Digital security

Digital security is essential for trust in the digital age.

The OECD has been facilitating international co-operation and developing policy analysis and recommendations in this area since the early 1990s. Our work on digital security aims to develop and promote policies that strengthen trust without inhibiting the potential of information and communication technologies (ICTs) to support innovation, competitiveness and growth.

Flyer: OECD work on digital security policy

Why “digital security” instead of “cybersecurity”?

Digital security refers to the economic and social aspects of cybersecurity, as opposed to purely technical aspects and those related to criminal law enforcement or national and international security.

The term “digital” is consistent with expressions such as digital economy, digital transformation and digital technologies. It forms a basis for constructive international dialogue between stakeholders seeking to foster trust and maximise opportunities from ICTs.

Latest releases

OECD Policy Framework on Digital Security: Cybersecurity for Prosperity
December 2022

The OECD Policy Framework on Digital Security charts the economic and social dimension of cybersecurity, highlights the OECD approach to digital security policy and equips policymakers to use OECD digital security Recommendations in developing better policies. The Framework also identifies linkages with other policy areas addressed through existing OECD standards and tools.

OECD Recommendations on digital security support stakeholders in developing digital security policies for economic and social prosperity, in line with the OECD’s mandate to help governments develop “better policies for better lives”.

Current work

Current OECD work on digital security includes three workstreams building on the findings from the first event of the Global Forum on Digital Security for Prosperity, which focused on the roles and responsibilities of actors for digital security.

Enhancing the digital security of products

From “traditional” software to cloud services and Internet of Things (IoT) devices, our economies and societies are increasingly reliant upon “smart products”, i.e. products that contain code and can connect to each other, e.g. through the Internet.

In recent years, cyber-attacks such as Mirai, WannaCry, NotPetya and SolarWinds have underlined that the exploitation of vulnerabilities in smart products can have severe economic and social consequences. Beyond financial losses and reputational damages, these attacks increasingly impact users’ safety and can threaten human lives.

New OECD work in this area shows that economic factors play an important role in the relative “insecurity” of smart products.

In “Understanding the digital security of products: an in-depth analysis”, we provide an analytical framework based on the value chain and lifecycle of smart products, and apply it to three case studies: computers and smartphones, consumer Internet of Things (IoT) devices, and cloud services. The analysis shows that complex and opaque value chains lead to a misallocation of responsibility for digital security risk management, while significant information asymmetries and externalities often limit stakeholders’ ability to behave optimally.

In “Enhancing the digital security of products: a policy discussion”, we explore how policy makers can address the key economic challenges that prevent smart products from reaching an optimal level of digital security. Increasing transparency and information sharing, promoting co-operation (including at the international level), and ensuring the duty of care of supply-side actors (e.g. through the principles of security-by-design, security-by-default and responsible end-of-life) are important avenues for policy action. Many policy tools can be leveraged to achieve these objectives, from public procurement, certification and multi-stakeholder partnerships, to labels, liability law and ex ante legal requirements.

This work builds upon the OECD Recommendation on digital security risk management for economic and social prosperity. The findings from the two reports are informing the development of a new OECD Recommendation in this area.

Policy brief: Smart policies for smart products. A policy maker’s guide to enhancing the digital security of products

Encouraging vulnerability treatment

Most digital security incidents are caused by malicious actors (e.g. cybercriminals and state-sponsored groups) exploiting vulnerabilities in organisations’ digital ecosystems.

The OECD has explored how policy makers can help address cybersecurity vulnerabilities in:

  • Code vulnerabilities, i.e. vulnerabilities in software and firmware such as “zero-days”;
  • System vulnerabilities, i.e. misconfigurations of information systems and lack of patching.

OECD analysis shows that:

  • Over the last few years, the cybersecurity technical community has progressed in developing good practice for treating vulnerabilities, such as co-ordinated vulnerability disclosure (CVD), vulnerability disclosure policies, and bug bounties.
  • Economic and social challenges prevent stakeholders from adopting such good practice, including a lack of awareness and co-operation, limited market incentives, legal barriers, limited trust in government, and a lack of resources and skills.
  • Policy makers can play a decisive role. Removing obstacles and encouraging vulnerability treatment could significantly reduce digital security risk for all.
  • Governments need to take action, including to change the culture related to vulnerabilities, lead by example, and remove obstacles such as imperfect legal frameworks that create risk for “ethical hackers”.

Reports


This work builds upon the OECD Recommendation on digital security risk management for economic and social prosperity. The findings will inform the development of a new OECD Recommendation in this area.

Policy brief: Encouraging vulnerability treatment. How policy makers can help address digital security vulnerabilities

Responsible response: Clarifying the scope of businesses’ action in response to an attack

What should be the limits of businesses’ action in response to a digital security attack? Should they, for example, be allowed to counterattack, i.e. take action targeting the attacker? Or should they only block the attacks they detect?

While there seems to be a general recognition that businesses should not be allowed to counterattack, some security measures which do not fall in that category can go beyond just stopping the attacker (so-called “grey zone”). It is important to understand what these measures might be and assess whether they would be acceptable or should be banned, or perhaps regulated.

This workstream aims at ensuring that businesses can use the widest spectrum of security measures to protect their economic and social activities without creating risks for others.

Objectives

  • Explore whether governments should ban counterattack by businesses
  • Develop a methodology to assess the acceptability of security measures’ categories from a public policy perspective
  • Foster an international dialogue in this area


The work is supported by an informal multistakeholder advisory group, including experts from governments, businesses, civil society, the technical community and academia.

OECD Recommendations on digital security

These legal instruments provide international standards in the area of digital security policy.

Other work and reports

Policy responses to COVID-19


Measuring digital security

The OECD has developed several reports on digital security measurement, including a framework and a set of statistical indicators that can be used to assess the digital security risk management practices of businesses as well as guidance to improve the international comparability of computer security incident response team (CSIRT) statistics.


Enhancing trust in Brazil's digital economy

This chapter of the 2020 report Going Digital in Brazil includes an overview and analysis of Brazil’s digital security policies, as well as recommendations in this area.


Digital security policy in Sweden

This chapter in OECD Reviews of Digital Transformation: Going Digital in Sweden provides an overarching description and analysis of digital security policy in the country. Sweden’s 2017 National Cybersecurity Strategy aims to better integrate digital security policy within the broader digital transformation agenda and marks a positive turning point towards a more holistic approach to digital security.


National cybersecurity strategies

This 2012 report analysed the latest generation of national cybersecurity strategies in ten countries and identified commonalities and differences.

The full text of the contribution of non-governmental stakeholders to this work is also available.


Malware and botnets


Digital identity and electronic authentication


Enhancing the digital security of critical activities, Going Digital Toolkit policy note (2021)

Managing digital security and privacy risk, background report for the OECD Ministerial on the Digital Economy (2016)


Global Forum on Digital Security for Prosperity

The OECD Global Forum on Digital Security for Prosperity holds international thematic events gathering policy makers and experts from all stakeholder groups.

Outputs from these discussions influence international public policy discussions and can lead to the development of analytical work, principles and international policy recommendations, both at the OECD and in other international fora.

Working Party on Security in the Digital Economy

OECD work on digital security is carried out by the Working Party on Security in the Digital Economy (SDE), which reports to the OECD Committee on Digital Economy Policy (CDEP). The SDE develops and promotes evidence-based policies that strengthen security in the digital economy without inhibiting the benefits of digital transformation, with a particular focus on the management of digital security risks to economic and social activities, including critical ones, and on the improvement of security in digital products and services. The SDE works in co-operation with CDEP’s Working Party on Data Governance and Privacy (DGP) and other OECD bodies.