Recent cyber incidents: Patterns, vulnerabilities and concerns

Event report

Welcoming attendants, Dr Roxana Radu, Programme manager, Geneva Internet Platform (GIP), introduced the main idea behind the event: to move cybersecurity discussions from an abstract level to a practical, solution-oriented one, away from politicised and ideological angles. This event is part of the Geneva Digital Talks series initiated on 12 October and co-organised by the Canton of Geneva, digitalswitzerland, and the GIP. Several focused discussions are planned in this series, including dedicated events later in the month on peace and jurisdiction. The spirit of these discussions is open and interactive. Co-organising the event, the Geneva Centre for Security Policy (GCSP) shared the vision for the event. Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, GCSP, moderated the first session, focused on current vulnerabilities in cybersecurity.

Mr Martin Dion, Vice President of EMEA Services, Kudelski Security, began by criticising attempts to predict cybersecurity trends. Such predictions, he argued, are based on flawed security reference models, which reflect a lack of understanding within the system. Drawing on three cases (Wannacry/ Petya ransomware; Mirai Botnet;  and Equifax/Deloitte breaches), Dion maintained that there is a disconnect between the real problem and how it is perceived. The affected companies spent considerable resources on their security; yet, all attacks could have been avoided by fairly simple measures, such as security patch updates. This, he posited, evinces a cognitive gap. Cybersecurity is conceived as an issue of confidentiality, but is acted upon as a matter of service availability (‘if you have a heart attack, does your privacy matter?’). Inflating the problem, technological solutions continue being developed, to the point of market saturation. However, scientific innovation should not be the main goal. A security system is as strong as its weakest link, and these are its users. To illustrate his provocation, Dion gave one idea and one fact. First, he believes that privacy is ‘an older issue’, since the new, digitally native generation, ‘doesn’t care about privacy’. Second, he stated that there are six times more jobs (90,000) than cybersecurity graduates (15,000) in the United States, his company’s biggest market. These examples, he argued, indicate that we need to address the issue of cybersecurity at its feeblest points: individually and socially.

Ms Päivi Tynninen, Researcher, Threat Intelligence Unit, F-Secure Labs, divided her presentation into three parts. First, she discussed recent supply chain attacks, such as the spy network detected by operation Cloud Hopper, Petya/NotPetya, and the hacking of CCleaner. While explaining Avast’s inability to notice the latter, she noted that since ‘these attacks target organisations through the most vulnerable parts of their supply network, this makes it difficult, even if you are within the industry, to detect threats’. Next, Tynninen assessed the vulnerability of devices connected to the public Internet system, citing the Mirai and ReaperIoT botnets. She also presented original research on information breaches: two-thirds of the stolen data concerned personal information, while the remainder pertained to credit card data. Furthermore, parsing the 30-odd breaches that happened to large companies within the last ten months, Tynninen shared estimates that 90% of them resulted from misconfigurations and years of delayed security updates. Finally, she analysed the issue of spam, observing that, in 2014, it represented two-thirds of the world`s email traffic. She gave as an example spammers’ ability to falsify sender addresses with the John Podesta leaks. Because he responded to a fake Gmail password update request, hackers were able to invade his account. To conclude, Tynninen stated that ‘the Internet is not fit for non-secured services’.

In the ensuing Q&A, speakers were first asked to summarise their recommendations. Dion emphasised the distinction between being a target and being a victim of an attack, extolled netizens to acknowledge their responsibility (and not just their governments’) concerning their security, and proposed that ‘we do the basics’ when it comes to cyber prevention. Likewise, Tynninen also highlighted the need for proper ‘basic hygiene’. She focused on the matters of restricting the upload of unnecessary data and taking the issue of security clearances seriously. Then, the presenters fielded questions on the importance of structural solutions; how regulatory efforts (in particular the EU General Data Protection Regulation) can increase cybersecurity; how big the risk of interstate cyberwar is, and, if the issue cannot be solved immediately, why should society be concerned about it.