Exploring the Future of Cybersecurity
By Kevon Swift, Head of Public Safety Affairs
Step into any major tech event over the past decade, and you are guaranteed to stumble upon fervent discussions about cybersecurity. It is a topic that has shared the spotlight with buzzworthy subjects like cloud computing, quantum technology, the Internet of Things (IoT), and Artificial Intelligence (AI). But amidst this buzzing cacophony, what makes a panel discussion on cybersecurity at the recently concluded LACNIC 39 event so relevant and important? The answer lies in the profound transformations that have reshaped our cyber landscape over the past ten years, revealing unsettling truths about the world’s woefully underdeveloped state of cyber hygiene. Yet, amidst the disquieting revelations, a glimmer of hope emerges. The time-tested wisdom shared in earlier cybersecurity conferences, emphasising the human element and the power of cooperation, remains as pertinent as ever.
At LACNIC 39, I had the privilege of moderating the panel discussion titled “The Future of Cybersecurity”, flanked by Mr Pablo Álvarez, SIIES Government of Yucatan; Mr Sabas Casas, ACCENTURE México; Mr Wilberth Pérez, Head of the CSIRT-UADY (Computer Security Incident Response Team – Autonomous University of Yucatan); Mr John Brown, Team Cymru Senior Security Evangelist; and Ambassador Claudio Peguero, Cyber Affairs Advisor, Ministry of Foreign Affairs of the Dominican Republic. Our five esteemed cybersecurity experts graced the stage, shedding light on pressing matters such as the current state of cyber hygiene, global trends in cyber incidents and crimes, and our most potent defences against the imminent risks lurking in cyberspace. The conversation commenced by delving into the truisms and clichés that have plagued our underwhelming cyber hygiene. One such revelation was the unfortunate relegation of cybersecurity as a mere IT problem, often undervalued by corporate decision-makers who fail to grasp the multifaceted nature of its risks. The panel astutely identified moments of miscommunication, akin to being “lost in translation,” between Chief Information Security Officers (CISOs) and those prioritising short-term financial gains within organisations. It is disheartening that an uninformed view of the information security field may still linger, perpetuating the misconception that security measures boil down to purchasing firewalls and antivirus software alone. In introspection, the disconnect among professionals from diverse backgrounds is not a novel phenomenon. What, then, has truly changed in our environment?
Three compelling reasons spurred us into action for this occasion. Firstly, the global pandemic thrust us into an unprecedented reliance on Internet services and technologies, welcoming a wave of new-to-digital customers with varying levels of technological proficiency and awareness into the digital realm. Alarming trends have emerged, revealing that both young adults and the elderly are particularly vulnerable to falling prey to cybercrime. Their lax attitudes towards data privacy, or limited familiarity with digital tools as is the case among individuals over 75, have made them easy targets. Secondly, the rapid digitalisation witnessed across governments, businesses, and the education sector has outpaced the development of robust security and contingency plans by CISOs. As valuable assets were swiftly migrated to the virtual realm, the critical need for comprehensive security measures became glaringly evident. However, the implementation of such measures struggled to keep pace with the accelerated pace of digital transformation. Furthermore, the surge in remote work and the widespread adoption of ordinary consumer devices as workstations necessitated an immediate and substantial increase in cybersecurity measures. A 2020 report on the business case for enhanced cybersecurity shed light on an unsettling reality: despite the practicalities of working from home, 57% of those surveyed reported feeling more distracted than in a traditional office setting. This distraction had a direct correlation with a heightened susceptibility to cyberattacks, including the insidious threat of phishing scams.
There is another powerful rationale for conducting this focused discussion on cybersecurity at this time. According to Deloitte, in the pre-pandemic era, approximately 20% of cyberattacks employed previously unknown malware or techniques. However, with the onset of the pandemic, this percentage had surged to 35% in that first year. Among the emerging attack methods, some leverage machine learning capabilities to adapt and evade detection. Another concerning trend is the growing complexity of ransomware attacks. Attackers are combining data leakage tactics with ransomware, employing persuasive strategies to coerce victims into paying the ransom.
With innovative models such as malware as-a-service, the cybercriminal economy has been shifting drastically. Seasoned bad actors have commoditised and made their threat capabilities available on criminal marketplaces so that entry-level cyber criminals can easily purchase malware and malware deployment services and in turn sell stolen credentials and data in bulk. This industry practice has massified the number of cyberattacks although the scale and intensity of each attack have shifted as the seasoned criminals have positioned themselves higher up the criminal value chain to avoid detection. Cybercriminal groups have been evolving into organised entities, mirroring legitimate businesses. For example, the Conti criminal group was replete with marketing departments, human resources, and remote staff who might have been oblivious to their involvement in criminal activities.
In our review of cybersecurity preparedness in Latin America and the Caribbean, we focused on three insightful perspectives to assess our region’s cyber capabilities. Among 33 economies in the region, we found that 18 already had national cybersecurity strategic plans in place or were actively developing them. These plans serve as comprehensive, collaborative documents that outline strategic areas for enhancing cyber resilience, responding to cyber threats, promoting cyber awareness, and ensuring legal measures for delivering justice to cybercrime victims. It is paramount that these strategic plans are regularly updated, adequately resourced, and effectively implemented to enable collective cybersecurity efforts. Regarding technical responses to cyber incidents and attacks, a significant majority of countries in the region had established Computer Security Incident Response Teams (CSIRTs). These teams operated at various levels, including national, governmental, military, and sector-specific entities. Additionally, nearly all countries, except for four, had enacted cybercrime legislation. However, it is worth noting that we did not assess the effectiveness of this legislation in terms of the currentness of cybercrime definitions or the adequacy of procedural provisions to facilitate cyber investigations and cross-border cooperation among law enforcement agencies. The snapshot did help us identify important building blocks for cyber resilience at a macro level, which would indeed be required to support anything we do at a corporate level.
At meso and micro levels, our experts stressed the importance of building awareness at multiple levels of organisations and even homes, with a view to engendering a culture of cybersecurity. A culture of cybersecurity refers to a collective mindset and set of practices that prioritise and integrate cybersecurity into various aspects of our lives. It encompasses both corporate practices within organisations and the behaviours and habits that should be fostered in homes and families. In a corporate context, a culture of cybersecurity entails creating an environment where cybersecurity is seen as a shared responsibility among all employees, from top management to frontline staff. It involves promoting awareness, education, and training programmes to ensure that everyone understands the importance of cybersecurity and knows how to identify and respond to potential threats. Furthermore, our experts affirmed that organisations need to establish clear policies and procedures regarding data protection, privacy, and incident response. Encouraging an open and transparent communication culture, where employees feel comfortable reporting security incidents or potential risks, is also essential. At home, fostering a culture of cybersecurity would involve similar principles but with a focus on individual responsibility and family awareness. Parents are expected to educate themselves and their children about online safety, privacy, and the potential risks associated with using digital devices and the Internet. Grandparents should not be left out of the equation, as special attention should be placed on their needs in using digital tools and the Internet.
The interconnected and borderless nature of cybercrime and cybersecurity certainly stood out during the discussion as the experts turned their attention to the issue of cooperation. Cooperation is required on multiple fronts, including creating and nourishing trust communities among technical people with responsibility for security operations, with law enforcement agencies, and across sectors where reputational, operational and legal risks may be exacerbated (banks, for instance). Cooperation must ultimately contemplate fostering cyber confidence-building measures across countries through the use of cyber diplomacy, with the aim of enhancing cross-border cooperation and the predictability of fellow state machinery when attacks happen. With good cyber hygiene and cybersecurity being a collective endeavour, the high-level goals of enhanced cooperation would be to reduce and mitigate the impact of cyber attacks and cybercrimes.
The age-old lesson that remains pertinent since the earliest days of cybersecurity discussions at tech conferences is that the human element—people—must remain at the forefront of even the biggest cybersecurity plans. Our approaches to improving cybersecurity and safeguarding digital assets should be iterative and persistent to keep abreast of and eventually outpace the mutation of cyber risks. In this regard, everyone has a role to play. Cybersecurity is no longer “just” an IT problem.