Cyber-criminals are the new entrepreneurs of the 21st Century: intelligent business people who have identified innovative ways to capitalise on others’ failings. They succeed because the attack surface is expanding and security hasn’t been built into networks and devices from the ground up.
That was one of the starker suggestions from speakers at a Westminster eForum conference on cyber-security last week.
David Ferbrache, Global Head of Cyber-Futures at KPMG and Chair of the National Cyber Resilience Board for Scotland, said it’s wise to see organised cyber-criminals as an intelligent group of business people who are on a quest to make big profits by increasingly sophisticated means:
I tend to think of cyber-criminals as being a rational group of entrepreneurs. When we start thinking about their business model, what drives their investments, what drives the attack or disrupting services for extortion purposes, we should understand those motivations.
I sometimes wish we [the security community] were as entrepreneurial as the people running these operations. Business people are very good at thinking about business, so our job as cyber-security professionals is often to articulate the threat in business terms and the security intervention, because when you do that it becomes easier to deal with. But we are very, very bad at doing that as a profession. We get lost in the technical detail.
The more holistically we think about the attacks and think about businesses, the more mature our response can be.
Cyber-criminals’ motives are no different to those of their corporate marks: they want to maximise the return on their investments and, like target enterprises, their operations are becoming increasingly commoditised and automated via new technology. In this context, the narrow focus on ‘cyber’ is part of the problem, because security is now threaded through every aspect of organisations’ IT systems, operating models, and business relationships.
The cloud problem
Another challenge is the wholesale shift of those systems into the cloud, especially if companies get the transition wrong. Fiona Boyd, Head of Cyber-Security Operations at Fujitsu EMEIA, observed that 90% of organisations will have a footprint in the cloud by 2020.
For cyber-security professionals, working in isolation in a technical support role is no longer sufficient, she said; they need to back strategic aims with a security-first culture. The pivot is people’s falling trust in digital systems at a time of an exponential rise in threats and a lack of appropriate security skills. (This will be explored in a second diginomica report to follow.)
Cloud service providers are themselves becoming targets due to the many client companies they host. This maximises the potential payback for entrepreneurial criminals, who recognise that ‘the cloud’ is not a fog of code in the sky, but a hardware operation in the real world. This means it can be compromised: each cloud platform is a warehouse full of victims, if criminals can find the right way in.
Usually, that’s via the weakest link in the chain: people. It’s “open season on Office 365”, explained KPMG’s Ferbrache, with attacks that are often highly sophisticated. These don’t just access people’s accounts to steal intellectual property, but also kickstart C-level frauds via financial transactions that appear authentic.
While criminals are getting better at phishing, ransomware is also becoming more targeted and tailored, and malware is constantly changing. In this context, speed and agility matter when closing vulnerabilities; cybersecurity professionals don’t always have the luxury of time, he said:
Organised criminals now break in, then do the reconnaissance, work out where they are, who the target is, what they can steal, and how much ransom they can extort. These attacks are becoming more business-savvy. Organised crime is a lot less crude than it used to be.
In other words, enterprises should stop seeing such crimes as the preserve of opportunistic outsiders or maladjusted minors – despite conference Chair Lord Arbuthnot of Edrom saying that victims should be wary of retaliating against cyberattacks in case they originate from “a Montessori school” in Westminster. A joke, but an oddly specific one.
Extending the challenge
Ferbrache observed that militaries are investing in cyber-attack capabilities, while states resort to cyber-intelligence gathering because it is less risky to their employees than old-fashioned espionage. The message was clear: the stakes are high and international, and some cyber-criminals run operations that are at least as sophisticated as those of any large enterprise.
Estimates on the global losses to cyber-crime vary from $600 million to $1.2 trillion, said Ferbrache, depending on whether you define cyber-crime in a narrow sense or as an enabler of other crimes, such as complex fraud, theft, money laundering, and terrorist financing.
The extended enterprise is an emerging security challenge, with supply chains often presenting a softer target than whichever organisation is in the criminal’s sights. The widening perimeter and complexity of today’s supplier, partner, and customer ecosystems create multiple points of failure outside the enterprise. These may be invisible to companies that believe they are secure.
As a result, fostering the right skill set is essential in cyber-security. A focus on business impacts and operations is critical, as is an agility mindset – not just to help security professionals protect the enterprise, but also to help it recover from attacks.
The feral IoT
But perhaps the biggest area of risk is the Internet of Things (IoT), suggested Professor Jeremy Watson, Director of the PETRAS Hub, the national centre of excellence for IoT research in the UK.
PETRAS is a consortium of 11 universities dedicated to exploring the privacy, ethics, trust, and security aspects of the IoT. It benefits from nearly £10 million in funding from the Engineering and Physical Sciences Research Council (EPSRC), plus an estimated £23 million from private partners.
Watson himself is Professor of Engineering Systems in the Department of Science, Technology, Engineering, and Public Policy at University College London, revealing the complex connections that characterise the life of most cyber-security professionals. But that didn’t stop him using a simple word to describe the IoT: “feral”.
In this “feral space” of “13 billion feral devices”, good cyber-hygiene is critical, because most of the dialogues that machines take part in are with other smart devices or services. The challenge of invisible machine-to-machine (M2M) communications was one of the driving forces behind the UK government’s ‘secure by design’ initiative for the IoT, in an environment that Watson described as providing a “recruitable army of devices for a huge attack cohort”.
The point was rammed home in a survey from the UK’s Consumers’ Association last year. The Which? report criticised “the galaxy of other companies busily working in the background of your smart gadgets”. The organisation tested 19 IoT devices and found serious security risks, including a smart TV that was connected to the internet for just 15 minutes, during which time it sent data to 700 different IP addresses.
A separate 2018 report from activist group The Internet of Things Privacy Forum warned that the IoT may undermine the legal concept of privacy, thanks to its billions of invisible connections. Imagine such openness and lack of insight in a corporate environment – thanks to smart lightbulbs, digital assistants, connected environmental systems, and so on – and it’s clear that invisible routes into unwary enterprises are opening up for cybercriminals.
One solution may be designing devices to be dumb by default, with them only becoming smart incrementally by user opt-in. Another may be setting a ‘use by’ date for any devices that lack an upgrade path to new security standards – not a concept that manufacturers are likely to embrace, despite consumer suspicions of built-in obsolescence.
These and other issues are why we should regard cybersecurity as a “socio-technical” problem, said Watson, and not solely a technology one demanding technology solutions. At least some of the problems are cultural and organisational – and, I’d argue, sometimes rooted in the West’s obsession with sourcing data for marketing and advertising purposes.
Either way, universities are an essential part of the “soft power” in meeting emerging threats, said Professor Chris Hankin, Co-Director of the Institute for Security, Science, and Technology at Imperial College in London, and Director of the International Cyber-Security Centre of Excellence.
The UK is coming to the end of its second national cyber-security programme and has come to see China, India, Israel, Japan, Singapore, and the US as important strategic partners alongside Europe. Meanwhile, the EU’s seven-year, €80 billion Horizon 2020 research and innovation programme ends next year.
Hankin said he hoped the UK could still be involved with European research after 2020, but acknowledged that Brexit may make that difficult. “UK partners are being refused in projects that are being set up”, he said, which is why Britain is now “looking beyond Europe”.
Meanwhile, Estonia is emerging as another source of cyber-security expertise, claimed Pauline Hawkes-Bunyan, Director of Business Risk, Culture, and Resilience at The Investment Association – a trade body that represents more than 250 financial services firms. This may be true, but partly because Russia and former Soviet bloc countries have been pushing billions of dollars of illicit funds through the country and banks are being pressured to improve their systems.
Cyber-resilience is important in the interconnected finance sector, which is grappling with constant regulatory upheaval, digital disruption, and a flood of dirty money. Collaboration “really is a game changer”, she explained, with the Financial Conduct Authority (FCA) setting up a cyber coordination group. However, while a lot of information about cybersecurity goes into the regulators, a lot more could be coming back out in the form of assistance and advice, she said.
Security: in poor health
Healthcare is another sector that has hit the headlines in the wake of sustained attacks. Dr Saira Ghafur, Lead for Digital Health for the Institute of Global Health Innovation at Imperial College London, explained that cyber-security isn’t a technology matter; it’s an urgent patient safety challenge.
Healthcare is increasingly digital. Technologies such as AI and robotics are becoming more prevalent, while wearables and other IoT devices have an emerging role in diagnosis, prediction, and personal health management – all areas in which the insurance sector has a deep interest, particularly in the US payer-based system. Effective cyber-security is already important in protecting patients’ health, privacy, and trust, and that role can only become critical, she suggested.
More than 600 NHS Trust hospitals and 34 acute hospitals were affected by the 2018 WannaCry ransomware attack, including devices such as MRI scanners. There was no quicker way to undermine public trust in digital health, said Ghafur.
The unique challenge of working in the healthcare environment is that hospitals and clinics can’t simply shut down access to IT systems in the way that a corporation could in an emergency. Medical devices themselves can’t be ditched and replaced overnight, and many were never designed to be connected to the internet in the first place.
This, plus the effect of a decade of austerity, has left many hospitals reliant on outdated equipment and operating systems. However, one reason for the NHS facing a £92 million bill for WannaCry was Trusts failing to implement the Microsoft security patch against the ransomware. Since then, there has been a widespread upgrade to Windows 10 across the NHS – one largely forced by cybercriminals.
Lack of investment, legacy infrastructures, multiple users, and complex interdependencies: the reality of healthcare in 2019. That said, the NHS cybersecurity response is too complex, argued Ghafur; too many organisations are involved and there needs to be a streamlining of accountabilities. “We don’t have security standards for healthcare devices”, she observed, and into this environment are coming AI, robotics, and the IoT.
As ever with Westminster eForum events, this was a useful morning of focused, directed argument. However, this particular event suffered from the same lack of diversity as the cyber-security sector itself, which is 93% male. The overwhelmingly white, middle-aged, male audience did hear from several expert women, but only in the context of panel discussions. All of the longer speeches were by men, at an event characterised by very poor sound. As a result, valuable voices were lost in an echoey room in Whitehall – not an unusual scenario in 2019.