19 July 2019
Econ 4.0: How hyper is your cyber?
Here is a timeless tech tale: A doctor, an engineer and a software programmer are arguing about which is the oldest profession on earth.
“Medicine was the first,” says the doctor. “According to Christian philosophy, God pulled a rib from Adam and created Eve. This proves genetics and surgery was the first profession on earth.” The engineer is enraged. “You’re missing the point,” he says. “Before God created Adam and Eve, he built the heavens and the earth from chaos. That proves civil engineering is the oldest profession in the world.”
The software programmer raises an eyebrow. “And who do you think created chaos?”
If you are not laughing at that joke, you have probably been a victim of a cyberattack, whether from an online virus, malware or a hacker. Board members now consider cyber-risk to be the biggest threat to their business. According to a recent McKinsey survey, 75% of experts consider cyber security to be a top priority. That is true even of industries like banking and automotive, which one might think would be preoccupied with other enormous risks that have emerged in recent years.
“While awareness is building, so is confusion,” a McKinsey study reports. “Executives are overwhelmed by the challenge. Only 16% say their companies are well prepared to deal with cyber-risk. The threat is only getting worse, as growth in most industries depends on new technologies, such as AI (artificial intelligence), advanced analytics and IoT (Internet of Things). This will bring all kinds of benefits, but also expose companies and their customers to new kinds of cyber-risk.”
The problem? Mismatched priorities. McKinsey cites the case of a global insurance company that budgeted US$70 million (RM290 million) for a comprehensive cyber security programme. One year later, only a fraction of the planned measures had been implemented. Why?
“Business units put pressure on the IT department to prioritise changes they favoured, such as a sales campaign and some new reports, at the expense of security measures, such as email encryption and multi-factor authentication,” McKinsey says. “The business units also took issue with the restrictions that came with cyber security measures, such as the extra effort that went into data-loss prevention and limitations on the use of third-party vendors in critical areas.”
Late last month, I attended CyberWeek in Tel Aviv, one of the top global conferences on cyber security, which attracted 8,500 participants from 80 countries. The diagnosis of the current state of cyber-readiness? Gloomy.
Check Point Research said it found 16,555 vulnerabilities that could impact enterprise servers, storage and networks last year, compared with 6,447 in 2016. As for mobile applications, there were 736 vulnerabilities discovered last year that could harm Android and Apple devices. The numbers this year could be exponentially higher.
“In the late-1980s, the common attacks were against PCs and the most effective solution was to install an anti-virus software,” says Gil Shwed, founder-CEO of Check Point Software. “In the mid-1990s, as the Internet boomed, so did attacks on corporate networks. The ideal solution then was to install firewalls to keep out suspicious traffic. From the early 2000s, complex applications were being installed by companies to cater to people on the move, using either laptops or mobile devices. The security solution that helped to an extent was installing the Intrusion Prevention Systems.”
What is the current status of global corporate cyber-health? “With the proliferation of IoT and intuitive applications, the attacks have become polymorphic,” Shwed notes. “Polymorphic malware constantly changes its identifiable features in order to evade detection. They can mutate to handle complex scenarios. The only possible solution? Use AI and behavioural analysis to try to counter it.”
The big concern? Nation-states carrying out targeted attacks against other countries or even conglomerates. Cyber security company Cybereason recently unveiled results from its Nocturnus team’s “Operation Soft Cell” investigation into the hacking of several global telecommunications companies, leading to espionage and a web of theft targeting specific individuals on different continents likely working in government, law enforcement and politics.
“Operation Soft Cell was a global, nation state-backed operation against multiple cellular providers that has been underway for years,” says Lior Div, Cybereason’s co-founder and CEO. “With this campaign, attackers took over the telco’s IT network and were able to customise the IT infrastructure for their convenience, complete with their own VPN (Virtual Private Network) inside of the network.”
Asia and Malaysia
Such concerted attacks are a huge risk to enterprises and government agencies — and a big opportunity for cyber security vendors. Companies in both the private and public sectors are therefore set to spend a whopping US$16 billion on security-related hardware, software and services this year, up 20% over 2018, says market intelligence firm IDC. This rate of annual growth will continue until 2022, by which time, security spend will cross US$28 billion.
“The Asia-Pacific region outside of Japan recognises that breaches, hacks and legislation is crucial,” says Simon Piff, IDC’s vice-president for security and blockchain research for Asia-Pacific. “For too long, business leaders were under-investing in this category. We see this changing lately — but a bit late — to be able to find the needed skills in the market and hence, the incremental growth expected in the services segment. Governments prioritising this as part of their agenda is good, but it could also be backed by better legislation in many markets.”
The biggest spenders? Banks. They are collectively set to almost double their investments in cyber security solutions — from US$2.4 billion in 2019, to US$4.2 billion by 2022. “We have observed that industries such as state governments, resource-based industries, utilities, telecom and transportation may see the fastest growth in security spend,” notes Swati Chaturvedi, IDC’s senior market analyst for Asia-Pacific. “Governments and critical infrastructural agencies alike will be putting in extra effort and investment in the right security solutions to preserve data integrity and maintain strategic relevance.”
The moot sectors? High-impact, high-value services in a country, usually called CNII (critical national information infrastructure). Each country defines its CNII differently. Malaysia has listed 10 sectors under CNII: banking and finance; energy; emergency services; food and agriculture; government services; health services; information and communications; national defence and security; transportation; and water.
Malaysia set up its National Cyber Security Agency (NACSA) in February 2017 to secure and strengthen the country’s resilience to face cyberattacks. The agency coordinates the nation’s experts and resources in cyber security. It also publishes the latest threats and vulnerabilities to help Malaysia-based businesses keep updated on how to find and resolve them.
Security is one side of the coin, the other is privacy, and they need to be balanced, especially with new technologies such as AI, ML (machine learning) and BDA (big data analytics) that can diagnose, monitor and/or prevent the abuse of privacy and security.
But not all BDA is detrimental, and not all data captured is harmful. For example, if there is a major fire in a specific locality in Kuala Lumpur where many people can potentially be trapped, LBS (location-based services) and identification of people to alert them via social media could potentially save thousands of lives.
The same goes for infectious disease prediction and management, and for tracking criminal activities. So the key is not to enhance privacy for its own sake, but to ensure that the “actionable intelligence” is not being abused — nor any legal regulations breached — for commercial gain.
Here is an example of AI even saving lives: In 2016, AI engineers at the Houston Methodist Research Institute developed software that could accurately diagnose a patient’s breast cancer 30 times faster than doctors could. When fed mammogram results and medical histories of 500 patients, the software diagnosed breast cancer with 99% accuracy, according to an IEEE (Institute of Electrical and Electronics Engineers) report. The software also produced fewer false positives than doctors did.
Another example? More than 20 million people each year are sold worldwide into prostitution, according to a Fortune article. “Researchers at the University of California, Berkeley, have developed AI tools to identify sex-trafficking rings, making the leaders easier to target and prosecute.”
The US has taken the lead in this space. On Aug 1 2018, the Senate introduced a bill that would set baseline security standards for the US government’s purchase and use of a broad range of IoT devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyberattacks in 2017 that were fuelled for the most part by poorly secured IoT devices.
The IoT Cybersecurity Improvement Act of 2017 uses the US government’s buying power to signal the basic level of security that IoT devices sold to government agencies need to have. For example, the bill requires vendors of IoT devices purchased by the federal government to ensure that the devices can be patched when security updates are available. The devices should not use hard-coded (unchangeable) passwords and vendors should ensure that the devices are free from known vulnerabilities when sold.
The bottom line: Should you be hyper about cyber? Yes, especially if you are offering public services. “Government agencies are prime targets for attackers looking to exploit credentials and knock out weapons systems, shut down critical infrastructure or infiltrate data stores with sensitive information,” says Udi Mokady, founder, chairman and CEO of Nasdaq-listed CyberArk. “Restricted access and privileges could be a possible solution.”
CyberArk was named a leader in the Gartner Magic Quadrant last year for “privileged access management”, for both execution and vision. Its solution helps eliminate cyber threats by identifying existing accounts across networks, locking them down, and detecting and isolating anomalous behaviour to stop attacks.
Three other ways to protect your enterprise? One, restructure the firm’s IT by assessing every application for its ability to detect, report and isolate malware. Two, look for solutions that integrate multiple vectors, such as firewalls, spyware, malware, hacking attacks and bots, since no vendor has solutions that cover all aspects of cyber security. And three, implement zero tolerance policies for staff and suppliers who flout security regulations.