All of us now have a role to play in maintaining national security during the pandemic, an obligation that was once the preserve of government and the security services. So said the Rt Hon Baroness Neville-Jones, Officer of the UK's all-party Parliamentary Group on Cybersecurity, and Chair of Friday's Westminster eForum conference on the topic.
In this new environment of mass home-working, how each of us behaves and the decisions we make online all count towards our collective safety, she explained. This view was backed by several presentations to the eForum, which revealed an uptick in cyber attacks, phishing attempts, and ransomware incidents that mirrored the spread of the virus - often deliberately. Many targeted the NHS and other organisations that have been working so hard to maintain our health and safety.
In this environment, vendors also have a duty: to provide much greater support to what the Baroness called their "impoverished" public-sector clients. She was referring to those IT companies that have withdrawn support for products that, though outdated, are still relied on by some organisations, including the NHS.
Just who could she have been talking about? Well, at least one vendor now sees itself as the "first responder to support the first responders", in the words of Simon Staffell, UK Government Affairs Manager at Microsoft UK, which seems to have a free pass to speak at Westminster keynotes.
The pandemic has impacted all sectors of society and the economy, and really we can't separate out anymore what is the cybersecurity issue from risk in the wider digital economy that now needs to address, respond, and recover [from the coronavirus].
According to Staffell, hostile state actors have been particularly active in cyberattacks, which tend to track events in the news. For example, when the World Health Organisation declared the pandemic in the spring, there was a rash of WHO-themed phishing lures.
The main culprits in international attacks of every kind are perhaps no surprise: Russia (52% of state-originated threats from July 2019 to June 2020); Iran (25%); China (12%); and North Korea and others (11%). According to Microsoft's figures, nearly 70% of these attacks have been directed at the US and 19% at the UK, with non-governmental organisations (32% of incidents), professional services (31%), government departments (13%), international organisations (10%), and IT firms and higher education institutions (both on seven percent) being the biggest targets.
A zero-trust architecture has become all the more important in terms of how we respond, particularly multi-factor authentication. We're thinking about how the perimeter of the organisation has completely changed in terms of cybersecurity risk and resilience.
Staffell was referring to most organisations being largely based in employees' homes during lockdown, extending the perimeter of the IT estate into domestic offices, often with family routers, smart home devices, and other security risks thrown into the mix.
A nation of small businesses
Other threats abound. Microsoft mitigated 600 to 1,000 unique DDoS attacks every day in March 2020 alone - approximately 50% more than pre-COVID levels - with rapid increases also observed in identity-based cyberattacks, credential harvesting, ransomware, and attacks on Internet of Things (IoT) devices.
Prashant Pillai, Professor of Cybersecurity and Director of the Wolverhampton Cyber Research Institute at the University of Wolverhampton, said that the amount of ransom being paid in ransomware attacks is increasing every year: in 2015, ransoms totalled just $24 million, but two years later had soared to $5 billion.
The US Presidential Election and other major political events - including the UK's separation from the EU in 2021 - are likely to be triggers for yet more cybersecurity incidents, phishing, and ransomware campaigns. We must all be vigilant.
But the focus on national or international contexts, and on large organisations, is just one part of the cybersecurity story. Small and medium-sized enterprises (SMEs) are equally in organised criminals' sights, and make a massive contribution to Western economies. For example, government figures reveal that 99 percent of the UK's six million-plus companies have between one and 50 employees; Britain really is a nation of small businesses.
Sonali Parekh is Policy Director of the Federation of Small Businesses (FSB). She told the conference:
Our recent research shows that around 20% of small businesses in England and Wales, that's about 1.6 million firms, have experienced at least one cybercrime in the past two years. We estimate that there are approximately 3.9 million incidents of cybercrime per annum against small businesses.
The most frequently reported cybercrimes are phishing, malware, and processing fraudulent payments online. [...] The average cost per business of cybercrime over two years was around £7,000 [$9,000]. The aggregate direct cost of cybercrime in England and Wales we estimate at around £3.75 billion [$4.86 billion].
The pandemic has made it imperative for SMEs to improve their cybersecurity practices, she added:
In research we carried out during the first lockdown, 16% of small businesses have developed a new or increased online presence, including delivering their offering online, and 24% of small businesses have adopted or increased their use of digital technologies to facilitate working from home. Indeed, 30% of small businesses reported that they've altered their business practices to accommodate it.
Given that many of the trends that COVID-19 has accelerated will remain a staple part of the way small businesses operate and consumers engage with them, tackling cybercrime and improving cyber resilience is even more important for the wider small business community.
We really need to see a time-limited expert review to bring forward recommendations for structural changes to policing on what sort of model works best for different types of business crime.
We're really keen that the Home Office looks to evaluate and quantify not just the direct costs of crime, but also the indirect costs, including of cybercrime. The financial, social, and psychological impacts, not just in terms of their ability to operate their businesses in the here and now, but also the impact that it has on their future growth ambitions and prospects.
For Wolverhampton's Pillai, there are four cornerstones of a robust cybersecurity strategy in the time of coronavirus:
We want to make sure our data is always confidential, that we have central data integrity. The next is cyber resilience [...], resilient systems: can you provide a certain level of business continuity or operational continuity when you are under attack? We're also looking at privacy and data protection. How do you ensure that you have the right systems in place, the right policies and procedures - GDPR is an excellent example of being able to facilitate that. And the fourth, of course, is the collaboration that we require within organisations to be able to deal with large-scale attacks.
One of the biggest issues is that many organisations are still not sure about what their assets are, and who exactly owns them. Also, even smaller organisations need to understand what their trust boundaries are. Do you trust the devices that are connecting to you, and the people that are connected to you?
Wise words. And yet more evidence that cybersecurity is primarily a human and policy-based problem - backed by the right technologies, of course, but also a massive dose of common sense.