This acceleration of the rate of cybercrime attacks on critical infrastructure changed the mindset of governments, as it threatens economic activity, military preparedness, and social dislocation, according to Michael Daniel, president, and CEO of the Cyber Threat Alliance.
Increasingly diverse technological ecosystems have brought unparalleled efficiencies and capabilities for businesses, but are vulnerable to constantly evolving, sophisticated cybersecurity threats, he said
Daniel, former Special Assistant to President Obama, told Digital Nation that the cyber threat is evolving to be more organised and complex, with high payouts for criminal’s comparative to a low risk of arrest or prosecution.
The risk is compounded by the actions of nation-states for whom cybercrime is a way of advancing their national security goals.
The shift in the threat landscape towards large scale operations, rather than individual hackers, is one that Daniel cites as a risk for potentially catastrophic loss for organisations.
“[Threats] are more organised, it comes back to this idea of the hacker as a guy in a hoodie, in his mother’s basement, that is not the reality of most of these operations,” he says.
“It’s not just individuals hacking for the fun of it or the challenge, that still exists, but many of these are very highly organised groups that run it like a business.”
An accelerated digital shift due to the COVID-19 pandemic left many businesses exposed to criminals praying on rushed, expanded cybersecurity networks.
Daniel expects to see the adoption of strategies such as zero-trust architectures as a response to the complexity of dealing with uncontrolled devices or poor cybersecurity habits by staff.
“Back in 2012, 2013 most ransomware attacks were on individuals or small businesses… [now] the intensity of ransomware has reached a point where it is actually, in fact, a national security threat. It is a public health and safety threat.”
“You really have to treat those very differently than just, you know, a standard sort of street crime problem. That's certainly where the mindset of the US government is.”
Coalition of convenience
Governments intent on using cyberespionage to advance their agenda has also recognised the advantages of utilising the skills available in the cybercrime marketplace. The extent of the overlap remains a matter for debate but Daniel says that the use of criminal organisations as proxies by governments is undeniable.
Using criminal tools provides a far superior operational model, says Daniel, providing a pre-built infrastructure, allowing governments to keep their own tools in reserve, and producing a level of obfuscation as to who is carrying out an operation.
“I think there's very much an interaction between a lot of those groups. But there is one way where they are distinct, and that is their goals and objectives, which is that the criminals are really in it for the money. That presents some interesting ways to think about what you do to try to thwart them. Whereas a nation-state has other goals that are different and how you dissuade and deter a nation-state is very different than how you to dissuade or deter a criminal group,” he says.
In tackling an issue such as this, improvements to a broader incentive structure are necessary, however, Daniel says that this is difficult as cybersecurity is fundamentally a human behavioural problem and a business problem, rather than a technological one.
Restructuring tax codes and instructing regulatory frameworks to encourage investments into cybersecurity are all methods he recommends, with disruption to criminal infrastructures likely to be more effective than seeking arrests.
“On both sides of the equation both for the defenders and for the malicious actors, you're really talking a lot about incentives and how do you actually structure the economics to favour investments in cybersecurity?”
“Everything is faster, bigger stronger… everyone recognises that fact and so that part of the landscape has changed tremendously. Now we’re having much more conversations about what we do with it, rather than arguing about whether or not it’s actually an issue.”