Organisations should consider state-sponsored attacks as a possibility in their risk assessments
The world is changing, and with it so is the internet. Or perhaps it’s the other way around. The internet continues to create new business and social opportunities that massively scale and widely interconnect. The increasing depth and volume of personal and corporate data make it a more rewarding target for cyber crooks and state-sponsored espionage or sabotage. At the same time, greater connectivity provides more potential attack vectors.
This makes industry, governments and individuals uneasy and unsure how to prepare. Predicting the exact nature of future threats and how to combat them is difficult, but a new study from The Internet Society (ISOC) offers credible insight. ISOC was founded by internet pioneers Vint Cerf and Bob Kahn in 1992 “to promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world.”
This week, ISOC released its Paths to our Digital Future report, which sheds light on how the development of the internet might continue to service everyone.
The report is the result of surveys, phone interviews and roundtables conducted in 2016 with more than 3,000 ISOC members and partners, outside experts, and users in both the private and public sectors. It focuses on six “drivers of change” that will impact the internet in the coming years: the internet and the physical world; artificial intelligence; cyber threats; the internet economy; networks, standards, and interoperability; and the role of government. Although only one of the drivers targets cyber security, findings in all areas have a direct or indirect impact on it.
The report reflects respondents’ questions and concerns relevant to the future of the internet as an economic driver and social medium. A central theme is that for the internet to continue to be successful in both areas, it must be trusted, safe, and easy to use. Below are a few of the security-relevant issues the report raises.
What effect will government action (or inaction) have on cyber security?
Respondents expect legacy governmental and regulatory policies will continue to be counterproductive. Technologies such as artificial intelligence (AI), internet of things (IoT) and blockchain—all of which play significantly in the cyber security space—will further stress policy frameworks. “Neither government nor the private sector can deal with the scope and scale of cyber threats alone. It will require collaboration,” says Constance Bommelaer, senior director, global internet policy at ISOC.
Bommelaer says that many people expressed concern that governments make take actions that undermine cyber security. “Governmental interest in national security will continue to manifest in regulatory actions, which inevitably compromise personal privacy and security,” said one participant in the study.
“Policymaking that is reactive and not long term may fragment the internet along nation-state boundaries and also undermine human rights,” says Bommelaer. "Technically, this fragmentation will happen if governments try to limit the ability of the system to fully interoperate and exchange data packets in an end-to-end way — undermining one of its fundamental properties, and keys to its success. We see a worrying trend in this direction in some parts of the world that prioritize short-term national interests — sometimes referred to as ‘cyber sovereignty’ — over longer-term interests and shared responsibility.”
Some government actions might prove to be positive. “There is also a scenario where, for example, data protection laws, liability, and consumer protection laws are supportive of cyber security strategies, and where governments promote and enable the most efficient solutions,” says Bommelaer.
Another trend that alarmed participants in the report is the rise of state-sponsored cyber attacks as the internet is becoming increasingly intertwined with national security. “[An] uncertain prospect is the use of cyber arms and cyberwars to achieve political gains between major powers. This is already happening but it is uncertain whether it will lead to major disruptions to the network and perhaps reduce confidence by internet users in it,” said one participant in the study.
“Society is becoming increasingly dependent on the internet, in anything from political processes to our economies, and this makes cyber attacks an attractive means for malicious actors — including state sponsored attacks,” says Bommelaer.
With no political solution apparent, Bommelaer cites the need for international norms to help control this type of state behavior. “Organisations should consider state-sponsored attacks as a possibility in their risk assessments. Understanding what assets, whether in terms of data or infrastructure, that might be a target for politically motivated attackers needs to be considered,” she says.
Not a time for complacency in the security space! https://t.co/cVKAGEozMN— School Info Mgmt VUW (@imVICnz) September 20, 2017
The rise of cyber security haves and have-nots
As cyber security risk and complexity increase, so do the resources needed to respond to them. Some study participants see this creating “security divides” where some entities won’t be capable of dealing properly with threats. This is expected to occur among nations, individuals in society, and businesses.
“One of the most alarming issues we see in this report is the risk of an emerging security divide – both within and between societies,” says Bommelaer. “This security divide can play out at the individual user level, with some users having the skills and resources to protect their data, but it can also become a divide at the organisational level where new businesses from developing countries are at a disadvantage due to security.”
While an organisation may have adequate skills and resources, its partners and providers may not, and that will create vulnerabilities. “It may be the ecosystem of banking services that your business depend on, your ISP, or the legal framework in your country that puts your business at a security disadvantage,” says Bommelaer, who adds that collaboration among all the actors within an ecosystem is required to promote security.
How will the IoT impact organisations?
Study participants expect what Bommelaer characterized as “an explosion” of new devices connected to the internet. This suggests that the range of attack vectors and vulnerabilities will increase. “This will not only increase the risk of attacks, but potentially also the severity of the attacks as they connect to the physical world,” says Bommelaer.
That risk is compounded by the nature of businesses adopting IoT technology. “We will also see a range of new or traditional business entering the digital world, some of which might lack the experience, awareness and skills to effectively secure their devices,” says Bommelaer, adding that ISOC encourages organisations to adopt the Online Trust Alliance’s (OTA’s) IoT Security Framework. It provides best practices and security principles to guide the deployment of IoT.
Will securing the internet make it harder to use?
Again, the report emphasizes that the internet must remain safe and easy to use. Users today complain about some basic security measures such as two-factor authentication, so it’s reasonable to question whether future security measures will discourage users. “There’s lots of talk surrounding security and encryption, but users aren’t willing to use anything that’s even slightly inconvenient. I suspect in five years we’ll still be talking about how important security is, and things will be even more insecure,” said one participant in the study.
Bommelaer says that doesn’t need to be the case if organisations focus on security awareness and take a solution focused approach. “The biggest concern we see today is a lack of security, which translates into undermining trust in the internet. Users and businesses need to feel confident that the integrity of their data is protected, and a trend towards increasing attacks against the network and its services is likely to undermine this confidence and trust. The key here is risk management, and to minimize the risks through better security practices and at the same time strive to optimize the benefits inherent to the internet’s open and global nature. Collaborative security is key to efficiently minimize that risk.”
Meeting future security challenges
If there is a cyber security lesson in the findings of the ISOC report, it’s that organisations need to review and rethink how they conduct business and protect their assets and data. “The underlying issue is that many businesses’ first priority is to collect data, not secure it,” says Bommelaer. “Lack of end-to-end encryption, and as in some cases neglecting to encrypt stored data, are just some of the factors that exacerbate the problem, and the impact of a data breach on the users.”
Although report participants expect investments in cyber security to rise, Bommelaer believes money alone is not the answer. “The biggest hurdle is not necessarily money, but security awareness and security as a priority. The OTA did a report two years ago that showed that over 90 percent of the breaches they studied could have been prevented, and that 29 percent of those were actually caused by employees—accidentally or maliciously—due to a lack of internal controls."
Collaboration and communication are also critically important. “Underpinning all of these issues is the challenge for many industries, and other stakeholders, in considering the need for collaboration in cyber security,” says Bommelaer. “The internet is a highly interdependent system, and no single actor can adopt a fix-all solution. It will require collaboration among vendors and manufacturers to ensure that devices are secured by design, and that users can interact with the device to confirm or perform updates, make configuration changes, and so on.”
The study’s findings also reinforce the notion that security needs to be embraced from top to bottom within an organisation, especially those who collect the personal data of individuals. There is growing sentiment that organisations need to do more to protect personal data and take more responsibility when there is a breach. “Organisations that handle private data need to clarify their accountability and have full transparency on how date is handled. If there is a breach, the weight should be on the shoulders of those handle the data,” says Bommelaer.
This article was originally published in CSO.
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.