As the digital economy grows, so too does the need for sufficient security to safeguard its operations and its user base. The very nature of such an economy is one of global reach, and the safeguards put in place need to span continents and their respective jurisdictions. Forming unified data-security protocols can become more complex when dealing with respective countries’ own legal frameworks, but also their differing cultures.
For every innovation that is pioneered, new security concerns are clearly going to follow. This is not to paint a picture of the malevolence of mankind, but merely to reflect the reality of vulnerabilities being a natural accompaniment to virtually any system or process.
The issues of data security are a key concern for world leaders, and with the ever-increasing propagation of products and services that utilise user data in large quantities, the need to protect said data is key.
At the Binary District ‘Data security in digital economies’ event in Moscow on August 30th, a panel of leading cybersecurity experts shared their insights into the latest solutions, and what needs to be done further down the line.
The Scare Tactics of Cybersecurity
Marco Gercke, Director of the Cybercrime Research Institute in Cologne, was quick to point out the adverse effect of the discussion more usually had about cybersecurity at conferences:
“I guess a lot of people will have the expectation that when we're speaking about cybersecurity, we should first of all talk about how bad things are – that it’s getting worse every day, there are more threats, the damage is increasing, the capacity of offenders is increasing – and this is usually what you hear at conferences.
“I believe the security industry did themselves no favors by using the approach of scaring people and telling them how bad things are.”
Gercke noted that this is a common mistake, and that it paints the state of the digital economy as far more volatile and vulnerable than it actually deserves. Instead, he believes companies and governments should be focused on key areas of development – namely, quantum computing.
This is an area that he thinks will likely have a massive effect on the state of cybersecurity in the future. Developing security protocols and infrastructure demands a great deal of raw computing power, and Gercke claims that quantum computing will be able to supply it down the line.
When it comes to the public sector, though, there is work still to be done: “When governments approach me, they say, ‘How can we find out if we’re ready for the new digital economy?’ And I ask them, ‘What's your quantum-computing strategy?’ But a lot of them are looking at me blankly and saying, ‘What do you mean by quantum-computing strategy?’”
Hacking the Mind
This is not to say that quantum computing should be viewed as some miraculous cure-all for the various matters of cybersecurity. As it stands, there are other forms of digital attack that rely far less on raw processing power, and prey more on the intricacies of human behaviour and our interaction with the digital sphere.
A key area of concern, Gercke said, is the spread of what he calls ‘micro-manipulations’. These don’t focus on exploiting weaknesses in code, but rather in people’s brains. A form of social engineering, micro-manipulations are a way of influencing people in ways they may not even realise.
Using the example of fake news in the 2016 US elections, Gercke pointed out that dedicated hackers can potentially influence user behaviour by recognising what actions or materials affect a person’s mood, for instance. The increasing ability of sensors to detect elevated stress in voices or facial motions may be one avenue that they will use to target the human aspect of the digital economy, rather than the machine.
Other experts share this concern. Yury Namestnikov, Head of the Global Research & Analysis Team, Russia, at Kaspersky Lab, said, “We kind of know what to do with cyber espionage and informational leaks, but with the manipulation of public opinion, as an industry, we don't know what to do, really.”
The People Problem
The reality is, computers and digital infrastructure are not the core problem. “We know that one of the weakest points these days is the person sitting in front of the computer system, as he or she is making mistakes,” said Gercke.
His fellow experts on the panel at the event agreed. However, that is not to say the user is viewed as a hopeless entity doomed to repeat his/her mistakes – Gercke believes education is key in addressing the human weak point in data security.
Vasiliy Lukinykh, Head of the Strategic Development Division of Rostelecom-Solar, concurred: “Security needs hands and eyes,” he said. “Your most important assets are the people, like your employees, who will ensure your security.”
What it comes down to is establishing a code of practice among users that takes into account basic security common sense. The ease of connection to both business and entertainment resources online through an ever-increasing selection of daily-use devices such as smartphones is a boon for convenience and multitasking, but brings with it a blurring of security lines.
Lukinykh pointed out that users need to be aware that mixing password-sensitive financial transactions with illegal downloading is unwise, with this message needing to be relayed to the younger generation in particular:
“You cannot access your bank account with the phone you are downloading torrents. Don't enter your bank plan from the computer you're playing video games on. And please explain this to your children.”
Mariya Voronova, Director of Consulting and a leading expert on information security at InfoWatch Group, agreed that security breaches and hacks often result not from a pre-planned, dedicated effort to compromise a system, but from a chain of wrong decisions. Careless uploading of data to social media, or taking sensitive data from the office to continue working on it at home, are just two examples she gave, neither involving any malicious intent on the part of the user.
Tackling this issue must be a joint effort by employees and their employers, in her view. “This is the responsibility of your cybersecurity or IT department,” she said, “but also an individual responsibility. You have to think who you are sending this data to, or where you are planning to upload it, and to try to minimise your stupidity.”
The People Solution
But data security in the digital economy is not affected just by careless users or proactive hackers. There are subsets of technology’s user bases that play an important role in the development of security infrastructure and procedures. Keren Elazari, author and Senior Researcher with the Blavatnik Interdisciplinary Cyber Research Centre, used Barnaby Jack as an example of the benefits of ethical hacker intervention.
Jack was a security expert and programmer who achieved worldwide fame in the technology industries for hacking ATM machines, making them dispense money for free. He then went on to research vulnerabilities in medical equipment, and ended up hacking motorised insulin pumps.
“I believe we're going to need more accidental heroes like him – people not necessarily with a traditional background or a traditional education, but who are curious enough to go down that rabbit hole. Cybersecurity is not about the secrets or about data theft anymore – I believe it's about a way of life,” Elazari argued.
Private companies can also have a part to play in this ethical hacking model. Elazari uses the example of ‘bug bounty’ programs – deals offered by software developers and companies that offer recognition and even reward to individuals who discover bugs and vulnerabilities in proprietary systems and report them. Mastercard and Uber are two examples of companies that have participated in such schemes.
Broadening the scope of user participation in data security may not be enough in and of itself, though. Elazari noted that recent studies have shown that the world realistically requires at least a million more digital security experts than currently exist in the market.
The Role of Governments
Because of the rapid development of technology, and its reach into areas of society that may not originally have been intended or foreseen, the matter of legislating for this is a complex issue. There are some who believe governments are too slow to develop legal frameworks for new technologies, while others comment on the over-regulation of the digital economy.
Eduard Fosch Villaronga from the Microsoft Cloud Computing Research Centre and the Centre for Commercial Law Studies (CCLS) at Queen Mary University of London, noted that there are pitfalls for introducing legislation both early on and at a further developed stage of a technology’s lifecycle.
He explained that, “In the early stage of a technology, developing a hard law might lead to over-regulation because we don’t really know what the impacts or the risks are of this technology. Then, at a much more mature stage of its development, applying non-binding guidelines might lead to an under-regulation scenario. This is called the Collingridge dilemma.”
Dmitry Samartsev, CEO of BI.ZONE, went further, saying, “Unfortunately, at an international level, lawmakers don't understand anything in technology.” This is not simply an issue of leaders who are behind the times; Samartsev believes there is a far deeper problem, both at a national and international level, relating to the lack of cooperation and collaboration between governments around the world.
He refers to the building of ‘digital walls’ that are preventing global unity for the digital economy. “We have political turbulence – countries are not talking to each other, they are not exchanging information between each other, and they're trying to put in obstacles for each other,” he said. “This geopolitical turbulence is assisting cyber criminals.”
Samartsev called for greater openness between nations, with the concept of automatic data exchange in matters relating to security being an important first step. “There will be a new digital economy,” he stated, “and if we follow today’s trajectory, maybe in 70 or 80 years we will participate in a Mad Max film rather than a Star Trek movie.”
However, not everyone on the panel agreed with Samartsev’s call for closer cooperation between governments. Keren Elazari commented that it is important to remember the differences that exist between nations, and while she agreed that more cohesive cybersecurity is needed, she was pessimistic that it can be achieved through increased international cooperation.
Marco Gercke added that the concept of efficient cooperation is a difficult one to quickly adopt, commenting that there aren’t “globally applicable similar rules when it comes to the legal framework”.
There is also a case to be made for increasing transparency in the digital sphere. As stated previously, the general citizen user base of technologies has an important part to play in the formation and maintenance of a digital security roadmap.
“I think we can make our industry more transparent,” said Yury Namestnikov. “We can give ordinary people access to the ways we process data so they can understand what happens. GDPR is the first such step.”
Building a Workable and Scalable Data Security Plan
Deciding on a course of action for enhancing data security is clearly a complex matter. When regulations have to transcend borders and cultures with an historic lack of cooperation already in place, the prospect of a harmonious infrastructure of data-sharing and safeguarding can seem fairly distant. It is important not to forget the immediate incentives to persevere with the securing of the digital economy, however – Dmitry Samartsev references Royal Economic Forum statistics, with cybercrime costing economies around the world billions of dollars.
Vast sums are being lost because of the fluid state of the digital economy, and the threats to it. As technological adoption progresses, it is increasingly not a case of stolen passwords or corrupted data, but the overriding and interconnected impact that these problems have on the digital economy as a whole.
“The future of cybersecurity is not about theft of information or secrets,” concluded Keren Elazari. “It's also about disruption of digital access, and I really think this is something we need to prepare for now.”
Not everyone takes cybersecurity seriously. In May 2011, Fox.com was subject to an attack from Lulzsec - a portmanteau of internet slang Lulz (laughter) and Sec (security) - a group formed in the chatrooms of hacking group Anonymous. The reason? An objection to Fox calling rapper Common ‘vile’ on air.
The group hacked the FBI, Scotland Yard, Sony, News International, as well as the CIA, laughing all the way. The motto of the group was “Laughing at your security since 2011!”. Many posit that the group exists to make others aware of poor cybersecurity in their organisations. Others think it was all just one big laugh.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]