Cyber Security Challenges: The Menacing Twelve
The growing list of egregious cyber attacks continues to convey a steady and unambiguous message – this threat will only grow wider and grislier. There are several factors spurring the growth of cyber crime. In the following section, I discuss what I consider the top 12 most pressing factors, most of which are explored in my book, The Five Anchors of Cyber Resilience.
- The rapid convergence of cyber crime and geopolitics, denting prospects of any meaningful global cooperation to combat cyber threats. Cyberspace has become a lucrative platform for adversary nations to steal trade secrets, spy on sensitive military programs, debilitate critical infrastructure or pursue other clandestine operations. According to an unclassified report presented to the US Senate Armed Services in January 2017, 30 nations were already involved in developing offensive cyber warfare capabilities as of late 2016. The recent ill-famed Helsinki Conference sums it up well. Cyber criminals are aware of this glaring void and know with certainty that the prospect of their facing justice abroad is extremely remote if they target foreign victims while sparing those within their borders.
- Innovative, well-resourced and emboldened threat actors, spurred by a thriving and efficient digital market for stolen digital goods, the commercialization of cybercrime services and the absence of regulations – factors that stifle innovation for legitimate enterprises.
- Widespread reliance on archaic technologies and processes to fight stealthy and self-learning cyberthreats that can easily evade traditional signature-based defenses and remain undetected for several months. As Larry Ellison bemoaned, “We’re losing the cyberwar because criminals are using automated attacks, while those responsible for defending networks rely primarily on human analysts tasked with sifting through mountains of traffic logs with the most rudimentary digital tools.”
- Closely related to Factor #3 above is the possibility of powerful cyber weapons developed by state-sponsored enterprises falling into the wrong hands. These enterprises, as I wrote in my book, “tend to hoard security flaws, concealing them from software vendors and preferring to exploit them for their own nefarious purposes, such as collecting sensitive information or disrupting adversary infrastructure. The 2016 incident in which a ghostly group of hackers infiltrated the Equation Group, a complex hacking enterprise believed to be operated by the NSA, provides a chilling example. The cyber weapons were later repurposed to debilitate several institutions, such as the NHS hospitals in the UK, resulting in billions in damages.
- The rapid pace of digital transformation, which, according to the World Economic Forum, lacks historical precedent. Each transformative technology – cloud, machine learning, Blockchain, Internet of Things, etc. – brings unique and novel cyber risks, most of which are not yet fully understood. Further compounding this risk, most of these nascent technologies are integrating with infrastructure and systems that underlie vital civilian functions, such as energy grids, hospitals and aviation, exposing them to a new breed of threats. Furthermore, several of these important and pervasive technologies are developed by start-ups, which lack the experience and resources to bake in strong security from the outset.
- The rapidly dissipating enterprise perimeter, as enterprises move critical systems to the cloud and allow employees to connect personal devices (BYOD), is weakening the effectiveness of traditional defenses, such as perimeter firewalls. According to the networking giant Cisco, “By 2021, 94 percent of workloads and compute instances will be processed by cloud data centers; 6 percent will be processed by traditional data centers.”
- The aggregation of critical workloads in the cloud, cited above, leads to another significant risk. According to Lloyd's of London, a cyber incident that temporarily shuts down a top U.S. cloud computing provider could trigger as much as $19 billion in business losses (for three to six days), only a fraction of which would be insured. When individual enterprises are hacked, the consequences are borne by their customers. When public cloud environments are hacked, however, the stakes can be national or global.
- Emergence of tighter, prescriptive and complex global data protection laws, such as the EU Global Data Protection Regulation, Australia Mandatory Data Breach notification or the Chinese Cyber Security Law. Several jurisdictions will inevitably follow suit, aiming to protect the privacy of their citizens or protect national interests. By forcing businesses to store data within specific borders and comply with a wide range of jumbled cross-border privacy laws, the cost of doing business globally will rise, further exerting pressure on already under-resourced cyber security teams.
- Longer and more complex supply chains and business alliances as enterprises seek to refocus on their core areas of differentiation, shift costs from fixed to variable and tap into innovative solutions. These arrangements, however, expand the cyber-attack surface and make the process of securing sensitive customer data or high-value IP complex, expensive and daunting.
- According to NIST, there is an overwhelming sense of security weariness or fatigue among consumers, discouraged by the complexity of security solutions and the non-stop barrage of data breaches. Unsurprisingly, a Google engineer revealed that more than 90% of Gmail users haven’t activated two-factor authentication, seven years after Google developed the feature.
- Effective and sustained cyber transformation requires strong support from the top. Left to middle management, cyber security programs are a waste of money; most fail before they even take off. Several boards of directors and senior business executives, however, find this subject highly technical and complex and are ill-equipped to direct cyber security transformation programs or ask deep questions.
- The endemic global shortage of a skilled cyber security workforce is not about to get any better. Cybersecurity Ventures, a leading research firm, predicts there will be 3.5 million cyber security job openings by 2021. This is not just a game of numbers; cyber security has become a broader business issue whose implications transcend the periphery of the IT enterprise. Addressing this dogged challenge will be more nuanced; it requires developing a wide range of skills, from soft skills (e.g. business influencing & communication) to hardcore technical skills (such as securing SCADA systems or Blockchains).