Bringing innovation to the cybersecurity fight

It’s no surprise that today’s breed of cyberattacks are doing more damage than ever before — with the likes of Stuxnet, WannaCry and the Equifax hack affecting the functioning of physical infrastructure and compromising the privacy of millions of people.

To keep up with these evolving threats, cybersecurity practitioners and policy-makers need to be one thing: Innovative.

“Innovation is for all of us, whether you’re in technology, whether you’re a consumer, or whether you’re in policy,” said Mr Richard Iau, Director (Cybersecurity) at the Government Technology Agency of Singapore (GovTech).

“Even a boring guy like me who works in policy can try to be innovative,” he quipped.

Mr Iau was speaking at a session on cybersecurity for public sector leaders, held at GovInsider’s Innovation Labs World conference on 26 September 2017.

He was joined by Mr Yum Shoen Yih, Deputy Director of Critical Information Infrastructure at the Cyber Security Agency Singapore (CSA); and Mr Earl Matthews, Vice President of Enterprise Security Solutions at DXC Technology.

Less is more

Because the field moves so quickly, policymakers in the technology space must endeavour to be less prescriptive, said Mr Iau.

“Being prescriptive is fine if you have very mature industries. But in tech, you have to ask yourself: if we are so prescriptive, how are people going to have the leeway to manoeuvre within that framework of doing things right without getting hurt?”

In cybersecurity, instead of setting out detailed step-by-step instructions for everyone to follow, a higher-level approach that takes into account the different levels of risk faced by various government agencies could be more effective, said Mr Iau.

In addition, government agencies should also develop a defined strategy that focuses on defending what is most important.

“We can’t protect everything on the network; the days of trying to protect everything are over. With the internet and mobile phones, data is overflowing all over the place,” explained Mr Iau.

In his talk, Mr Yum from CSA also advocated a strategic approach to cybersecurity that focuses on design — and not just on compliance with rules.

“We start with what understanding what exactly we are trying to enable in a business or an organisation. Once we have finalised this, we can then determine what are the threats that will impact this business, the environment or the people.”

This will then guide each organisation’s risk management or risk avoidance approach, Mr Yum added.

Inside out

Combating cyberattacks doesn’t just involve being on the lookout for external threats.

People within an organization can also compromise sensitive data, whether unwittingly or with malicious intent.

For example, before internet separation was implemented, nearly one in two public servants would fall for phishing scams, said Mr Iau.

“Anyone is susceptible to phishing. It’s good to continue training staff on the dos and don’ts of good behaviour on the web and on email,” he said.

DXC Technology’s Mr Matthews also emphasised the importance of tackling ‘insider risk’ during his talk, noting that 43 percent of all data loss is caused by employees.

If steps are not taken to curb such leakages of critical information, cybercrime is expected to become an eight-trillion-dollar business by 2020, exceeding the combined value of the drug trade and human trafficking combined.

To make matters worse, the methods used by cyberattackers are rapidly evolving.

“Spear-phishing [phishing attacks targeted at individuals] is still the number one attack factor. I will tell you that even though I’ve been a professional in this business my entire life, last year I was almost spoofed by someone pretending to be my bank!” quipped Mr Matthews, adding that such attacks are now extremely sophisticated.

For governments, cybersecurity is not just about protecting their own systems, but also about winning the confidence of citizens, said Mr Matthews.

“An important issue is the loss of citizen trust in their governments. This can actually influence elections or bring down governments, so cybersecurity has far-reaching consequences,” he added.

Attack, Protect

In addition to getting creative on policy, Mr Iau also spoke about the importance of innovation in technology.

For example, he has recently formed a ‘red team’— essentially a team of hackers — at GovTech to help improve the security of IT systems.

“The philosophy is quite simple: I don’t want hackers to break into my network, so I hire a group of hackers who are on my side. I pay them a salary, and they try to hack into my system. They know my network well, so when I do get hacked, they can help with the defence,” he said.

“We’re building the capabilities for this kind of defensive skills.”

Mr Iau stressed that change is the only constant in the cybersecurity fight.

“I think from the technology perspective, you have to change in order to keep up. Ultimately youll get some pushback, but my response is to push back harder, especially if you know that you’re doing the right thing,” he concluded.