Matthias Gruber

Cyber Security – the underlying Problem

The tools and practice of cybersecurity are the defining architecture of enabling business continuity in the digital age. Emerging from the domains of information security and electronic warfare, cybersecurity today embodies technology, tactics and standards that remain strongly associated with IT.

The world’s first publicised CISO was appointed in 1995; since 2009, Chief Information Security Officers have risen to become a fixed feature of companies in every sector. The critical role of cyberspace in the global economy was illustrated by the 2017 ransomware attacks that temporarily disabled logistics firms and utility services. Estimates by global insurers place the potential losses from a single attack on a leading cloud service provider at €43 billion.

Cybersecurity is a €100 billion global business, driven by increasingly sophisticated threats across an ever-expanding attack surface: by 2017, 600 million malware variants had been identified. The advent of the Internet of Things (IoT), connected Industrial Control Systems, digital finance and the mobile workforce has created a deep marketplace for cybercriminals to exploit. Delays in threat detection and remediation augment the impact of a single breach, while poor security auditing of third-party providers extends the attack surface well beyond the organisation. An international menace, cyber criminals exploit differences in the capacity and authority of companies and governments to respond. Current estimates suggest that cybercrime costs the global economy approximately €485 billion.

In this fast-moving industry, the technologies and tactics are personality-led among innovative companies, rather than government R&D; the global cybercrime business is similarly sophisticated, using many of the tools and tactics employed by nation states and corporations. International alliances and shared threat intelligence, e.g. in financial services and in the Internet of Things (IoT), have emerged only in the past five years. The tools and tactics that enable cyber attacks are also part of today’s cyber defence; among them, deception, encryption and Artificial Intelligence are likely to feature prominently in 2018 and beyond.

Cyberspace and the cybersecurity industry can today be viewed as transposing to the digital realm the familiar geopolitical threats and business risks that are well known in the physical world, with similar consequences for global trade and risk management. The cyber threat landscape is evolving faster than most organisations can adapt to; therefore, the strategy is containment and resilience, rather than total threat elimination.

In evaluating their cyber risk posture, companies typically assess (i) their valuable assets and knowledge; (ii) vulnerable endpoints, assets and people; (iii) costs and insurance liability; (iv) in-house knowledge and skills that can be readily applied to cybersecurity. The responsibility audit considers proportionality, jurisdiction, response and corporate citizenship. At the helm, the modern CISO must understand not only the technologies and tactics in building an effective defence, but also the business context. Much more than ‘just’ the IT, the CISO must be skilled in conflict resolution, collaboration and influence to enable rapid adaptation of the company’s human and digital systems. Today it is widely acknowledged that at any scale, effective cybersecurity is primarily an organisational change problem, requiring the rapid implementation of new technology, language, tactics and business processes.

The problem

What is cybersecurity?

Cybersecurity describes the activities and technologies that collectively defend the assets and interests of an organisation (or a nation state) in cyberspace. A global industry, valued at approximately €100 billion, the business of cybersecurity includes the operations, tactics, network systems, software, algorithms and devices that protect organisations against security breaches, data theft and sabotage of computer networks.

At the scale of a nation state, cybersecurity extends to the protection of critical infrastructure, public services and transport systems. Vital to sustaining ‘business as usual’, many countries including France, Germany and the UK today consider cybersecurity as part of their national security. In 2016, the official designation by NATO of cyberspace as a zone of operations in which international laws apply((NATO [http://www.nato.int/cps/en/natohq/topics_78170.htm])), elevated the critical role of cyberspace in the global economy.

[table id=1 /]

 

The term cyberspace encompasses public and private networks, the surface and dark web, cloud storage, Industrial Control Systems (ICS) and the Internet of Things (IoT). Any system or device that is connected to the internet, or otherwise exposed to connection (including sensors, mobile and data storage devices) is vulnerable to exploitation and attack.

Figure 1: Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions). Source: Statista((Statista, ‘Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions)’ [https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/]))

Across and through this virtual terrain, criminal networks utilise the advantages afforded by pervasive internet technologies and ubiquitous communications to obfuscate their identity and build criminal networks — at relatively low cost compared with conventional international crime.

Cybercrime describes broadly two types of activity: (i) criminal activities in which IT systems and devices are both the tool and the target; and (ii) crimes which are increased in their scale and reach by cyberspace (such as terrorism, crimes against children, fraud, theft of data and/or assets, trafficking)((INTERPOL [https://www.interpol.int/Crime-areas/Cybercrime/Cybercrime])). Cyber criminals use a range of tools and techniques (including Advanced Persistent Threat, Distributed Denial of Service, malware, ransomware, domain hijacking and botnets) to enable and augment the effects of their activities. The same techniques are used by nation state actors in cyber warfare.

In 2016, cybercriminals launched one million attacks per day((2017 Internet Security Threat Report, Symantec [https://www.symantec.com/security-center/threat-report] )), with the average cost to fix a breach at €130 per data record. In just the past two years, major hacking incidents, data thefts by rogue insiders and data losses through stolen devices include Equifax (143 million data records lost), Anthem (80 million), Telegram (15 million) and Instagram (6 million)((‘World’s Biggest Data Breaches’, Information is Beautiful, 2 February 2018 [http://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/] )). Cybercrime is today a sophisticated global ‘business’((Anderson, R. et al (2013), ‘Measuring the cost of cybercrime’, ch. 12, in Bohme, R. (ed., 2013), The Economics of Information Security and Privacy, Springer : Berlin. [DOI: 10.1007/978-3-642-39498-0_12] )), worth an estimated €120 billion in 2017. In 2017 the cost to the global economy was approximately €370 billion((data from a survey of 3,000 individuals in a cross-section of industries. Hiscox Cyber Readiness Report 2017, Hiscox Global [http://www.hiscox.com/cyber-readiness-report.pdf])); by early 2018, estimates place total losses at almost €485 billion – one percent of global GDP((CSIS (2018), ‘Economic Impact of Cybercrime’, 21 February 2018 [https://www.csis.org/analysis/economic-impact-cybercrime])).

Worldwide, internet access has grown from about 6.7% of the global population in 2000, to 52% by January 2018((Naughton, J. (2016), ‘The evolution of the Internet: from military experiment to General Purpose Technology’, Journal of Cyber Policy, 1:1, 5-2 [http://dx.doi.org/10.1080/23738871.2016.1157619])). Initially created as a research tool, the internet has grown rapidly since 1995 to serve every sector of the global economy. Embedded in global commerce, entire industries are today based on this virtual world. Financial services apps, encrypted messaging and other mobile platforms serve an increasingly large population, with an estimated 70% of the global population using a smartphone by 2020((Ericsson Mobility Report, November 2016 [https://www.ericsson.com/mobility-report] )). For companies of all sizes and activities, cybersecurity is the cost of doing business in the digital age.

“Cyber threats exist wherever human error, opportunity and ingenuity allow it.“


In May and June 2017, ransomware made headlines with a single attack propagating rapidly through global supply chains, while cyber attacks on healthcare systems in the US and the UK demonstrated the vulnerability of public services. Deception is key to the success of cyber attacks at scale: in Switzerland, 2017 saw an increase in incidence of encryption Trojans launched by faking the identities of trusted federal services and global brands((‘Encryption Trojans and malicious emails in name of authorities on the rise’, Semi-Annual Report, 2 November 2017, Swiss Reporting and Analysis Centre for Information Assurance [https://www.melani.admin.ch/melani/en/home/dokumentation/reports/situation-reports/semi-annual-report-2017-1.html])).



In Germany, companies are increasingly the target of ransomware, APT attacks and cyber-espionage((‘The State of IT Security in Germany 2017’, Federal Office for Information Security [https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html])). The ransomware threat is likely to persist through 2018, along with attacks on cloud security, Internet of Things (IoT) and the Android operating system((Gartner (2018), ‘5 Trends in Cybersecurity for 2017 and 2018’ [https://www.gartner.com/smarterwithgartner/5-trends-in-cybersecurity-for-2017-and-2018/])) which is used in most of the world’s smartphone devices.

Speaking cyber

For all its technology-bound image, the world of contemporary cybersecurity is strongly influenced by individual people, the IT veterans who have become the voice of the industry and its challenges. Cybersecurity is a global business, yet its knowledge networks and conversations are concentrated in the US and Europe. Regional dialogue in the Middle East and around Asia’s financial hubs has visibly emerged only in the past few years.



The cyber threat landscape is advancing more rapidly than the security architectures can devise attack prevention solutions. Sharing of threat intelligence and innovation in not only technical solutions but also methods for implementing organisational change – knowledge about ‘what works’ – is vital if industry is to neutralise the risks and build a cyber-secure economy. The geographical bias in the contemporary debate around cybersecurity creates two challenges for the knowledge ecosystem: (i) avoiding group-think around threat characterisation and solutions; (ii) avoiding transplant of organisational change methods from one geography to another locale, without adaptation to, or redesign for, other business cultures, traditions and communications. To mitigate pan-industry ‘group-think’, cybersecurity requires a more nuanced, adaptive and inclusive dialogue, far beyond sharing threat intelligence and debating compliance standards.

Beyond measures of financial value, innovation within the global cybersecurity business is indicative of the rate of change in the industry. Cybersecurity Ventures produces an annual list of the top 500 most innovative, visible and active cybersecurity firms across a broad range of services((Cybersecurity Ventures (2017), Cybersecurity 500, updated August 2017 [https://cybersecurityventures.com/cybersecurity-500-list] )) (see table 2). 74 of the companies featured among the CV500 Index are based in Europe (see A1: Companies and indicators). While none of the top ten firms are Europe-based, noting that innovation in cybersecurity is strongly influenced by strength of interpersonal networks and leadership, it is likely that there is knowledge flow between discrete geographies (e.g. from Israel to the US and Europe) that is not represented in this index: further research is needed to investigate the structure of the knowledge architecture that underpins global innovation in cybersecurity.

[table id=2 /]

 

Viewed through the lens of the global dialogue on cybersecurity, the most innovative companies may not be the most influential((Martin, S. (2016), ‘10 Cybersecurity Twitter Profiles To Watch’, Dark Reading, 7 April 2016 [https://www.darkreading.com/vulnerabilities—threats/10-cybersecurity-twitter-profiles-to-watch/d/d-id/1325031] )). Twitter provides an indicator of the cybersecurity conversations that are shaping the business. 2016 analysis by Onalytica((Onalytica, 6 April 2016 [http://www.onalytica.com/blog/posts/cyber-security-and-infosec-top-100-influencers-and-brands/]; Onalytica, 20 May 2015 [http://www.onalytica.com/blog/posts/cybersecurity-2015-top-100-influencers-and-brands/] )) identified the top 100 brands in cybersecurity, based on their Twitter activity (see table 3 and A1: Companies and indicators).

[table id=3 /]

 

Cybersecurity is a fast-changing knowledge network, predominantly based in the US and Europe, but with increasing visible contributions from the Far East, Middle East and Asia. In the space of a year, identifiable thought-leadership evolves as new challenges emerge and new companies take form or gain recognition through the plethora of conferences, hackathons and cyber summits. Themes and issues also trend over time. A good indicator of ‘what’s hot’ in cybersecurity is the annual RSA Conference, among the leading forums worldwide for thought-leadership on cybersecurity. Recurring themes in recent years include: threat detection, AI and big data, insider threat, standards and compliance and the cyber skills shortage((RSA Conference [https://www.rsaconference.com/events])). Yet despite this fast-paced dialogue and continual information flow, very few names feature more than once in the annual rankings, suggesting that:

What do companies need to know about cybersecurity and why?

Every company that uses the internet, stores data in digital formats or communicates using smartphones, is at risk from cyber attack and data theft: it is not currently possible to totally eliminate all risk. Beyond IT, cybersecurity is principally an organisational change problem, requiring a risk management solution.

Threats and issues

Rapidly expanding attack surface

The global attack surface describes the public and private networks, servers, data encryption services, cloud storage, mobile devices, Industrial Control Systems (ICS), sensors and monitors, IoT, satellite networks and maritime communications systems that serve the digitally-enabled economy. Rapid innovation in digital services, cryptocurrencies and communications is expanding the opportunities in cyberspace for criminals who are equipped to exploit vulnerabilities – old and new.

The digitisation of the world’s finance systems opens new vectors for cyber attack.

Venture funding in digital finance doubled worldwide from 2014 to 2015, to just over €117 billion((‘Ensuring Cybersecurity In Fintech: Key Trends And Solutions’, John Villasenor, Forbes, 25 August 2016 [https://www.forbes.com/sites/johnvillasenor/2016/08/25/ensuring-cybersecurity-in-fintech-key-trends-and-solutions/]; ‘The World’s Top 10 Neo- and Challenger Banks in 2016’, FintechNews, 3 September 2016 [http://fintechnews.ch/fintech/the-worlds-top-10-neo-and-challenger-banks-in-2016/6345/] )). Advocates of cryptocurrencies claim that digital finance has security ‘built-in’, “because security and privacy are central to the protocol”((‘How blockchains are redefining cyber security’, Information Age, 14 December 2015 [http://www.information-age.com/how-blockchains-are-redefining-cyber-security-123460713/] )) and Bitcoin maintains that Blockchain is secure by default, because it’s decentralised((‘Blockchain is the next line of defense for cyber security’, Bitcoin, 19 June 2016 [https://news.bitcoin.com/blockchainn-next-defense-cyber-security/])). Attacks in 2016 on Dao and Bitfinex cost approximately €41 million and €53 million respectively((Cyber attacks raise questions about blockchain security, Financial Times, 12 September 2016 [https://www.ft.com/content/05b5efa4-7382-11e6-bf48-b372cdb1043a])), while in January 2018, a €435 million raid on a cryptocurrency exchange in Japan is the largest-known heist to date((Center for Strategic and International Studies (2018), ‘Significant cyber incidents, 2006 – 2018’ [https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity])). As with any new technology, problems are likely in the early phases of its evolution, but these incidents raise questions about the assertion that digital finance is secure by design.

The advent of IT-enabled Industrial Control Systems (ICS) and advanced sensor networks has increased exposure of the world’s critical infrastructure – the water, energy, telecommunications and other services that enable civilisation to thrive – particularly in cities. ICS that are internet-connected but predate internet in their design are particularly vulnerable, e.g. hydropower controls and radiation monitoring systems. Disruption or failure of one or more critical infrastructure services, even for a short time, can have serious consequences for populations.

This was observed in the attacks on Ukraine’s power grid in December 2015, which cut power to 80,000 people for three hours((Zetter, K. (2016), ‘Everything we know about Ukraine’s power plant hack’, 20 January 2016, Wired [https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/])). An attack on Germany’s Deutsche Telekom in November 2016 disrupted services for 900,000 customers((BIS (2017), op. cit.)). Many governments now mandate cyber attack reporting from companies within their critical infrastructure sectors: for example, Germany’s IT Security Act introduced mandatory reporting for telecommunications and energy companies (from July 2015), food and IT (from 2016) and healthcare, transport and finance (from June 2016). Up to June 2017, 34 incident reports had been received by Germany’s BSI((ibid.)).

Unsolved vulnerabilities, slow response

The first line of cyber defence requires characterisation of risks and vulnerabilities, whether at the scale of a single device, a household or an entire company. Investing in cybersecurity is of little value if weaknesses remain unknown or unsolved. Software vulnerabilities must be identified and patched or remedied, as far as possible; the CVE database((Common Vulnerabilities and Exposures database [https://cve.mitre.org/])) (a reference of known weak spots used by cybersecurity professionals worldwide), while useful in building collective defence, is not a comprehensive reference((BIS (2017), op. cit.)).

Failure to detect a security breach is now recognised as among the principal factors compounding the cybersecurity challenges faced by companies, particularly in healthcare and financial services. In 2016, the industry’s most comprehensive global survey (2,260 analysed breaches from 82 countries) reported that web app attacks accounted for 48% of all security incidents afflicting financial services firms, with exfiltrated data stolen within minutes in 78% of all incidents((Verizon (2016), ‘2016 Data Breach Investigations Report’ [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/])). Yet 54% of the firms surveyed took several weeks to discover that a security breach had occurred.

Sophisticated attackers

Malware infection is a common basis for many forms of cybercrime. By 2017, 600 million variants of malware were known (see figure 2); from January to May 2017, 280,000 new variants were observed per day((‘The State of IT Security in Germany 2017’, Federal Office for information Security, June 2017 [https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html])). Malicious code embedded in Microsoft Office files (as email attachments) and infected download links are common vectors through which sophisticated and sustained attacks are launched. Today’s cyber attacks are not limited to breaking and entering: combined with techniques from more conventional forms of corporate espionage, social engineering and exploitation of digital finance, the effects of cybercrime can be rapid, extensive and expensive.

In 2016 and 2017, cyber criminals were particularly successful in their use of ransomware (a form of digital blackmail) to either encrypt and lock corporate data and/or block an authorised user’s access to a device or system. The high-profile WannaCry and NotPetya attacks of June 2017 were forms of ransomware that used the configuration of global supply chains to inflict damage across multiple sectors and geographies, in a very short timeframe((‘Maersk says global IT breakdown caused by cyber attack’, Reuters, 27 June 2017 [https://www.reuters.com/article/us-cyber-attack-maersk-idUSKBN19I1NO])).

Figure 2: Increase in variants of malware, 2006-2017 (source: BSI, 2017)

 

Expensive to fix

2016 analysis by IBM and the Ponemon Institute reported that the average cost of a security breach, per data record, was €130, with total costs proportionate to the scale of losses (ranging from approximately €1.7 million for breaches affecting less than 10,000 data records, to €5.5 million for 50,000). Remediation costs were highest in the US and Germany and varied by industry, with a per record cost (i.e. the total cost of a data breach divided by the size of the data breach) of €181 in the financial services industry((Ponemon Institute / IBM (2016), op.cit.)).

Response

The scale and activity of cybersecurity investment varies by industry. Some emphasise compliance and risk mitigation, others focus on IT defence. A 2016 survey by Accenture and Oxford Economics measured firms’ cybersecurity performance across 33 indicators in 12 industries, worldwide((Accenture / Oxford Economics (2017), ‘The Accenture Security Index’ [https://www.accenture.com/gb-en/insight-accenture-security-index])), concluding that overall, companies performed acceptably well in only eleven out of 33 indicators. Banks ranked second (after telecommunications) with a high rating in eight of the 33 capabilities, including threat scenario analysis and utilisation of third-party solutions providers.

Governments are limited in their capacity to respond, either through technology or laws, by: (i) risk of exposing their cyber warfare capabilities; and (ii) timeframe required for investigating, drafting and enforcing legislation. Companies are in the front line of cyber defence and are leading the cutting-edge of cybersecurity research. Cybersecurity is the cost of doing business in the digital age and is principally about managing risk((‘Cyber Security: the cost of immaturity’, The Economist, 12 November 2015)). The four questions companies everywhere typically ask are:

(i) what’s valuable?; (ii) how / where do we need to protect our assets and interests; (iii) how much will it cost?; and (iv) do we have enough people who ‘speak cyber’? At the scale of a single organisation or an entire economy, cybersecurity requires a blend of technology, people and process.

Why ‘information security’?

Contemporary cybersecurity has evolved from the worlds of information security and defence((von Solms, R., van Niekerk, J. (2013), ‘From information security to cyber security’, Computers & Security, 38, 97-102)). Electronic warfare (EW) was an established field, thirty years ago. With the advent of digital communications, EW gave way to the age of information warfare (IW), as outlined in the published military doctrines of Russia (1991) and the UK (2003). While there is still no single definition of ‘cyber warfare’, either in popular use or in international law, today’s use of cyberspace in the battle for geopolitical advantage is generally understood to describe activities that augment – or precede – the effects of conventional warfare, using data, devices and networks to accomplish acts of war that cannot be done using only conventional weapons, people and espionage((Daultrey, S. (2017), ‘Cyber warfare: a primer’ [https://sdaultrey.net/downloads/Daultrey-S-Cyberwarfare-09-2017.pdf])). Nation states define the term differently, for example, China uses the term ‘information operations’, while Russia refers to ‘information warfare’.

As in other stories of technology adoption (e.g. satellites, solar power), innovations initially intended for military use have rapidly gained currency in commercial and civilian spheres. Defence companies quickly recognised cyberspace as a new dimension to their information security practice and responded accordingly: among the best-known examples is the Cyber Kill Chain, a response framework based on conventional military strategy and published by Lockheed Martin in 2011((LockheedMartin, Cyber Kill Chain [http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html])).

In the corporate world, the era of information management (circa 1970 – 1990) gave way to the age of digitised knowledge management (1990 – 2010) with the widespread use of service platforms such as SaaS, AWS and Google. With the increasing use of machine learning and big data, the business of information security is experiencing a new phase of innovation. Corporate data is not only digitised, it is blended with information about geolocation as well as price and network performance, to deliver the goods and services on which today’s global, connected economy depends. Algorithms use data about the behaviours and preferences of private citizens to suggest and enhance products and services, manage transportation networks and combat financial fraud. Data is no longer a static entity in a filing cabinet that can be locked or permanently archived. Decisions about information security begin not with auditing the value of data holdings, but with identifying which nodes and networks of the digital infrastructure contain the worst vulnerabilities.

The dominance of technology firms in today’s global cybersecurity conversation suggests that the image of information security as primarily a technology business, is likely to persist. IT companies such as CISCO, IBM and Microsoft have evolved from global providers of technology platforms, software and services, to become the principal architects of the digital age.

The cyber era

Cybersecurity is a pre-requisite for enabling business as usual: it is a core requirement for both securing the information technology that powers standard business operations and creating a stable environment for innovation. Today’s cybersecurity industry is influenced by two trends that have evolved only during the past five years: (i) increasing sophistication, scale and visibility of cyber attacks; (ii) emergence of international coalitions of companies, sharing threat intelligence and best-practice. Concurrently, bilateral and multi-lateral agreements among nation states on combatting threats to cyberspace((Carnegie Endowment for International Peace, Cyber Norms Index [http://carnegieendowment.org/publications/interactive/cybernorms])), signal that the time of international cybersecurity laws is near.

In 2017 the International Telecommunications Union (ITU) (a specialised agency of the UN) surveyed the performance of 193 nation states against five metrics((ITU Global Cybersecurity Index 2017 [http://www.itu.int/en/ITUD/Cybersecurity/Pages/GCI-2017.aspx])): (i) legal (cybercrime laws, regulations); (ii) organisational (collection of metrics on cybersecurity, national strategy); (iii) technical (industry standards); (iv) capacity building (training for cybersecurity professionals, public awareness); (v) cooperation (international, interagency and public-private sector). The top ten countries included Singapore (at #1), the US (#2), Estonia, Georgia and France.


The profile of cybersecurity in the decisions and priorities of nation states has evolved at different rates, driven by opportunity and threat: for example, in Singapore, the critical importance of international financial services to the national economy coupled with an urban infrastructure that is data-driven, places cybersecurity among the core concerns for Singapore’s national security. Georgia’s experiences of cyber attack in 2008 coupled with military incursion by Russia, were likely an early formative phase in developing Georgia’s responsive national cybersecurity strategy.

Incentives among companies to ‘take cybersecurity seriously’ are evolving at different rates across industry verticals. An early example of corporate leadership on cybersecurity was the Cyber Security Industry Alliance, which took form in 2004 and was essentially a lobbying and advocacy group in Washington, DC((CISCO Security Activity Bulletin, CSIA, 27 February 2004 [https://tools.cisco.com/security/center/viewAlert.x?alertId=7301]; ‘Cyber Security Industry Alliance Kicks Off Sarbanes-Oxley Compliance Initiative’, HelpNet Security, 15 December 2004 [https://www.helpnetsecurity.com/2004/12/15/cyber-security-industry-alliance-kicks-off-sarbanes-oxley-compliance-initiative/])). By 2015, industry alliances had begun to form around pragmatic action to reduce collective vulnerability. The Cyber Threat Alliance((The Cyber Threat Alliance [https://www.cyberthreatalliance.org/membership/])) features many of the brands identified in the ‘most influential’ voices of contemporary cybersecurity, with its primary mission to share threat intelligence between commercial cybersecurity providers. The secretive Cyber Defence Alliance was created in 2015 by five leading international banks and is based in London, near the headquarters of the Metropolitan Police. In the style of NATO, the CDA views “an attack against one bank is an attack against them all”, working closely with the Police to share threat intelligence and combat banking fraud((‘Banks join forces to crack down on fraudsters’, Financial Times, 9 August 2017 [https://www.ft.com/content/6c9030ca-7937-11e7-90c0-90a9d1bc9691])).

Responding to the globally-acknowledged security problem created by the rapid evolution of the IoT, the IoT Cybersecurity Alliance gained momentum in 2017((IoT Cybersecurity Alliance [https://www.iotca.org/])) and also features many of the leading names in network systems and mobile device security. Individual sectors that have experienced serious security breaches are developing their own cybersecurity compliance standards, for example in maritime security((IMO (2016), ‘Interim Guidelines on Maritime Cyber Risk Management’, MSC.1/Circ.1526 1 June 2016 [http://www.imo.org/])) and insurance((‘Ten Key Questions on Cyber Risk and Cyber Risk Insurance’, The Geneva Association, November 2016)).

 

Cyber and global risk


Is this a new problem? Or an old problem in a new context?

In the Autumn of 2016, selected organisations in London’s insurance industry conducted ‘stress tests’, simulated ‘what-if’ scenarios that analysed the possible outcomes for the UK economy of a major natural or man-made disaster. Cyber attack was among the risks considered, both as a single event and as a stress multiplier. The events of summer 2017 vividly demonstrated the cascade effects of a cyber attack on a single network or software that serves global supply chains: the global costs of WannaCry ransomware, which affected at least 100 countries, are estimated at €6.5 billion, while the total cost of the NotPetya attacks of 2017 to Maersk and others is estimated to be at least €480 million. Hypothetical estimates by Lloyd’s of London suggest that a single attack on a cloud service provider could cost the global economy €43 billion.

“We are living with the consequences of a global supply chain that relies on digital.”


Chernobyl nuclear power plant: Radiation monitoring systems affected

Merck: Business systems of the second-largest drugmaker in the United States affected

AP Moller-Maersk: Business systems of the Danish transport and energy company compromised; operations stalled at a Mumbai terminal – India’s busiest container port

Rosneft: Business systems of Russian oil producer compromised

Ukrenergo and Kyivenergo: Operations of two Ukraine state-owned power companies affected

Borispol Airport (Kiev) and Ukraine metro system: Systems compromised

Oschadbank: Business systems of Ukraine’s state-owned bank affected

Mondelez: Supply-chain business systems of American food and drinks giant affected

WPP: Client lists and communications compromised at one of the world’s largest advertising agencies, based in London

DLA Piper: Communications and computers downed at a leading global law firm

Saint-Gobain: Business systems at a French material construction company affected

Heritage Valley Beaver and Heritage Valley Sewickley hospitals: Business systems compromised at care facilities in Pittsburgh, US

Cadbury: Business operations affected at a chocolate factory in Tasmania, Australia (owned by Mondelez)

Deutsche Post: Operations stalled at Germany’s postal services

Evraz: Business operations compromised at a Russian steelmaker

List of known organisations affected by NotPetya, June 2017

Renewed calls for an international response placed cyber threat among the top five global risks for 2018, earning cybersecurity headline status at the 2018 World Economic Forum. The phenomenon of cyberspace and the cybersecurity industry can today be viewed as:

 

Issues and challenges

Cybersecurity has evolved from the world of information security: it is technology-driven and operationally reliant on standards, policies, best-practice, implementation procedures, information hierarchy and shared knowledge networks. These standards and languages are differently interpreted among discrete industries, geographies and business functions: a CISO in, say, the energy sector may advocate different solutions and frameworks than his peer in healthcare or finance. The emergence of a ‘common operating language’ within the domain that is owned and shaped by the professionals on the ‘front line’ enables rapid understanding of new threats and risks at scale, even if we still lack the technology and social behaviours to eliminate the threat and mitigate the root-cause.

The cyber era transposes into the digital realm the geopolitical challenges, threats and risks that are well-known in the physical world, such as corporate espionage, protection of civil liberties and organisations’ capacity to adapt to new technologies. What differentiates cyber is the scale of adaptation and collaboration required to implement organisational change, at a rate not experienced since the European industrial revolutions of the late 19th century. Effective cybersecurity requires adaptive technologies, people and processes.

 

Continual digital innovation creates a ‘marketplace’ for threats, but also for solutions. Companies and governments share common enemies in cyberspace, but the scale and pace of the threat are outsmarting the rate at which technology can naturally adapt: across industries, a form of artificial adaptation is needed to rapidly adopt and develop cyber defence. This requirement explains the trend toward outsourcing cyber defence. Even more critically, the threat landscape is evolving faster than the rate at which organisations can adapt their corporate ecosystem. Cybersecurity does not fit into a five-year plan or quarterly budget review: the rate and scale of the evolving threat landscape mean that there is no time to defer or wait and see.

Pervasive data services create pervasive vulnerabilities. The vulnerability of the connected economy was exposed in vivid detail by the ransomware attacks of 2017. In energy, telecommunications, financial services and transport, we are living with the consequences of creating a global supply chain that relies on cyberspace. The tools and practice of cybersecurity are the defining architecture of doing business in the digital age.

A1: Companies and indicators

In 2016, Onalytica analysed more than 817,000 tweets, from November 2015 to January 2016 (for keywords “Cyber Security” OR CyberSecurity OR Infosec OR “Information Security”), identifying the top 100 influential brands and individuals in cybersecurity, worldwide. Table A1 lists the leading cybersecurity companies in Europe (data source: Cybersecurity Ventures 500).

