Visa’s Vice Chairman of Risk and Public Policy, Ellen Richey, shares her thoughts on the role of public policy in supporting innovation and security technology. Read her full opinion piece below:
Klaus Schwab, World Economic Forum Founder and Executive Chairman, has aptly described the digital transformation of commerce as a new industrial revolution. As stakeholders in the future of the global economy, business leaders, government officials and citizens are asking if this digital revolution requires new regulatory approaches to identity and security. In many countries, policy-makers are questioning whether the private sector can be trusted to safeguard consumer data. To answer that question, it is important to first consider the role of public policy in fostering the innovations that power the digital economy.
When it comes to innovation, the impact of government is difficult to measure. The popular history of the technology industry abounds with tales of rival entrepreneurs battling for market share and of disruptors challenging incumbents. In these “Clash of the Titans” or “David and Goliath” narratives, the role of the public sector in providing an enabling policy environment is scarcely mentioned, giving rise to the inaccurate perception that public policy is a non-factor. But if the government had intervened early on in favour of one technology rather than allowing competition to play out in the marketplace, many innovations might never have occurred.
Public-private partnership and continuous innovation in security technology are society’s best defence against cybercrime. Governments play an indispensable role. Vigorous enforcement of the laws that protect public and private networks from cybercriminals can deter most would-be hackers from attacking email accounts, financial institutions, payment systems and retailers.
Recent history makes clear, however, that some bad actors cannot be deterred by criminal penalties. This is where innovation plays a vital role in keeping our defensive capabilities ahead of the cybercriminals.
One area where well-intentioned public policies can have unintended consequences for innovation in cybersecurity is by signing up to technologies that may become obsolete over time. Restraining the best of our innovators with overly restrictive policies and regulations will only hamper our ability to compete in the arms race against hackers. Rather than focusing on mandating new approaches to security, policy-makers, academics and business leaders should work together to improve cybersecurity education and support a robust pipeline of technology and professionals that can help the entire ecosystem stay ahead of cybercriminals.
Data localization is another policy area where attempts by governments to protect their citizens can backfire. Limiting cross-border data flows makes it more difficult to connect the dots to identify fraud in real time. Rather than enhancing data security, these regulations stifle innovation and prevent new security innovations from being developed or implemented.
How technological change can aid cybersecurity.
The digital ecosystem is expanding at an exponential rate. It took decades for the number of mobile devices to surpass the world’s population of 7.4 billion and now the Internet of Things is expected to reach another 20 billion connected devices in the next three years. The rapid growth of digital devices may seem like a mounting security challenge that needs to be restrained, but in many ways this growth provides an opportunity to make commerce better, easier and more secure.
In the payments industry, for example, we harness the power of data to protect consumers. Every transaction that flows through the Visa network is analysed against up to 500 data elements to determine the risk for fraud and help the card issuer decide whether to approve or decline a purchase. But as commerce becomes increasingly digital across mobile, tablet, electronics, wearables, cars and other connected devices, we need to upgrade the data pipes to be able to analyse information more complex than simple passwords. Contextual data, such as device identification, biometrics, geolocation, browsing behavior, has been made possible by the growth of connected devices. This data can be powerfully predictive of fraudulent or legitimate transactions – even more so than passwords, which can be forgotten or stolen by hackers.
Building on a foundation of security and privacy requires that we recognize this problem and correct our approach. It’s equally important to embrace innovation and invest in ways to harness the power of connected devices and intelligent data to help prevent more fraud. We must resist the pull toward overly prescriptive technologies and solutions that will be difficult to adjust and evolve as conditions quickly change. Hackers certainly aren’t limiting their options.