Securing the digitised world

Driverless cars, smart homes, computer-controlled power grids and other automated technologies will soon change the way we live and work, bringing added convenience and efficiency to our doorsteps.

But haven’t you always wondered about the worst that could happen? What if hackers got into your smart home system, and turned it against you?

Or if they hacked into your autonomous vehicle, and took you on a not-so-fun joyride?

With artificial intelligence and the Internet of Things (IoT) becoming increasingly pervasive, cyberspace and physical space are set to become more closely intertwined than ever before.

In this environment, both individuals and governments must take threats to cybersecurity even more seriously, agreed a panel of experts speaking on 17 April 2017 at the inaugural Singapore Management University (SMU) Cybersecurity Forum.

The panel, moderated by SMU Vice Provost (Research) Professor Steven Miller, comprised GovTech Senior Director (Government Cyber Security Group) Mr Chai Chin Loon; Professor Robert Deng of the SMU School of Information Systems; General Insurance AXA Asia CEO Mr Jean Drouffe; and StarHub Chief Business Development Officer Mr Mock Pak Lum.

The great cybersecurity game

Defenders are usually the underdog in the cybersecurity arms race, said Professor Deng.

“We are fighting an asymmetric battle, which is to the advantage of the attackers.”

One reason for this: Today’s complex commercial operating systems now comprise tens of millions of lines of code, making them more vulnerable to security loopholes. In addition, many legacy systems, designed in an era when security was not a major concern, are still in use today, explained Professor Deng.

Strong public and private collaboration in cybersecurity research and training, he added, will be necessary if the good guys are to stand a chance of gaining the upper hand.

In cyberspace, government agencies, tech companies and private organisations are all on the frontline,” he said.

The GovTech Cybersecurity Group, explained Mr Chai, works to protect government systems against online threats.

“The level of sophistication of cyber-threats goes up every day, and it doesn’t go up in a projectable straight line—it can really climb exponentially. That is something that keeps us awake all the time,” he said.

A key challenge, added Mr Chai, lies in determining the appropriate level of security to enforce. “We need to balance three axes: how secure we want to be, how much budget we have, and how much functionality we want to deliver,” he explained.

“These run counter to each other—if you need more security, you pay more and lose functionality, for example. We help government agencies craft security profiles depending on how much risk they are prepared to accept.”

Share but with care

Mr Mock suggested that, similar to how the air travel industry greatly improved its safety record through openly sharing information about faults and accidents, the cybersecurity field could also benefit from sharing information about threats.

“It’s imperative that we, as an industry, do this,” he said.

“Perhaps, there could be a platform for people to share securely, without damaging the reputation of parties who have been compromised.”

Mr Chai agreed. “Creating trusted communities where we can share such incidents is ongoing work. Within government, we do make sure that all agencies are in the know about threats and the lessons learned from dealing with them.”

Still, he cautioned that care should be taken when sharing this information.

“Over-sharing could let the attacker know precisely how much you know, and how good your sensors are,” he said.

“But being a community, we still have to share. There are automated protocols that allow threats to be shared quickly, and we should continue to promote these.”

Sophisticated solutions, sophisticated threats

“Instead of physical assets, companies’ value is now increasingly in intangible assets such as data,” said Mr Drouffe.

As such, businesses, especially small and medium enterprises, are now more vulnerable to interruptions caused by cybersecurity-related incidents, he added.

While a company’s reputation could be damaged if the confidentiality of the data it holds is compromised, more serious consequences could result if there is a loss of data integrity, said Professor Deng.

“Confidentiality refers to keeping data private; integrity refers to making sure that it is not changed or delayed during transmission,” he explained.

“If data integrity is compromised, there will be an impact on the real world — driverless cars, for example — could be affected.”

To defend against ever more sophisticated threats, the field needs to take advantage of big data, as well as new tools in deep analytics, to understand internet traffic patterns and user behaviour, the panel agreed.

Analytics can also be used to minimise false positives and negatives during threat detection, said Mr Chai. “We need automation and better analytics to pick out and highlight real threats from out of the mass of routine traffic.”

But there’s just one catch.

“These techniques or products will require extensive real-world testing before we know how well they function.”