Exponential growth in remote working triggered by the pandemic has led to an unprecedented level of integration between Enterprise IT systems, Operating Technologies (OT) and the Web. Unsurprisingly, this has led to a call for tighter legislation and international standards to fight cybercrime. However, while good laws have a key role to play, legislation alone is not enough and an overreliance on it can prove counterproductive.
The Covid-19 pandemic has increased the world’s reliance on the internet many times over. The International Energy Agency estimates that in 2020 alone, global internet traffic grew by 40 percent, most of it driven by an increase in video streaming and video conferencing, both key aspects of remote working. This growth comes on top of a 15-fold increase in internet traffic since the beginning of the decade. If current trends are anything to go by, it is very unlikely that the world will return to pre-pandemic working patterns in the near future. This presents unique cybersecurity challenges to companies, especially public and private utilities.
When it comes to cyberattacks, businesses have typically focused on protecting their enterprise systems, while governments have focused on protecting critical infrastructure (e.g. water, electricity, transport). However, this distinction has little relevance for utilities because, for them, protecting enterprise systems includes protecting the Operating Technology (software) platforms running critical infrastructure. Cybersecurity frameworks often involve partitioning Operating Technology (OT) systems from Information Technology (IT) systems, to protect the former from the latter, which are seen as more vulnerable. Most utilities go to great lengths to enforce this separation through one-way firewalls etc., and some even go to the extent of physically separating their OT from IT. It is still common practice to store all OT software onsite, with no remote access at all or access given only through dedicated Wide Area Networks (WANs). But it is a fact that in the post-pandemic remote-working world such separations are becoming increasingly hard to maintain.
“It is more important to build capacity; meaning expertise to anticipate, detect and prevent attacks, capable of responding to new threats on an ongoing basis with agility in the fast-changing global environment”
In this environment, it is understandable that there are calls for stronger legislation. While there is no denying that strong laws have a role to play in cyber security, relying too heavily on legislation can be counterproductive. I believe it is equally, if not more, important to build capacity: building expertise to anticipate, detect and prevent attacks, capable of responding to new threats with agility in a fast-changing global environment. This involves developing threat scenarios based on prevailing geo-political, geo-economic and technological conditions to anticipate threats on an ongoing basis, something which cannot be achieved in the absence of cooperation between organisations across governments, civil society and communities, both nationally and internationally. This is because cyberattacks on utilities usually have significant downstream impacts, and identifying potential sources of attacks based on motivations is impossible without drawing on the expertise across these areas. For example, a few years ago Australia’s Bureau of Meteorology (BoM), the government agency responsible for weather forecasting, came under a serious cyberattack. Though the real intention of the attack was never established with certainty, it is clear that a denial of service by BoM would have had impacts far beyond just weather forecasting, potentially disrupting aviation, shipping and military exercises. It is hard to see how tougher laws would have prevented, or even foreseen, this attack. But collaborative threat assessments that took these downstream impacts into account would have at least identified the exposure and, based on it, identified possible sources.
Further, legislation that goes too far, such as criminalising the mere possession of malware, as opposed to criminalising only its use (current legislation in many countries), can have detrimental effects. In the interest of fairness, law enforcement might spend valuable resources looking for relatively benign malware, diverting attention away from more serious threats. It might also create multiple backdoor points of entry which can be used by hackers. Excessive intrusions can also slow down the performance of OT and impede the efficiency of critical infrastructure.
The Budapest Convention on Cybercrime, with 66 countries participating, is one of the most comprehensive international frameworks available at the moment to fight cybercrime. The convention gets the balance between laws and capacity-building more or less right. It has three components: (1) criminalising conduct including illegal access, systems interference, computer fraud and using the web for illegal activities such as child pornography; (2) procedural powers to investigate cybercrime; and (3) enabling international cooperation and capacity building. The convention specifies minimum standards for national legislation, based on acts of crime rather than on things like possession of malware, but it goes much further, developing and enabling frameworks for building cooperation between governments, as well as between businesses and governments, enabling the utilisation of a broad range of expertise in building capability. Thus, rather than pushing for tougher laws, organisations should campaign for the implementation of frameworks enabled by the Budapest Convention on capacity building, to anticipate, detect and prevent attacks. The focus of legislation, on the other hand, should be on defining and criminalising acts of cybercrime and providing oversight, ensuring governments and organisations act in the best interests of the community.