The world is on the verge of the fourth industrial revolution, which will see the total integration of both the professional and private spheres of our lives with technology, and particularly with the Internet, in the environment known as the cloud. This new reality opens up a whole array of possibilities in fields such as health, communications and mobility, but also entails risks, especially in the area of security. In recent months alone, we have witnessed events that until now we thought were only possible in the realms of science fiction, such as the fact that hospitals were obliged to cease operating because their files had been infected by a virus; or that no less than the German government had to ban the sale of a doll that connected to the Internet, because it could potentially be used to spy on children’s behavior.
Viruses such as WannaCry or Petya have sparked panic among international public opinion to the point that practically no one now dares question the need for cybersecurity protocols within organizations. These are understood as the discipline that groups together all the tools, guidelines, management methods, practices and policies aimed at protecting our own and companies’ assets on the Internet, covering everything from our personal data, the keys and passwords we use, our online purchase history and our banking information. So much so that according to the study on global risks published each year by the World Economic Forum, cyberattacks are now the fourth greatest concern for the global community, surpassed only by unemployment, climate change, the water crisis and conflicts between nations.
A major challenge for governments
The arrival and subsequent expansion of Internet represents one of the greatest revolutions in the history of humankind, with over half the world’s population –over 3.75 billion people– using the internet every day according to the We Are Social 2017 report. Today, most western societies require the use of IT systems for all their economic processes of whatever size or value, such as energy distribution, telecommunications, financial transactions, and the functioning of industry or transport, to give just a few examples. However, this increased dependence on technology has also brought a greater risk of exposure to threats in cyberspace, which pose a danger to the security of the whole system.
In recent months, reports of cyberterrorism have hit the headlines in both the corporate and institutional spheres. The Internet provider Dyn, for example, was the victim of multiple mass attacks that affected the web services of Internet giants such as Netflix, Amazon, Twitter, Spotify and Paypal, in addition to numerous media organizations, including even the New York Times. Simultaneously, the United States government was hacked repeatedly by Russia, which succeeded in stealing confidential information belonging to several officials in the US administration, including Hillary Clinton, which were subsequently leaked to Wikileaks.
We are therefore facing a new type of modern warfare that poses a challenge of enormous complexity for governments in a range of areas, but mainly two: the legal regulation of what is considered a cyberattack or cyberterrorism, and the competences in these areas concerning a type of crime that observes no physical borders; and how to prepare and implement an effective defense strategy against them, in view of the incredible speed with which data travel across the networks. For the delinquents, cyberattacks offer evident advantages compared to other more traditional means, as they require no expensive infrastructure and allow them to act in total anonymity to perpetrate massive and simultaneous attacks in different parts of the world. And according to a recent report by the FBI, all this occurs in a current scenario of extreme vulnerability inbuilt in many of the essential infrastructures of major Western powers.
In spite of the seriousness of its effects and the fact that its existence has been known since the 1970s, international law today can only judge the cyberattacks launched or sponsored by nations, mainly due to the difficulty of pinpointing their origin. According to the principle of territorial sovereignty, countries cannot interfere in cybernetic infrastructures based in other countries, which means they have to invest ever greater sums to protect the security of their ICT (information and communication technology) networks, and to guarantee suitable protocols to enable companies and their users to be confident of the unbreachability of the network infrastructure. Organizations such as NATO, Interpol and Europol play a significant role in devising strategies for security on the Internet involving a significant group of countries.
The exchange of information between the public and private sector is critical for detecting threats and for work on developing applications and technologies that make it possible to counteract and even prevent these attacks. In mid 2016, the European Commission launched a public-private collaboration initiative to enhance the EU’s capacity to resist cyberattacks. In fact within the Horizon 2020 program, the community club has undertaken to invest 450 million euros toward making the network infrastructure more secure. They have created the European Cybersecurity Organization (ECSO), comprising major European companies in the information security sector who will invest around 1.8 billion euros over the next three years.
New systems of cooperation
In spite of these international efforts, the cyberdelinquents appear to be one step ahead of the nations, at least for the time being. According to Cisco’s Annual Cybersecurity Report, based on the responses of over 3,000 chief security officers (CSOs) from around the world, over a third of the organizations that suffered a cybersecurity attack in 2016 saw losses in clients and income of over 20% of their turnover.
Among the main challenges for cybersecurity, a study by the Bankinter Innovation Foundation mentions the need to reduce the global cost deriving from these attacks, which requires European countries to collaborate in common strategies under the leadership of Enisa (European Union Agency for Network and Information Security); and to guarantee the integrity of technology infrastructures and solutions. Other documents in the same vein stress the need to raise awareness among digital consumers of the importance of security, and to develop international legislation to increase criminal liability for perpetrating acts of cyberterrorism.
Cybersecurity therefore requires the joint participation of a multitude of agents who intervene in the whole value chain of the sector, including providers of software, terminals and equipment, through to the end clients and users, both in the public (armed forces, government, legal sector, police, etc) and private sphere, from private citizens all the way through to multinational corporations. To ensure the greatest likelihood of success against digital threats it is essential to promote the closest possible coordination and collaboration and encourage global legislation that transcends geographic borders, and to establish a new international model of governance that takes into account the fourth revolution up ahead.
The legislative challenge
The main challenge in terms of cybersecurity legislation is how to achieve an adequate balance between the needs of countries and companies to implement efficient defense strategies (endowing them with effective legal instruments for investigating and prosecuting these crimes), along with respect for the privacy of people’s communications, while guaranteeing the secrecy of information. These last issues are critical and unassailable in Europe.
Main digital risks in 2018
The consulting company Gartner has revealed in a report that by 2020, 60% of digital businesses will have suffered serious failures due to the inability of its teams to manage digital risk. According to the report, this can only be resolved in two ways: by training specialists in cybersecurity (Incibe, for example, claims that the European Union needs to incorporate 825,000 specialists in this field in the next ten years, whereas IDG calculates that in 2019 there will be a global demand for six million cybersecurity experts), and by improving technology protocols in different fields, including particularly:
- Cars – Smart cars are already on the market and yet they are vulnerable both through direct attacks and from other supports to which they are connected, like smartwatches.
- Wearables – Like smartphones or smartwatches, which are not sufficiently protected and thus expose users’ personal information to vulnerability.
- Cloud services – More and more organizations are using cloud services to store their files but without installing the necessary encryption systems.
- Ramsomware – Two out of every five companies in Spain suffered malware attacks in 2016 which blocked the use of files, obliging them to pay a ransom to release them.
- Hardware – Systems for the protection and analysis of threats are essential for guaranteeing the security of communications, even in local networks.
Conclusions
- To increase confidence in the digital environment it is essential to boost the security of all communications taking place on the Internet, and to do so by encouraging adequate collaboration between governments and private companies.
- Education and awareness continue to be the best tools for preventing cyberattacks as far as possible. Encryption, security protocols and investments in security systems are key in this regard.
- The sector has an urgent need for specialists that are capable of developing systems for predicting and anticipating possible threats. It is essential for universities to train experts to guarantee the security of digital communications.
- In spite of the efforts made in recent years, it is still crucial to define the correct legal framework to guarantee the cybersecurity of people and organizations. International bodies must redouble their efforts to achieve the maximum cooperation between nations.
- The emergence of new technologies further exacerbates the global vulnerability of the system. So along with developing global strategies against terrorism, punishments and criminal sentences must be imposed to sanction the perpetrators of cyberattacks.
Rafael Cabarcos and Carlos S. Ponz are members of IIDC.
Copyright © 2017 IIDC. All rights reserved.
For more information: ponz@iidc.es.
Comments on this publication