“The biggest threat we face is not ransomware but romance scam—which is super boring and has been there for hundreds of years. It is a scam in which one pretends to be interested in you and then scams you,” said Serge Droz, the Security Lead at Proton Technologies, during the 2021 Cyber Stability conference organised by the United Nations Institute for Disarmament Research (UNIDIR).
The panel discussion, moderated by Giacomo Persi Paoli, Programme Lead, UNIDIR, was convened to discuss existing and potential threats in cyberspace. Anastasiya Kazakova, Senior Manager for Public Affairs, Kaspersky, and Klára Jordan, Chief Public Policy Officer, Cyber Peace Institute, were the other panelists.
It is important to understand the scope of threats that afflict cyberspace so as to understand the mechanisms one needs to put in place to protect victims and mitigate damage to assets including financial ones.
Future-proof norms are a challenge, says Serge Droz
Information Bias: “…a lot of discussions today seem very reactive. A recent study, for example, investigated the victim landscape in various reports and the findings were quite shocking because most of the reports of commercial companies cover attacks on other commercial enterprises and leave out civil society, not because they’re not interesting but because these victims are not potential customers,” said Serge Droz in response to a question on gaps in the threat landscape. He highlighted that the private sector had a strong bias. “It is one of the two challenges we face and we must accept the fact that information is biased,” he added.
Traditional notions of conflict: “The line started to blur 50 years ago wherein espionage would be something in the state domain. The criminals and other separate issues were left to law enforcement but it seems to be converging these days. For example, the vulnerabilities in Microsoft Exchange servers were used by a state to run an espionage campaign and then it was taken over by criminals who deployed it for ransomware,” Droz said.
Drafting laws for the future: “It is a challenge to make future-proof norms and regulations. It’s important that these conversations are about the values we share as humans and not so much about technology. The challenge is to find the game changers. No one would have predicted the impact of mobiles 10 years ago. We are talking about norms for responsible behavior and not responsible technology. We have technical capabilities in traditional warfare that we as a society have decided to not use like biological weapons, and chemical weapons. It is the way to go,” he suggested.
Quantum computing: “All we know is that once quantum computing comes into reality, all the cryptographic algorithms we use for security on the internet will be worthless. Quantum computing is only going to be feasible in about 10 years, and you can do a lot in 10 years. Companies are working on quantum-resistant encryption algorithms. There’s a good chance that we are actually going to be in the position to do this in 10 years,” Droz assured.
Militarisation of Cyberspace must be avoided, remarks Klára Jordan
Disinformation: “It is a twofold threat. We need to focus on disinformation beyond the importance of our democracy and political processes and the way it can impact the understanding of the threat. We have to address it as a direct threat to human security and safety. There are not distinct digital threats; they are done in conjunction where cyber attacks are a means to steal or plant targeted information,” Jordan stated.
Weaponisation of information: “We continue to see hacks and leaks where factually correct information is taken out of context and then used for malicious purposes. We’ve really seen this in the context of the pandemic. I hope to see this addressed and ensure we don’t treat these as two separate issues or separate processes,” she told the gathering.
Militarisation of cyberspace: “Ransomware is a scourge, and it’s little surprise that governments are using an array of tools to fight it but now we’re seeing initiatives across the globe where military capabilities or authorities are being proposed to fight cybercrime,” Jordan bemoaned. “It is a concerning response because we believe that this should be a law enforcement matter where law enforcement tends towards gathering evidence, incident response, seeking the arrest and investigations. I think that using the military authorities to fight ransomware sends the wrong signal when we think about reducing risk to peace, stability and security,” she explained.
Forgetting the threat to victims: “The way we think about the threat, we still think about the target and we don’t talk about the threat to the victims. Humans continue to be in the crossfire of geopolitical conflicts. This is key because they impact human safety, security and access to critical services so we are violating the rules and the norms across the board when humans are in the crossfire of these geopolitical conflicts. We’re seeing a proliferation of offensive cyber capability used for violations of human rights and fundamental freedoms,” she affirmed.
Evolution of cyber crime: “We are at a point where the victimization goes beyond the target during extortion. It’s not just targeted attacks but the impact on victims. It’s not only in terms of their immediate human rights, safety and security but if you think about the data and the way it’s held to ransom and it ends up in a dump site, there is potential for lifelong revictimization,” Jordan clarified. She also said that non-state actors now possess capabilities previously available only to governments.
Belligerent states: “It’s also important to note that some states are using modus operandi of criminal groups to engage in their criminal behavior,” she warned.
Lack of cyber hygiene fuels exploitation, states Anastasiya Kazakova
Kazakova underscored the fact that the threats already identified in several reports published in the past by the United Nations’ working groups (GGE and OEWG) should be defined further.
Defining the role of military in cyberspace: “We see more and more states publicly announcing their Cyber Military Operations Command and strategies but I assume the need is to defend themselves and protect their citizens and assets. How is it actually a threat to cyber stability? If we are more clear about this (question) as a global community then we can understand what we need to work upon collectively,” Kazakova asserted in her response.
Framework for cyber emergencies: “The lack of a clear framework guiding the behaviour of state and non-state actors in the event of a cyber attack on critical infrastructure could be a challenge which may lead to more threats,” she concluded.
Lack of cyber hygiene: “The exploitation of people and exploitation of the lack of cyber education among people, as they continue to be the weakest link, opens the door to several attack vectors,” Kazakova said.
Scant reporting by victims: “We’re not focusing much on the lack of particular processes that also lead to the threats which is the reporting by victims. We need to know what’s going on with the victims and how the particular use of technology increases the threat,” she added.
Threats from existing policies: “Threats would not just emerge from the use of technology but from existing policies and attempts to regulate the technology and specifically existing risks. Photos of men of states approaches to regulate still globally developed, globally distributed, globally consumed and a final note more a structure,” Kazakova remarked.
Keeping in the loop: “It’s important to have a diverse set of people and experts who have different insights to be in the loop constantly about recent threats, intrusions, and threat actors. One must make sure people are coming from different backgrounds—private sector, academia and technical community. They could help and guide states to update threat intelligence and threat modeling,” she concluded.