Just as a viral pandemic was inevitable, a cyber pandemic in the future is also predictable. As technology is globally interconnected, a cyber virus could move from device to device, much like Covid-19 among humans. A virus propagated through an app could have devastating consequences, with the possibility of a global internet lockdown. The World Economic Forum has predicted that a single day without the internet could cost more than $50bn globally, even before considering the societal damage related to shutdown of essential services. Just as we must look to the future to prepare for the next pandemic, so too must we explore our global preparedness for cyber security threats.
At a recent round-table event hosted online by the New Statesman and sponsored by Fortinet and Hexaware, a group of policymakers and industry experts gathered to discuss cyber pandemic preparedness. They discussed future strategies, how best governments and businesses can promote cyber security, and how we can anticipate, and protect from, future attacks.
They agreed that when considering any strategy, the cyber hygiene practices of individuals needed careful consideration. Matt Warman MP, the former minister for digital infrastructure, drew attention to the consideration of who is behind cyber attacks – not just where the attacks are coming from, but why they are able to happen and where the weaknesses may stem from. “The vast majority of problems come not actually from incredibly sophisticated attackers, be they states or anyone else – they come from the carelessness of individual users who happen to have important jobs where they may or may not have a duty to know better,” he said.
Chris Parker, director of government and defence at Fortinet, agreed, but also added that we should not disregard the seriousness of state-sponsored threats and the need for advanced detection and response systems in order to deal with “very, very aggressive attacks” at a “state-sponsored high level”.
Gaurav Agrawal, vice president and infrastructure management services (IMS) practice head at Hexaware Technologies, warned of the “unknown track” and for any strategy to be prepared for “that absolute unforeseen situation”. As such, strategy should prioritise pre-emption and prevention, as well as focusing on building resiliency and recovery programmes for when cyber attacks do succeed. Khalid Mahmood MP, member of the All-Party Parliamentary Group on Cyber Security, agreed with Agrawal that prevention is of the utmost importance, but also felt that any strategy should prioritise current vulnerabilities. He pointed to previous attacks on colleges and other vulnerabilities in the public sector, and that this needed to be addressed before we start to look at prevention.
When considering what businesses and governments can do to promote cyber security, Warman felt that there should be an awareness, but not a complacency, in the emergence of future technologies and the risks associated with them. For Warman, the emergence of future technologies drew up questions about the security of legacy systems in government and business. “It’s partly how we address those legacy weaknesses, but it’s also how do we try, in the future, to automate improvement?” he said.
Mahmood stated that though he was pleased to hear the UK government had pledged to invest £86m as part of funding for local governments and councils to ensure their cyber defences were robust, more needed to be done to educate the public and small business owners about the risk of cyber threats. “We really have got to have a national public campaign to make people aware of this,” he said. “People are doing a fantastic job, but it’s got to extend out to the wider community.”
When it came to anticipating and reacting to future attacks, the attendees agreed that AI has a key role to play, acting as a kind of “arms race” against attackers. Parker talked about the uncertainty of future threats, and the prospect of a threat that no one has seen before: “You can build a very large fence that someone will build an even bigger ladder.” However, he was positive about the capability of sophisticated AI technology to “patrol” security systems and keep future threats at bay: “Good technology, good systems proven around the world, are available, and they’re not going to cost the earth for the taxpayer.”
Mahmood compared the race to a never-ending game of chess, where one is trying to defend and the attacker is trying to overcome that defence. As such, Mahmood suggested that we protect our knowledge and consider licensing our learnings in order to restrict other actors from joining in. “You wouldn’t be giving your codes to nuclear submarines to anybody else, so why are we doing this?” he asked.
Agrawal was also positive about the capabilities of technology to determine future threats; however, he pointed out that there are still major security and compliance concerns around these new technologies: “There are tools and technologies missing [protections around] enabling and applying security, compliance and guardrails across your private clouds, public clouds and data centres.”
The round table concluded with a discussion of what IT managers and policymakers can do to ensure their systems are better protected. Agrawal suggested that identifying the motives of attacks right now was the best method of prevention, giving us an understanding of user behaviour and patterns. In terms of training employees, Parker suggested that companies make the most of the training provided by good cyber security suppliers, as well as the National Cyber Security Centre’s training programmes. Warman also suggested that a kind of regulation of cyber security qualifications may provide people with a map for their future careers, in addition to softer forms of promotion and advertising of cyber skills by the government.
As the round table wrapped up, the mood was cautious but hopeful. As Parker concluded: cyber security is the “duty and responsibility of us all” – although the risk is getting bigger and more automated, there are multiple resources out there for the nation to equip itself and fight off future threats.