In an increasingly digitised world, the stakes in the battle to defend computer systems against cyberthreats are higher than ever before, say experts at the inaugural SMU Cybersecurity Forum.
Back to Research@SMU Events Feature Series
By Sim Shuzhen
SMU Office of Research & Tech Transfer – In December 2015, hackers gained remote access to computers in power distribution centres in western Ukraine, taking them offline. The attack – believed to be the first to successfully target utilities – left some 225,000 people without power in frigid winter conditions.
In an increasingly digitised world, where the emergence of the Internet of Things (IoT) has resulted in the computerisation of everyday objects, everyone from individuals to government organisations must take threats to cybersecurity even more seriously, said Professor Robert Deng of the Singapore Management University (SMU) School of Information Systems (SIS).
“With the integration of cyberspace and physical space, anything that goes wrong in cyberspace will not only have an impact on data and information systems, but also on the physical world – including human safety and critical infrastructure,” he cautioned.
Professor Deng was delivering the keynote address at the inaugural SMU Cybersecurity Forum on 17 April 2017, at which he was also conferred the AXA Chair Professorship of Cybersecurity.
The Forum also featured a panel discussion on the future of cybersecurity, moderated by SMU Vice Provost (Research) Professor Steven Miller, and comprising Professor Deng; General Insurance AXA Asia CEO Mr Jean Drouffe; Government Technology Agency of Singapore (GovTech) Senior Director (Government Cyber Security Group) Mr Chai Chin Loon; and StarHub Chief Business Development Officer Mr Mock Pak Lum.
Levelling the playing field
In the cybersecurity arms race, defenders invariably find themselves a step behind, said Professor Deng. “We are fighting an asymmetric battle, which is to the advantage of the attackers,” he said.
He outlined several reasons for this. First, today’s commercial operating systems are extremely complex, comprising tens of millions of lines of code; this translates into an increased number of vulnerabilities. Second, many legacy systems, designed in an era when security was not a major concern, are still in use. Third, there are not enough qualified cybersecurity professionals to design and implement new security measures.
On top of that, the defenders’ job is inherently more challenging than the attackers’. “Defenders have to control all vulnerabilities, whereas attackers only have to exploit one,” Professor Deng pointed out.
“The entry barrier for attacking is also very low – you only need a few people with expertise to come up with the attacking code. The rest can just purchase or rent stolen data, malware and attacking services on the internet, where there is a huge trade in these things.”
What can the good guys do? “Most importantly, we need strong public and private collaboration,” said Professor Deng. “In cyberspace, government agencies, tech companies and private organisations are all on the frontline.”
The public and private sectors, he said, should continue to invest in cybersecurity research and training. Researchers at SMU SIS, for example, work on various aspects of cybersecurity, including applied cryptography, network security, data security and security management, often in collaboration with industry, he added. In addition, the School’s bachelors, masters and doctoral degree programmes all offer cybersecurity tracks.
It will also be critical to raise awareness among the general public, he said. “Today, 90 percent of security incidents are due to a lack of user awareness. Internet users should be able to recognise danger signs – for example, we should have enough basic knowledge to verify that we are not transacting with a phishing site.”
Sharing is caring
For Mr Chai, a key challenge is determining the appropriate level of security to enforce. “Security involves balancing three axes: how secure we want to be, how much budget we have, and how much functionality we want to deliver,” he said. “These run counter to each other – if you need more security, you pay more and lose functionality, for example. We help government agencies craft security profiles depending on how much risk they are prepared to accept.”
Drawing a parallel to the air travel industry, which greatly improved its safety record through sharing information about faults and incidents, Mr Mock said that the cybersecurity field would benefit from doing the same. “I think it's imperative that we as an industry do more sharing,” he said. “Perhaps there could be a platform for people to share securely, without damaging the reputation of parties who have been compromised.”
Mr Chai agreed, but said that sharing had to be done carefully. “Over-sharing could let the attacker know precisely how much you know, and how good your sensors are,” he said. “But being a community, we still have to share. There are automated protocols that allow threats to be shared quickly, and we should continue to promote these.”
Mr Drouffe said that information sharing would also be useful for the cyber-insurance industry. “There is little public awareness about the consequences of cybersecurity attacks,” he said. “On the insurer’s part, we don’t have enough data to be clear about how to price products, and what to give as a cover. With more data, we can be clearer about the risk.”
Analytics and automation
“Instead of physical assets, companies’ value is now increasingly in intangible assets such as data,” added Mr Drouffe. As such, business interruptions are now more commonly caused by cybersecurity-related incidents, with small and medium enterprises being particularly vulnerable, he noted.
To defend against ever more sophisticated threats, new tools such as the use of deep analytics to understand internet traffic patterns and user behaviour are needed, the panel agreed.
With the IoT becoming more widespread, it is now also critical to protect data integrity, in addition to data confidentiality, said Professor Deng. “Confidentiality refers to keeping data private; integrity refers to making sure that it is not changed or delayed during transmission,” he explained. “If confidentiality is compromised, a company’s reputation could be damaged. But if data integrity is compromised, there will be an impact on the real world – driverless cars, for example, could be affected.”
Building security measures into the sheer number of devices predicted to make up the future IoT presents a huge challenge, said Professor Deng. “We cannot have piecemeal solutions, each operating in isolation,” he reasoned. “That is not acceptable –we need automation and a unified system.”
Back to Research@SMU Events Feature Series
Image credit: Sim Shuzhen