As billions of people and gadgets become connected via mobile devices, the threat and potential impact of cyberattacks have grown exponentially. Danielle Kriz, Senior Director, Global Policy at Palo Alto Networks and member of the Global Future Council on Cybersecurity, says cybersecurity needs to become more automated and preventative in order to maintain trust in the digital age.
Why should the world care about cybersecurity?
Things have changed a lot in the last decade or so. Up until this point, cybersecurity hasn’t really been an issue to most consumers; it’s been managed by the back-room IT security teams of organisations. But now, as so many parts of our everyday lives are digital, cybersecurity has evolved into something that is important to every single person on the planet.
Cybersecurity affects everyone from the top CEOs of the Fortune 500, all kinds of companies that worry about their brand, companies we use to deliver electricity, air travel - all of these companies are now dependent on improving their overall cybersecurity posture. This notion even extends to all governments, as their processes go online and they need to protect their information and intelligence; as well as those who use the internet for social networking. So we all really need to have a good handle on cybersecurity best practices in order to maintain trust in the digital age.
How do you see the cybersecurity environment evolving in the coming years?
One thing that is apparent is that the number of attacks will only continue to grow. With the Internet of Things, the Fourth Industrial Revolution, and so many more devices coming online, the number of targets is growing. It’s important to think about preventing successful attacks; we can’t simply detect and respond to them. We, as a company, philosophically believe that prevention is possible if you have the right combination of people, processes and technologies. The challenges will continue to grow but if we focus on preventing cyberattacks, trust in the digital age will continue to grow with those challenges.
To what extent are technologies of the Fourth Industrial Revolution driving change in cybersecurity?
Cybersecurity will always be a math problem. The cost of computing power required for cyber criminals and adversaries to launch sophisticated attacks is decreasing every day. Attacks are becoming more advanced and prevalent. A lot of companies are relying on decades-old cybersecurity technology; different types of products that do separate things cobbled together. That just doesn’t scale, and therefore the math equation in trying to fight these adversaries is completely lopsided. If we continue to rely on a decades-old response to a threat that is moving ahead quickly, we are not going to get ahead of this game.
Overall, attacks tend to follow the same seven or eight steps. Despite the fact that there are many different types of malware that exist and are changing constantly, attackers typically use the same set of steps. For example, bad actors will conduct a reconnaissance on your system, go in and put something on your network, have it call back to them so that they can launch their attack, and then they’ll launch it. We don’t see that changing over time. Having a response that tries to prevent success at each stage of the attack needs to be the strategy regardless of whether you have one connected device or we’re thinking about the billions of devices that we’ve seen and will continue to see emerge in the Fourth Industrial Revolution.
What needs to be done to improve cyber-resilience across the globe?
More and more companies and governments are realizing that cybersecurity is not just an IT issue, and they are treating cybersecurity as a business risk. Corporate directors and board members worldwide are starting to understand now that cybersecurity is clearly their responsibility in running their companies.
Helping to promulgate that way of thinking is something that all of us can do to help improve cyber resilience. Palo Alto Networks has taken a leadership role in this area. In October of last year, we published a book with the New York Stock Exchange, called ‘Navigating the Digital Age’ and it’s aimed at corporate boards and the C-suite. The book is meant to inform and educate top-level executives who are working to improve overall cyber resilience.
What role should different stakeholders play in bolstering cyber-resilience?
Cybersecurity is a shared responsibility and we ask government to take an approach that very much involves industry in helping to create cyber policy solutions. In the US, the National Institute of Standards and Technology worked in an open and consultative process to develop the Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”). The Framework divided cybersecurity into five buckets that make it easy to think about it as a risk: identify, protect, detect, respond and recover. That is an example of a policy where government and industry came together to help companies think about cyber resilience.
Governments around the world are making legislative or policy changes that promote greater voluntary sharing of information on cyber threats between companies, as well as between the public and private sectors. In order to best protect their systems and to prevent against the threat of cyberattacks, we have to know what the threats are; but no one company, no one government will ever know all the threats that exist. Sharing threat information allows everyone to put the pieces of the puzzle together and act quickly to prevent against the latest threats.
How do we ensure that civil rights and liberties are protected as we step up our efforts in cybersecurity?
This is certainly a topic that has been and will continue to be under a lot of scrutiny. A lot of the concerns about rights have to do with who you are and the worry that somebody out there will take your personal information and do something with it – it’s all about a concern of the unknown. In reality, good cybersecurity protects the personal information that we hold and store online.
Cybersecurity and privacy are mutually reinforcing. The truth is, the more cybersecurity we have, the more civil rights and liberties are protected because the more your information is secure, the more privacy you have. Overall, cybersecurity can help protect civil rights and civil liberties.
What is the future of cybersecurity? Where will we be in 2030?
There will be increasingly frequent and sophisticated cyber incidents and it will leave many to question whether there are deeper structural flaws in the technological foundations that we’re building our future on, i.e. smart homes, self-driving cars, etc. As our digital age is evolving and we’re finding more efficiencies, we will continue to find new challenges and vulnerabilities.
But, at the end of the day, we can stay ahead of this issue and be cyber secure. The criminals will continue to get more sophisticated and their attacks are being automated, so it’s imperative that we respond in kind with automated prevention that aims to thwart attacks at every stage of the attack life-cycle.
What technology or gadget would you most like to see by 2030?
I’m interested to see what continues to develop around self-driving cars. Obviously some are getting on the road now but there’s a lot of work to do to create entire systems and cities around self-driving cars. I live in a city and I often rely on taxis and buses and other people to drive me around. It would be fantastic to be able to walk out my door and jump in a self-driving car and get where I need to go.