(L-R) Dr. Jean-Luc Vez, Head of Public Security Policy and Security Affairs, Member of the Executive Committee, World Economic Forum; Jürgen Stock, Secretary General, INTERPOL; Cheri McGuire, Group Chief Information Security Officer (CISO), Standard Chartered Bank; Stanislav K. Kuznetsov, Deputy Chairman of the Executive Board, Sberbank; William A. Maheu, Senior Director, Qualcomm Cyber Security Solutions
At the ongoing INTERPOL World 2017, Dr. Jean-Luc Vez, Head of Public Security Policy and Security Affairs, Member of the Executive Committee, World Economic Forum, moderated a panel discussion on cybercrime, looking at the broad global landscape, approaches in the private sector (with focus on financial industry), the role of INTERPOL and the need for greater coordination and information-sharing between governments and between governments and private sector.
The participants in the panel were:
- Jürgen Stock, Secretary General, INTERPOL
- Cheri McGuire, Group Chief Information Security Officer (CISO), Standard Chartered Bank
- William A. Maheu, Senior Director, Qualcomm Cyber Security Solutions
- Stanislav K. Kuznetsov, Deputy Chairman of the Executive Board, Sberbank
Dr. Vez kickstarted the discussion with a few alarming statistics. In 2016, cybercrime cost the global economy over USD 450 billion. The estimated economic loss due to cybercrime is expected to reach USD 3 trillion by 2020. Around 74% of the world’s businesses expect to be hacked in the coming years.
Against this backdrop, Dr. Vez posed two sets of questions. The first concerned the actions taken by businesses to fight cybercrime. What are they doing? Is it possible at all to fight against such terrible threats?
The second set revolved around cooperation between public and private sector organisations. He asked, “Is it time for public and private sector organisations to work together and if yes, then how?”
Ms. McGuire brought up the old adage of ‘people’, ‘process’ and ‘technology’ in her reply to the first question category. She advocated a holistic approach, saying that all three are critical to securing not just your own organisation’s environment but also to controlling the risk that you introduce into the broader ecosystem worldwide, given that cybercrime and cybersecurity are borderless.
For instance, skills development and awareness have to go beyond just your own employees. They have to extend to customers, clients and vendors. In terms of processes, the various legal mechanisms for sharing information between organisations have to be considered. The privacy policies in place within the organisation also need to be looked at. Similarly, in terms of technology, the full panoply of information and data protection and security has to be dealt with. This includes protection tools, forensic capabilities, as well as platforms for information-sharing between organisations.
For Sberbank, which is the largest bank in Russia and Eastern Europe, Mr. Kuznetsov outlined three layers of security. The first is the protection of the bank’s core systems. This is done through a special centre of counter-actions. Their KPI is ‘0’ successful cyberattacks. The second is to protect the clients through a fraud monitoring centre. It contacts clients and provides them with security information to help them deal with risks such as social engineering. He quoted a 95-97% efficiency. The third is building a security operations centre. Sberbank is building the centre with support from IBM and incorporating cognitive intelligence in the form of Watson.
Mr. Kuznetsov stressed that trust is key to the bank’s success and that this trust is gained if customers believe in the reliability of the bank’s products.
The human factor
Dr. Vez asked the tricky question of how to enhance the security awareness of bank clients, who might find security measures too inconvenient and cumbersome. They might try to find workarounds. They might keep obvious passwords, with names and birthdays of family members for instance.
Ms. McGuire brought up basic safety measures, such as multi-factor authentication and maintaining good cyber hygiene. She admitted that bank customers might find it difficult to keep track of everything. “It is incumbent upon us and the industry at large to make things simpler for customers. But there also has to be a higher level of awareness that they own a part of the security as well,” she said.
Mr. Maheu also talked about shared responsibility for security within Qualcomm. Employee awareness is tested regularly. He said, “The greatest vulnerability is the employee trying to do the right thing.” They might be trying to make it easier for the customers or trying to find a more efficient way to do the right thing.
In terms of technology, he suggested that instead of looking at the current 7 billion connected devices, soon to increase to 30 or maybe 50 billion, as vulnerabilities, why not flip that paradigm and make each and every one of them into an alarm? Start with hardware with a built-in trusted environment, so that only known devices connect in, then build an architecture with continuous observation to detect anomalies.
The public sector view
Dr. Vez asked Mr. Stock about INTERPOL’s activities and the public sector view on fighting cybercrime. Mr. Stock replied that fighting cybercrime consists of ‘prevention’ and ‘investigation’.
He highlighted the enormous positive developments for society brought about by technological developments, such as Industry 4.0 and the Internet-of-Everything. But these same technologies also provide unprecedented opportunities for criminals to attack systems globally just with the click of a mouse from the comfort of their homes.
Today, the Darknet[1] provides huge opportunities to criminals to hide their activities. Cybercriminals are increasingly ‘professional’, as seen from ‘cybercrime-as-a-service’ offerings. A non-IT expert can buy or rent a botnet or ransomware to carry out attacks.
Mr. Stock went on to talk about a problematic trend in cybercrime reporting. Around 85-90% of crime goes unreported, which hampers both aspects, prevention and investigation. He felt that the low rate might be partially attributable to a misconception that these cases are too complex to be solved. But in reality, most investigations are tremendously successful, especially with international coordination through INTERPOL’s platforms.
There is a need to encourage victims in the private sector to report cyberattacks to the police and judiciary. The private sector typically holds more detailed data on cyberthreats, attacks and victims than traditional law enforcement agencies, particularly in the immediate aftermath of an attack. Information exchange between police and private industry is key to developing a comprehensive global response.
Another issue which he highlighted as requiring more debate with wide involvement is the conflict arising between anonymisation/encryption and law enforcement. If anonymisation/encryption by design becomes the norm, what are the implications for investigations by law enforcement? It is a matter of achieving the right balance between freedom and security.
INTERPOL believes that strong platforms are required at the national, regional and global levels to effectively fight cybercrime.
INTERPOL platforms enable experts to share information with each other in real time. Secondly, INTERPOL provides over 200 analytical reports every year, which are disseminated among members. The third element is building capacity among police officers. Many police departments around the world do not have the means, capabilities, equipment or training, and any weak link can compromise the global chain against cybercrime.
In addition, INTERPOL continues to develop its proactive collaboration with the private sector in the fight against cybercrime, with industry partners already working alongside INTERPOL cyber experts at the INTERPOL Global Complex for Innovation (IGCI; OpenGov recently interviewed Mr. Noboru Nakatani, Executive Director of IGCI) in Singapore. Additional information sharing agreements are being developed to ensure INTERPOL has access to the broadest range of data in order to provide member countries with accurate, critical analysis of current and evolving threats.
Mr. Stock said that there is a need for a collective approach and coordinated response. And while looking for new solutions, some of the basics must not be forgotten. For example, the damage from the recent WannaCry attack could have been limited through mere updating of the Windows operating system.
A ‘glocal’ approach
Based on the discussion up to this point, Dr. Vez said that maybe we need to think global and act local, adopting a ‘glocal’ approach.
Cybercrime poses a global and complex problem, and the answers will also be global and complex. While global thinking and coordination are necessary, local action is also required. Mr. Stock said that national initiatives and national coordination mechanisms have to be connected. If systems are not there at the national level, they have to be built.
As for information-sharing from the private sector, law enforcement should take the initiative in educating corporates on what exactly cybercrime investigations entail and what actions might be taken subsequently. Lawmakers in some jurisdictions have been setting up regulations making it obligatory for the private sector to disclose cyberattacks. But leadership and convincing will play an important role.
The private sector can also be engaged for joint development of tools and for providing training.
Significant challenges remain in terms of legal and regulatory requirements, which vary across jurisdictions, in ensuring that the private sector can share information with law enforcement worldwide. Then there is the question of the ability or willingness of the public sector to share information with the private sector in reciprocal arrangements.
As the discussion wound down, Dr. Vez noted that both the public and private sector are ready to fight, to collaborate and to share key information in order to efficiently fight the bad guys. But the platforms at all three levels, national, regional and global, have to be strengthened further and connected better.
[1] A darknet is any overlay network that can be accessed only with specific software, configurations, or authorisation, often using non-standard communications protocols and ports. It is a part of the Deepweb, which is the part of the Internet that is not indexed by standard search engines. The Deepweb is estimated to be around 500 times the size of the visible Web.