Cybercrime causes as much damage as drug trafficking combined, and is set to rise. With 5G, the connectivity will be instant, and therefore cybercriminals will be scanning networks for vulnerabilities much faster, Algirde Pipikaite, a cybersecurity and digital transformation policy expert at World Economic Forum (WEF), told CyberNews.
Cybercrime is destined to rise as workplaces move online and the economy slumps because of the coronavirus this year. Moreover, 5G will ensure seamless access for criminals to scan networks for vulnerabilities and exploit them.
“Cybercrime has been predicted to rise regardless of the pandemic. We’ve seen numbers that show cybercrime damages becoming as high as all drug trafficking combined,” said Algirde Pipikaite in an interview with CyberNews.
As our lives move to digital spaces faster due to the pandemic, what new challenges arise?
Challenges and risks are increasing on an everyday basis. As we like to say in the cyber community, many companies that had digitalization plans for 5 years, 2 years down the road, had actually implemented them within a week or within two weeks, when COVID-19 pandemic started. The random ping of digitalization, putting employees and customers connecting online, happened very quickly to ensure that business and government operations could continue working seamlessly. And that provides the incredible number of avenues for hackers to enter networks. A majority of employees that work from home are using their own modem device that we have no idea when was last updated. That gives cybercriminals a lot of entry points. A lot of employees do not use VPN, because VPN capacities are just not prepared to handle hundreds of millions of employees.
There are many challenges that a lot of organizations are facing, and while they are doing that, we have seen a rapid increase of COVID-19 related social engineering attacks by cybercriminals. And that serves two purposes. One, at least at the beginning of the pandemic, people were super eager to learn more and more facts about what the virus is, what it contains, how you can prevent it, if you can prevent it, and how you can safeguard yourself and your family. By playing in those spheres, it is very easy to socially engineer an email, a text, or a call and actually have malicious purpose of accessing personal or corporate data. Those were on the rise. The combination of us spending much more time online, for private and professional purposes, actually allows cybercriminals more time for us to make a mistake. So they sit and wait, they basically go fish.
Read more: Dealing with cybercrime during COVID19
The quarantine might be over for now, but COVID-19 is certainly not. What is going to happen in the near future? What is the trend?
At least until the vaccine is here, I do not see us coming 100 percent back to the physical office, and that means we will need to rethink digitalization, as it’s not only a couple week or couple month solution anymore. It will have to stay for at least a couple of years. Companies like Apple, Google, and Facebook, have announced to the employees that they are not coming back to work, to the office environment, at least until next summer. So that means at least another year we will be operating in whatever digital capacity across multiple locations.
Especially when large multinational corporations create their employment policies, they do it globally, they don’t do it on a place by place basis. And that means that the mechanisms to protect ourselves have to be rethought, training of employees has to be put in place, to remind employees on a constant basis the importance of staying vigilant, critical, looking at every single communication very critically, and questioning if that is something malicious, or just presuming immediately whether this email or this communication is good to answer and whether to fully obey any task or requests therein. Actually, employees become this security perimeter. Previously, we had very physical security perimeters because you could secure your physical environment, now your employees are branching out to their own safe places - homes, summer houses, and we need to ensure that the human factor does not interfere with security measures.
You’ve mentioned such companies as Apple and Google. They are definitely prepared for these challenges better than small and medium sized companies that fall for ransomware and are not skilled enough in cybersecurity? Is there enough time for those companies to learn how to secure their data?
Well I hope that they learned that much earlier. Way before the corona pandemic. If you are a company that holds any kind of private data, there’s no excuse of not being able to protect it. Otherwise, just don’t collect it, don’t hold it. You don’t have any business to be in the data business if you are not thinking about security. I don’t think we should find excuses for not being secure, depending on the company's size. You might be a small company, but you might hold enormous amounts of data. Especially, if you are in healthcare, travel industry, if you are in fintech. Many of those industries are quite well regulated in many geographies. In other geographies, they are less regulated, because their regulators are just catching up, but size should not matter in this domain. What matters is how much cybersecurity you actually put in your culture, how much you emphasize it in your internal matters, internal policies, and as well how you communicate with third parties. So how much do you emphasize cybersecurity with your suppliers when you sign contracts to buy cloud or service providers.
Data protection should be on everyone’s mind. Corporate giants not only have legal capacity to protect themselves in case of lawsuits, but they also have the capacity and enough cash to pay any fines that might come their way and basically barely feel a sting. Cyberattacks and big governmental fines might be actually too heavy to small and medium enterprises (SMEs). So they should be even more vigilant when they are thinking about data protection than big giants. Otherwise, statistics says, around 60% of SMEs could go bankrupt in the event of a successful a hack.. The prevention of the hack should be on everyone’s mind.
Corporate giants not only have legal capacity to protect themselves in case of lawsuits, but they also have the capacity and enough cash to pay any fines that might come their way and basically barely feel a sting. Cyberattacks and big governmental fines might be actually too heavy to small and medium enterprises (SMEs),says Algirde Pipikaite.
Would you say that cybercriminals are getting smarter, the attacks more sophisticated, or are criminals just fishing for fools?
Cybercrime is one of the fastest growing activities globally. That’s mostly because you can perform crimes without leaving your own premises, and be quite sure that in most cases you won’t be caught. Less than one percent of cybercriminals or cybercrime activities get investigated. So, the chances of profit are very high.
There are cybercriminal groups that got very automated, have orchestrated playbooks of their criminal activities, automated emails coming out, automated scam networks. That is getting more sophisticated. Still, up until today, 98% of cyberattacks come from social engineering. It’s much easier to go and social engineer Jurgita’s profile, and try to get into her social or corporate network through her human vulnerability rather than finding technical vulnerabilities, understanding what kind of operating system you are using, etc. Companies and organisations need to think how to prevent cybercrime, they need to focus on their employees, their people, to focus on preventing cybercrime. To have a vigilant workforce that is able to understand, or at least is aware if they see something wrong so they forward it to their IT department. You need to develop that critical thinking muscle if you want to stay ahead of cybercriminals.
End-to-end encryption provides us a more secure way to communicate, but there are incentives around the world - both in authoritarian regimes and Western democracies - to restrict it for the sake in law enforcement. Could you elaborate on the latest trends in encryption? Would you say that encryption is in danger?
End-to-end encryption is the most secure way for us to communicate privately, to ensure that communication between me and you is actually staying between me and you, and there’s no middlemen involved. It’s really important to ensure that we have and continue having trust between users.
That creates a lot of challenges for law enforcement, investigating or preventing criminal activities from happening. The debate will not go anywhere, and will stay until countries finally implement regulations as Australia did last year.
My only worry is that when we think about end-to-end encryption, we think about the part of preventing and solving criminal activities and having access to that information that supposedly is encrypted. If we leave backdoors, we leave the same backdoors for cybercriminals.
When we consider and develop a technology for using digitally, we can’t just think that if we leave an entry point in technology, it will be used only by the good guys. That’s not the case. Criminals are really one, if not two, steps ahead in many many ways. They cooperate much better, they don’t have any legal obstacles of actually communicating with each other, so they exchange information much faster. At the same time, any information exchange between law enforcement agencies, especially if they are in different countries, is happening at a much slower pace. So we are already at a massive disadvantage when we think about the bad guys and the good guys. Putting entry points in technology can just endanger users of being exploited by the cybercriminals. That’s my only worry.
Read more: WhatsApp leader: people are being spied on in horrifying ways
What about VPN clients? In Belarus, we saw how they tried to ban even VPNs, which especially for some countries is essential to express opinions freely?
The VPN user base has been increasing enormously due to the coronavirus. Many organizations have actually difficulties amplifying and increasing the capacity of their VPN usage, so I think that VPN usage will only be increasing. Hopefully, the capabilities will be improving as well, and I encourage everyone to use VPN as one of the safest ways to access information and make sure that you encrypt your communication between you and the source of that information, and broaden the access that you are trying to gain. So everyone should be aware of using VPNs, and hopefully everyone is using them.
What do you think about 5G? It’s definitely going to accelerate the Internet of Things, usage of the internet in general, and it will probably pose new challenges to our security and privacy.
Your connected devices are constantly surveilling and collecting data because that’s what they are designed to behave. It has been happening and it does not depend on the speed of the network. Now, with the arrival of 5G, what changes is the actual pace. The connectivity will be immediate, we will not have any lag between the communication device and network. The pace is increasing enormously. What that means is that cybercriminals will be able to scan everything and find vulnerabilities much faster. And that’s what we should be thinking about on the international, regional, and national level, and even as an organization.
Five years ago, manufacturing plants most probably didn’t have to think a lot about cybersecurity because most of their machinery was not connected to the internet. And even if it was, the connection was so slow that if there was anything happening you could definitely catch it by looking at your network. Now, think about the same manufacturing facilities five years from now, with brand new equipment that constantly communicates and sends update information, basically operating independently. Very rarely will they need an operative involved in the manufacturing process because of the connectivity, the speed and the ability to quickly take decisions, scan the network and update themselves.
The same connectivity and the same pace will be provided for cybercriminals if they get on that network. We need to think about the measures we are putting into catching any random or unexpected activities, because we need to catch them quickly. Because cybercriminals are getting the same speed and the same ability to access networks much quicker than we are doing right now. And we rarely see that debate taking place, but luckily we are seeing more and more policy makers and tech experts talking about the dangers of the pace for cybercriminals that 5G will provide.
Would you say that the scale of cyberattacks depends on the economic outlook of the world, and we could see more cyberattacks as, for example, GDPs slump this year because of the coronavirus?
Cybercrime has been predicted to rise regardless of the pandemic. We’ve seen the numbers: cybercrime damages are becoming as high as all drug trafficking combined. So the rise in damages that cybercriminals are causing to our economies are enormous. To some countries, we are counting to a couple percent of GDP, in other countries it didn’t reach one percent of GDP yet, but it definitely will be on the rise everywhere you can think of. Will it be on the rise because of the pandemic? Of course. And you can already see that. What we have noticed by looking into the networks in the last couple of months is that the numbers of cybercriminals or cybercriminal groups have not increased. However, the number of attacks has increased drastically. And mostly those attacks are using COVID-19 related messaging, activity, websites, etc. Because it’s such a concentrated demand for one piece of information, cybercriminals are just riding that horse. And most of the attacks are also focusing on that messaging.
Once the interest level in COVID-19 will decrease, cybercriminals will be very creative. They will come up with new avenues, new messaging, new interest points. Part of that will be elections that are coming around the world. Another avenue will be unemployment benefits that a lot of countries are providing, as well as education related activities. Because everything is moving online, cybercriminals will be trying to think of new ways to exploit that. And any new hot topic inour societies across different regions will be exploited by cybercriminals.
Once the interest level in COVID-19 will decrease, cybercriminals will be very creative. They will come up with new avenues, new messaging, new interest points,says Algirde Pipikaite.
Is there a coordinated response and strategy worldwide, or is each country left on its own to deal with cyber attacks?
We at the World Economic Forum, the platform for shaping the future for cybersecurity and digital trust, focus on bringing private sector leaders and public sector leaders and actually foster these debates and come up with actionable items of how we can improve information sharing between countries and private sectors, how can we encourage law enforcement to better cooperate, and how we can create avenues for cooperation between law enforcement and private sector actors, how can we improve cooperation on regional and international levels.
The challenges that law enforcement is facing are very different from those healthcare cybersecurity providers are facing, and manufacturers of new technology, and financial sectors are facing. So what we are aiming to do is to bring these leaders together to learn from each other so what are the best practises, what does work already and how can we scale solutions so that hopefully we can prepare better for the next attack.
Is cybersecurity, infosecurity a buzzword in Davos? I have followed it for many years but haven’t noticed many discussions about the topic.
Regarding the annual meeting at Davos, right before every meeting the World Economic Forum releases the global risk report. This year, we released the 15th edition, and out of 15 years of survey that we run where we survey more than 1,000 global corporate and public leaders, cybersecurity related risks have been on the rise for the last 8 or 9 years. So since digital became part of our economy, our society, our education system, cybersecurity has been on the mind of leaders, which is very encouraging to see. It has been among the top-10 risks for many years.
I think this year, cybersecurity has become a much more prominent topic because of the quick digitalisation that had to happen because of the pandemic. Now having said that, we also have to acknowledge that other risks like societal risks, inequality risks, climate change risks have become even more important, while healthcare, pandemic risks have become even more prominent than they were before. Comparing 2019 and 2020 opinions of global leaders, those two would be very different because a little number of countries were able to face global healthcare pandemic, and definitely that became a very prominent topic in any leaders or any citizens mind. As my mother likes to say, “what the hell did we discuss before corona came,” because it seems all the topics everywhere. You can see spikes of interest in cybersecurity when a big attack happens. That brings a lot of attention, and then it dies out. It’s a very dynamic topic, many more citizens are aware of it than five years ago, and it’s just continuing to rise. So everyone who’s looking for a career, definitely should consider cybersecurity.
A recent report by WEF stated that there are a lot of vulnerabilities in the public sector, especially in the healthcare sector. Elaborate a bit about these challenges: can the healthcare sector deal with these kinds of attacks? Has any large scale attack happened yet?
Vulnerabilities are across technologies. The challenge with the healthcare sector is that in many cases, either public sector or even privately owned, the margins are very small. To sustain profitability in healthcare, you have to be very vigilant of your costs. Cybersecurity was not a very prominent topic in the healthcare sector until the NHS in the United Kingdom was massively hacked, and then it raised awareness about how it can be damaging if hospitals get crippled because of a cyberattack. Due to this cost efficiency, a lot of cybersecurity solutions and services are not yet mature in healthcare providers’ capabilities.
If you think about big clinics, especially in the United States, they actually hire a lot of hacking teams and invite them to their facilities and let them hack to actually understand what can be hackable, what can be broken, what threats and what risks they are facing Then, they are communicating that to the suppliers and manufacturers of blood supply pumps, or pacemakers and let them know - hey, this is what we found, this is how your device can be accessed, we would like that to be fixed. But not every hospital and clinic is able to do that, or is doing that, because they have other priorities in mind.
When you buy your machinery, you buy it for the next 15 years. How do you ensure that the manufacturer will provide software updates with a vulnerabilities account 9 years later? These are devices cost millions, you cannot buy them every year or update them every year. You need to ensure that healthcare providers update their software and respond to any potential vulnerabilities that can be found. And a lot of countries are amplifying their efforts in regulating and improving cybersecurity in healthcare services, and hopefully that will be happening quicker than hackers will be able to exploit it.