Despite headlines of exponential escalation in the cyber attacks on governments and corporations, an expert says the core threats have remained largely unchanged in the past decade with only subtle shifts emerging today.
Speaking at the Fiduciary Investors Symposium, former founding chief executive of the UK government’s National Cyber Security Centre, Ciaran Martin, said Western economies still persistently face the four types of cyber threat they’ve been dealing with for a long time: espionage from China; disruption from Russia; hacktivism from Iran; and political interference from North Korea.
“The cyber security industry loves to say the threats are going up exponentially, and hackers are getting increasingly sophisticated and so forth. We say that all the time, every day, it’s not essentially true,” said Martin, who is now professor of practice in the management of public organisations at the Blavatnik School of Government, University of Oxford.
What changed is these attacks’ efficacy and their ability to “inflict pain” on corporate or state victims.
“[For example], the North Koreans have become very sophisticated cyber criminals… they account for a large part of the 20 per cent of unrecovered crypto heists,” he said.
“They’ve stolen $3 billion this year alone, mostly from bridges because they’re innovating. That’s how they get past sanctions, and they’re very good at cashing it out before it can be traced and recovered.”
Cyber criminals have also become better at squeezing companies to maximise disruption. Martin recalled the Jaguar Land Rover cyber attack in the UK in August, which forced the car manufacturer to cease all production for weeks and order staff to stay at home.
The nation’s Cyber Monitoring Centre estimated that the incident led to a £1.9 billion ($2.5 billion) financial hit to the British economy.
“They [the cyber criminals] really know how to inflict pain,” Martin said.
“AI has not transformed cyber threats, not yet, and maybe it won’t. But it’s making it a bit cheaper and a bit more efficient to be a cyber criminal… the business model of criminals has got really good and that’s very worrying.”
For financial institutions, there are three cyber security considerations to keep in mind: newer forms of assets such as crypto tend to be more vulnerable than traditional finance such as banking; sensitive information in the sector has more value and is therefore more monetisable; and the disruption of services to clients or transactions can carry greater consequences.
Financial institutions can manage these risks by getting better at determining which types of data breaches matter the most.
“At the moment, in terms of the way public policy is framed and the way public discourse is framed, it’s just ‘here’s a large number of data breaches’, whereas actually it’s just your name and your email,” Martin said.
“If you go to the General Counsel and ask what’s our legal obligations, there’s only one: personal customer data. So if you take a legalistic approach to what your duties are, you’ll prioritise personal data.”
While cyber attacks have rarely directly resulted in the loss of human lives, there are cases where that is a very plausible outcome. The Five Eyes – an intelligence alliance consisting of Australia, Canada, New Zealand, the UK and the US – has warned that the Chinese government has infiltrated critical infrastructure which could be used to their advantage if there is a significant escalation of tensions, Martin said.
Martin also rejected suggestions that the superior power of quantum computing will dismantle cryptography as society knows it.
But the risk lies in considerations such as which country gets there first – getting to that point three or five years ahead of international competitors would give a country a great advantage geopolitically.
“It’s almost mathematically and engineeringly impossible to have something that can just break all of the modern cryptography and RSA algorithms without being able to write similar things that are equally secure,” he said.
“There’s a lot of work in secret about quantum-resistant cryptography, and there has been for many, many years. Most people would say that when the quantum world comes in with this mind-boggling ability to calculate at scale, the security will be there.”
