Woudhuysen

Navigating the new landscape in cybersecurity

First published by IDG Connect, February 2016
Dido Harding, CEO Talk Talk

Martin Sorrell, CEO of the giant marketing services firm WPP, usually has a handle on the global zeitgeist in business – as an advertising man, it’s his job. So when he told the World Economic Forum in Davos in January that he identified ‘cyber’ as one of his top six worries, I listened up (his other anxieties: China; the fall in the oil price and its effect on tax receipts, and the EU, its migrants and a possible ‘Brexit’ – UK exit from Europe).

Hackers, Sorrell said, “are getting cleverer and that’s a big issue for companies stampeding into digital”. Is he right?

Well, near the end of last year I chaired five sessions attended by Chief Information Security Officers at the annual world congress of the Information Security Forum. Held in Atlanta, US, with all but keynote sessions under the Chatham House rule, the ISF is now in its 27th year: it’s independent, not-for-profit, and gathers together more than 400 leading world companies to share research and best practice.

Listening to speakers there, I’d tend to agree with Sorrell. According to PwC, for instance, cybersecurity breaches neared 60m in 2016.

In successive ISF congresses, one particular speaker has established a reputation as a kind of youthful cybersecurity rock star. This year was no different. Cyber-attacks now often take the form, the speaker said, of sexualised and thus inviting domain names, or emails from supposed CEOs. Often, he showed, they target Microsoft’s Windows Management Instrumentation tools for accessing information, and VPNs.

Who are today’s attackers? The congress underlined that they’re ‘hacktivists’ such as Anonymous; kids hacking for the hell of it; stressed-out employees making mistakes; resentful employees or contractors (for example, Edward Snowden), and Bad Guys in the Ukraine. There are also, in cybercrime, important distinctions between low-level Infectors, mezzanine Analysts and moneybags Investors. Law enforcement only usually bothers with the Investors.

Adding to this rogues’ gallery, Misha Glenny – looking every bit the rumpled journalist – made a brilliant keynote taking off from his 2012 book, DarkMarket: How Hackers Became the New Mafia. Mainstream criminal gangs, Glenny stressed, are now into cyber, often assembling teams of individual criminal entrepreneurs to work, horizontally and assisted by virtual currencies, on a project basis – Crime-as-a-Service (CaaS, and yes, that’s new to me too).

Glenny’s solutions were admirably human, and not just technical. For him, careful psychology both before and after cyber-attacks, as well as good human intelligence and corporate communications, were just as important as clever code. Get bad news out early, he wisely advised.

Attacks are growing in mobile. There, as a speaker from a leading US telco underlined, the most popular apps are mostly the work of unique developers, who typically lack expertise in security. What to do? A speaker from a Spanish telco upheld the need for independent security testing and certification of mobile apps, and showed some clever ways of tracing the originators of threats. His main message: Know the Enemy… Through His Mistakes.

Salvoes are also on the up, I heard, among companies running Open Source. They’re multiplying, too, in the Internet of Things. Here as elsewhere, security needs to be designed in from the beginning, not as an afterthought.

There is some good news. Organisations have gradually got better at defending themselves. Perhaps cybersecurity is poised to lose some of its military culture, language and acronyms, and become instead a mainstream, demystified profession.

One of the best things about the congress was the honest, straight-talking style of both speakers and contributors from the floor. At a workshop on the ISF’s publication Threat Horizon 2018, for instance, brainy ISF staffer Martin Fell was candid about what the ISF had got right and wrong in its earlier published overview, Threat Horizon 2017. Had ‘tech rejectionists’ – those dismissing the benefits of technology-enabled globalisation – caused chaos? Had the internet become more Balkanised? No: the ISF’s latest survey of its members showed that these dangers had turned out less worrying than predicted. But on other issues, Threat Horizon 2017 was on the money. As Glenny had emphasised, crime syndicates have indeed taken a quantum leap, and the impact of data breaches had risen dramatically.

Stefan Lüders from CERN, aka the Large Hadron Collider, delivered the most charismatic keynote. Blessed with 2,250 employees and 10,000 users, but in charge of 27km of particle gun running 11,000 amps at -271°C, Lüders faces innumerable attempted breaches daily – yet he wore them well, with fantastic English, self-deprecating humour, and no-nonsense answers to questions. His story, very relevant to the IoT: get the safety, inventory and component lifecycle regimes for such a large piece of infrastructure right, and information security will be much stronger.

A final development brought out by the congress related to my old friend, design. Here two very popular speakers from the Netherlands and South Africa brought us back again to psychology. They asked: why on Earth should harassed employees bother to get behind corporate edicts on cyber-security, if the ergonomics and graphics of passwords and all the rest are irritating when they’re not demoralising?

Clearly it’s essential to build good, sympathetic design into security systems from the beginning. Moreover, all the main forces relevant to well-designed IT security systems need to collaborate, not simply Chief Information Security Officers and designers.

I suspect we’ll be hearing a lot more about design for cybersecurity over the next few years. Meanwhile, I’m certainly looking forward to this year’s ISF congress, to be held in late October in that old city of intrigue… Berlin.
