A tale of two digital futures, which way will we go?

The SingHealth breach last year shocked the Singaporean public. It is the worst cyber attack to hit Singapore. Yet it is only the latest in an escalating trend of dangerous attacks on global power centres.

Today nation-state and non-state attackers steal, destroy, and manipulate data in and through cyber space. Adversaries flourish in the “grey space” below the level of outright conflict and appear undeterred in pursuing their goals.

Consider just a few examples: China’s campaign to steal United States intellectual property, including data for the Joint Strike Fighter (F-35); North Korea’s 2015 theft of US$81 million from the Bangladesh Central Bank and US Federal Reserve; China’s theft of 21.5 million federal personnel records from the US Office of Personnel Management (OPM); and Russia's destructive attacks on the Ukrainian electric grid in 2015-2016.

As bad as the story looks today, we are still in part one of our global cyber security story. Internet access will expand by over a billion users in the next five years and most of that growth will occur in Asia.

Yet Asian economies lag behind their global counterparts in cyber security spending and, more importantly, in providing institutional protections to vulnerable groups. Fostering resilience in a rising digital Asia and other emerging economic regions will require a mix of political and technical solutions.

The world faces two potential futures as nation-states and non-state groups try to manipulate societies through cyber space.

In one, hostile attacks exceed that which the world has seen to date; digital technologies surface vulnerabilities in societies and organisations fall victim to a range of attacks.

Society may also see a rise in Internet-enabled violence like that which is presently unfolding in India through fake news and hate speech spread on WhatsApp.

In a second future, cultures of resilience and cyber security take root as societies learn to manage the challenges of life in the digital age. Companies invest in better cyber security to blunt data attacks; political and national leaders aim to undercut extremism and quell online-fuelled anger.

How do we ensure this second future arrives?

READ ALSO:

The Big Read: As more cyber attacks loom, Singapore has a weak ‘first line of defence’

SingHealth cyber attack: Can parties involved learn from COI findings?

For a start, corporate and government leaders should focus on reducing risk for two key areas – critical infrastructure as well as data manipulation and influence operations.

Critical Infrastructure includes companies that power much of the global economy, from financial institutions to law firms to energy companies. 

North Korean hackers hacked the weak defences of the Bangladesh Central Bank to use the SWIFT systems to steal from the New York Federal reserve.

The SingHealth and Office of Personnel Management hack both show that traditional cyber-security measures are not enough; companies need to protect their networks from the inside to restrict intruders’ lateral movement across data centres and cloud environments.

Countries and organisations need to focus on identifying and securing their “crown jewels.”

This is why since 2014, the US government has conducted an annual assessment of the critical infrastructure across the country that, if disrupted through cyber space, would lead to a significant national impact.

Only by identifying its crown jewels can a country prioritise its security investments and regulations to secure the assets that matter most. Most countries haven’t gone through this analytical process.

Neither have many large corporations. In the case of SingHealth, for example, the organisation’s “crown jewel” applications included the cloud database that stored personal information for SingHealth’s clients.

Data centres and cloud environments are largely insecure and vulnerable to breach; once inside a network, an intruder can dwell inside a data centre or cloud for an average of six months.

It is not a question of if but when a breach will occur.

To drive down risk, organisations need to invest in internal micro-segmentation controls to prevent breaches from spreading from server to server.

The Russia campaign against the 2016 US presidential election revealed there is another segment that is potentially more worrisome for a nation’s overall socio-political stability: political and media organisations.

The more politically divided a society, the riper it becomes for exploitation and data manipulation. News media can be hacked or shut down, polling organisations can have their data manipulated, and ‘fake news’ can spread throughout non-discerning populations to trigger violence – as has happened in India.

To undercut large-scape manipulative operations, national leaders have a key role to play in educating society through a clear narrative about risks and solutions.

Outside of government, non-profit organisations can play a significant role.

For example, Harvard’s University’s Defending Digital Democracy Project has taken a lead role in educating US state and local government officials about the risks of data manipulation, particularly for the electoral system, and ran exercises and published papers to educate key leaders.

Cyber security has moved from the domain of IT departments and computer scientists to a problem that affects all of us — yet as a recent TODAY Big Read highlighted, individuals still struggle to understand the nature of the threat and what to do about it.

How do we get to a place where individuals take seriously every phishing email or potential breach?

Cyber security requires cultural change; it requires executives to invest time and resources to alter organisational behaviour; it requires managers to promote security best-practices on their teams; it requires individual vigilance within a dangerous digital landscape.  

The historian Arthur M. Schlesinger Jr. once spoke of technology’s march as “the challenge of change,” and his lessons still resonate. “Science and technology may revolutionise our lives,” he said, “but memory, myth, and tradition frame our response.”

Asia and other emerging economies have the opportunity today to learn from the lessons of the past and build in cybersecurity at the foundation.

Leaders can start by understanding their most important assets and risks, setting clear priorities, and assigning talent to drive change.

The choices they make will shape the world for years to come — and hopefully help countries to avoid some of the challenges the US faced in 2016.

ABOUT THE AUTHOR:

Jonathan Reiber is Head of Cybersecurity Strategy at Illumio, a software company, and a Visiting Scholar at University of California, Berkeley’s centre for Long-Term Cybersecurity. He was former Chief Strategy Officer for Cyber Policy in the US Department of Defense.