[ConfTech #4 discussion summary] (Cyber)Security and the shift to online

While the sudden global shift to an online life has brought unprecedented changes to our social and work habits, it has also faced us with certain cybersecurity risks. Could the COVID-19 crisis lead to an increasingly insecure cyberworld?

DiploFoundation’s ConfTech Lab organised the webinar ‘CyberSecurity and the shift to online’ for analysing the cybersecurity challenges of the COVID-19 crisis. The panellists for this occasion were Mr David Koh (Commissioner of Cybersecurity and Chief Executive, Cyber Security Agency (CSA) of Singapore), Dr Serge Droz (Security Lead, Proton Technologies; Chair, Forum of Incident Response and Security Teams (FIRST); Senior Advisor, ICT4Peace), Ms Anastasiya Kazakova (Public Affairs Manager, Kaspersky), and Mr Stéphane Duguin (CEO, CyberPeace Institute). The debate was moderated by Mr Vladimir Radunovic (Director, E-diplomacy and Cybersecurity, DiploFoundation).

Which assets need protection during the COVID-19 pandemic?

The assets that are traditionally considered to be part of the critical infrastructure remain important and need to be protected, discussants noted. However, there is now a new class of assets that must be protected and that were never thought of as critical infrastructure and were not designed with security in mind. These include platforms that support online grocery shopping, communication infrastructure (especially new platforms like Zoom), and certain financial infrastructure (money transfer) in developing countries.

Managing the risk profile has also changed. Some actors have changed their risk profile without realising it, as sensitive data is being moved from ‘safe environments’ (companies, banks, and institutions) to ‘unsafe environments’ (homes and roaming devices) so that services can continue to be delivered.

The computer security incident response team (CSIRT) community considers the concept of critical infrastructure to be very relative, as every user’s computer could be used by a malicious actor to cause damage to critical assets (e.g. botnets such as Mirai). This is why cyber hygiene of every user is crucial.

Are we more vulnerable now than before the crisis?

Discussants agreed that humans remain the weakest link in the security chain, especially in a time of crisis when attackers abuse people’s increased anxiety, uncertainty, and need to access data. However, this is nothing new. Cybercriminals have impersonated medical institutions and government agencies in previous crises, such as the Ebola and Zika outbreaks, and abused the trust of both citizens and companies to carry out cyber-attacks.

An increasing number of citizens is spending time online due to lockdowns. This includes individuals who previously did not spend much time online, but are now exposed to usual risks which are unknown to them.

The sudden shift to remote work and the emergence of new platforms such as Zoom have not left enough time for implementing necessary cybersecurity measures. Remote workers now access corporate networks from their homes, but there is a lack of security awareness and an inability for security officials to extend security policies quickly.

Are there new threats?

The panellists agreed that the threat landscape has not changed during COVID-19. According to Kaspersky, the key attack vectors are phishing attacks, social engineering attacks, and e-commerce scams exploiting shortages of products such as masks. Social engineering attacks have become more frequent because people are falling for the simplest tricks and because cybercriminals are very good at exploiting emotions.

Another trend spotted by Kaspersky’s researchers is the correlation between countries on lockdown and the increase of cybercrime in those countries. Both criminal groups and state actors are using the COVID-19 information overdrive to conduct cyber-attacks against citizens. Additionally, there is an increase in ransomware and other attacks on medical institutions and the health sector.

There have been reports of states using the COVID-19 crisis for espionage and political attacks. The modus operandi of the attackers and their choice of recent targets help derive their intent and can now be affiliated with political interests of certain countries. However, an evidence-based framework for the accountability of politically driven attacks requires methodology.

Panellists have also highlighted that the shift to remote work combined with the lack of awareness of necessary cybersecurity measures bring about more risk, as home environments are less secure than corporate ones.

Remote work has also raised privacy concerns on whether corporate security policies can be ensured in homes and whether data that used to be stored on corporate networks can now be secured and insured in terms of integrity and security.

Concerns were also raised over citizens’ privacy, particularly regarding the tracking of habits by states to control the infection, which may remain even after the crisis.

Another issue is the disruption of state supply chains. Entities which need to quickly scale up their delivery capacities (of, for example, respirators) often create interfaces without looking at security profiles. Some entities and companies are now diverting production to product delivery, which is closer to critical infrastructure, but are simultaneously not implementing security by design.

What are institutions and stakeholders doing in response, and what can/should they do?

The private sector has stepped up with free services and extensions for critical infrastructure sectors. For example, Kaspersky has offered free cybersecurity protection for 6 months to institutions and hospitals around the globe and has already received 600 requests. Industry-led volunteer groups, consisting of private sector entities and law enforcement agencies, for helping hospitals have already been formed.

Private companies can help through cybersecurity training (securing that everyone can work from home), sharing threat data, and supporting computer emergency response team (CERTs), CSIRTs and law enforcement agencies such as Interpol and Europol.

Small and medium-sized enterprises (SMEs) should be encouraged to implement the minimal level of product security and security by design from the outset, as they will otherwise be forced to patch their products later on. Other industry actors can train SMEs in these areas.

The industry should provide more affordable security devices and software. It is also possible that users will now be willing to pay for premium security devices. However, implemented security solutions should not endanger privacy and data protection. Security should be embedded into processes and products in order to be prepared for potential new crises.

Additionally, a new global framework is needed to make attackers accountable. States should also strengthen digital co-operation and a venue where they can do so is the UN Open-Ended Working Group (OEWG).

What can we expect after the crisis is over?

The panellists were optimistic, noting that the COVID-19 crisis is a stress-test and wake-up call for everyone. It has given us a free awareness campaign and has mainstreamed cybersecurity, which could very well bring a change in people’s digital hygiene.

An important lesson learnt is how vulnerable critical sectors are due to outdated software, poorly secured devices, lack of security policies, etc. As the shift to teleworking showed, remote workers should be protected.

Communities have been mobilised and there is heightened solidarity and unity among security professionals. This crisis will probably prove that the multistakeholder approach is the way to go.

After the COVID-19 crisis, one of the key questions will be whether to keep the heightened risk profile or to recalibrate and re-institute certain privacy and security control measures.

A sneak peek of the chat discussion

Participants exchanged news on Zoom’s new security measures. They discussed the underdeveloped nature of online food shopping in developing countries and expressed concern about the safety of remote workers. They underlined the importance of training opportunities that could help in improving cyber hygiene and touched upon the exploitation of the COVID-19 agenda by state actors. Participants also agreed that the COVID-19 crisis will create a more secure cyberspace.