development efforts.

Understanding the specific cybersecurity risks these countries face is critical in this context. Developing local institutional, governance, legal, and workforce capacity is more crucial than ever to harness and manage their digital transformation, mitigate related risks, and will enable these countries to develop more resilient economies and societies. This calls for the broader development community to elevate cybersecurity as a first-order strategic and operational priority in all development programs and carefully evaluate cyber/digital risks throughout their programming lifecycle, from a project’s identification to its design, appraisal, and implementation.

Organizations working in this space must also recognize that ICTs are commodities rather than long-term capital assets — meaning they must be replaced every 5-7 years.  This means all development projects using digital technologies must factor in the ongoing cost of ICT support, training, and systems upgrades — to ensure sustainable and resilient services, infrastructures, and ultimately development outcomes. To achieve their desired economic future, recipient countries must also provide funds for the continuity of digital projects, equipment upgrades, workforce training, and retention into their national budget.  

These recommendations are underpinned by an extensive study we conducted to identify key challenges and benefits of incorporating cybersecurity, cyber resilience, and cyber capacity building into digital investments and the broader development agenda. Our report, “Integrating Cyber Capacity Building into the Digital Development Agenda,” concluded that international development organizations and donors must recognize the digital vulnerability of every modern infrastructure project and development assistance program and mainstream cybersecurity and cyber resilience into all development projects —  including sectoral projects not strictly digital (for example, health, energy, transport).

To address this shortfall and protect their digital investments, they must build cybersecurity de-risking mechanisms to identify and mitigate the cybersecurity/technology-related risks in their digital development projects — much like the mandatory environmental and social safeguards that are the linchpins of infrastructure, health, energy, and transportation projects.

Following the release of our report, we organized an event that included speakers from World Bank, USAID, and the European Bank for Reconstruction and Development. It focused on catalyzing action across multilateral development banks, national and international development organizations, and other large donors to prioritize cybersecurity and cyber resilience as cross-cutting issues in the global development agenda. The session provided an important opportunity to hear how these respective organizations are integrating cybersecurity considerations, resources, responsibilities, and management tools into their development projects and building safeguards into their procurement, assistance, or investments operations to mitigate cyber harms.

This blog is based on the key findings and recommendations from the report “Integrating Cyber Capacity Building into the Digital Development Agenda,” commissioned by the Global Forum for Cyber Expertise (GFCE) with the financial support of the World Bank’s Digital Development Partnership. Download it here.

Previously posted at :