The weakest link in cyberattacks
In early September 2017, US consumer credit reporting agency Equifax disclosed that a data breach from mid-May through July may have affected a staggering 143 million consumers in the US.
A vulnerability in a web application gave cybercriminals personal and financial data, in the form of names, addresses, birth dates, and Social Security, driver’s licence and credit card numbers.
Large cyberattacks like this are why industry players and government agencies must evolve to stay ahead of the game, said a panel of cybersecurity experts at the 2017 Milken Institute Asia Summit, held in Singapore from 14-15 September.
Speaking on the panel were Mr David Koh, Chief Executive of the Cyber Security Agency of Singapore (CSA); Mr Matthew Moynahan, CEO of Forcepoint; Mr Rafal Rohozinski, CEO of the SecDev Group and Senior Fellow at the International Institute for Strategic Studies; and Mr Silvino Schlickmann Jr., Director of the Cybercrime Directorate at Interpol.
Ms Kim Yun-Hee, Senior Editor at The Wall Street Journal, moderated the panel.
Hacking people
The most nefarious type of cyberattack, Mr Moynahan proposed, is the hacking of people.
“The worst is really an insider attack, where someone who is trusted becomes untrusted… It could be a nation state embedding an employee inside of a company, whom the company trusts and gives credentials to, and who then gets root access to core intellectual property and critical data.”
And with a “demographic bomb” waiting to go off, especially in certain parts of Asia where governance is weak, a rise in cybercrime is simply unavoidable, Mr Rohozinski said.
“In Myanmar, over the last 11 months, we’ve seen ten million brand new Facebook users. We’ve seen countries like Bangladesh, the least developed country in this region, go from the lowest to the highest levels of productivity. Why? Because of 4G and cheap smart phones.”
Meanwhile, in North America, six percent of the population will respond to an email message from an African prince asking them for details of their bank account, shared Mr Rohozinski to laughter from the crowd.
“That’s led to a small but thriving economy in West Africa with jurisdictional protection that allows these 419 scams to continue. Until we work out some kind of global definition around cybercrime jurisdictional sharing, we are going to have this problem.”
Cybersecurity at the national level
Providing insights from a government regulatory body, Mr Koh shared that the CSA had just completed a public consultation for its first cybersecurity bill.
In particular, the bill will require critical information infrastructure (CII) operators to report security breaches, and also provide key legislation to regulate the growing cybersecurity industry.
“The cybersecurity industry, on the one hand, is not a young industry,” Mr Koh said.
“On the other hand, it is growing very fast. In some aspects, it is almost like the Wild West, and there are many snake oil salesmen around. I think there is a need for us to regulate some part of the market so that buyers are protected, and information asymmetry can be levelled.”
Other efforts by CSA include international partnerships, Mr Koh said.
These memorandums of understanding, which have been signed with countries such as the US, the UK, France, Australia and India, allow for government-to-government coordination on best practices in cyber, CERT (computer emergency response team)-to-CERT exchanges and threat intelligence exchanges, he elaborated.
46 billion ways to be hacked
According to December 2016 data from Juniper Research, the number of connected IoT (Internet of Things) devices, sensors and actuators will reach over 46 billion in 2021.
This rapid expansion of the IoT sector, which is driven in large part by a reduction in the unit costs of hardware, is leaving us more vulnerable to attack, said Mr Schlickmann.
“We are not only exposing ourselves, but also empowering criminals when we install unprotected devices in our homes. Can you imagine going around and patching this equipment every now and then? We won’t stop our devices to put security features on them,” he pointed out.
Refrigerators and home entertainment systems aside, some of these IoT devices will be used in large-scale settings, Mr Koh said.
“These IoT devices control trains, traffic lights and aircraft movements. If an IoT device gets hacked, it is not loss of data or credentials that we are talking about. Real lives can be impacted, including loss of life,” he warned.
To trust, or not to trust
“I hate to say this, but we are moving away from what the internet was originally founded on, which is trust,” Mr Moynahan said, describing the measures taken by companies to stem cybercrime.
“You see the most sophisticated companies implementing zero-trust models; they are air gapping (physically isolating a computer or a network) things, they are not letting people have access. The analogue in the consumer world is defriending people on Facebook.”
In a future rife with cybercrime, education will be paramount to staying safe on the internet, Mr Koh said.
“There is a need for us to ratchet up public education, so that we can train our people, starting from grade school or nursery school, to know what to do on the internet. Otherwise, they are like lambs being led to the slaughter,” he added.
https://www.tech.gov.sg/media/technews/the-weakest-link-in-cyberattacks