Governments need to agree on cyber security realities and priorities, and move towards more effective regulation, legislation and law enforcement to enable tech interoperability for business
The world is at a critical crossroad when it comes to the impact of cyber attacks on everyday life, according to Sean Kanuck, director of the International Institute for Strategic Studies (IISS).
“Cyber operations are increasingly being used to achieve traditional political, economic and criminal ends,” he told the CyberSec European Cybersecurity Forum in Krakow.
Kanuck warned that, at the same time, researchers are seeing the evolution of data integrity attacks and that the challenges of global interoperability are not limited to technical issues.
“We have found commercial solutions to those, but we are increasingly seeing obstacles through governmental, political and economic regulation to global interoperability – meaning that the issue is becoming one of state craft and public policy, more than simply technological challenges.
“And we are seeing the extensive reassertion of sovereignty in this area, and the real conflict and competition is increasingly over the value of the information itself,” he said.
Five cyber attack trends
According to Kanuck, there are five strategic trends that are “changing this ecosystem” of cyber conflict and cyber crime.
First, he said, nation sates are intentionally operating below the threshold of armed attack to prevent military responses.
“We see them achieving coercive, political objectives that leave victims uncertain how to respond or even whether or not to publicly declare who they know perpetrated it against them because a public declaration with a failure to take response action only undermines your own strategic deterrent capability,” said Kanuck.
Second, he said, industry is increasingly a focal point, with private sector companies not only developing the technologies, but sometimes seeing those technologies become the enablers for attacks against them.
“Those companies are finding themselves becoming the target of nation-state, criminal or ideologically motivated hacking efforts. We have seen Microsoft comment on the exploitation of its software code and even enter the discussion about appropriate norms of behaviour and propose a digital Geneva Convention – corporate leaders talking of what is a traditional political space,” he said.
“We have also seen public-private partnerships being suggested or pursued to deal with attacks against the healthcare sector, or even talking about the nascent cyber insurance sector as a possible solution for driving corporate best practices and supporting regulation.”
Third, Kanuck said perhaps the most disturbing is what is happening in the development of infrastructure from a security perspective.
“Increasing horizontal and vertical integration in our just-in-time economies leaves very little redundancy, which means we are creating single points of failure with few backups and alternatives if those primary systems are compromised.
“As we shift to the internet of things [IoT], supported by artificial intelligence [AI] algorithms, our infrastructure is going to remain insecure, the operative nodes are going to be decentralised in the hands of individual users: small and medium-sized businesses and other entities which may not have leading cyber security expertise to be able to deal with critical, persistent threats and sophisticated actors,” he said.
As a result, Kanuck said automated systems would be communicating bi-directionally with the infrastructure – such as the electric grid – with lower resiliency if those information flows were compromised by a cyber attack. “We are also facing higher volatility [because of] uncertainty of the magnitude of the possible changes.”
Compounding that, he said, is the fourth trend, which is that attacks are increasingly being carried out indirectly. “In many cases, if attackers cannot reach the desired goal, they will compromise another entity that provides access to it through a trusted business relationship, for example.”
And finally, Kanuck said researchers are increasingly seeing the content or the accuracy of the data itself becoming the target.
“This is incredibly nefarious, because half the problem in cyber security is knowing that you have a problem,” he said. “If you do not have a breach that affects availability, yet compromises the integrity, how long will it be before you appreciate that penetration?”
This problem is potentially compounded if organisations back up their data before they discover a data integrity attack, said Kanuck, because an organisation’s backups and tertiary backups may be compromised before they find out about the breach that caused the compromise.
While some nation states meddle in other countries’ elections for decades, what is new, he said, is that the “scale, the scope and the near costlessness with which it can be perpetrated through social media platforms or other technologies creates such a quantitative imbalance that it takes on a qualitative influence”.
Focus on real news and real crime
In addition to “fake news”, Kanuck said 2017 has also seen “fake crime”, alluding to the global WannaCry attack.
“The story of WannaCry is like a Hollywood thriller: US spy agency figures out exploit to one of world’s largest software companies; North Korea re-purposes, and British healthcare system brought down,” he said.
“Think about the complexity and the magnitude of what we are discussing, and I offer that this is just the beginning of a masquerading hall of mirrors of criminals pretending to be governments, governments pretending to be criminals, and everything in between.”
The antidote to all this, said Kanuck, is to have more conversations about the “real news” and the “real crime” that needs attention.
In addition, he said the evolution of data between different regions and jurisdictions is “critical” to business: “We need to find ways to be interoperable while following the law in all jurisdictions, and governments are going to need to work together to find ways to make that seamless and efficient.”
However, Kanuck said the reality right now is that UN governmental experts have so far failed to reach consensus on this issue. “There is not a commonality of appreciation and understanding at the political level around the world,” he said.
In closing, Kanuck said: “If we realise that actors’ actions are influenced by their own interest and incentives, it tells us about the important role of regulation and effective law enforcement in both deterring action and incentivising desired behaviours.”