Collaboration key to minimising threat

What career advice do you give a young person leaving Cambridge with a double first in Classics and entering a graduate job market dynamited by Covid-19?

Heading into an industry with a Compound Annual Growth Rate (CAGR) of well over 13% has got to be an enticing option. Future projections are even more optimistic on the back of the coronavirus revolution in leisure and working practices. In fact, the cybersecurity market is already worth around $120bn, similar to the GDP of Morocco, while the cost of cybercrime is estimated at up to $2tr.

Back in 2019 Microsoft CEO Satya Nadella tweeted that cybersecurity is the central challenge of our digital age. His warning is amplified by the vast increase in online activity since the pandemic struck. The biggest vulnerability for companies is now a cyber breach via staff working remotely. For individuals, there has been a 667% increase in spear fishing attacks (a targeted scam) helped by the fact that “everyone’s grannie is now doing yoga online, a whole new population for cyber criminals to prey on,” quips Andy Bates, Executive Director at the Global Cyber Alliance (GCA).

In his 25-year career working with organisations ranging from the security services to NATO and telecoms group Verizon, he has seen cybercrime constantly mutate, adapting to where defences are easiest to breach and the largest opportunity lies. The unholy alliance of rogue states, criminal gangs, and individuals in their bedrooms is behind everything from the Facebook data breach earlier this year, where 267 million user profiles were hacked and then sold for a measly $540 on the dark web, to the TalkTalk hack in 2015 where two young men stole the banking information of over 150,000 customers. This was then followed by other criminals piling in to try and blackmail the CEO. Total cost to the company: £77m.

As financial services and other large firms build up their cyber defence at vast cost ($600m at bank behemoth JPMorgan Chase), criminals have moved to easier victims. “It is simpler to steal £100 pounds from 100,000 people or SMEs across hundreds of different legal jurisdictions than a million from a well-defended bank,” notes Mr Bates, speaking at a webinar hosted by the Worshipful Company of International Bankers.

In 2015 the proceeds of known cybercrime exceeded known physical crime, leading to the foundation of the Global Cyber Alliance in two of the largest financial cities in the world. The three founding partners, the City of London Police, the New York District Attorney’s Office and the Center for Internet Security, were soon joined by others including Bank of America and Lloyds Bank. Chaired by the head of Security Policy at Microsoft, Scott Charney, in its 5 years of existence this cybersecurity knight in shining armour has created free tools worth around £5000 per individual.

A not-for-profit organisation, GCA works across borders and sectors to enhance collaboration. It seeks to learn more about data to remove criminal web infrastructure. Its recently announced strategic partnership with ICANN is a case in point, aimed at cutting back on Domain Name System (DNS) abuse.  

The auburn-haired graduate mentioned earlier did not find his lack of a computer science degree an impediment to landing a job in cybersecurity. “Hiring the usual suspects into your IT department makes no sense because they don’t think like the Russian Mafia,” says Mr Bates. Whether a Cambridge education is the best training for understanding an uber-criminal is a subject for discussion; it has historically proved a great education to become a spy. The collaboration between the security services of countries like China and North Korea and professional crooks means a Cambridge education may not be entirely wasted.

A few years ago the military realised that to recruit in-house hackers they would need to relax military discipline and dress. Covid-19 has lifted the stigma from working at home, so hiring somebody who wears a Motorhead t-shirt and has dreadlocks may no longer be such a stretch for corporates, notes Mr Bates. This is essential given that the average time to hack a company is 56 days while the average time to discover the hack is 190. Individuals are attacked on average 150 times a day.

While we hear about the major hacks, such as the recent one that saw requests for Bitcoin donations emanate (purportedly) from the Twitter accounts of famous people like Kim Kardashian and Bill Gates, the press doesn’t cover the millions that occur to individuals, SMEs, and larger companies that manage to avoid all media coverage. GCA’s free toolkit, which already protects around 150m people, can reduce the risk of cyberattack by 85%.

The financial services sector is the most obvious one for criminals to attack, while the electricity infrastructure is most likely to be attacked by enemy states.  There were four failed attacks on the UK electricity grid last year, three by the Russians and one by the North Koreans. GCA, which counts a former head of European policing agency Europol on its board, is intent on encouraging intelligence sharing between the banks and the utilities to foster best practice and reveal more details on attackers.

Similarly, more collaboration between the private sector, the government and NGOs is crucial in the fight against crime and spying. Not least because distinguishing between criminal networks and country attackers is problematic: the latter often outsource their dirty work to the former, a shadow version of an economy’s supply chain.

And mistakes happen. Moller-Maersk, the world’s largest shipping container company, saw its computer screens go black on 27 June, 2017. To understand the scale of the disaster, it helps to know that every 15 minutes one of its massive ships docks in a port somewhere in the world, a complicated logistical and digital exercise. Recovery took ten days. The cost to the firm is estimated at $300m. To cap it all, the Danish company was not the intended victim. The Russian ransomware, known NotPetya, was aimed at Ukrainian businesses as part of the troubled relations between the two countries, but Moller-Maersk’s office in Kiev accidentally caught the virus.

A much larger issue for internet security over the next five to ten years is quantum computing, which would break all known encryption. Although quantum computers currently lack the necessary processing power, the industry is advancing in leaps and bounds.

With over 4 million unfilled vacancies and the demand for neurodiversity to understand better an ever-changing threat, the cybersecurity sector has opened its arms to bankers, doctors, and a host of other professions, as well as the auburn-haired Cambridge graduate, my stepson, who is due to start his new job for a top cybersecurity firm this autumn. I wish him well.

END

GCA is looking to partner with financial services and other firms to help them combat fraud and create a safer internet.