In the aftermath of COVID 19, the world is witnessing a significant rise in cyber-attacks due to near-total dependency on the internet by most businesses.
Mr Ciaran Martin is the First Chief Executive Officer of the National Cyber Security Centre, UK. From 2008-11, before joining GCHQ, Martin was Director of Security and Intelligence at the Cabinet Office, helping to agree on the framework for the Scottish independence referendum. His public service career has also included a series of roles elsewhere in the Cabinet Office and HM Treasury and the National Audit Office. Martin was appointed Companion of the Order of the Bath (CB) in the 2020 New Year Honours for services to international and global cybersecurity.
To analyse the threats to critical infrastructure (CI) in a post-COVID 19 world, Synergia Foundation conducted a webinar 6th of May, putting together a panel of eminent cyber experts. Mr Ciaran Martin dwelled upon the resilience of security measures and the importance of flexible and adaptable cybersecurity.
There is also the need to understand how targeting of threats would change, and enterprises need to make it a point to understand data security instead of just 'leaving it to the professionals'. To allow a model like this work in democracies would require transparency and showing a positive net footprint.
Dynamic Profile of Emerging Cyber Threats
Narrating anecdotal data to highlight the changing profile of cyber threats, Claran Martin emphasised upon a “flexible definition” of critical infrastructures as the changing perceptions are giving rise to totally new threats. Citing the fire incident in a night club in Glasgow which rang alarm bells right up to the top because located just next to the night club was a building housing the systems to run ATMs servicing over three million citizens. This gives rise to another principle of cybersecurity “dependency.” Similarly, the logistics systems of food supply chains have also become CI during this period
With the increase in empty offices and working from home situations, there has been a rise in cybercrime as well. A report by Barracuda Networks, a leading provider of cloud-enabled security and data protection solutions, states that there has been a variety of phishing campaigns using the pandemic as a distraction to distribute malware, steal credentials, and scam users out of money. Between March 1st and 23rd, the report states that it detected 467,825 email attacks, 9,116 of which were related to COVID-19.
With the onset of the pandemic, the WHO has reported increased attacks towards its staff, scamming campaigns. In the 4th week of April, it saw some not active WHO staff email addresses and passwords being leaked, along with thousands belonging to others working on the coronavirus. Hammersmith Medicines Research (HMR), which carries out tests to develop the Ebola vaccine and performs early clinical trials of drugs and vaccines in the US, was also attacked by ransomware that broadcasted personal details of former patients after HMR declined to pay a ransom.
Following this thread of events, it can be seen that while cyber-attacks have increased, they have also been increasingly targeting healthcare and pharmaceutical firms more. This is something that Mr Ciaran Martin also focused on. "I think targeting will change. Healthcare, intellectual property, pharmaceuticals, vaccines and so forth will become vulnerable, but who's making cyber-attacks and why they are doing it, the mixture of economic, strategic and propaganda advantage will majorly remain the same," he says. "I think the vulnerabilities will change, and critical infrastructure will migrate towards different sectors partly because we are all working differently and, this forum is a very good example of that, sudden disruption of organisational models carries risk."
Resilience and agility of security
Cyber resilience is part of cybersecurity. While cybersecurity deals with the overarching concept of security, cyber reliance is the concept that is focused on adaptability to changing conditions and preparation to withstand and rapidly recover from disruption. Cyber-resilient organisations do not depend on traditional technology solutions (firewalls) and processes (such as user and access management controls) to achieve this; they also focus on resilient leadership, networks and readiness of change to create a sustainable advantage over cybercriminals and other malicious actors.
Mr Martin highlighted the lack of understanding of cybersecurity by top leadership. "What I think we need to get past is mythologising that the subject of cybersecurity is so technical and difficult that cannot be understood by normal leadership teams. I see a lot of energy and oil companies who say that this cybersecurity risk is so complicated and they do not understand it. I say you dig fossil fuels from the sea bed in the middle of the ocean, you do that safely, economically and manage hugely complicated politics and so forth and you are telling me that you can get someone to understand a bunch of computer networks and risk accordingly, this is ridiculous So, you need to understand and get a little bit technical to understand the risk. That is squarely in my view: the responsibility of any self- respecting state which is serious about defending itself has to have some level of government capability through the law, proportionate action through some really good people and enough capabilities to try to defend against themselves."
The sharing of information in a group is the critical ingredient for organisations with the most success at understanding and mitigating intrusions in their systems. Organisations also need to realise the interdependent relationships in their increasingly complex networks. Key relationships to consider should include all players, not just the core partners. Intelligence sharing and coordinated cybersecurity activities are good ways to build and collaborate approaches in larger organisations, which can lead to a resilient ecosystem around their supply chain.
Local and global threats
A one-size-fits-all approach naturally would not work the same for countries with populations of one million compared to those with one billion. 'Different countries have different risk profiles, and if we are to design our networks both nationally and together where an attack in one country is an existential threat to a whole bunch of countries, then we have got it wrong. This is because we do need to be mindful of localised threats," says Mr Martin.
Public-Private Partnership in Cyber Security
This emphasises the need for collaboration between the private and public sectors. Speaking from the perspective of handling the security in the UK, Mr Martin says, "I just think the private sector is built into our model and our whole model of cybersecurity cannot work if it doesn't have the in-built partnership with the private sector. If the cybersecurity of a bank is not compatible with its business model then it's not going to work it's not going to be of the same posture for an energy company as it is for a bank as it has industrial control systems, variations and so on. So, we need to learn from the industry and give them information."
Quoting the example of the UK, he described how without private sector partnership, cybersecurity is non-achievable. The partnership goes beyond routine commercial ventures and is embedded even in strategic plans. In his own government organisation (National Cyber Security Centre, UK.), over 100 staff working on cybersecurity are paid for by the private sector. The maximum learning in this field has actually originated from the private industry. The partnership contributes to national wellbeing as a well-protected industry/ business is more productive.
Democracy and cybersecurity
In a democracy -- which was represented by all the countries in the webinar -- an offensive approach to investigating data would be criticised, as people are not comfortable with their data in the hands of a select few. Joseph Nye stated that democracy depended on open information, and could lead to countries doing both too little and too much to either deal with the threats at hand and to build trust amongst their citizens. The challenges that democracies face in managing cyber security are now a defining domestic and foreign policy issue with direct implications on human rights. In this regard, Mr Martin states that "there are two parts to these concepts, one is transparency, The second thing that democracies and open societies have to show that their net footprint on the internet is a positive one. We have to show that sometimes our law enforcement agencies need special access to get bad people misusing technology for various harmful ends. We need to show that we are trying to protect and secure technology."
- Information Technology is a ubiquitous part of our lives, a fact reiterated so vehemently during COVID 19. While our CIs are threatened, the pandemic is also an opportunity for states and organisations to assess the vulnerability of their CIs and seek robust and advanced solutions.
- COVID 19 clearly demonstrated the overlap between two seemingly diverse fields like public health and cybersecurity in ways never imagined before. The positive is that it has generated sobering reminders of the underlying problems and the neglect which both these fields were subjected to till the virus struck. Faced with this stark reality, governments have little choice but to invest in strengthening both systematically. The need of the hour is a layered deterrence involving prevention by norms, denial and punitive action.
- However, at the end of the day, the real security responsibility lies with the individual user, firstly through the practice of cyber hygiene and secondly by using all available tools like Encryption, Multi-factor authentication (like OTP, digital signatures, biometric), VPN among others.