future signals Global Cybersecurity Report – June 2021

Q1. Is future cybersecurity a technical, government, business or societal issue?

📡 Signal cluster: Cybersecurity responsibility crosses all levels of society, from government to users. But increasingly we need to consider it at an individual level, be it as citizens in society, as employees at work or our private lives as customers and users.

• Dan Shefet: I think that the most important stakeholder in all of that is us; me, you, the users. We need to understand that it applies to us and it affects us directly.
• Audrey Tang: Cybersecurity is a cross-sectoral issue centred around norms. That is to say, what is permissible and what is a good habit. In Taiwan, we have so far encountered the pandemic with no lockdown and we have shaped a very different norm, based on cross-sectoral collaboration and what I call People-Public-Private Partnerships. In some jurisdictions, they take a view where the state concentrates all the power, administrative power in the name of cybersecurity or counter pandemic, but there are also democratic policies that would prefer that it is the social sector, the people who work on the core of the internet itself, to settle on the norms; that the business and the government are just part of the multi-stakeholder regime.
• Chloé Messdaghi: We need to look at cybersecurity as a human rights issue as if we are not secure online this can be considered an invasion of our privacy and our lives.

📡 Outlier signal: We are not winning; our cybersecurity adversaries are getting stronger. Collectively, in public/private partnerships and between teams or staff in small companies and startups, we need to be working more proactively towards cybersecurity.

• Mike S. Rogers: I have come to the conclusion, that the ecosystem as constructed for the last decade or so at least, clearly is not achieving the desired outcomes in the sense that cybersecurity is weakening. Adversaries, whether they be a criminal group, individuals, nation states, in many ways seem to be emboldened. My attitude is that it is not working. It means we're always late, it means we're always responding after events. I think the future is much more about integration. How can the private sector and governments partner in an integrated way, 24/7, to ask how we achieve cybersecurity?

Q2. What will change identity, trust and security in the near future?

📡 Signal cluster: 'Zero Trust'.

• Mike S. Rogers: I think we're going to be driven to a zero trust strategy as a foundation. Zero trust, which I am supportive of, is built around the fundamental premise that you must ensure identity every time there's interaction, and that should be the identity of individuals, users, identity of devices and endpoints. I just think that's what we've got to get to - this idea that security becomes this constant repetition and not that, okay, once you gain access I'm going to assume you're a valid actor. That's not going to work. As I forward 18 to 36 months, the identity challenge becomes ever more difficult, but also more important, particularly as we're dealing in a world in which we have been more and more physically dispersed. The idea that we're going to build cybersecurity around a well established perimeter with a central security stack, and we're all gonna operate behind that, boy COVID just blew that up. The trend was already going that way but it just blew that up.

• Audrey Tang: When I think about zero trust Sandstorm.io comes to my mind; it is a Free software, with a capital F, so you can set up your own Sandstorm instance. It allows any public servants in Taiwan to self service and install any open source software within the public service. Sandstorm treats each and every of those applications as hostile, and malicious and very strongly sandboxes each application running, actually changing the domain every time a new instance is made to prevent cross site script attacking. Also, it doesn't have an allow list or block list. It's based on capability sharing, so that we always maintain an audit trail of who shared which instance of which document to what person and so on. This allows us to trust verify. In zero trust configurations we don't trust the applications, we don't trust the user at the edges.

Q3. What is the one thing businesses should start doing, or be doing more of, to better ‘future protect’ their stakeholders (customers, employees, shareholders, investors)?

📡 Signal Cluster: Understand your business, identify your weak spots and assess your risks.

• Dan Shefet: There are some good ideas in the GDPR and one of those is the Data Impact Assessment. This data impact study can be downloaded very easily from the European Commission's platform and tells you, step by step, how to perform this exercise. ; How to produce the flowchart of what happens with data you collect. Where do you get the data from? What do you do with it? Where does it go? Who do you speak with? How do they get in touch with you? In doing this you will probably find out that there's a lot you didn't know, or realise. Once you've done that data impact study you will learn where your weak spots are; then you can start addressing them.

• Mike S. Rogers: The number one thing I tell any organisation is you cannot defend that which you cannot see or that which you are unaware of. Everything starts with an accurate picture of what your network structure is, where your data is, what's your supply chain, and your partner relationships. With accurate insights and knowledge you can create cybersecurity strategies that have a much higher probability of success. It's easier to do this up front when you're smaller than it is to wait until you are much larger.

Q4. Which one of these is going to be the most critical to protecting startups and small businesses that don’t have cybersecurity expertise or budgets: Policies, policing, or education?

📡 Signal Cluster: Create strategies, policies and awareness based on your most recent reality, and keep them up to date! And create good, clear norms that enable people to follow and build good habits.

• Chloé Messdaghi: Policies are one thing but practising these policies actually is the most important thing. People have plenty of plans but in reality they don't take action and these are not updated so make plans and make sure you keep them up to date.
• Mike S. Rogers: If your strategies are not matched to the reality of your network, you are doomed to fail. So take the time to make sure you truly understand your network’s structure, your data, all of your remote connectivity, what your endpoint, typography looks like and your supply chain.
• Audrey Tang: I think good, clear norms and good habits are the most important. Just like when people ask me, what about digital technologies to counter the pandemic, I say digital only plays an assistant role. The true technologies are soap and sanitisers and these technologies don't work unless people build a good habit to use them regularly.
• Dan Shefet: Awareness is critical - If you're not aware of it, you don't tend to deal with it. When we're talking about startups and small businesses, the most efficient way of acquiring this awareness is to look at actual examples of incidents - what happens in real life is wonderful in terms of educating and raising awareness. If you start with the risks, people will be polite and listen and they will forget, but if you start with an actual example that really affects the audience then you have their attention. This is when they start asking, 'Oh, can we go bankrupt?', 'How can we take out insurance?', or 'What about the legal implications?' and 'What about my reputation risk?'.

Q5. Covid-19 and remote work has radically changed cybersecurity perimeters & practises. How must cybersecurity management evolve given that hybrid working is here to stay?

📡 Signal Cluster: There are multiple strong signals, from the technical: the need for resilience, segmentation (network, data, access) and randomness, to the human and recognising that we are each increasingly responsible for cybersecurity - that includes not checking our emails and that we’ve had enough coffee in the morning and are fully alert to phishing attempts. There is however consensus that we are each responsible for our company's security. Make sure you also check out the outlier signal on how cybersecurity is increasingly a differentiator in your company's value.

• Chloé Messdaghi: Being breached is a big deal, especially for small companies and startups - It’s very hard to recover. Each one of us holds the key to our company's security. The human element plays the biggest role in security and the pandemic really highlighted this as we saw a 300% increase in breaches over this period, usually originating from phishing. We need to consider how we, as individuals, take proper stances with regards to cybersecurity. For example, don't check your email until you’re fully awake because you’re more likely to be phished.
• Mike S. Rogers: I think you've got to build your cybersecurity strategy with two components, both defence and resilience. Secondly, it must be built around acknowledgement that developing a centralised perimeter is probably unlikely to work. So it drives you into things like, ‘How do I segment my networks? How do I segment data?’ When I'm thinking about resilience, ‘How do I put randomness into my processes?’ Trust me, as an individual I used to penetrate networks for a living as well as defending them and I loved adversaries who were very predictable and who did their updates every Tuesday at nine o'clock eastern time.
• Audrey Tang: Again, drawing a parallel to the counter pandemic work, the key word is resilience. If you bet everything on defence, as long as new variants come then you cannot anticipate how that variant behaves. On the other hand, if we prepare the capacity without prescribing any particular playbook, we basically say, okay, as soon as a new variant develops, we can actually sequence it in a couple of days and adjust our playbook to work in a resilient way to counter against whatever the impact that particular variant has. So early proactive work and active detection, as well as building around resilience and continuity, instead of building around a specific playbook, or defence can protect oneself against these unknown dangers.

📡 Outlier Signal: You have to bake cybersecurity in at the beginning of your business and build it into your capital development strategy.

• Mike S. Rogers: As somebody who penetrated networks for a living, I'd love systems where security was a bolt on. I think for startups and others, I believe that increasingly over time, cybersecurity becomes a differentiator for you. I believe that, increasingly, it will be a criteria that investors, customers, partners will use to assess you. ‘Should I buy this product? Should I invest in this? Should I partner with this company, particularly as you're thinking about supply chain’. You have to bake cybersecurity in at the beginning of your business and build it into your capital development strategy.

Q6. In cybersecurity we say there are those who know they've been hacked and those who don't yet know. Who should you call when you need help?

📡 Clear signal: Be prepared. Know, in advance, your legal obligations, who you need to contact and who will do what.

• Dan Shefet: As a lawyer, I recommend immediately that all firms put in place a protocol for when there is an incident. Having a plan so that everybody in a company knows what to do and who to call, is really something that you should do immediately. There is also a legal obligation, under the GDPR, that you have to share that information of an incident within 72-hours. You have to write to inform all the people that may be affected that there has been an incident and what are you doing about it. So the first thing you need to have is a protocol in place, so if something happens you know exactly what to do.

Q7. What one thing have you not told me that startups and small businesses need to know?

Mike S. Rogers: Two things: Don't forget about people. Don't forget about culture.

As a CEO, as a leader, ask yourself ‘What kind of culture do you want?’ and that includes cybersecurity. How do you want your workforce and your team to think about cybersecurity? What sort of messages do you want to send?

The human piece is that, as a leader you will spend a lot of time focusing on getting the right developmental engineers, the right people to develop this value proposition that I've created. I would urge you to spend an equal amount of focus on what kind of people you need to ensure you’ve got the right cyber security moving forward. Don't start by thinking, ‘Oh, well, all that matters is product development’; success in cybersecurity is predicated on your ability to maximise a team, not on if you have the best CIO or CSO, or IT department.

Audrey Tang: To give no trust is to get no trust. In Taiwan we empower the people closest to the edge with the full view of the system. Instead of security through obscurity, we invite everyone to serve as white hats and to report which lines of code cause potential resilience challenges. If you search for HitCon ZeroDay, then you can see the templates and kind of scoreboard; their real-time reports of responsible disclosures of zero days.

We trust our public this way and they trust back by alerting us. I believe a good relationship with the white hat community is essential; in Taiwan, white hats are national heroes, they meet the President! Even as small and medium enterprises, you can still participate in Bug Bounties and other activities to create goodwill with the white hat community.

Chloé Messdaghi: We need to acknowledge that 2 parties exist: hackers and attackers. Hackers are security researchers, not extortionists. Attackers use the same skills as hackers but with criminal intent. Hackers can help and serve you; to protect you from attackers. Vulnerability Disclosure Policies are needed so if hackers do find a vulnerability in your systems they can easily report it to the right people in the organisation. Often when we find a vulnerability we have no way other than social media to reach out and this often ends up on the wrong desk and sometimes even in legal action. I’d recommend every organisation to create a framework for building communications and relations with hackers that is transparent, has limits, and that enables you to work together to help identify and address flaws and to protect one another. You can find examples of best practices of creating disclosure policies at disclose.io.

Also stalkerware is an increasing problem around the globe. We have seen an increase in the rise of use, including from nation-state actors, trying to access and steal IP. Stalking is a criminal activity and online stalking is too. To find out more go to overstalkers.org. We have built this as a resource to help the public learn more about stalkerware, signs of stalkerware and resources and organisations that help victims.

Dan Shefet: Keep training, training, training. Make training and awareness part of your monthly in house meetings using real life security breach examples - it can even be good fun, because these stories can be really very very interesting.