Dublin 2050: Experts Discuss the Future of Cybersecurity
A smart city, automated cars, transhumans. What kind of technology do we expect to see in the Dublin of 2050?
Thirty years may be a short time to develop vital infrastructure, but it’s a lifetime in cyberspace. “In the cyber world, 2050 is ten to nine tonight,” said Dublin Chamber director Aebhric McGibney in his introduction to the latest event in the Chamber’s Dublin 2050 series.
We are racing at intimidating speed into uncharted territory. It’s an exhilarating ride, throwing up plenty of opportunities, but it also poses many dangers. At last Thursday’s event at the Westbury Hotel, expert speakers Michael Gubbins, head of the Garda Cyber Crime Bureau, and Paul C Dwyer, president of the International Cyber Threat Task Force, provided some fascinating insights.
Tony O’Malley, CEO of series sponsor Fujitsu Ireland, said recent technological advances had unlocked huge potential: the move from basic internet to mobile services, wearable devices, smart cars and the current transition into robotics, AI and automation. However, these exciting developments come with a rider: the more we move into a digital world, the more value resides there, and the more motivation there is for criminal activity. “We’re at a bit of a crossroads,” he said. “Are security concerns now the greatest barrier to technological advancement?”
“We’ve done a deal with the devil,” said Dwyer. “We want all of the data, anytime, anywhere, on any device, and now we’re going to pay a price … People want to create new business models, new customer models and so on but the trade-off is security.”
Who might attack you and why? It can be criminals after your money or, what’s far more valuable, information. It can be ideologically motivated hacktivists trying to cripple your system. It can even be nation states spying on your business methods as a part of an ongoing political battle for economic advantage.
In some instances, it’s the same old story. Old crimes, new tools. “There will always be fraud, just different ways of doing it,” said Gubbins. “Years ago, criminals used the phones and faxes. That was new technology at the time. They’re using emails now. But they’re still socially engineering people … I don’t think that is going to change.” Likewise, bitcoin is just another form of currency to forge.
A moving target
However, there are also fundamental differences. “In the physical world if your laptop is stolen, you’ll notice it’s gone,” said Dwyer. “The Garda will investigate, someone may see the thief and they’ll end up in court. In the cyberworld, if somebody steals from you, you may not even notice because they will copy your data.” [You can have an intruder hopping in and out of your system for a year or more without your knowing, siphoning off information or biding their time until they decide to make a crippling attack.]
Also, perpetrators are far more elusive, based in any location, hiding behind sophisticated encryption software: “Imagine you’re a victim of cybercrime here: but actually your servers are somewhere else, and the IP address for that attack came from another country; and if it’s a DDoS or ransomware and you’ve paid up, the funds went somewhere else… we’ve only got a small bit of the picture,” said Gubbins.
What can go wrong?
Apart from ransomware, you can have invoice redirection, or a distributed denial of service (DDoS). “It’s not pleasant to come in some morning to find out none of your customers can come online to you. You can’t carry out your business; you’re dead in the water. Why? Because maybe you didn’t invest that few bob in putting a mitigation service in place.”
Data breaches can crush a company’s reputation overnight. If there is an incident, “It’s going to get out there faster than you’d think because people talk; they’re going to go and put it on boards or Twitter: ‘can’t get through to X, something’s happened there’.”
Ironically the problem is directly linked to the success of our technology, its popularity. Gubbins pointed to the plethora of mobile devices we use, the multiple users of common networks, open wifi services. “Your surface area for attack has just gotten bigger and bigger.”
“We don’t have a ‘lean process’ in relation to data: we love creating it, storing it, keeping it… Irish people used to be very good at minding their own business, but now we like to tell everybody where we are, what we’re doing.”
This greed for data, combined with our lax attitude to sharing information about ourselves, reusing passwords and so on, is like leaving a full wallet hanging out of your back pocket. “Data is the new cash,” said Dwyer. “Data you can sell many, many times.”
“Everything has a value. It’s not just your credit card details. It’s you, your personage,” said Gubbins. “Look at Equifax: 140-odd million people’s data accessed. No cash but their details are all in there; all that has huge value.”
Businesses need to understand their responsibilities to employees, customers, clients – even the general public. “You’ve occupiers’ liability if someone comes in off the street. It’s the same on your website: is the security up to date? Is it hosting malware, harvesting credentials?”
“Criminals are essentially entrepreneurs,” said Dwyer. “They will look at what’s involved in a scam, a project, an effort, and if they’re not going to get the return they move on; it’s a numbers game.”
However, it is not always as simple as this. More and more attacks are orchestrated by nation states colluding with criminals to spy on each other, often for economic gain. Advanced persistent threats (APTs) are generally caused by “a nation state of some kind that wants all of your industry information and you happen to fall in their crosshairs because you’re in that industry … Why spend billions on research and development when you can just work out how somebody has done it and how the business operates?”
And there are other motivations: “WannaCry was not a criminal act. It was an act of warfare, because it was an act of disruption; it was not about money. … It was within 24 hours of Mr Trump releasing his executive order on cyber security; it was a fortunate distraction from what was going on with Russia because now they could blame North Korea. So there are geopolitical aspects to a lot of these things.”
What we see of the internet is only the tip of the iceberg. The rest is what’s known as the deep web, part of which is the darknet. On the darknet criminals offer a priced list of services, from assassinations to accessing drugs. “You can’t ignore any of this because the guy who is hacking into your network is probably involved in some or all of these things: warfare, espionage, and straightforward cybercrime. These guys work together; they collude, they share information…”
So what can you do?
“Learn from the bad guys,” said Dwyer. “Share information, collaborate, train; help each other.”
“You’re going to have to come out from behind the moat and the wall and go if ‘I was a criminal what would I do?’ Start thinking of security by design,” said Gubbins. Build your defences, but always have a plan to respond rapidly to any incidents – the quicker you deal with them, the less damage that’s done.
The only way society will beat cybercrime, he said, is through cooperation between “the three pillars” of law enforcement, industry and academia, at home and abroad. It’s a similar concept to community watch; to have each other’s back. He urged businesses to report incidents to the Garda. We need to get used to sharing information, because that’s exactly what the criminals do.
The human interface
Spear phishing is still the number one form of infection. At work people think their emails are safe. But firewalls and other security systems won’t catch everything. The criminals know that, so they play the percentage game: even if only 1% of 1% gets through, they’re going to make money. So create a culture of awareness within your company: monitor, educate, train your employees.
Nation state attacks also use spear phishing. It’s no problem to create the malware, but how do they get it on your system? Through people in your organisation – either malicious insiders, or innocent conduits unaware of the damage they are doing. “And that’s not going to change in 2050. It’s still going to be the human interface; the human being is either going to be a liability or your best opportunity: you decide.”
The good news, said Dwyer, is that most threats can be dealt with through basic cyber hygiene. “Anti-malware, patch your systems, strong passwords; that’s going to stop most of the threats that are hyped up out there. WannaCry would have been prevented through such things.”
The cyber threat is not the end of the world, said Dwyer. It’s just another business challenge. “Business people every day manage risk. It’s no different in relation to cyber. The answer lies in leadership.” And of course, there are all those opportunities to pursue.
“You look at financial services sector where they’re saying how can we use AI to improve our service, how can we use blockchain…machine learning, automation etc. That’s the entrepreneurial challenge, to embrace all of that but make sure that it’s wrapped up with cyber security.”
Investing in cyber security will also give companies a competitive edge. “If your company keeps getting hit, what’s going to happen? People are going to go somewhere else, they’re going to lose faith in you.”
The trick is to stir it in as a fundamental element in your company, rather than tack it on later. “It’s far, far more expensive to retrofit cybersecurity.” It’s not the icing on the cake, but a basic ingredient. “Bake it in, don’t add it on.”