A huge proliferation of devices, increased use of technology and a change in our working patterns resulting from the COVID-19 pandemic are just some of the factors behind increases in cyberattacks. Panelists debated these factors, the risks and challenges we face, how to counter threats and safeguard ourselves, and the complex regulation governing cybersecurity, during an informative session ably moderated by Jason Harle, Senior Manager, Cyber Risk, Deloitte.
What’s behind the increase in cyberattacks?
One key driver is the rapid increase in numbers of devices. These are being deployed at speed, and without necessarily following a due thought process in terms of security, according to Martin Yates, Chief Technology Officer, Global Digital Cities, Dell Technologies, Singapore. With some 80bn connected devices expected by 2025, the potential for attack is growing, and the challenge going forward will be protecting this “diversity of devices.”
For Amanda Craig, Director, Cybersecurity Policy, Microsoft, it’s also a question of technology. Alongside a rapid growth in devices is a widespread adoption of new data-generating technologies, such as IoT, being used together with existing legacy technology, which may not be prepared for today’s technology landscape. Critical functions are increasingly being carried out online, she explained, adding to potential attack targets. Nevertheless, despite an increased awareness amongst global governments of potential cyberthreats, plus more strategies to combat them, criminal groups are also rapidly evolving to harness the landscape around them, including the ongoing COVID-19 pandemic, for targeting new attacks.
For Leonard Sim, Head of Presales APAC, Kaspersky, a mix of increasingly sophisticated threats, coupled with the shift in working patterns, has helped increase the number of attacks. As companies hastened to focus on the usability of technology in order to facilitate remote working, security was often overlooked, he explained. Increased phishing attacks have capitalized on the pandemic, providing false links to COVID-19 information or sending fake instructions for workers to share credentials. In the workplace, most users work with a “perimeter built around the organization to safeguard its security,” noted Americo Muchanga, Chairman, Communications Regulator Authority of Mozambique (INCM), Mozambique, which may not be there in a remote environment. Mindsets towards security still need to be changed, however. In most cases, he explained, security is not seen as an investment; indeed, most users only remember security issues when there is a problem. Security must be addressed in a proper way; if not, “we could kill the advantage the digital space brings to all of us.” Security threat awareness also needs to be increased among users, he added.
Risks and challenges as we expand into cyberspace
As companies employ more and more digital tools and every device produces more data, there is a risk of overload. Some companies still operate in a silo system, leaving them unable to deal with a threat in a systemic way, explained Edward Lim, McAfee Enterprise Technology Specialist, McAfee, Singapore. At the same time, as processes are put in place, staff must be correctly trained in order to help them respond to challenges.
Increasing quantities of data are being stored, for a host of different purposes, legitimate and malicious, and cannot always be officially checked. People must be more aware of risks, said Wojciech Wiewiórowski, The European Data Protection Supervisor, EDPS, rather than assuming someone is checking and certifying on their behalf.
“We are dealing with unprecedented levels of risk,” warned Tien Minh Hoang, Deputy Director General, Authority of Information Security, MIC, Viet Nam, with highly skilled criminals who have access to resources. Children and elderly people are particularly vulnerable targets for cybercriminals. “These users don’t have the knowledge or skills to protect themselves in cyberspace,” he added, noting that the digital transformation will expand cyberspace, and this hyperconnected cyberspace will bring cybersecurity to a new level, with new responsibilities and opportunities. “Only with a good cooperation between government and industry can we address the new landscape post COVID-19,” he said.
Defense against cyberattack
Commenting on the results of an in-session poll on factors hindering the successful defence against cyberattacks and privacy breaches, Lim outlined his potential solutions. These included building an ecosystem into the solution and, crucially, sharing intelligence with others. Organizations need to subscribe to good intelligence and use this to proactively enhance defence, he said. In addition, they should utilize technology to block known, obvious threats. In this way, only complex attacks will require human intervention, he explained.
Echoing Sim’s earlier comments, Yates agreed that companies may take their eyes off security as they focus on business. Increasing awareness is also essential in defending against attacks. Security should not “be seen as someone else’s problem, it should be something we all take care of.” We should be ready to understand and respond, and to run through security drills, like fire drills, to check how we will respond. This should become part of best practice, he explained.
Muchanga was not surprised by the poll results, which indicated a number of factors could hinder defences. For him it’s also a question of many factors: number of devices, lack of funding, information overload. To be successful, we must try and focus on all these issues, he explained. The more people trained to deal with issues and the more devices with security built in, the better. The more we increase awareness, the more effective we will be. For Wiewiórowski, raising risk awareness is also essential. One way to help with this is sharing of guidelines on managing risk, although for this to be effective, they need to be in clear, understandable language and circulated to all members of an organization, not only those in IT.
Panelists pondered how we (citizens, users, the private sector, government and regulators) can counter cyberthreats. Having the right strategy is key, according to Muchanga, to protect critical assets, alongside properly resourced and trained people. Sharing an interesting parallel uncovered by Kaspersky labs between COVID-19 and cybercrime, Sim explained how organizations can adapt their cyber defences along similar lines to those used against COVID-19. Firstly, they need to get the right intelligence: as with the virus, we need reliable information on the threat we face. Secondly, they need to deploy an effective detection and trace system, tracking the cyberthreat, even if hidden. Thirdly, they need to increase awareness of cyberrisk management, which he likened to our own recent increased awareness of the importance of correct handwashing to protect against COVID. In this way, organisations and governments can get more information to end users to help contain the spread of threats.
Cyberrisk management can help us counter risk, explained Craig. Deployed correctly, it can help organizations understand and mitigate the nature of risks, threats, vulnerabilities and, crucially, consequences of a data breach. Organizations also need to stay ahead of the game, cautioned Yates, looking to what the threat will resemble in two years’ time, to try and roadmap out the next set of threats.
Assessing the results of cyberattacks and identifying how the attack was carried out is part of an organization’s social responsibility and accountability, according to Wiewiórowski. Only cooperation with those on the frontline of the attack can give us the knowledge of what has happened or could happen in future.
Forging trust is essential, according to Hoang, between governments, citizens and the industry, so that they can all work together, particularly in areas such as child online protection. Collaboration must be forged nationally and internationally at dialogues such as ITU Virtual Digital World 2020, he explained, in order to build a common ground. He called for more global and regional initiatives to enhance cybersecurity and trust building.
Navigating a myriad of rules and regulations
A range of different rules for cybersecurity and data protection, at regional and national levels, can often overlap, explained Wiewiórowski. These can then be further complicated by different sectoral regulations for storing data. As a result, the same incident may trigger a raft of different responses according to each area or sector’s own regulations, he explained. Jurisdictions need to be less fragmented.
Amidst this complicated regulatory backdrop, there are two different regulatory approaches to cybersecurity and privacy, explained Muchanga: either top-down or horizontal. In sectors which are already mature in terms of cybersecurity awareness, a horizontal approach can be used, where government can put in place mechanisms and then each area can deal with its own implementation. But in less cybersecurity-mature areas, a top-down approach is needed, overseeing each level in turn. Added to this, each organization needs its own policy, alongside national regulations. And in addition to the multitude of regulations, checks need to be made to ensure they are being followed.
Cutting through this regulatory jungle can prove complex. Not only can regulations directly impact organizations, explained Craig, but they can also do so indirectly through their cross-sectoral supply chain, meaning approaches are sometimes duplicated.
In a more connected world, with more networks, and more risk, we need more security “or we are doomed,” concluded Muchanga. “We need to learn from the pandemic, adapt our defences,” said Sim. We need intelligence to know our threats, the ability to detect and trace them and to build awareness and educate end users to protect themselves. In a complex environment, technology can empower but also involve risks, said Craig. Implementing risk management is a foundation step to help support understanding.
Let’s help senior citizens to share the joys of modern applications but help them avoid pitfalls, said Yates. In cyberspace, we need “cyberagility,” concluded Hoang. We need to adapt, be agile and respond quickly to cyberattacks.
Wrapping up the session, ITU Secretary General Houlin Zhao explained his background in ITU, beginning by working on the X.509, then X.400 and X.500 recommendations. From then on, he explained, “ITU tried to make the best, most secure systems to offer the public.” Yet even for early internet pioneers, security was not “their first concern,” he told participants, echoing sentiments voiced by panelists earlier in the session. Outlining ITU’s commitment to security, he explained that ITU had “always put security high on the agenda,” including with special taskforces dedicated to the area. The question of security is a geopolitical debate, linked to national security. He commended the debate today, which allowed experts to put forward their views. He expressed hopes that all stakeholders will work together with ITU, so we can assure a safe cyberspace including for the 3.6bn who have yet to be connected.
Phan Tam, Deputy Minister of Information and Communications, Viet Nam, then formally closed the session by thanking all delegates and ITU, inviting all to continue the debate in the physical event to be held in October 2021 in Viet Nam at ITU Digital World 2021.