Let’s adequately fund cybersecurity nonprofits. The internet depends on it.

The entities responsible for protecting the internet itself and the most vulnerable in society are in trouble.

OPINION By PHILIP REITINGER

Ask most people what organizations make up the internet, and they’ll likely say Apple, Google or Microsoft. But Big Tech is only part of the web. There’s a vast network of nonprofits and nongovernmental organizations that occupy massive chunks of valuable digital real estate. They are vital to the internet, upholding standards that make technology interoperable and creating the open-source code and tools to streamline operations, improve efficiency and enhance reliability. It’s an ecosystem purpose-built to protect the internet.

Yet these nonprofits and NGOs are taken for granted and underfunded, leaving them under-resourced to adequately protect others online. This exposes the entire internet — even the world’s biggest corporations — to enormous risk. That’s why it’s critical to rethink how we fund these nonprofits that work to secure the internet. Adequate funding in this space would also give many tech nonprofits the ability to scale new and innovative tools that would benefit and help protect the web.

Many will agree with this sentiment, but good intentions aren’t enough. Shoring up support for nonprofits will require a fundamental shift in how we support and fund the organizations doing the hard work to secure everyone online. This requires the attention of private philanthropy, the current White House and the administration that follows, other governments around the world, congressional and state lawmakers and the private sector to consider the global risks of digital insecurity and new avenues for funding.

There are critical gaps that need immediate attention. No single entity is responsible for cybersecurity or in a position to fundamentally address the growing number of online threats that proliferate daily. Unlike road systems, for example, nobody knows who is responsible for fixing a “pothole” on the internet. Even more difficult, the most significant online problems require solutions much more complex than patching the street. For instance, ransomware is a scourge that requires multiple interrelated and structural changes to effectively prevent. As a result, despite the deadly risks of ransomware hitting a hospital, causing financial losses or threatening the availability of essential services, limited progress or investment has been made toward cybersecurity for everyone. Nobody is responsible because everybody is responsible.

Furthermore, entities responsible for protecting the most vulnerable in society are among the least able to protect themselves. Charities that feed the hungry and treat the sick, and even small hospitals in developed countries, face massive risks. Small businesses offer key local services everywhere and remain the majority of the economy in many nations but are among the most prominent victims of developing threats. These organizations are below the “Security Poverty Line,” to quote Wendy Nather. They lack either the knowledge to mitigate cyberattacks or the funds to pay for preventative security.

Most everyone responds in the same inadequate way. To mitigate risks, individuals and businesses invest only in securing themselves. That’s expensive and doesn’t address an insecure internet. Instead, we need an ecosystem-wide approach that focuses on tools, services and platforms that work at scale, protecting the entire web and vulnerable groups.

Imagine for a moment if this were the most common approach for a small business. It uses code from open-source libraries such as Log4j or Django to create its products faster and cheaper. The staff uses open-source LibreOffice software to keep operating costs down. This business uses Quad9 as its recursive DNS resolver to block malicious websites and prevent threats such as malware that could cost the company millions. Its websites are encrypted with Let’s Encrypt certificates, and it gets free reports from The Shadowserver Foundation to understand and fix network vulnerabilities. These projects are built to be easy to use, even for a small business with limited IT resources, are designed to be secure without user action and can rely on a fundamentally secure ecosystem. Sounds pretty good, right?

Many of the tools on which this small business relies are run or supported by nonprofits. Hundreds of nonprofits maintain critical cyber functions for the good of the internet and all its users, including the most vulnerable and under-resourced in our society. They are not household names, but they are vital to a safe and functioning internet. They are often run by skeleton crews and volunteers, with razor-thin budgets that rely on donations, grants, sponsorships, and other short-term funding, all of which could be pulled at any time. Large companies also depend on these same sorts of public interest tools.

It’s a fragile model — and it needs help from governments, companies and others who use the internet. Communities once came together to accomplish work that was impossible to do alone – one farmer could not build a barn, but the community of farmers could in a day. Cybersecurity shouldn’t be any different. It involves complex problems that require the whole community to do their part to solve. But such communities need assistance to advance their common good.

There are initiatives trying to help. Common Good Cyber is one that was formed by the Global Cyber Alliance and led by seven organizations to drive collective and sustained action to support nonprofits that deliver cybersecurity tools, services and platforms that work at scale. 

Safeguarding the internet is a shared responsibility that transcends geographical and sectoral boundaries. Common Good Cyber can’t do this alone. The security of all of us depends on the security of any of us.

We must come together — individuals, businesses, governments and philanthropists — to provide sustainable funding and resources for nonprofit cybersecurity initiatives. By investing in these groups, we invest in the safety and stability of the entire internet. We are rallying global leaders, cyber defenders and philanthropies to pledge and endorse the creation of a fund for cybersecurity as a common good. Together, we can build a safer internet for everyone.


Philip Reitinger is the president and CEO of the Global Cyber Alliance, an international nonprofit organization focused on delivering a secure and trustworthy internet for everyone.