The huge increase in the use of digital technologies throughout the COVID-19 pandemic has led to far greater numbers of connected devices, increasing the attack surface for cyber criminals. How can governments, companies and individuals keep up, who is responsible for securing safety online and what should our priorities be? These were the questions put by moderator Ioana Stupariu, Executive Director, Readytech Consulting, to a diverse panel of experts in a lively debate on the new cybersecurity landscape.
For Rois Ni Thuama, Head of Cyber Governance, Red Sift, ransomware, malware and phishing remain the key threats, despite the many thousands of new vulnerabilities and unique malicious objects. What has changed for the better is that we are now able to mitigate and manage these attacks with the help of trusted, independent sources such as the ENISA threat landscape report, the NIST Cybersecurity Framework, the National Security Centre in the UK or the FBI. All these bodies offer the same guidance on building security online – even if we are not currently implementing their advice as much as we could. “We are all worried about the threat landscape and new vulnerabilities, but we are not getting on top of what we know and what we should do to defend ourselves,” she said, citing the example of a report that only 2% of business domains have deployed global industry standards to protect against phishing.
“Nation state actors are using technically artless ways to get into companies,” she continued. Crime follows opportunity, and these are often not sophisticated attacks. As we have not implemented the established guidance, we are seeing time and again the same threats, the vast majority from simple entrance points. “The threat landscape is noisy and messy, but look to trusted experts to reduce the noise – and address the most significant cyber threats first,” she urged.
Speaking from the Asia Pacific region, Annabel Lee, Head of Digital Policy, Asia-Pacific & Japan, Amazon Web Services (AWS), highlighted that the region was not one country or legal unit, but was made up of many different jurisdictions with varying levels of economic development and digital transformation. Wherever you are, however, “one of the key challenges is the conflation between the importance of security and the location of data, specifically the idea that if you secure data in your country and only your country, that would result in your data being more secure.”
Data breaches happen because companies cannot access good technical services at good prices, and so try to implement their own security measures through their own servers and coders without realizing the complexity, leading to poor outcomes. It is therefore important to be confident in using cloud service providers and high quality security services to protect data. “Governments think if they can keep the data onshore secure it will keep it secure, but this is not true: many incidents occur remotely and data breaches occur over the Internet,” she added.
From a government perspective, the major challenge is balancing the benefits of digital technologies and major trends such as AI and machine learning against the risks incurred, set out Professor Marco Gercke, Director, Cybercrime Research Institute. It is important to be aware of the severe impact attacks can have on society, and to prioritize security by design, implementing regulation to strengthen security or devising comprehensive cyber security strategies.
The risks have to be weighed up against the benefits of increasing digitalization, agreed Irene Kaggwa, Acting Executive Director and Director, Engineering and Communication Infrastructure, Uganda Communications Commission. Governments are encouraging people to go online and benefit from ICTs, but “we have to plan for and make provision for risks, so it is not just about the policy and legal but also the technical point of view as a government”. This includes creating enabling laws to prosecute criminals, ensuring a deterrent culture, and establishing emergency response teams. Across the continent of Africa, it is important to note that not everyone has the same financial resources to invest in the necessary cybercrime technology, or the expertise to ensure networks are as secure as possible. Providing a continuous flow of information to companies, telcos and end users is critical to keep networks updated, and to keep businesses and consumers aware of good cyber practices.
Government alone cannot solve cybersecurity issues, echoed Gercke. Government policy and legislation are important building blocks in establishing cybersecurity, but must be accompanied by defining obligations and liabilities to increase implementation and enforcement. Major companies are taking cybersecurity more seriously since individual executives or company leaders may be held liable for cyber attacks.
Additional components in the ongoing process of building resilience to cyber attack are important new pieces of legislation, added Ni Thuama. The European Union’s forthcoming Digital Resilience Act (DORA) includes the requirement for company boards to become duly informed and exercise reasonable diligence with regard to existential threats, including cyber attacks. In the US, the Department of Defence has produced a cybersecurity maturity model certificate, ensuring suppliers have a raft of security measures in place across a number of levels, depending on what is being supplied, and allowing for maturity over time, as bad actors do not normally appear suddenly.
Securing the supply chain
The problem of third party risk and securing the supply chain against cyber threats has always been with us, explained Gene Yoo, CEO, Resecurity, but has grown larger as cloud enabled apps transform the reach of businesses. “The problem is as big as any company using outside resources, whether human or digital, and without enough time or money to support it,” he said, but “the reality is that we don’t have the resources to protect it.” Due to digitalization and globalization, outside foreign suppliers increase the exposure to risk traditionally inherent in supply chains.
Trust and innovation
Privacy remains a key issue across the world, stressed Ivana Bartoletti, Global Chief Privacy Officer, Wipro & Co-Founder, Women Leading in AI. Alignment is happening on privacy and data protection, including during the pandemic when data and digital were so critical to work, business, and education, yet people still focused on ensuring privacy. “There is mistrust, and without trust it is very difficult to innovate,” she said, as innovative products or the people who develop them are regarded with suspicion. We need global policy and regulation in consumer and competition law; we do have effective privacy solutions and technologies, but these are costly and not easily accessible for smaller companies or individuals.
The value of privacy and data compliance in the commercial sector is fully understood by ZTE, stressed Ruixin Gao, Director of Data Protection Compliance, ZTE. Privacy is a critical need for end users, but also for governments and telco operators, who themselves have huge numbers of end users. Good products and a high level of trust earned from consumers create direct value – prioritizing privacy in production for customers and stakeholders creates value for all parties, including the vendor. “Compliance creates value” is a key watchword for ZTE as an international company in the telco industry, said Gao.
Privacy laws and data protection regulation are important for us to trust what companies are doing and to ensure a balance of power, providing individual end users with recourse if something goes wrong, agreed AWS’ Lee. But there is a gap between regulators and companies in terms of understanding privacy laws. Bridging this gap is important, as if privacy law is not understood, then it will not be complied with or enforced. Customer trust is a top priority for AWS, she added, outlining three key steps: enabling customers to maintain full ownership and control over data, which is never accessed or used to derive data for marketing purposes without customer agreement; ensuring transparency by providing clear information on technology, data policies and protection practices; and building tools for customers to protect data and monitor legal requirements.
Businesses have become more aware of associating their brand with secure content, agreed Ni Thuama. Consumers may not trust private companies currently, but by ensuring data is secure and showing a robust position on security, businesses can drive change. The insurance sector has suffered from the impact of ransomware, and is now responding by demanding a higher standard from the businesses it insures, including multi-factor authentication, endpoint detection and encryption as privacy requirements. These are the elements that businesses should adopt to ensure greater security, she added.
The insurance industry’s response to ransomware may drive change, pointed out Gercke, but the problem was in part created by the insurance sector itself: its willingness to pay out in the face of ransomware attacks, rather than take the more expensive option of going through the process of further security, makes it in part responsible.
Resecurity’s Yoo highlighted that signing an agreement with a company gives consent for that company to read any content for machine learning and content development purposes. Ransomware is a good business. The technical hygiene problem inherent in many companies makes it easy to make money in cyber space by demanding payouts to stop attacks. Many attacks are not made public, and no amount of regulation will change this.
Lee agreed that fear and uncertainty may be created to drive insurance, but business users tend to be fully aware of the use of their data by companies in relation to AI and machine learning; companies can be fully transparent about its use and offer opt-out options to their customers. The situation is more complicated for individual users, as companies’ lengthy privacy agreements can be confusing: companies must be held to higher standards and accountability demanded.
Where privacy and security intersect, there is always some form of trade-off to be made, suggested moderator Stupariu.
Compromising privacy to achieve better health, for example, or physical or cyber security, is often couched in the language of trade-off, agreed Bartoletti, but it is not in fact a matter of either/or – both privacy and security can be achieved by leveraging new technologies. We should try to make the most of privacy, and understand what automated privacy measures can be put in place so that the user is not continuously asked to make choices. Data can be safeguarded automatically, providing security as and when needed, like airbags in cars.
“There is no doubt that companies that can use privacy-enhancing technologies and innovate at the same time have a competitive edge,” she said, given that customers increasingly place value on privacy and will choose not to be tracked when given the choice. “The language of trade-offs is dangerous, negative and lazy – we need to have the courage to say how we can safeguard both privacy and security.”
Borderless cyber threats
Cyber threats are borderless, not localized, and establishing a fortress in national cyber space will not work, as the very act of being online means being exposed to threats, said Stupariu.
Greater collaboration throughout the ecosystem is critical, agreed Kaggwa. Looking at third party suppliers, if you only concentrate on your own part you will not be secure, as you will only ever be as hygienic or fortified as the people you are connected to. More standards and guidance are needed that are global and holistic in approach, to increase reaction time, to make the internet safe for all and to mitigate risks by acting across borders.
Best practices for industry and government
In terms of best practice in privacy compliance, ZTE’s Gao highlighted that privacy should be by design or default. The value of the product, whether an app, software or hardware, is enhanced by inbuilt privacy features. ZTE includes data protection as a requirement for all research and testing sites for new products and tools; it is also a company priority for internal staff throughout the world. Compliance with security requirements can make companies more ethical and increase value, he added.
It is important to start from the bottom up, not the top down, in establishing better data hygiene and security habits, said Yoo. The very terms ‘cybersecurity’ or ‘cultural change’ should be avoided in favour of terms people know and practical actions they can understand and take.
Cyber security can be treated much like risk management, pointed out Ni Thuama – and it is all about leadership. If cybersecurity is seen to be taken seriously, there will be more trust.
It is incumbent on companies, social media companies included, to safeguard users and take responsibility for both security and privacy, stressed Bartoletti. Users need to understand what can be done to ensure privacy, but “in reality, the best thing users can do is to demand stringent compliance from the company itself,” as it is more difficult for users to understand transparency related to automated machine learning than it is for companies to do so. “The best is to demand transparency from the companies and refuse to take on all the burden of responsibility,” she urged.
“You cannot trust what you don’t know or can’t see,” said Kaggwa, and we only have the company’s word for it on compliance, privacy or transparency. We may need to gradually redefine what the acceptable levels of privacy are within this environment. In Africa, establishing trust is a process, arising from the recognized need for guidelines or best practice in place to guide operators, financial institutions and a whole range of users to develop cybersecurity standards and hold industry accountable. Governments and consumers must themselves also adopt better cyber security practices, she added.
Accountability and the ability for governments to set up clear objectives with solid enforcement frameworks are key factors, said Lee. In addition, it is critical that consumers do not fear new technology such as machine learning: it is not the AI itself that makes a decision or prediction, but the company that acts upon that decision, which should be held accountable.
“Don’t lose sight of the benefits to society of technology, despite the negative aspects of cyber security,” urged Gercke. Prepare realistically and anticipate exposures, data breaches or attacks, which are bound to happen in both companies and governments.
Kaggwa agreed that it is important not to jettison development and innovation because of cyber security risks. Government cannot solve it alone but needs industry and individuals onboard to engage in a continuous process of sanitizing networks and securing space online.
Privacy is important not just now but for our future, for families and children in the era of machine learning and AI, added Gao.
For Bartoletti, companies will have a competitive edge if they can bring together privacy, security and innovation. Make the most of privacy-enhancing technology and deploy a security by design approach, she urged companies.
“Security and innovation are not mutually exclusive outcomes,” stressed Lee. Moving to the cloud has helped companies in the innovation space have a stronger security position. Innovation and security are interlinked: you can only be successful in innovation by embracing security as well.
“It is a long journey and we need to be patient, with understanding between business, IT and security to work together. Once we build that bridge together with consumers, end users, we will have a better route ahead,” counselled Yoo. There is a great deal of regulation, but no one size fits all. Do not focus on trends or terminology, but on action and basic principles, he concluded.
Resources are limited, so businesses looking for concrete action points should consult credible sources, address challenges based on what is most significant in each individual case, and solve known threats before worrying about new vulnerabilities, said Ni Thuama.
Transparency and accountability are the way to increase consumer trust in the face of threats in cyber space, summed up moderator Stupariu, with all stakeholders in societies and economies worldwide working together across borders to cooperate on prevention measures.