Wrestle with PESTLE: cybersecurity – threats in the digital age

Reading time: 19 minutes

This LCN Says is part of LawCareers.Net’s ‘Wrestle with PESTLE (WWP)’ series, which looks at various business case studies using the PESTLE technique.

Unsure what PESTLE is? Read our first WWP article, which explains the technique.  

PESTLE stands for:

• political;
• economic;
• sociological;
• technological;
• legal; and
• environmental.

This technique uses the above six external factors to analyse the impact on a business and/or industry.

Case study: cybersecurity – threats in the digital age

Digital technologies pervade every aspect of our lives. From social media to critical government infrastructure, cybersecurity is of increasingly great concern for individuals, corporations and nations. Cybersecurity threats are complex and adaptive, requiring a holistic approach to understand, mitigate and remediate. This article analyses the implications of cybersecurity on politics, the economy, society, technological advancement, the law and environment.

Political

The political implications of cybersecurity are immense, concerning core principles enshrined in international law, including state sovereignty and non-intervention. ‘Cyberspace’ has emerged as a new vector for statecraft and diplomatic relations, but also as a battleground in geopolitical rivalry. States may use these new tools to further political objectives, protect national security and assert sovereignty. However, they can also use them to interfere with the affairs and sovereignty of foreign states.

‘State sovereignty’, under the Westphalian system, refers to the absolute power held by a state over its territory, and the exclusive right to govern its own affairs without foreign interference.

Sovereignty in cyberspace also includes the digital infrastructure within the territory of the state, such as servers, networks and data. However, this depends on an individual state’s position on sovereignty. A state derives jurisdiction over its territorial digital infrastructure by applying domestic laws to govern and protect against threats that occur from cyberspace. A significant issue is that cyberspace has no ‘borders’, meaning that an interstate attack could violate another state's sovereignty without a physical intrusion.

From espionage to sabotage to direct disruption of critical infrastructure, there are many forms of statecraft being executed through cyberspace. This can affect a state’s national security and economic stability. As such, states must have both offensive and defensive cyber capabilities. Strategic cyber operations reflect a change in the geopolitical landscape, where state power is being increasingly consolidated in cyberspace. This shift necessitates a re-evaluation of traditional security paradigms and international relations theories to account for the increasingly digital dimension of statecraft.

These political complications are exacerbated by the international legal framework, or lack thereof, that regulates conduct in cyberspace. Key questions remain:

• Which principles of international law are applicable to cyber operations?
• What are the criteria for attributing cyber-attacks to states?

To an extent, the current legal ambiguity and inconsistency gives strategic advantage to adversarial states, and concomitant uncertainty and threats to other potential target states. The United Nations Group of Governmental Experts is seeking consensus on responsible state behaviour in cyberspace. In seeking balance between state sovereignty and maintaining peace, these efforts underscore the need for diplomacy and international law to deal with political cybersecurity threats.

The 2007 Estonia cyber-attack serves as a seminal case for understanding the political impact of cybersecurity. Causing widespread disruption, this cyber-attack affected government, financial and media networks, crippling key infrastructure and showcasing the vulnerabilities that can be present in a highly digitalised society. This cyber operation was believed to be in response to political disagreements over the relocation of a Soviet-era monument. This event marked a significant escalation in cyber operations against a sovereign nation and underscored the potential for such attacks to serve as tools of geopolitical strategy and influence. By targeting critical infrastructure, cyber operations can be leveraged to achieve political objectives, disrupt societal functions and exert pressure on government decisions.

Economical

Cybersecurity threats have clear economic implications, reaching beyond the cost of reacting and repairing. They have much wider economic impacts, including disruption of critical infrastructure, loss of intellectual property, damage to businesses and erosion of consumer trust. These can have cascading, long-reaching effects on domestic and global markets, and overall economic stability.

Direct financial losses may be the most obvious economic concern for cybersecurity. These include remediation costs, legal fees and regulatory fines. This could also include lost data or lost sales, although these can be harder to quantify. Regulations such as the GDPR, which impose strict data protection requirements and hefty penalties in case of failure, bring to light the monetary risk of cybersecurity and data protection, and represent an enormous regulatory investment in cybersecurity, privacy and data protection.

Beyond direct economic loss, cyber threats pose systemic risks to critical infrastructure sectors, including financial markets, energy, transport and healthcare. Disruption in these sectors can lead to further spillover effects on economic growth and social welfare. For instance, cyber operations can affect confidence in the banking system and compromise financial transactions, resulting in broader economic instability. Attacks on energy infrastructure could cripple other sectors and industries, thus affecting productivity, growth and welfare. There are also issues concerning corporate espionage and IP theft, again undermining growth and innovation. Such cyber-attacks may affect commercial competition and be to the detriment of domestic trade. This could impact commerce not only on a national level, but also on a global scale, with domestic industries being unable to compete with foreign competition.

Cybersecurity has further implications on the labour market, with the cybersecurity sector itself requiring rapid growth in the face of escalated threats. The demand for cybersecurity professionals far outstrips supply, and the industry must continue to invest in education and training to develop a workforce capable of dealing with cybersecurity threats. This skill deficit reflects larger economic issues, including the need for innovation and the development of cybersecurity solutions that can protect digital assets while supporting economic growth.

These economic concerns are closely tied to increasingly digital economics. While digitisation of the economy and government can offer benefits to efficiency and functionality, it also potentiates unprecedented damage. A growing reliance on cyberinfrastructure increases vulnerabilities, multiplying the potential economic fallout from cyber-attacks. Therefore, cybersecurity is an indispensable component of economic policy and national security strategy.

The NotPetya cyber-attack in 2017 exemplifies the profound economic threats posed by cybersecurity vulnerabilities. This malware, masquerading as the existing Petya ransomware but primarily designed to disrupt, initially targeted Ukrainian infrastructure and then went international, affecting companies and organisations worldwide. This cyber operation was likely politically motivated (due to the apparent lack of any direct financial gain to the attackers) with intent to cause economic damage, with estimated global losses of more than US$10 billion.

Social

Digital threats and accompanying cybersecurity measures affect society and human behaviour in a range of ways, including impacts to general cultural and social cohesion, public trust, data privacy and social interaction. With digital technologies percolating our lives, the sociological impact of cybersecurity is very much relevant, and appropriate safeguards should be in place not only for the technical infrastructure, but also for society.

The erosion of trust − in institutions, digital platforms and online − is perhaps the most significant sociological aspect of cybersecurity. Data breaches and cyberattacks can damage the public’s confidence in an organisation's capability to handle personal and sensitive information. This can alter consumer behaviours and sometimes lead to disengagement from the digital domain. This decline in trust eventually spreads beyond individual organisations to erode faith in the digital economy − affecting e-commerce, online banking and other activities that rely on secure digital transactions.

Furthermore, cybersecurity threats pose significant threats to privacy. Collection, storage and the potential for exposure of personal data raises questions about privacy in the digital age. Individuals are increasingly conscious of their digital footprint, and the risk of access or misuse of this by others. This concern directly impacts social norms regarding privacy, data and online social etiquette. This prompts a re-evaluation of these norms in terms of what we consider appropriate behaviour on and offline. The GDPR is a regulatory solution to these privacy concerns, giving users back the reins to their data. However, the social impact of such regulations may cause a cultural change towards prioritising data protection and a broader discourse on the value of privacy in a connected world.

Another significant sociological issue in cybersecurity is digital inequality − disproportionate differences in access to digital technology and cybersecurity resources. These differences may exacerbate existing social inequalities, creating new digital cracks for people to fall through with regards to protections online. There may also be gaps in knowledge about cybersecurity risks and threat prevention. Cybersecurity efforts should therefore consider issues of access, education and inclusiveness, embracing all segments of society and assisting safe navigation in cyberspace.

Broadly speaking, the sociological dimension of cybersecurity intersects with societal resilience and adaptation. Communities, organisations and society generally will continue to face pressure to develop and conform to new norms, behaviours and policies, reflecting the need for security in the digital age. This adaptation, however, isn’t frictionless − it necessitates a balance between security and freedom; innovation and regulation; and individual rights and collective needs.

The 2014 Facebook-Cambridge Analytica data scandal is a prime example of this erosion of public trust in digital platforms. This involved the collection of personally identifiable data of up to 87 million Facebook users. Harvested without user consent by Cambridge Analytica (a political consulting firm), this data was then reportedly used to influence voter opinion on behalf of political clients, including the 2016 US presidential election and the Brexit referendum. This breach raised significant concerns over privacy, data protection and the influence of social media on democracy, highlighting the challenges in data protection and the danger data breaches present to society and individuals. However, it’s been noted that very few users chose to ditch Facebook after the scandal. Academics have noted that users find online privacy to be confusing, and often don’t understand:

• how their data is used;
• the risks of data inferences from others in their network; or
• the potential risks from similar scandals in the future.

You might like to read further on this from Hinds et al, 2020, “It wouldn't happen to me”: Privacy concerns and perspectives following the Cambridge Analytica scandal.

Technological

Technology moves quickly, and this is no different for cybersecurity. With cybersecurity measures constantly being tested by new kinds of cyber-attacks, new protections will always be needed to thwart new problems. This makes cybersecurity a dynamic industry with lots of growth potential.

An increasingly large component of these cybersecurity developments is in the arena of artificial intelligence (AI) and machine learning. These new technologies make it feasible to analyse huge swathes of data in a relatively short span of time to detect patterns and anomalies that may indicate cyber threats. This analytical capability can significantly improve real-time threat detection, potentially acting fully autonomously in response to security incidents, thus reducing the window of vulnerability. On the other hand, cyber attackers are using the same technologies to enable more expedient and sophisticated attacks − for example, large-scale AI-based phishing scams that can mimic legitimate human communications more credibly.

Quantum computing is another technology creating a tremendous shift for cybersecurity. Compared to ‘conventional’ computing, ‘quantum computers’ may enable significantly more advanced cryptographic algorithms. This technology could improve the safeguarding of digital communications and data storage. However, the development of quantum computers could also exponentially increase the speed at which encryption keys can be cracked. This technology is still in its infancy, as it’s largely theoretical and yet to be demonstrated. However, development is gaining momentum, giving rise to the ‘quantum race’. This race underlines a need for proactive cryptographic research to combat potential future quantum threats.

Blockchain technology, perhaps best known for its connection to cryptocurrencies like Bitcoin, provides a framework for an open-source, immutable, tamper-evident ‘distributed ledger’ system, protecting and facilitating secure transactions and encrypted data storage. Blockchain can effectively mitigate issues posed by centralised points of failure (eg, data breaches or the collapse of a single controlling entity) by introducing better transparency for transactions. These applications range from financial services to supply chain management, or any other application where security is paramount, such as storage of healthcare data or protection of IP rights. However, the security of these applications isn’t absolute. A smart contract code or even the blockchain protocol can be rewritten, and it still can be vulnerable. The existing human element − coding, updating and user interaction − presents some vulnerabilities.

The proliferation of internet of things (IoT) devices has increased the interconnectedness of digital systems, allowing smoother integration and new interactions between physical household devices and cyberspace, providing new conveniences and services to users. However, you may be noticing a pattern here, this can open up many new avenues for potential cyber threats. A significant issue with many IoT devices is a total lack of built-in security features and, when these features are present, the security offered is typically low. Cybersecurity organisations and regulators should focus efforts on standardising development practices and introducing robust security protocols for IoT devices.

Although it promises high-speed connectivity with support for many IoT devices − opening doors for new applications and services and potentially revolutionising several industries − 5G technology also introduces some new security challenges. The increased bandwidth and decreased latency of 5G networks could facilitate unprecedented cyberattacks, such as large-scale distributed denial of service (DDoS) attacks. This prompts discussions over stricter security measures and stronger encryption methods; implementation of detection systems to detect anomalous activity; and a need for more advanced management and oversight for these networks, perhaps even international cooperation to oversee networks.

The security of cloud environments is another area of concern, as organisations and individual users increasingly conduct their work and store data on the cloud. Cloud storage and other cloud computing services typically offer users potentially unparalleled levels of accessibility, ease of use and integrations throughout their workflow. Cloud services are, however, common targets of DDoS attacks, data breaches and ransomware, leaving users open to loss of important data, corporate espionage and other damages. Cybersecurity can attempt to address these concerns through measures like stricter user privileges and authentication within organisations, better encryption and password management, robust back-up strategies and automated monitoring of traffic to the service. As with the other issues addressed, these approaches and defences need to adapt rapidly, often hour-to-hour.

For an example of this issue, see the 2009 Stuxnet Worm attack. Described as the “first cyber weapon” with a mere 500KB file size, this ‘worm’ targeted Iranian nuclear facilities and affected centrifuges in a uranium enrichment plant. While initial attributed damages began in June 2009, the worm wasn’t uncovered until 2010. Cybersecurity analysts determined that it’d been hidden, lying dormant inside the facility’s computer infrastructure, for some years prior to the incident. From this case we can see that sophisticated cyber-attacks can translate into real and serious physical consequences. This case highlights the ongoing arms race to address the potential physical (or ‘kinetic’) effects of cybersecurity threats.

Legal

Cyberspace is beginning to see a growing body of international laws, domestic regulation and non-binding guidelines that aim to address the manifold challenges posed by digital threats in a connected world. Such legal solutions seek to protect individuals, organisations and states from cyber threats, while upholding respect for privacy, data protection and state sovereignty. This crystallises a need for a nuanced approach: legislators must understand the effect of existing legal principles and adopt new laws and international norms to contend with these novel cybersecurity issues.

An area of ongoing debate is the application of international law to cyber operations among states, legal scholars and policymakers. Key questions revolve around the applicability of principles of state sovereignty, non-intervention to state conduct in cyberspace. For example, if a state’s critical infrastructure has been disrupted by a cyber operation, is it a violation of the principle of non-intervention or the prohibition of the use of force, as provided in the Charter of the United Nations? It's these issues to which scholarly attempts seek to address − even if they don’t legally bind states directly.

On a national level, various jurisdictions have developed a patchwork of laws and regulations that aim to increase cybersecurity domestically. These typically focus on issues such as:

• preventing cybercrime;
• securing critical cyber infrastructure;
• protecting data; and
• upholding the right to privacy.

The GDPR sets a high standard for data protection within the EU and has influenced similar regimes in non-EU nations. The high standard and broad scope of the regulation has led to many organisations and industries, whether EU-based or otherwise, voluntarily adopting the GDPR as their standard. Similarly, the US applies a range of sector-specific laws, such as the Health Insurance Portability and Accountability Act for the healthcare industry, alongside attempts to improve critical infrastructure in cybersecurity frameworks, like the NIST Cybersecurity Framework.

The protection of personal data and privacy in cyberspace has emerged as a paramount legal concern in terms of individuals’ rights, organisations’ responsibilities and state sovereignty. Regulations such as the GDPR and other national data protection laws aim not only to protect personal data from unauthorised access and breaches, but also to empower individuals with certain rights over their data, including the rights of access, rectification, erasure and portability. These provisions can create a dichotomy between security measures necessitating collection and storage of data and users’ privacy.

Cybersecurity legislation also looks at the criminal aspects of cyberspace, with cybercrime laws addressing hacking, identity theft, distribution of malware and cyber fraud. These laws provide a framework for the investigation and prosecution of cybercrimes. The increasingly transnational nature of cybercrime poses significant challenges in law enforcement, as legally addressing cross-border attacks typically requires international cooperation, and the lack of legal harmonisation presents further obstacles to justice. Cybercrime law may facilitate cross-border cooperation, through instruments such as mutual legal assistance treaties and other international agreements.

Cybersecurity legislation must also consider issues of ethics and human rights − perhaps most obviously those of state surveillance, media censorship and freedom of speech online. As already noted, a delicate balance must be struck between national security interests and individual human rights, with legal frameworks safeguarding against abuse while facilitating legitimate security measures. International human rights law, through instruments like the United Nations General Assembly’s International Covenant on Civil and Political Rights, helps to provide a normative basis for ensuring cybersecurity measures respect human rights in cyberspace.

A key case, especially pertinent to the considered issues of data protection and privacy, is Data Protection Commissioner v Facebook Ireland and Maximillian Schrems 2020. Schrems, an Austrian privacy activist, argued that the US didn’t offer adequate protection, for the EU to US transfer of his data by Facebook, against surveillance from US intelligence agencies. As a result of this case, the Court of Justice of the European Union invalidated the Privacy Shield agreement between the EU and US. The Schrems II judgment is one of the most significant contemporary cases in this area of the law, highlighting the need for robust cybersecurity and data protection measures by services.

Environmental

Last but not least, we consider the environmental factors of cybersecurity. This is an emerging area of concern, regarding digital technologies and their material impacts on the planet. This concern arises from the energy use in data centres, the lifecycle of digital devices and the broader implications of our increasing reliance on cyber infrastructure, and a concomitant need for cybersecurity. As the physical world and cyberspace come together, the greater the potential environmental impact of cybersecurity grows.

Much of the environmental impact of cybersecurity stems from the tremendous energy costs in powering and appropriately cooling the data centres that store, manage and protect huge amounts of data. These systems operate around the clock to provide functionality to cyber infrastructure. Cybersecurity measures, particularly those involving continuous monitoring, data analysis and the use of advanced algorithms for threat detection, contribute to the overall energy consumption. As the volume of data and the complexity of threats increase, so does the need for more powerful computing resources, exacerbating the energy demands and, consequently, the carbon footprint of digital operations.

In assessing the environmental impact of cybersecurity, we must also consider the lifecycle of hardware used in cyber defence systems, including servers, network devices and end-user computers. Manufacturing these devices requires significant amounts of raw materials and energy. In addition, they often have a limited lifespan due to technological obsolescence or wear and tear over time. The disposal of electronic waste also poses a significant environmental challenge, as improper waste management can lead to the release of toxic materials into the environment. Developing more sustainable practices for the manufacture, use and disposal of cybersecurity hardware is crucial for minimising the environmental impact.

There’s a growing movement towards ‘green cybersecurity’ practices, aiming to reduce the environmental impact of cybersecurity. This includes adoption of energy-efficient technologies, development of green data centres operating on renewable energy sources and the implementation of hardware recycling programmes. Virtualisation technologies can also reduce the need for physical devices, while cloud-based cybersecurity services, despite their high-power needs, can optimise resource utilisation through shared infrastructure.

Policy considerations − including regulations, incentives, and initiatives from governments and international organisations − should take the first step in stimulating green cybersecurity and achieving a reduction in the carbon footprint of the digital economy. This will require close collaboration with the cybersecurity industry, environmental experts and policymakers to ensure security needs are met, while balancing environmental sustainability.

While data centres are vitally important for cloud computing and cybersecurity infrastructure, they’re among the largest power consumers in cyberspace due to their non-stop operation and cooling requirements. In response, initiatives like Google's investments in renewable energy sources and energy-efficient technologies demonstrate a commitment to reducing the environmental impact. Similar goals are being pursued by Amazon Web Services and Microsoft.

Conclusion

With borders between physical and digital infrastructures, and services becoming increasingly unclear, the need for solid cybersecurity grows. The various implications of cyber threats and the cybersecurity responses, as examined through this PESTLE analysis, indicate the significance of cybersecurity to various sectors of society, economy and governance. From the political challenges of digital sovereignty to economic disruptions catalysed by cyber incidents, the scope of cybersecurity is vast. While cyberspace offers tremendous new opportunities and solutions, it's not without problems, bringing with it new threats to privacy, social cohesion and communication. While ever-changing legal frameworks attempt to grapple with cybersecurity threats, balancing the dichotomy between protection and privacy, freedom of speech and freedom of information poses a serious challenge. Ensuring the security of rights in the digital space requires a delicate balance and precise scrutiny. Cybersecurity isn’t without environmental considerations − attempts to secure the digital world shouldn’t be at a disproportionate detriment to the physical world.

These challenges are such that any meaningful cybersecurity strategy must adopt a holistic approach − one that not only encompasses the technical and legal solutions it demands, but also considers societal engagement, economic resilience, political cooperation and environmental stewardship. Cybersecurity isn’t just a technical problem; it includes broader considerations about the kind of digital world that we want to use. By understanding the implications outlined in this article, we can work towards a safe, resilient and just cyberspace.

John MacKenzie is a Scots law student at the University of Aberdeen.