More companies are moving their application management and support off local servers and into the cloud, but as the technology advances, so do the techniques used to exploit it. The result is a growing threat to individuals, companies and governments, one that could top trillions of dollars in costs within a few years.
This, according to security experts who gathered in Johannesburg in July for the THREAT2019 cybersecurity conference.
As providers of information and communication technology (ICT) services and vendors rush to market with products, incentivised and driven by a ‘first-come’ profit logic, the concept of ‘patching’ flawed products after their release has come to be regarded as acceptable.
A patch is a set of changes made to a program or system to update, fix or improve it. Patches are often released to fix previously overlooked security vulnerabilities.
Although the practice is commonplace, experts agree that it is highly ineffective and could doom some companies in the short term, especially as ransomware, malware and cyberterrorism increase.
The increase is measurable: between 2017 and 2018, for example, the number of phishing attacks on companies doubled. Phishing is a form of internet fraud that typically weaponises email correspondence to trick recipients into giving up sensitive, confidential information such as usernames, passwords, login and network credentials, or even credit card details.
According to Melissa Hathaway, President of Hathaway Global Strategies LLC, the idea of selling faulty products then patching them up later (sometimes for a fee) is one of the major fault lines in the current business models.
Melissa Hathaway warned that simply patching faulty products is not enough, and suggested that a time may come when developers are held liable for breaches caused by system vulnerabilities. Pic: Potomac Institute
“For example, Microsoft formalised this regular patching process in October 2003 — it has become known as ‘Patch Tuesday.’ Other vendors patch on a less frequent basis, with little transparency on the known vulnerabilities that they have transferred to our digital products and services. Patch Tuesday is inevitably followed by ‘Vulnerable Wednesday’,” explained Hathaway.
Hathaway, a highly respected expert in cyberspace policy and cybersecurity, has served under two US presidential administrations from 2007 to 2009. She spearheaded the Cyberspace Policy Review for President Barack Obama after leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush.
At the conference, Hathaway told delegates that corporate and government responses to these threats are slow and ineffective, reactive rather than proactive. In a paper titled ‘Patching our digital future is unsustainable and dangerous’ she explains how software developers have inverted the normal logic of engineering: critical design flaws are shipped to customers first and dealt with afterwards.
“Cybercrime is growing at 26% per year, and is estimated to cost the global economy at least US$2.1 trillion in 2019 — or two percent of global GDP,” she said.
“Moreover, IoT attacks have increased by 600% between 2016 and 2017, in large part because of the ease of exploiting connected devices.”
The Internet of Things
The IoT, or Internet of Things, is the extension of internet connectivity to physical devices and everyday objects - think watches, sound systems and ‘smart’ electronics and appliances. Embedded with electronics and internet connectivity, these devices communicate and interact with other devices over the internet. But the same connectivity means they can also be remotely monitored, and even controlled, by an attacker. Hathaway says these connections make such devices vulnerable.
While this threatens personal security, Hathaway believes the bigger short-term problem is cyberattacks on large corporates. One example she highlighted was that of the shipping giant A.P. Moller-Maersk. The company manages 76 port facilities around the world and 20% of the world’s container shipping capacity.
“The company was literally and figuratively dead in the water after the ransomware NotPetya spread across its entire global network. Within minutes, the virus encrypted and wiped the company’s information technology systems worldwide. This included 4 000 servers, 45 000 computers and 2 500 applications across 600 locations in 130 countries,” she said.
“The only thing that saved it from many more months of shut-down was that a few hundred of its computers were offline in Ghana at the time.”
Maersk’s systems were offline for more than 150 hours, and rebuilding the IT systems that powered its digital business cost at least US$435 million. As a result of the attack, the company also lost 10% of its market share to China Ocean Shipping Company, and its shareholder value fell by 30% within nine months.
Maersk is the world's largest shipping container company. Pic: Maersk
Hathaway warned that as the IoT industry expands, companies that use these connected devices will come under increasing pressure and will have to build risk management into their plans. Product manufacturers, she says, are also likely to face more pressure to deliver machines and devices that are protected from the outset, rather than shipping with inherent vulnerabilities to be patched later.
“Software and hardware design vulnerabilities should be addressed in the product design and development phases prior to debuting in active, high-stakes industrial operations,” she said. “Over the last 30 years, we have created a unique and strategic vulnerability to society — an inherently insecure internet supported by poorly engineered products.”
“It is an existential threat to our economy and our sovereign security. To address this immediate threat we need an emergency counter-measures board and mitigation process that is global and convenes the best talent, regardless of nationality.”
Denial-of-service (DoS) incidents, in which systems are made unavailable to the people who depend on them, have also increased, with much of the blame being put on nation-state spying, cyberterror and, increasingly, ransomware attacks.
In the US, for example, the ‘smart city’ of Baltimore had much of its municipal IT infrastructure shut down from May 7, 2019, in an incident since attributed to a ransomware attack. Essential services such as police, fire and emergency medical services were affected, with staff forced to attend to complaints using paper and pencil.
This is the second time in just over a year that Baltimore has been targeted by ransomware: in March 2018 an attack forced the city’s 911 dispatch system offline.
Ransomware is malicious software that infects computers and denies access to data or systems, typically by encrypting files, until the victim pays a ransom, usually in cryptocurrency such as Bitcoin. Payment does not guarantee that the data is recovered.
“The next ten years are going to present us with many more problems - we have to get serious about addressing risk and resilience upfront, as opposed to having it be an after-thought,” she warned.
Facebook’s announcement that it is planning a blockchain-based payment system called Libra, intended to bypass registered banks, has met with a mixed response. While financial regulators scrutinise the initial statements by Facebook CEO Mark Zuckerberg, behind the scenes cybercrime experts are worried.
“I think Facebook has deliberately launched the Libra concept to deflect attention from its platform’s misuse of data manipulation and its real irresponsibility towards citizen data,” said Hathaway.
“If you had to accept it at face value, Libra is an interesting concept. With 20 different industry backers, in theory it is not going to be Facebook controlled. But one has to think - when one actually has a currency, it has to be backed by a commodity. So what is the cryptocurrency going to be backed by, and who controls it?” she asked.
“Will it be our personal data? And if so, then that should be challenged. These are the questions we should be asking,” she explained. “Because we have to place a value against what the cryptocurrency is benchmarked against, and if it is a commodity we value in society.”
Preparedness is key
While cyberterror is increasing, the response by governments and corporations has also improved. Hathaway said that although she remains concerned about how slowly threats are generally addressed, awareness of the risks posed by the internet has spurred some sectors into action, and those sectors are moving extremely quickly to catch up and protect themselves.
Melissa Hathaway addressing delegates on the risks posed by vulnerabilities in cybersecurity. Pic: Desmond Latham
Dimension Data Group VP of Cybersecurity Mark Thomas had some good news for delegates at the same conference, explaining that India, the Middle East and Africa performed relatively well in cybersecurity preparedness compared with other regions.
He said the financial sector in particular had been proactive in managing cyber risks, with all major banks now pushing millions of dollars into anti-cybercrime systems.
Ironically, Thomas said, it is the technology sector itself that faces the biggest threat: research over the past year showed that this sector accounted for 36% of phishing-based credential theft. The retail and telecommunications sectors were the most heavily hit by credential-stealing malware.
By far the most targeted platform was Microsoft Office 365, whose cloud services were the target of 45% of all phishing attacks globally in 2018.
“This suggests that organisations are increasingly migrating to cloud-based platforms, driven by ongoing digital transformation across all industries, and the recognition by businesses of the need to become more digitally native,” he told delegates.
“However, by doing so, they’re exposing themselves to a number of new cyber threats – credential theft being one.” He said while ransomware attacks have slowed down in the last few months, phishing attacks have increased by 200% globally.
Now, with more companies hosting their services in the cloud, the threats to large corporates are becoming more evident, and more severe.