World Faces Cyber Security Cliff-Edge, Warns Expert
Everyday life is on the precipice of digital transformation – potentially for the worse – according to Sean Kanuck, Director of the International Institute for Strategic Studies (IISS).
Kanuck’s comments were made while delivering a talk to the CyberSec European Cybersecurity Forum in Krakow, Poland. Kanuck warned: “Cyber operations are increasingly being used to achieve traditional political, economic and criminal ends.
“We are increasingly seeing obstacles through governmental, political and economic regulation to global interoperability – meaning that the issue is becoming one of state craft and public policy, more than simply technological challenges.
“And we are seeing the extensive reassertion of sovereignty in this area, and the real conflict and competition is increasingly over the value of the information itself.”
Trends in Cyber-Crime
Kanuck also spoke on five strategic trends that are ‘changing this ecosystem’ of global cyber-crime.
The first trend is the increase of surreptitious cyber-conflict, perpetrated by nation states, to avoid open military responses from others. Kanuck said: “We see them achieving coercive, political objectives that leave victims uncertain how to respond or even whether or not to publicly declare who they know perpetrated it against them because a public declaration with a failure to take response action only undermines your own strategic deterrent capability”.
Secondly, Kanuck noted, is the upward trend of industries both developing digital tools and then becoming victims of them. He said: “Those companies are finding themselves becoming the target of nation-state, criminal or ideologically motivated hacking efforts. We have seen Microsoft comment on the exploitation of its software code and even enter the discussion about appropriate norms of behaviour and propose a digital Geneva Convention – corporate leaders talking of what is a traditional political space”.
“We have also seen public-private partnerships being suggested or pursued to deal with attacks against the healthcare sector, or even talking about the nascent cyber-insurance sector as a possible solution for driving corporate best practices and supporting regulation.”
Third, and most disturbing to Kanuck, is the deployment of infrastructure in ways that make it easy to fail. Kanuck warned: “Increasing horizontal and vertical integration in our just-in-time economies leaves very little redundancy, which means we are creating single points of failure with few backups and alternatives if those primary systems are compromised.
“As we shift to the internet of things, supported by artificial intelligence algorithms, our infrastructure is going to remain insecure, the operative nodes are going to be decentralised in the hands of individual users: small and medium-sized businesses and other entities which may not have leading cyber-security expertise to be able to deal with critical, persistent threats and sophisticated actors”.
Fourthly, and complementary to those issues surrounding infrastructure, is the increasing trend of proxy (indirect) attacks intended to hit a target by going through another. Kanuck said: “In many cases, if attackers cannot reach the desired goal, they will compromise another entity that provides access to it through a trusted business relationship, for example.”
The final trend which Kanuck warned of was the tendency of criminals to target data, for theft or destruction. Kanuck said: “This is incredibly nefarious, because half the problem in cyber security is knowing that you have a problem. If you do not have a breach that affects availability, yet compromises the integrity, how long will it be before you appreciate that penetration?”
Kanuck conceded that nation state-level interference is not a new trend, but reiterated the “scale, the scope and the near costlessness with which it can be perpetrated through social media platforms or other technologies creates such a quantitative imbalance that it takes on a qualitative influence”.
The solution, according to Kanuck, is to encourage more talks between ‘real news’ and ‘real crime’, versus the ‘fake news’ and ‘fake crime’ of the higher-profile attacks that have rocked the globe in recent months.
“The story of WannaCry is like a Hollywood thriller: US spy agency figures out exploit to one of world’s largest software companies; North Korea re-purposes; and British healthcare system brought down.
“Think about the complexity and the magnitude of what we are discussing, and I offer that this is just the beginning of a masquerading hall of mirrors of criminals pretending to be governments, governments pretending to be criminals, and everything in between.”
Collaboration between businesses and governments, Kanuck contended, could encourage innovation in the security sector and prevent attacks in the future. Kanuck said: “We need to find ways to be interoperable while following the law in all jurisdictions, and governments are going to need to work together to find ways to make that seamless and efficient.”
In closing, Kanuck said: “If we realise that actors’ actions are influenced by their own interest and incentives, it tells us about the important role of regulation and effective law enforcement in both deterring action and incentivising desired behaviours.”