3 ways to fill worrying cybersecurity gaps

If humanity ever needed reminding of our interdependence, the pandemic has brought that home. As we scale up our response to the crisis, through largely digital means, our interconnectedness grows exponentially. And with it our vulnerability to the risk exposures of the virtual world. In fact, businesses of the future are evolving to be more digital and more shared. The need to prepare to avert a cyber pandemic – with potential even more than the coronavirus to upend our lives – has never been more urgent.

For a moment, let’s think of the unthinkable. A world without phones and internet, with idling trucks, trains and planes because fuel pumps and charging stations are incapacitated; banks shuttered; food supply chains broken; and emergency services made all but unavailable. This bleak vision would be inevitable if electricity supplies are cut off by a cyberattack.

In a scenario such as this, we know, that the ensuing swift blackout would be crippling. Unfortunately, we also know that a crisis of this scope, sophistication and impact is not just possible but something we are currently dealing with – albeit in a different context.

Last month, a group, believed to be Russian, gained access to over 18,000 systems – belonging to government and corporations – through a compromised update to SolarWinds' Orion software. We were unprepared to prevent the attack because the bad actors slipped through the exact whitelisted software supply chain we trust. Even more regrettably, the software supply chain allowed them to access the network of FireEye – the US-based cybersecurity giant known for investigating and remedying some of the world’s most high-profile breaches.

While FireEye’s customers remained largely unimpacted this time, the moral of the story is that no one and nothing is immune. Our sources of cyber-protection – software updates or defending partners – can be the Trojan Horse where everything around us devolves into chaos.

Well before we learnt these tough lessons in the final weeks of a rather challenging 2020, the World Economic Forum questioned whether our individual and collective approach to managing cyber risks is sustainable in the face of the major technology trends taking place.

Although there’s an array of resources to manage cyberattacks, we still have a long way to go before we can, as a whole, effectively counter these threats. We need to strengthen our strategic response to the risks before we invest in tactics. Our plans must work harder and smarter to address capability gaps in three areas:

1. More coordination

Consider the SolarWinds attack. It did not directly hit its intended targets. Instead, the attackers surreptitiously built a chain of offence, that included non-government agencies, security and technology firms along with educational institutions, to inch unnoticed towards their real targets for espionage.

They knew they’d find their mark through our digital interconnectedness. We can turn this same intertwining of infrastructure to our advantage. Research tells us that hackers attack computers with Internet access—every 39 seconds on average. If we all shared threat intelligence, across borders, across the private and public sector, across industries and competitors, the collective intelligence could only move us forward faster.

An invaluable first step would be to develop more open systems, while adopting common standards and taxonomy in cybersecurity. This will serve us better to integrate and train our teams to drive holistic security. Global spending on cybersecurity solutions is projected to exceed $1 trillion cumulatively over the five-year period from 2017 to 2021. We must reprioritize these budgets to align with shared goals including collaborating to overpower organized cybercrime and the private-sector technology nexus with nation-state attackers.

2. More sophistication

The Global Risks Report 2020, articulated how the digital nature of the Fourth Industrial Revolution technologies is making our landscapes vulnerable to cyberattacks. For example, it is estimated that there are already over 21 billion IoT devices worldwide, slated to double by 2025. Attacks on IoT devices increased by more than 300% in the first half of 2019 alone.

The report, observes how “using ‘security-by-design’ principles to integrate cybersecurity features into new products continues to be secondary to getting products quickly out into the market.” Our current approach of bolt-on security needs to be reimagined to create stronger build-in standards, including SDLC-security quality certification, that makes software partners more accountable for security assurance. Along with this discipline in securing the supply chain as meticulously as we secure our products, we need better design architecture to tackle the challenges at hand.

3. More human capital

At the same pace that AI is growing useful in cyber defence, it is also enabling cybercriminals to use deep learning to breach security systems and harness data sets to improve response to defence.

While we can battle machine with machine, nurturing a strong pipeline cybersecurity talent, will give our defence an edge. We need better problem finders in greater numbers to work with our problem-solving machines. And this time, they need to be embedded in the complete lifecycle of our processes. Every person in the ecosystem must understand his or her role with respect to cybersecurity and be accountable to deliver to metrics and standards for cybersecurity quality. As of 2019, there were an estimated 2.8 million cybersecurity professionals worldwide, against a need for over 4 million.

If there is one lesson from dealing with the pandemic, it is the need to take each other along as we move forward into a more secure future. The very nature of a pandemic is such that no one is really safe unless everyone is safe. A cyber pandemic is no different. It is in shared trust and a common agenda that we can build the confidence and competence to achieve the resilience we need.