
Learning the language of cyber security

With tales of how to hack a country, and a government, the ITWeb Security Summit is not for the faint-hearted.


The cyber threat we’re facing is very real and has the ability to bring down countries and businesses alike. Cyber security professionals need to work together to address these issues, and help create a more secure world in which information can be trusted.

This was the standout message at this year’s ITWeb Security Summit at the Sandton Convention Centre.

In his keynote, Charl van der Walt, the chief strategy officer at SecureData and SensePost (UK), spoke about the erosion of trust and integrity brought about by cyber crime and misinformation.

“Our independence and integrity as a nation depend on our ability to ensure the integrity of the digital systems on which modern economies depend. This is not just a problem for the military and government, but for everyone tasked with protecting a system that people in SA use,” he said.

He was followed by cyber analyst Pukhraj Singh, who discussed how campaigns of subversion by nation-state actors, and the incitement of domestic movements supported by them, are practices that have been around for hundreds of years but are now being employed in the cyber realm.

Singh said today’s connected and digital world provides a highly effective new platform for promoting the means of subversion through the weaponisation of information itself, as well as sedition through cyber attacks on governments’ critical infrastructures.

Paraphrasing Alexander Klimburg’s The Darkening Web: The War for Cyberspace, he said: “The apocalyptic fear is not that the lights will go out because of a cyber attack; the real fear is that the lights will never go out, and that you’ll be subjected to a panopticon of surveillance and manipulation from which you cannot escape.” Singh stressed that the world is presently involved in a cyber ‘arms race’.

Continuing this theme, Veronica Schmitt, academic and lead forensic analyst at DFIR LABS, spoke about how governments may not be taking the risk of a cyber attack on critical infrastructure seriously enough. She believes that governments’ approaches tend to be reactive instead of proactive, and that critical national infrastructure that often runs older, simpler systems was not designed to withstand sophisticated attacks.

She believes the key to cyber war is not to cripple key infrastructure one by one, but to take them all down strategically and simultaneously. Her first step would be to cripple healthcare systems, water infrastructure and facilities such as food reserve storage. As citizens tried to flee, she would then lock down all transport and logistics infrastructure, as well as prevent any aid from reaching them. “I’d leave the telecommunications and electrical infrastructure on, to keep my attack alive,” she said.

Evolving threats

Cyber security skills, or the lack thereof, was another topic covered extensively during the summit.

The fact that businesses rely on predictions in order to plan their strategies for the future, yet no one can accurately predict what will happen in 10 or even five years, is making us vulnerable, said Ofir Hason, CEO and co-founder of CyberGym, which is based in Israel. He added that this is particularly true when it comes to cyber security, where threats are constantly evolving, and are increasing in volume and sophistication.

He described how his country was under constant attack, and having technological superiority across a variety of fields was crucial to its survival. “The best way to prepare for this unknown future is to make sure that we have the appropriate skills and enough trained individuals who have the ability to cope with whatever happens, even if we have no clue what form that might take.”

He offered the audience some alarming predictions.

• Larger and nation-state cyber attacks will increase by 40% from 2019;

• Political cyber crimes, such as those involving election fixing and tampering, will rise by 300%;

• Cyber terrorism – both physical and strategic – will be 600% up on the period from 2014-2019;

• There will be a 2 000% increase in artificial intelligence-driven non-human/half-human avatars, such as fake profiles on social media delivering fake news in an attempt to influence people and organisations. This can be a very powerful tool for evil – but avatars could also be used to protect.

Pete Herzog, co-founder and member of the board of directors of ISECOM, spoke of how the constant drive for profit is seeing cyber security suffer. Cyber security, he said, is being sold as a way to increase profits, retain customers and keep the stock price up, but, in reality, it’s a cost centre, with a loss motive and no real profit incentive.

He said the common maxim has been that security professionals need to learn the language of business, but business should also learn the language of cyber security. He stressed that there is no incentive for business to learn it, so they won’t. “Business schools still do not need to teach cyber security. Business doesn’t get fired for bad cyber security; they get fired for making bad deals.”

However, Herzog said there is a co-dependency that needs to be acknowledged, although business doesn’t realise it. “Business needs us, and we need business. It still thinks it needs to sow its wild oats. Meanwhile, security is getting desperate, and trying like hell to make security sexier so they’ll pay attention to us.

“If cyber security was an animal, it would be a raccoon, protecting the dumpster it eats out of while thinking that washing its hands in the creek somehow makes it dignified.”