Navigating Geopolitical Risk in Cybersecurity
By Dr. Thomas P. Keenan, FCIPS, I.S.P., ITCP in collaboration with Ron Murch, I.S.P., ITCP – both with the University of Calgary.
In a session conducted by David Masson, Director of Enterprise Security, Darktrace and moderated by Martin Kyle, CISO of Payments Canada, a group of CISOs explored the globalization of computer security risks and what CISOs can do to manage it.
ATTRIBUTION – DOES IT EVEN MATTER?
Whether it’s a wallet stolen from a gym locker or gigabytes of data exfiltrated from a corporate system, the victims of crime almost always want to know “whodunnit?” So attribution was the first meaty topic tackled in this session – but it is extremely tricky to do. Cybercriminals and nation-state actors have access to a wide range of attack tools, many of which are sold and distributed on the Dark Web. With so many tools at attackers’ disposal and attribution being so hard to do, cyber-attacks are already difficult to stop. As the sophistication level increases, the defensive side is increasingly at a disadvantage. Once threat actors start to use artificial intelligence (AI) on the offensive side, we could potentially see attacks similar to the Sony Pictures attack in style and scale happen much more frequently.
Nation states like to attribute cyber events to whoever is responsible in order to be able to take retaliatory action, whether that’s legal or extra-legal. If they get attribution wrong, however, they can cause an awful lot of trouble. They must be absolutely sure who they are accusing because it might mean they are retaliating in the form of a counter-attack. It is possible that even a private company’s actions can cause international repercussions in the foreign and military domains.
It is worth noting that an active “hack back” attack is illegal in most circumstances for Canadian individuals and organizations. Even the Canadian Military uses caution with what they call “active defense,” and as noted in their Strong, Secure, Engaged policy document published in 2017: “The employment of this capability will be approved by the government on a mission-by-mission basis”.
Will knowing the perpetrator help you to defend yourself the next time? Well, it might, but bad actors will usually show up again – this time using different techniques. You’ll be regularly disappointed if you think knowing who the culprit is will save you from future attacks, because threat actors will almost never do what you are expecting or hoping them to do.
WHO GETS ATTACKED?
It’s dangerous to get into the mindset of, “I won’t be attacked because I’m too small or ‘unimportant.’” That assessment will be made by the threat actor – if a criminal thinks you’re worth attacking, they will attack. The sad truth is that if a major nation state has chosen you as a target, there is not much you can do about them as a threat. However, you can do something about your vulnerability to the threat, and how you spend your security budget. If your organization spends all of its money on threat intelligence, all that does is scare you and your security team.
What you really need to focus on is what you are trying to defend. People often say the advantage is in the hands of the attacker, but maybe it should be the other way around. Hackers are complete strangers to the network, but we are on our home turf when attacks take place in our networks and we should know it best. Defensive cyber security must be stronger and at the end of the day, that is not possible without AI.
ALLIANCES AND THREAT INFORMATION SHARING
In response to a question about international alliances, it was noted that Canada belongs to the G7, the Five Eyes, and NATO, although the current U.S. President has disparaged the latter. Martin Kyle noted that “industry alliances have been helpful to us in collecting indicators of threat intelligence”.
In 2018, the Government of Canada established the Canadian Centre for Cybersecurity (https://cyber.gc.ca), which is administered by the Communications Security Establishment. Canada also has a national cybersecurity awareness site, https://www.getcybersafe.gc.ca/en/home, which is worth a look. The U.S. Federal Bureau of Investigation also posts regular alerts at https://www.fbi.gov/investigate/cyber, which often include Canadian cases. Tom Keenan mentioned https://www.ixmaps.ca/transparency.php, which provides answers from ten major Canadian telecom companies on privacy-related criteria. Of the ten, seven got “no stars” for their answer to “transparency about where personal information is routed”, though to be fair the latest survey is dated 2017.
This brought up the question of data residency, which first became an issue in October 2001 after the 9/11 attacks with the passage of the U.S. Patriot Act, which was replaced in 2005 by the USA Freedom Act. Many Canadians expressed concerns that their corporate and personal data stored in remote facilities could be subject to U.S. data inspection. Other countries, notably China, also claim powers to inspect data that resides in their country, and this was one of the security issues for Zoom early in the pandemic.
Dave Masson noted that “Canada needs to take action in this area” and in fact some public sector data, though certainly not all, comes with requirements for storage and use only in Canada. Dave Masson advises “go to a cloud that is in Canada.” Microsoft Azure and Slack, among others, have recently announced options to control data residency.
Bringing together Information Technology (IT) and Operational Technology (OT) makes a huge amount of sense, because OT benefits from the advances in IT but also brings new risks since, as Masson said, “all the problems that come with IT can now affect OT.”
Still, he said, “if you’re paying for a data centre that you only use 1/3 of, it might make sense to employ more modern technology. But just remember that, if you go to the cloud, your data goes over the horizon”.
THE HUMAN SIDE
COVID-19 has certainly increased our geopolitical cybersecurity exposure since important business processes are being carried out in the “Work From Home” (also known as “Live at Work”) environment. Several participants noted that employees with access to sensitive information are given enhanced screening and education.
There was general agreement that better user education and asset classification are powerful tools to protect from cyber risks, no matter if they are internal, domestic, or international. Instead of blaming people for cybersecurity breaches, we should be educating and training them better and giving them better technology. Cybersecurity is a lot like high performance athletics. Excellent training, high intensity workouts, regular evaluation, and perhaps even competition is needed to keep everyone sharp.
As a final zinger, it was pointed out to one of the presenters that, for the whole session, his computer screen was clearly readable from the reflection in his eyeglasses. After a bit of laughter, one of the other participants, in complete seriousness, said “In case you’ve been wondering why you never see me on video, that’s exactly why — we have a policy of not turning it on for just that reason!”
You never know who may be watching (now…or later)!