The lines between cyber-criminals and state-sponsored attacks, monetary gain and political influence are becoming increasingly blurred, according to speakers at this year’s Cyber Security Congress in London. The event – convened under the Chatham House Rule – was often not so much about cyber-criminals as about the growing issue of politics and nations getting involved in cyber-based activities.
Politics vs business
One intelligence expert claimed that we have entered a new era, where politics, rather than business, is the driving force behind many of these activities.
Russian 'fake news' efforts during the US elections were "much more extensive" than most know, similar campaigns are currently happening in France, and more will continue around Europe and further afield this year. But the motivations will not just be to influence elections or perceptions of leadership, but also to make countries richer.
We’re told that while there are limits on how much money can be made from the likes of credit card fraud, the amounts that can be made from predicting stock market changes through manipulation are almost limitless.
“I don’t see a way that this won’t be a major force in the future.”
Another speaker said it was “very concerning” that governments around the world are “investing too much in cyber-offensive capabilities rather than defence.”
Various policy makers and public sector workers from Europe and the US were present, and concerns were raised around preventing cyber-crime in emerging markets. The lack of adequate laws, processes around digital evidence gathering, and enforcement of punishments means many countries – several within Africa were cited as examples – could become ‘safe havens’ for cyber-criminals.
There was also concern around certain countries overlooking or actively employing cyber-criminals for state-sanctioned attacks, but there was confidence that international cyber-agreements – aka “cyber-nonproliferation” treaties – could be agreed upon, because countries wouldn’t want to become the “cyber North Korea” and be frozen out of digital markets.
Unsurprisingly, GDPR was a hot topic. The EU’s incoming data privacy regulation was described as “clunky, but essential, and a long time coming.” Speakers advised attendees to look beyond the fines and use it not only as an opportunity to tighten processes and improve security and consistency on a worldwide level, but also as a chance to give security a mandated leadership role within the company.
Companies that haven’t yet begun preparation should prioritise data mapping and ensuring everything they do from now on is embedded with a “privacy by design” approach.
Outside of politics and regulations, there was some talk around business trends. Although experts IDG Connect has talked to in the past have said otherwise, the audience was told cyber-criminals are not using Machine Learning techniques to infiltrate, explore, and hide within target networks.
Another expert said that he expected ransomware to decline in popularity in 2017, but we would see a massive increase in email and business process compromise. In these attacks, attackers – whether for monetary gain, political motives, or even industrial sabotage – will infiltrate a network, learn how a company works (processes, habits, email styles between workers) and then strike on a weak point.
The Bangladesh SWIFT and Tesco Bank attacks were cited as examples of process hacks, as was a company whose printers were compromised to change payment details on invoices but not in the underlying databases. Compromising a business process from start to finish usually takes around four months: around three months just monitoring, one for infiltration and planning, while the final execution happens in a single day.