Date: 17 Apr 2019
Navigating the Global Cyber Threat Landscape — In conversation with Robert Hannigan, Former Director of UK GCHQ
Robert Hannigan has had an illustrious and varied career, having spent two decades in national security roles in the UK, with the most recent being Director of the Government Communications Headquarters (GCHQ) from 2014 – 2017, the UK’s largest intelligence and cyber security agency. He was responsible for the UK’s first cyber strategy in 2009, and established the UK National Cyber Security Centre in 2016.
Currently, Robert serves as Executive Chairman for Europe of BlueVoyant, a global cybersecurity services company, as well as being a Senior Advisor at McKinsey & Co. He is widely known as a leading authority on cybersecurity, cyber conflict and the application of technology in national security, and writes regularly on cyber issues in the Financial Times.
ICE71 was honoured to host an intimate fireside chat with Robert on 5 April 2019, where he shared his insights with CTOs, CISOs and Senior Executives from Singapore on the global cyber threat landscape, and how companies can protect their data in an unpredictable and fast-changing world. The event was moderated by Ken Low, Director of Cybersecurity (Partnerships) at the Info-communications Media Development Authority (IMDA).
A Shifting Landscape
Alarmingly, in tandem with the changing nature of cybersecurity, cyber attacks are also increasing in volume, complexity and destructiveness. Broadly, the source of cyber attacks can be categorised into three buckets:
1. Individuals or groups of individuals — The traditional image of solo hackers in their bedrooms, company insiders, “hacktivists” (hacker-activists), competitors, terrorists.
2. Organised cyber crime groups — From low-level fraud criminals to highly sophisticated international syndicates, for which cyber attacks are a massive opportunity. These groups are able to pull intel and skilled talent from around the world, and tend to be headquartered in countries with endemic corruption and good connectivity, making them both dangerous and difficult to prosecute.
3. Nation-states — While most people will not experience this type of cyber attack, the fact that some nation-states are engaging in cyber attacks is a worrying trend. Nation-states can make available to crime groups very specific tools and vulnerabilities. This crossover between the resources and protection accorded by nation-states with the network and capabilities of crime groups makes this threat most challenging to combat.
No One is Immune
“Taking down a website is no longer spectacular enough for a terrorist,” says Robert. With the advent of smart technologies, connected devices and AI, there are more vulnerabilities that are vulnerable to exploitation by opportunistic cyber terrorists. The impact of cyber attacks are no longer confined to the virtual realm; they can also wreak havoc in the physical world. At some stage, Robert says, terrorists may have the capabilities to cripple critical infrastructure (e.g. power stations, transportation systems) or even cause deaths. The race is now on to make sure cyber defences are improved.
Europe was faced with a massive wake up call in 2017 when many companies were brought to a standstill by sophisticated cyber attackers, with some even put out of business. A broad spectrum of industries (e.g. healthcare, transport) had to re-think their assumptions that being outside of the financial sector meant they would not be victims of cyber crime. The 2018 reform of European Union data protection regulations is certainly a step in the right direction in raising standards and ensuring information disclosure on data breaches.
With cyber criminals being a moving target, companies need to innovate ahead or risk being outmaneuvered. Robert offers three pieces of advice in this aspect.
1. Collaboration is Key
“Companies in Singapore have to understand that they have a common enemy. And that enemy is not their competitor. Rather, they have to band together against the cyber criminals to stop cyber attacks together.”
Robert says that the average CISO tends to only worry about their company’s security, who their own risks are (e.g. third-party), and who or what they are connected to (e.g. systems, databases, partner organisations). With sophisticated cyber attackers moving up the supply chain, Robert strongly advocates for a pooling of resources, information and intelligence across companies. Event moderator Ken Low shared that IMDA encourages companies to share information with their industry partners when suspicious activities are detected, before a full fledged cyber attack actually occurs. By sharing this information, other security leaders can be aware of potential threats to their own systems.
2. Capitalising on the Ecosystem
With a growing cybersecurity ecosystem in Singapore and the region, opportunities abound for companies. Initiatives like ICE71 can connect startups with disruptive technologies and solutions to big companies, to see the potential in how these innovations can be applied or integrated.
3. Setting Priorities
One thing Robert has observed that firms often struggle with, is where to start and what to prioritise in cybersecurity. Often, Robert says, organisations take the route of buying all sorts of expensive products (of which some are good and others not so) and hope for the best, which just ends up flooding them with data that they do not know what to do with.
Robert recommends that companies should worry as much about cultural or policy change. Businesses should develop a systematic risk management approach that spans every aspect of their company. Companies can consult cybersecurity advisories which can provide tailored solutions for different sizes and sectors of businesses.
Furthermore, the ‘softer approach’ of changing employee behaviour is a long-term process that should be invested in. People should be better trained such that the company culture can change towards a more proactive cybersecurity approach. If individuals can do more at the national or company level to raise awareness of cybersecurity, no matter how small it may seem, the situation will improve greatly.
Prevention Is Better Than Cure
Speaking about supply chain risk, Robert emphasised that perfection is not a realistic option. “All software has vulnerabilities. All companies get things wrong. You need to be realistic about designing networks that are going to be resilient against basic software failure.”
According to Robert, organised crime groups care about easy wins and higher returns on investment — if someone is too hard a target to crack, they will go somewhere else. Hence, cybersecurity does not have to be perfectly secure; it just has to be robust enough to serve as a deterrence.
While companies may have made mistakes in the past, or continue to grapple with fixing legacy systems, Robert says that we will get to a point where we create things with security built in, before these systems are fully established and running.
With cyber attacks being “80% what we can prevent”, getting the basics right will reduce the cost to companies to combat the majority of cyber threats. These preventable mistakes include poor patching, poor engineering and opening malicious e-mails. When an attack does occur, having procedures for speedy and effective remediation is also crucial in limiting the impact of the attack.
Robert acknowledges that not all businesses will have the scale or capacity to develop their own systems; many will need to outsource — buying a managed cyber security service. However, for small businesses, he says that simple things can still be done to quickly raise a company’s cybersecurity baseline to an adequate level — for instance, implementing two-factor authentication, and educating employees about cybersecurity best practices.
When asked about the future state of cybersecurity, Robert is realistic that cyber crime, like with any other crime, will never be completely wiped out, but “we can suppress it to a reasonable level so that it meets our objective.”
Security baselines (a defined set of basic security objectives which must be met by any given service or system) are rising as the nature of cybersecurity grows in complexity and breadth. In the near future, Robert expects that this will make it harder for companies, who need to keep up to date with these changes, while struggling with adding processes to an already insecure infrastructure. Legislatures across the world also need to act quickly in order to combat these ever increasing threats.
It is vital that companies and governments fight these battles now, in order to ensure a more secure future for all in the decades to come. As Robert cautions, “In the long term, I’m optimistic. In the short term, I think it’s going to get worse before it gets better.”