Many businesses, especially board members, do not understand the scale of the cyber threat, but international efforts to combat cyber crime are being hampered by political barriers.
Cyber criminal operations are more sophisticated than ever before, but some business leaders are still failing to understand the risk, while international collaboration on cyber crime is constrained.
This is the position outlined at a media briefing at the Palo Alto Networks End User Cybersecurity Summit in London by the company’s European chief security officer Greg Day and UK journalist and author Misha Glenny, who has studied patterns of cyber crime for the past 12 years.
Initially cyber criminals and organised criminals operated in parallel with organised crime group showing no interest in cyber crime or even taking advantage of technology because most crime bosses were old school, but that began to change when the Cali drug cartel in Colombia began using accounting software to keep track of their product in the late ‘90s, said Glenny.
Fast forward to today, and organised crime groups like the PCC, operating in Brazil, Colombia and Paraguay, have computerised their entire operation to track associates’ performance and punishments for failing to meet quotas.
At the same time, said Glenny, there has been an “interesting fusion” between traditional organised crime and cyber crime, exemplified by the criminal operation in which a traditional organised crime group coerced some tech entrepreneurs to hacking into the computer system at the Antwerp port to mark containers used for drug shipments as “customs cleared” at the port of exit.
“Law enforcement refers to this trend as the ‘digitisation of organised crime’ where there is both cyber-assisted crime as well as crime that would not be possible without cyber,” he said.
The illicit narcotics market and the trade in people smuggling are two areas of criminal activity that the internet is having the greatest impact.
“We are now at that moment where traditional organised crime is adapting and changing, and where cyber criminal organisations are looking at business structures to become a more effective operation than they have ever been before, with specialised groups for malware development, social engineering, money mule managers, command and control, and so on,” said Glenny.
These are much more sophisticated operations than they were in the past, he said, sometimes even involving state actors. “And the best example of this is the attack on the Bangladesh Central Bank by a group thought to be North Korean in which $81m was stolen as part of a planned $1bn heist, that failed only because of a typing error that prevented the fraudulent transactions from being processed and alerted banking officials.”
According to Glenny, the fact that the cyber criminals came so close to stealing $1bn in the space of a few hours should wake people up to the true scale of the threat. “Yet it remains difficult to get people to focus on these issues,” he said.
At a company level, business leaders often do not have the necessary knowledge and understanding of the cyber security threats their organisation is facing.
What is changing, though, said Day is that in recent hears company leaders have becoming increasing aware that they need to take cognisance of the cyber threat, with this issue creeping into the agenda of the World Economic Forum.
“I have seen a significant shift in the few years with business leaders wanting to understand more so they can have confidence in what their CISO is telling them. But despite this thirst for knowledge, many are struggling with the challenge of how to go about acquiring the knowledge they seek because they are too embarrassed to ask their CISO very basic questions,” he said.
Communication is key
The key issue is communication, said Glenny. “Often boards are reluctant to ask what CISOs mean because board members do not want to expose their lack of knowledge or appear stupid. I think every company should have a ‘digital interpreter’ who understands the tech, understands the security implications, understands the pressures on the board, and can explain to the board what things mean and why the CISO is asking for a particular investment in way that the board can understand.”
Another big challenge at the company level, said Day, is a supply chain challenge, as shown by the WannaCry attack. “Some of the systems that were involved were high-end medical devices, and the NHS was still at the behest of equipment manufacturer as to what they will let you run on it. Organisations may know the right thing to do, but sometimes they may not be able to do anything about it because they are not allowed,” he said.
At an international level, Glenny believe geopolitical considerations are having a negative impact effective action against cyber criminal operations.
At the same time that the FSB (Russian federal security service) began recruiting cyber criminal groups to boost their cyber hacking capacity, he said there was a deterioration in relations between the US and Russia and the UK and Russia.
“The [Alexander] Litvinenko crisis [after his poisoning and death in the UK] led to a complete freezing in cooperation between the MVD [Russian ministry of internal affairs] and the UK’s Serious Organised Crime Agency[Soca] on the issue of cyber, and since then – 2006 – the UK has had no communication over cyber with the Russians,” said Glenny.
As a result, he said the main players are today unable and/or unwilling to come up with a regulatory framework for relations in cyber space, which is leading to the unintended consequence of critical national infrastructure (CNI) being probed by everyone because nation states want to know the vulnerabilities and capacity of their potential enemies, and enemy sleeper viruses are a potential threat to national security.
“The danger is that 90% of CNI is owned by the private sector, and although governments are doing what they can to assist the private sector, ultimately they have not capacity to manage this other than broad monitoring of what is going on,” said Glenny.
Although there have been some positive developments, such as an agreement between US president Barack Obama and his Chinese counterpart Xi Jinping in 2015 to stop commercial cyber espionage and a meeting in 2017 between Interpol and Chinese tech firms and police forces looking for help on dealing with cyber crime, he said the nexus of Russia and its allies and the nexus of Middle Eastern countries like Iran, Saudi Arabia and Israel and their allies, is making collaboration very difficult.
“There is a real onus on governments to try and start talking to each other to come up with some rules of the road so that we do not end up facing a black swan incident impacting someone’s CNI in the next decade, which could be the unintended release of malicious code into the wild because nation states have shown they are not fully in control of their cyber weaponry,” said Glenny. “WannaCry demonstrated how easy it is to impact national infrastructure, when you are not even trying.”
“However, the Budapest Convention continues to be useful as a roadmap for those parties who are willing to engage with the convention, but that does not include the Russians, who essentially want a multi-lateral commitment that guarantees their ability run the Russian internet the way they want to run it, effectively signing into international law the balkanisation of the internet,” he told Computer Weekly.
“Although the Chinese favour a similar approach,” Glenny said they have shown “greater flexibility” than the Russians, adding that the US National Security Agency (NSA) has not helped the situation by failing keeping some of their malware “locked up” properly, referring to the leak of NSA-developed exploits by the Shadow Brokers hacking group in March 2017.
As a result, it is often difficult to separate cyber criminals from nation state actors, said Day, because they often share the same capabilities that have the ability to threaten human life, as demonstrated by the WannaCry attacks that affected the ability of large parts of the UK National Health Service to function.
“And while countries like the US, Russia and China have large cyber teams, just about any nation these days has a number of experts that have very good cyber security skills, and the reality is that you need only a few people with the motivation and skill to have a significant impact wherever they choose, which completely changes the game,” he said.
Nato has recognised cyber as being a military domain and is engaged in efforts across member countries to raise the cyber awareness and defence capability in the military context, and while this is having a positive effect on collaboration, Russia is once again not a member.
Equal information sharing
According to Day, Palo Alto Networks joined Nato’s cyber threat information sharing programme in 2016, which demonstrates Nato’s recognition of the fact that success in cyber defence requires information sharing on an equal basis with as many trusted partners as possible.
“They also run a quarterly threat vector workshop with supply partners and tech industry partners to discuss best practice, and some of the things that they do in terms of dealing with cutting-edge threats that are ahead of the rest of the market,” he said. “Likewise, they can learn from the way private sector business collaborates, and while positive, these are baby steps on a long journey [to a mature and effective exchange of information and practices].”
Europol’s European Cyber Crime Centre (EC3) is another positive area of development because it represents the first time the Europol has had operational capacity in terms of cyber crime, said Glenny, but once again this does not include Russia.
“But EC3 depends on the trust of the members and how they are able to communicate back to their governments, and here data protection concerns create a lot of issues for law enforcement,” he said.
Latvia’s membership of Europol and Nato is also challenging, he said, because almost 50% of Latvia’s population is ethnic Russian.
“That does create an issue for the US when it comes to sharing sensitive material with Latvia because there is a high penetration of Latvia by Russian security services. But despite these challenges, this is absolutely the way things have to go. Without collaboration we would be in much greater trouble than we are, and for that reason I am concerned about Brexit because Europol consists only of EU members.”
According to Glenny, the appeal by the British, French and German intelligence services to allow cooperation in security to continue is very important. “Both sides in the Brexit negotiations have to overcome this to ensure continued cooperation on the policing, intelligence and military fronts.”
Commenting about speculation in the media about whether the tension between the UK and Russia over the nerve agent used to poison former Russian spy Sergei Skripal and his daughter in Salisbury could lead to cyber attacks, Glenny said the most positive the UK prime minister’s response is that Theresa May has given no hint that cyber retaliation will be used.
“There have been some hot-headed voices on both sides suggesting cyber retaliation, but this way madness lies because the sensitivity of Russia to any assault on its cyber territory should not be underestimated, and if the Russians have got sleeper viruses all over the US infrastructure, you can bet they are all over the UK infrastructure as well, so it is not at all wise to start engaging in cyber brinkmanship.”
Read more at Computer Weekly.