Navigating the new landscape in cybersecurity
Martin Sorrell, CEO of the giant marketing services firm WPP, usually has a handle on the global zeitgeist in business – as an advertising man, it’s his job. So when he told the World Economic Forum in Davos in January that he identified ‘cyber’ as one of his top six worries, I listened up (his other anxieties: China; the fall in the oil price and its effect on tax receipts, and the EU, its migrants and a possible ‘Brexit’ – UK exit from Europe).
Hackers, Sorrell said, “are getting cleverer and that’s a big issue for companies stampeding into digital”. Is he right?
Well, near the end of last year I chaired five sessions attended by Chief Information Security Officers at the annual world congress of the Information Security Forum. Held in Atlanta, US, with all but keynote sessions under the Chatham House rule, the ISF is now in its 27th year: it’s independent, not-for-profit, and gathers together more than 400 leading world companies to share research and best practice.
Listening to speakers there, I’d tend to agree with Sorrell. According to PwC, for instance, cybersecurity breaches neared 60m in 2016.
In successive ISF congresses, one particular speaker has established a reputation as a kind of youthful cybersecurity rock star. This year was no different. Cyber-attacks now often take the form, the speaker said, of sexualised and thus inviting domain names, or emails from supposed CEOs. Often, he showed, they target Microsoft’s Windows Management Instrumentation tools for accessing information, and VPNs.
Who are today’s attackers? The congress underlined that they’re ‘hacktivists’ such as Anonymous; kids hacking for the hell of it; stressed-out employees making mistakes; resentful employees or contractors (for example, Edward Snowden), and Bad Guys in the Ukraine. There are also, in cybercrime, important distinctions between low-level Infectors, mezzanine Analysts and moneybags Investors. Law enforcement only usually bothers with the Investors.
Adding to this rogues’ gallery, Misha Glenny – looking every bit the rumpled journalist – made a brilliant keynote taking off from his 2012 book, DarkMarket: How Hackers Became the New Mafia. Mainstream criminal gangs, Glenny stressed, are now into cyber, often assembling teams of individual criminal entrepreneurs to work, horizontally and assisted by virtual currencies, on a project basis – Crime-as-a-Service (CaaS, and yes, that’s new to me too). (PDF here.)
Glenny’s solutions were admirably human, and not just technical. For him, careful psychology both before and after cyber-attacks, as well as good human intelligence and corporate communications, were just as important as clever code. Get bad news out early, he wisely advised.
Attacks are growing in mobile. There, as a speaker from a leading US telco underlined, the most popular apps are mostly the work of unique developers, who typically lack expertise in security. What to do? A speaker from a Spanish telco upheld the need for independent security testing and certification of mobile apps, and showed some clever ways of tracing the originators of threats. His main message: Know the Enemy… Through His Mistakes.
Salvoes are also on the up, I also heard, among companies running Open Source. They’re multiplying, too, in the Internet of Things. Here as elsewhere, security needs to be designed in from the beginning, not as an afterthought.
There is some good news. Organisations have gradually got better at defending themselves. Perhaps cybersecurity is poised to lose some of its military culture, language and acronyms, and become instead a mainstream, demystified profession.
One of the best things about the congress was the honest, straight-talking style of both speakers and contributors from the floor. At a workshop on the ISF’s publication Threat Horizon 2018, for instance, brainy ISF staffer Martin Fell was candid about what the ISF had got right and wrong in its earlier published overview, Threat Horizon 2017. Had ‘tech rejectionists’ – those dismissing the benefits of technology-enabled globalisation – caused chaos? Had the internet become more Balkanised? No: the ISF’s latest survey of its members showed that these dangers had turned out less worrying than predicted. But on other issues, Threat Horizon 2017 was on the money. As Glenny had emphasised, crime syndicates have indeed taken a quantum leap, and the impact of data breaches had risen dramatically.
Stefan Lueders from CERN, aka the Large Hadron Collider, delivered the most charismatic keynote. Blessed with 2,250 employees and 10,000 users, but in charge of 27km of particle gun running 11,000 amps at -271°C, Lueders faces innumerable attempted breaches daily – yet he wore them well, with fantastic English, self-deprecating humour, and no-nonsense answers to questions. His story, very relevant to the IoT: get the safety, inventory and component lifecycle regimes for such a large piece of infrastructure right, and information security will be much stronger.
A final development brought out by the congress related to my old friend, design. Here two very popular speakers from the Netherlands and South Africa brought us back again to psychology. They asked: why on Earth should harassed employees bother to get behind corporate edicts on cyber-security, if the ergonomics and graphics of passwords and all the rest are irritating when they’re not demoralising?
Clearly it’s essential to build good, sympathetic design into security systems from the beginning. Moreover all the main forces relevant to well-designed IT security systems need to collaborate together, not simply Chief Information Security Officers and designers.
I suspect we’ll be hearing a lot more about design for cybersecurity over the next few years. Meanwhile, I’m certainly looking forward to this year’s ISF congress, to be held in late October in that old city of intrigue… Berlin.
Good luck to the #farmers on their march today!
I probably don't need to tell you to wrap up warm. But please remember that no part of the UK's green agenda is your friend. All of it is intended to deprive you of your livelihood, one way or another. That is its design.
Brilliant piece by @danielbenami. RECOMMENDED
Articles grouped by Tag
Bookmarks
Innovators I like
Robert Furchgott – discovered that nitric oxide transmits signals within the human body
Barry Marshall – showed that the bacterium Helicobacter pylori is the cause of most peptic ulcers, reversing decades of medical doctrine holding that ulcers were caused by stress, spicy foods, and too much acid
N Joseph Woodland – co-inventor of the barcode
Jocelyn Bell Burnell – she discovered the first radio pulsars
John Tyndall – the man who worked out why the sky was blue
Rosalind Franklin co-discovered the structure of DNA, with Crick and Watson
Rosalyn Sussman Yallow – development of radioimmunoassay (RIA), a method of quantifying minute amounts of biological substances in the body
Jonas Salk – discovery and development of the first successful polio vaccine
John Waterlow – discovered that lack of body potassium causes altitude sickness. First experiment: on himself
Werner Forssmann – the first man to insert a catheter into a human heart: his own
Bruce Bayer – scientist with Kodak whose invention of a colour filter array enabled digital imaging sensors to capture colour
Yuri Gagarin – first man in space. My piece of fandom: http://www.spiked-online.com/newsite/article/10421
Sir Godfrey Hounsfield – inventor, with Robert Ledley, of the CAT scanner
Martin Cooper – inventor of the mobile phone
George Devol – 'father of robotics’ who helped to revolutionise carmaking
Thomas Tuohy – Windscale manager who doused the flames of the 1957 fire
Eugene Polley – TV remote controls
0 comments