Understanding the true nature of cyber-threats is critical in enabling organizations to protect themselves, according to Ciaran Martin, Founding CEO of the National Cyber Security Centre and Professor, University of Oxford.
During a session at IRISSCON 2021, Martin said it is important to be more realistic about the true threat cyber-attacks pose to society. For example, he had recently re-watched the classic movie WarGames, which “set a tone about the catastrophization of cybersecurity in a way that just doesn’t match reality.” In WarGames a hacker could set off a nuclear war, and Martin commented: “nothing remotely like this has ever actually happened” in the 38 years since it was released.
In reality, the vast majority of threats are “small scale,” impacting individual organizations. Martin then set out the three main categories of cyber-threats:
1. Getting Robbed
- Cash theft – this can range from scamming individuals online to large-scale bank heists
- IP theft
- Data theft
2. Getting Weakened
- Espionage – this normally involves nation-states accessing and stealing confidential data about governments and major organizations. A recent example of this is the SolarWinds attack in 2020.
- Political interference – this encompasses a range of tactics, including hacking to ferment political discourse and leaking data about political figures e.g., Hillary Clinton in the 2016 Presidential election.
- Prepositioning – this is where threat actors intrude into key systems, ‘implanting’ themselves on a network. Martin said this often occurs during times of peace, ensuring that should tensions escalate between nation-states, there is the capability to undertake espionage activities or launch attacks.
3. Getting Hurt
- Destructive – this is where cyber-attacks cause physical damage to organizations. This might be reckless and accidental, such as Wannacry in 2017, and deliberate, as seen in the NotPetya attack in 2017.
- Ransomware – Martin noted the reason ransomware has come to the attention of mainstream media is due to the physical damage these types of attacks have caused recently. For example, the recent disruption to food and fuel supplies in the US.
Board members and decision-makers should use this categorization to understand “where in this matrix is your organization? Is it a data-rich organization? Or is there a piece of IT that is strategically significant in the political system?” according to Martin.
Reducing Harm
Martin believes there is currently not enough recognition of the limitations of law enforcement in respect of cybersecurity. “We need to understand that because it limits what we can do.” This is largely because major cybercrime gangs operate from regions like Russia, China and the Subcontinent, where it is almost impossible to get traditional law enforcement mechanisms to work. Martin added: “For the first time in human history, you’re able to cause large-scale harm to a society without ever setting foot in it.”
Given this reality, the focus needs to be on defense, and Martin outlined four areas of priority:
1. Importance of basics – Martin noted that “every major incident, even the most sophisticated ones, at least part of the story, there’s some element of basic vulnerability.” Therefore, the vast majority of incidents would be prevented by basic steps, like patching and enforcing multi-factor authentication.
2. Resilience – this relates to preparation for incidents and the way systems are built. “We don’t want to be in the position where we have to rely on the heroics of people,” commented Martin. He highlighted the Colonial Pipeline ransomware attack as a key example of lack of preparedness. He pointed out the incident emerged as a result of an attack on the enterprise rather than the pipeline itself, which did not have sufficient isolation measures. “This really shouldn’t be happening – we need to design security into the systems,” he added.
3. Conversations with boards – security professionals need to ensure boards understand the reality of harm from cyber-attacks. This includes providing them with technical insights they so often lack to ensure security basics are followed. For example, “educate them about counter-phishing strategies, about how to interpret the ethical phishing stats,” said Martin.
4. Protect the digital environment – Martin stated: “I strongly believe we shouldn’t be talking about cybersecurity in militaristic terms.” Instead, it should be seen as an environment which everyone needs to live in. Therefore, it requires a clean-up, such as taking more steps to take down maliciously-hosted websites. This is especially pertinent with the growth in areas like IoT, AI and quantum. He added: “Look at the technology that’s coming and clean up the digital environment.”