As consumers, we receive the same rudimentary cybersecurity advice every year – don’t reuse the same passwords, log out of shared computers, and don’t answer any obscure princes’ pleas for assistance in shifting some spare currency. For enterprise, it is a more complex and fast-evolving situation. And the damage done can have even more severe ramifications.
As the world becomes ever more connected and new digital technologies such as AI and blockchain emerge, the cybersecurity threat mutates and grows. Cybersecurity practitioners need to match this threat every step of the way and use every tool at their disposal.
Binary District Journal spoke with Marco Essomba, founder and CEO of iCyber-Security Group, and Dr Tim Stevens, lecturer in Global Security at King’s College London, about the cybersecurity trends that businesses and consumers are likely to encounter over the next year.
Consumer Awareness is Heightened, but Not in Every Area
Thanks to the increasing global reach of digital connectivity, the potential for exploiting and compromising devices and user accounts is a longstanding issue that cybersecurity experts have to face. However, the obvious weak link in the chain – the user – isn’t necessarily as vulnerable as it may have been in previous years. Tim points out that the level of consumer awareness around cybersecurity is actually now very high.
“Post-Snowden heightened awareness about privacy and personal data protection, exacerbated by persistent data breaches and reports of cyber criminality and state-sponsored cyber operations is undoubtedly a good thing.”
“This is being driven by two main factors,” Tim explains. “One, post-Snowden heightened awareness about privacy and personal data protection, exacerbated by persistent data breaches and reports of cyber criminality.
“Two, the frequent headlines about state and state-sponsored cyber operations, particularly those that support wider strategies of misinformation and subversion. Increased awareness of these issues is undoubtedly a good thing, as are the plethora of schemes to support consumers in improving personal security and adopting safer online behaviours.”
The IoT Elephant in the Room
There is no shortage of consumer support schemes being offered by both the private and public sector. These are important to help educate the public about the diverse nature of cybersecurity and making simplest habitual changes.
However, this does not necessarily translate into private and public entities readily admitting to the existence of security issues within the technologies they’re invested in. Tim points out a potential correlation between the heightened awareness of data leaks and cybersecurity threats, and the concerted push for consumer adoption of hyperconnectivity.
“I think there is far less appreciation of why these issues are becoming increasingly salient. For instance, the level of public discussion around the negative aspects of hyperconnectivity is very poor. Neither governments nor firms seem prepared to challenge the prevailing view that more connectivity between users and platforms is necessarily a public good.”
“Neither governments nor firms seem prepared to challenge the prevailing view that more connectivity between users and platforms is necessarily a public good.”
Concerns surrounding the logistics of an IoT-connected world are shared by many in the cybersecurity field. Marco points out that security agencies at a national level are already putting in place procedures to cater for this technological shift.
“GCHQ said recently it was encouraging IoT providers to have a certain standard when it comes to security,” Marco says. “You have essentially 50 billion devices, that’s the estimation around the world, all of them have connectivity, they have software, they’re like mini systems and most of them have some sort of vulnerability. So if that's exploited en masse, that's gonna be a huge problem because we just brought a challenge at the enterprise level, we’ve now brought it into people's homes.”
Government agencies like GCHQ are now in a position where they must swiftly address the potential security issues with these devices, partly because of the scale and speed of their rollout in different markets around the world. The excitement around the potential of IoT has led to a frenzy of device manufacture, often without the necessary level of unified security infrastructure and protocols to cater for it.
“Greater thought should have been given to putting security ahead of profit governments are now engaged in damage limitation exercises for legacy systems, whilst attempting to promote best practices to manufacturers and distributors.”
“Given the demonstrable insecurity of many of these mass-produced devices, which are deployed in quantity and at scale, greater thought should have been given to putting security ahead of profit,” Tim says. “That boat, however, has sailed, and governments are now engaged in damage limitation exercises for legacy systems, whilst attempting to promote best practices to manufacturers and distributors.”
So Much to Do, so Few Experts
It is unsurprising that another of the current cybersecurity trends that Marco points out relates to the sheer scale of the industry.
“From what I've seen in a lot of companies, it’s a major challenge to deal with the amount of events and alerts,” Marco says. “A lot of companies are getting overwhelmed by the amount of alerts and threats that they are receiving because of the increased amount of attacks.”
An increase in the number of attacks does not necessarily correlate with an increase in the number of attackers. Because of the emerging nature of hyperconnectivity in the consumer market – especially with the onset of IoT devices – there is greatly increased potential for the formation of botnets and sophisticated networks utilising compromised systems. This could be either through direct system infection, or because of poor admin-level security relating to network connections and base passwords.
“A lot of companies are getting overwhelmed by the amount of alerts and threats that they are receiving because of the increased amount of attacks [and] we may well see IoT networks leveraged for nefarious purposes far more often before we see the situation improving.”
“We may well see IoT networks leveraged for nefarious purposes far more often before we see the situation improving,” Tim adds.
The potential scale of attacks stemming from corrupted IoT devices is difficult to predict. What is clear though is how stretched companies are already from existing cyberattacks – whatever their origins may be.
“That’s the frame of the challenge in terms of business,” Marco says, “but in terms of the technology, companies are using a lot of automation to try to keep up, simply because they cannot hire fast enough. So even if you had the money, you just haven't got the means to be able to hire experts because, very simply, there is quite a shortage in terms of experts.”
Working in cybersecurity today is more complex than just being able to fix systems corrupted by worms and trojan horses. As various digital technologies become further embedded into the fabric of public and private life, there is an emerging need for new classifications of cybersecurity experts.
“Cybersecurity [needs] people that understand the technologies but whose job it is to think through the social, economic and political aspects of cybersecurity, and develop effective and socially productive law, policy, regulation and strategy.”
“Yes, there are shortages in technically qualified people that can design, run and fix complex computer systems and networks,” Tim notes. “However, I would argue that the real dearth of experience and expertise is in the ‘soft’ side of cybersecurity: people that understand the technologies but whose job it is to think through the social, economic and political aspects of cybersecurity, and develop effective and socially productive law, policy, regulation and strategy.”
The Emergence of AI
The importance of AI is of great concern to the cybersecurity industry, and it is a debate that is starting to be heard in any business with digital infrastructure that requires safeguarding from attacks – be they brute force attempts, DDoS attacks, or other kinds of vulnerability exploits.
As Marco explained above, a lot of companies are facing such a large number of attacks. These are being forced to consider augmenting the more traditional human-led response with AI systems. But it is more than this.
“I think the impact will be great,” Marco says. “My experience working with clients is that they have no choice – a lot of our clients have to embrace this automated AI simply because with the rate of events and alerts, humans just can't keep up.
“Automation is going to play a significant role, because we get into some companies with 70% in efficiency in terms of the rate at which they are detecting attacks and defending. Having humans working at that level just isn’t practical, so I think it's going to be significant to the point even that we have a fully automated defense system – that's something that we're working on.”
“A lot of our clients have to embrace this automated AI simply because with the rate of events and alerts, humans just can't keep up to the point even that we have a fully automated defense system – that's something that we're working on.”
A crucial aspect of AI integration, not just in cybersecurity, is a sufficient level of human-led oversight from the very beginning. This may sound obvious, but in the hurry to adopt new technological advancements, it is easy to miss the dangerous complications that can arise out of a seemingly perfect machine-learning algorithm being produced with restrictive training data.
Marco describes the need for companies to embrace automation for their cybersecurity programs as they are faced with a growing volume of attacks that can’t be countered by a traditional workforce. The key issue is how well they embrace this change.
When asked about the potential role of AI platforms in cybersecurity, Tim explains that although he cannot speculate about the potential long-term impact of any certain technology, he does note the potential of AI – with an important caveat relating to the level of care taken by organisations seeking to utilise it.
“With good design, implementation and maintenance, coupled with organisational willingness to learn and adapt, these technologies can go a long way towards improving overall cybersecurity in the global information ecosystem,” Tim says.
An increase in the number of state-sponsored phishing and cyber attack stories in the media has heightened public awareness about state-level cybersecurity. But what of the state’s role?
“More worrying to me is the increased willingness of states and other actors to explore cyber means to subvert and degrade the networked assets of other states, including their critical infrastructures. This is potentially dangerous experimentation,” Tim says.
Understandably, these events are necessitating an equal state-level response. “At least in the West, the governments are equipping themselves for that ability,” Marco comments. However, as well documented as these state-level attacks have become, Marco points out that they have not replaced other areas of illegal digital activity as the main issue being combated across different industries, and by various public sector entities.
“State-sponsored [cybercrime] is definitely growing [in] Russia and China but cybercriminals – the criminal enterprises of making money – are still higher in terms of volume because it’s a fully-fledged enterprise.”
“Let me say that the state-sponsored aspect is definitely growing, and there are specific facts about Russia and China which are well-known and well-documented in terms of the ramp up of state-sponsored activities. But cybercriminals – the criminal enterprises of making money – are still higher in terms of volume because it’s a fully-fledged enterprise. The two are still at the top of the list, but at number one I’d probably put cybercrime as the leading factor in causing challenges in terms of volume.”
Ongoing State-Level Policies
Tim identifies another trend of particular interest to him – one that is long established, relating to the connected responses of officials to state-level cybersecurity issues.
“The high degree of bipartisan political agreement on cybersecurity issues often doesn’t translate into effective policy and legislation.”
“A long-standing question in cybersecurity that continues to intrigue me is the high degree of bipartisan political agreement,” he says. “This often doesn’t translate into effective policy and legislation, of course, but speaking as a political scientist, whenever we see politicians agreeing on a policy issue, there is usually more going on beneath the surface.”
Educating the Next Generation
Both Marco and Tim agree that a basic grounding in rudimentary cybersecurity behaviours is an important aspect of modern life to include in school curriculums around the world. These are, in many places, an ongoing trend: “These are not new – I was a beneficiary of such schemes in the 1980s!” Tim says.
“Basic grounding in rudimentary cybersecurity behaviours is an important aspect of modern life to include in school curriculums around the world.”
There is the opinion, though, that an increased awareness of cybersecurity risks in the public consciousness has led to an oversaturation of cautionary advice directed towards children.
“People young and old should be encouraged to navigate online environments in possession of sufficient tools and knowledge to keep them safe and alert,” Tim says. “What has happened is that personal safety and cybersecurity are bleeding into one another and I am a little concerned that pushing ‘security’ down to children is neither ethical nor desirable.”
The trend of children being more tech-savvy than their parents is not likely to stop, especially given the continued rapid onset of new technologies. Whether or not the younger generation is equally savvy in their cybersecurity behaviours is another matter though, given the enterprise-level threats and responses that filter down to the consumer level of the market. Should it be left up to children to know the best cybersecurity practices? “It’s not their job,” Tim says, “it’s ours.”
There is one key weakness in all cybersecurity protocols, one factor that pervades almost every data breach, hacked email or phishing attempt: people. Machines are built to be infallible, but put a human being in control of choosing the password for an entire company’s data store and there is no guarantee they won’t simply choose ‘p4ssw0rd’ or even a1b2c3d4e5.
This is why it’s imperative that governments across the world introduce cybersecurity training into schools. Not only will the addition - which is being trialled the world over in a variety of different forms - save companies and government organisations a lot of stress, it will also protect those using the services. Think of it less as an intensive cybersecurity course and more as teaching children good ‘cyber hygiene’ as they learn to use digital products.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]