The threat of cyber attacks continues to grow, even to the point where it has been reported that nuclear arsenals are vulnerable. Critical national infrastructure needs more investment from a cyber-security perspective.
The warning signs have been there for a long time. Ever since the Ukrainian power grid attack, cyber defences must be improved.
Chairman of Glasswall’s UK Advisory, General John Holly, discussed the threats posed by attacks in the all-encompassing cyber environment with Information Age. He is a recognised expert in the research, development and acquisition of complex Department of Defence systems.
How are nuclear arsenals vulnerable to cyber attacks?
There is not a very clear answer to this, because governments are not going to be traditionally forthcoming on that, because of the sensitivity of the subject.
What you have is reasonably forward looking people in positions of responsibility within the government domain, and they’re continuing to take all of the responsible actions that one would expect them to take.
I think they’re having to, like everybody else, to adapt to a new environment that we’re facing in the cyber world. I would argue that it’s no longer the cyber world. Cyber is an integral piece of the business and operations of any activity, whether it’s government that is focused on nuclear weapons or whether it is a business activity in the medical industry. If you continue to treat cyber as a standalone function or technical issue, then you’re creating your own inherent vulnerabilities. Cyber now is part of the business and operations, it’s all one thing.
In terms of motives, why would hackers target a nuclear arsenal?
The motive would be one of two different vectors. One to prove that they can do it, because that is probably the single most challenging arena that hackers could attempt to attack. And second, you’ve got state actors as well non-state actors that would like to gain access for their own malicious use, via the information they could attempt to gain there.
The cyber environment is a conflict environment on a day-to-day basis, whether you’re in business or in government. The enemy’s motivation and goals are to penetrate systems, and they’re changing their approach every single day, every minute. There were 22 million different malware samples in the first quarter of 2017, so the growth of attack methods is dramatic, and cyber criminals are developing at a breakneck speed, new approaches every single day. So we have to be protecting our information, and our data in way that is routine, adaptive and continuously addressing the changing threat.
Who are the main culprits associated with state-sponsored hacking?
ISIS and Isil were using cyber attacks as a way of sponsoring some of their terror activities. It is an open book in terms of who can do, because everyone is operating in that environment today. To think that you can say only these three countries are the ones you should be worried about, or this particular type of criminal activity is the one that you need to address – I think that is inadequate in every measure, because you’ve got virtually a large number of people that are motivated to try and penetrate the civil sector, hold people and institutions to ransom.
Hackers are just taking advantage of the environment, and the inability of people to be operating in an adaptive environment is the root of the problem. Most people are not proactive in their approach to dealing with the cyber threat, and that’s where we need to get to. We need to be ahead of the timeline that the cyber criminals are pursuing.
Our decision logic on what needs to be done to protect an organisation’s data has to be ahead of where the criminals are operating, otherwise we’re going to be just catching up every single step of the way and we’re going to be reactive in nature. The techniques that are employed need to be non-traditional in many respects – the traditional serves a function, but they’re inadequate in the aggregate – and innovative. They will be the ones that lead the way in the next decade, in how businesses create the proper environment in which to operate, as opposed to being in a reactive, defensive, technical cyber response.
What types of attacks can be expected?
I think the types of attacks are changing, and I think it’s the approach to defence that we have to be very intune with. We’re no longer in a static environment when it comes to business and operations inside government. We’re in a very dynamic environment.
One of the highest threats that remains is an individual clicking on an email. Around 90% – according to one of the Verizon latest studies I read – of malware attacks started with an employee clicking on an email. Of those 90%, 65% said that was the result of opening an attachment. If we continue to use very traditional approaches to set up defences against malware and people with malicious practices, then we’re going to end up in a situation where you’re not going to be able to come up with an effective defence.
What businesses and governments have to do is get into more innovative and non-traditional, dynamic kinds of responses. Businesses in particular – at the board level – have to change their thought process. Many people today look at cyber and assume that it’s another functional area, and I don’t think that’s the case. What we’re facing right now is a situation where the cyber environment is the business environment. And this is the environment in which governments are operating. You have to turn the old approaches on there head, and look at it through a different lense. As you move into the Internet of Things there are more windows of vulnerability that are created. My fundamental premise is; cyber is no longer a technical issue, it is a environment in which business and operations exist and reside, and we have to adapt our thinking to create systems that are resilient inside that environment.
Public and private organisations have to have a full spectrum response, rather than looking at individual vulnerabilities. They’ve got to change the way they think about cyber and think of it as the environment in which they operate.
How can business and government keep up with the ever-changing cyber threat?
I think the new technical developments from a machine learning and artificial intelligence standpoint will be a huge asset. As they continue to evolve going forward, it will enable businesses to look at much of the information that is gained from a defensive posture, to help predict attack trends and vectors.
We are never in a satisfactory state, we are always having to adapt and respond going forward. If you think you have everything in place then you have an instant vulnerability, because people are trying to find new ways everyday and are being very successful in penetrating systems. Organisations have to recognise that it is a dynamic environment, not a static one. You can’t put in place point solutions today, and expect them to be effective in the next decade, and not to be continuously adapted and changed with new solutions brought in to compliment them. That’s one of the areas that corporate governance needs to focus very specifically.
Moving forward what are your closing thoughts on the cyber environment and the threats that exist there?
Governments need to look at critical national infrastructure, and critical national economic infrastructure. What happens if a major corporation is penetrated by a cyber attack, and what happens is very dramatic in terms of the financial cost in containing that particular penetration. There are costs regarding jobs and loss of intellectual property, and these different aspects from a commercial and industry-perspective feed into the critical national economic infrastructure.
>See also: Cyber risks are ‘leaving IT in the dark’
Governments and businesses, therefore, need to be looking at more than just the power grid – as an example. We need to look at the power grid, in addition to threats posed by malware to the economics of a country. The economics of a country are part and parcel to the overall power and strength of that nation at an international level. Cyber can no longer be treated as a technical issue, it is the environment in which we are operating all of our business and government activities.
Then there is the issue of time. The longer it takes to identify a threat, the more difficulty you are going to incur, because that means the threats are active inside a system and given free reign. The identification of the new threats is extremely important, along with the corrective action taken against those threats.
Finally, the Internet of Things is going to open significant windows of vulnerability moving forward. However, taking advantage of machine learning – in particular – and as you look at some of the newer technologies, like quantum computing, organisations will see more opportunities to apply these to the cyber environment and defend it. We are gaining and creating tools everyday that are taking advantages of breakthroughs in technologies to combat the threat.