How Governments and Cybersecurity professionals will adapt to face the challenge of cybercrime and protect Critical National Infrastructure.
Criminals don’t have to be experts in programming, penetration testing, network security or law; they just need that one opening to achieve their aim. The exploit they use likely isn’t even a piece of code they’ve written themselves. Far more likely is that they are using existing, freely (or even commercially) available exploits from a thriving cybercrime ecosystem.
The biggest concern for governments will be the increasing frequency and scale of attacks from this industrialisation of attack programmes. Protecting private and public infrastructure in an increasingly hostile environment will be a key priority. Without reducing the number, and severity, of attacks, critical infrastructure and even non-critical infrastructure will be affected, disrupting society on all levels. Imagine an attack on basic internet infrastructure which may affect Amazon or Netflix, our Smart Home systems and our communication networks. The majority of the population would go into revolt!
Even more critically, an attack causing disruption to the delivery of a critical service would be catastrophic for a nation. Imagine an incident having a significant impact on a power distribution or transport network; personal, supply chain and economic activity would grind to a halt. This would not only cause disruption at a scale not seen in current attacks but is likely to have severe implications for a government in the polls.
What is the challenge that governments face?
Government has a dual role in the protection of Critical National Infrastructure (CNI): the propagation of advice and best practice, and the imposition of legislative (and punitive) measures to enforce good security. These are not without challenges, and getting the balance between support and penalisation will be increasingly difficult in a very subjective area.
When it comes to combatting cybercrime through establishing best practices and advice, it’s difficult for states themselves to establish a standard. It’s also difficult to “measure” the precautions in place to ensure that companies are engaging in good cyber practices: one company may spend significantly higher amounts on securing its products, while another may do the bare minimum. The company doing the bare minimum might still get lucky and the other might be unlucky in a single incident.
What governments could do is specify baseline measures a company should comply with, though given the rapidly developing cybercrime ecosystem, they’re likely to become out of date and irrelevant very quickly. Again, when it comes to enforcing legislative measures, it may prove difficult to prosecute organisations that have suffered a breach. Technology moves so quickly, and it will be a complex undertaking to work out if a company has “done enough” to protect itself and its customers. An alternative could be to introduce legislation that is punitive if, for example, too many or too simple exploits are found. Unfortunately, I expect that in many cases, this too will prove too challenging to measure effectively and decisively.
What can we do?
Instead, government can, and should, facilitate conversation via working groups, publications and professional bodies such as CIISec.
In addition to collaboration, the field of cybersecurity is so diverse that a wide-ranging set of skills is required in order to meet our collective challenges.
A composite cloud team will be required, as it’s unlikely that any individual could master the complexities of each cloud solution.
A final, and increasingly important, part of these teams is the technology that they employ – they need the right tools to pool security alerts from these disparate sources.