We are justly proud of the new opportunities of online services and networks – but there’s an iceberg that risks holing the digital flagship beneath the waterline, and we’re just beginning to see its tip. Last year, the WannaCry malware attack did not just cause computers to freeze, but entire hospitals to close.
It has brought the issue of cyber resilience into the mainstream of public consciousness and political discourse; though in fact, Europe faces an average of 4,000 ransomware attacks per day. Elsewhere, we’ve seen attacks and other cyber-enabled threats take place for political reasons: hacks targeted at political parties, purposefully orchestrated fake news, and state actors destabilising neighbours with cyber tools and technologies.
The sad truth is that criminals and other malicious actors have never had it so good. Robbing a bank has never been such an un-kinetic activity – what once involved sawn-off shotguns and stocking masks can now be done from the comfort of home; a major attack can cost as little as $5. We now need to show the party is over: making these attacks harder to commit, and easier to trace and punish.
Public policy measures like improving judicial authorities’ access to digital evidence would raise the stakes of cybercrime. But much of the answer lies with the private sector, which ultimately owns most of the internet, and hence much of the threat surface. To assure our cyber security, the industry needs to make a switch: from being a security consumer to being a security provider, and from seeing security as a cost to seeing it as a competitive advantage.
In the “gold rush” to be the first to get products to market, security is – unfortunately – not always first on manufacturers’ minds. Relatively simple measures – encryption; eliminating redundant code; unique passwords – get forgotten about, even if they are actually vital to our collective security.
The consequences are already apparent: the Mirai botnet, the first significant attack originating from the Internet of Things, recently took control of around 150,000 routers and CCTV cameras; a few years ago, 600,000 homes in Ukraine lost their electricity, after a deliberate cyber attack was used in a Death Star-like demonstration of power.
These vulnerabilities need to go. The tech industry has a duty of care to its customers to ensure products are not just secure by design, but kept up to date as new threats or weaknesses emerge.
The private sector has plenty of reasons to start taking this seriously. As people become more aware of the grave consequences, there will be a growing clamour for secure products. Cyber resilience will become part of what customers value in a brand; companies with lax standards will see reputational damage. Corporate governance will soon start providing a push, too: recent incidents at Equifax and Uber caused public and political outcries aimed at board level.
According to a recent PWC survey, the proportion of CEOs worried about cyber threats as a major concern for growth prospects leapt from 24 per cent to 40 per cent in just one year. Meanwhile, the cyber insurance market, whose value in Europe is likely to treble to nine billion euros by 2020, will start to enforce its own discipline, rewarding those who take the right precautions.
The public sector can support this market shift. The rules set out in new EU data protection legislation – including fines of up to €20m for breaches – reflect the seriousness with which EU citizens treat their personal privacy, and offer a powerful incentive for businesses to act accordingly. That is sorely needed: over 12 months, two billion personal records were reported as breached, according to the EU police agency Europol.
New EU network and information security laws will also oblige national governments to ensure that critical infrastructure is protected from electronic attacks. Major sectors such as banking and transport will have to assess and take action against cyber risks – and ideally others should too, especially the public sector. Once they start doing so, there will be a large scale market to supply cyber secure products.
These pull factors must be combined with a push. EU economies of scale mean we are working with the private sector in a €1.8bn partnership to develop new cyber technology – a partnership we intend to extend and develop.
We have also just announced we will be supporting a voluntary framework for certification, so suppliers of new connected devices can assure potential customers their wares are cyber secure, across the largest single market in the world. Currently some EU countries have such standards, and others don’t; in some cases, businesses must submit to separate tests in each EU country they want to sell in – a cost most can ill afford.
With 95 per cent of cyber incidents enabled by some kind of human error, this “big picture” security needs to be accompanied by the most basic cyber hygiene – ensuring everyday internet users have the digital savvy to avoid putting themselves at risk: choosing decent passwords, backing up their work and so on.
Ultimately, keeping us all secure will require the market to change its model. Upgrades are expensive – and we end up with a situation where, for example, forces like Greater Manchester Police try to squeeze as much juice as they can from the lemon, and hang on to obsolete systems such as Windows XP.
If they are not sufficiently secure, we all pay the price. Cash-strapped public services, in particular, would benefit from a more flexible approach – for example, where you can get a residual trade-in value for out-of-date software, just as you would for your old car.
Malware and cyber attacks sit alongside a host of other cyber-enabled risks: online terrorist propaganda, election tampering, and “fake news”-style misinformation. Each of these threats needs a different, tailored response, which will in any case have to recognise fundamental rights like free speech. But, here again, the private sector has a major role to play.
The EU is working directly with internet platforms small and large to ensure terrorist material from Da’esh and others gets taken down immediately, or is prevented from upload; we will consider EU legislation if it is needed.
On fake news, we want to support a free and quality media, while ensuring people have the digital awareness and critical thinking skills to separate fact from fiction.
Looking to the future, like many of the other security threats we face, cyber risks are not targeted against any one European nation, but against all of us, and the values we share; they travel easily across borders. The products and services we use online are sold in many different countries; so are their vulnerabilities, and the internet value chain is only as strong as its weakest link.
So ongoing cross-border cooperation will continue to be the best way to manage a cross-border threat – something which both sides in the current Brexit negotiations have recognised. None of that is to say it will be easy: there are legal, political, technical and financial issues to resolve.
The coming months give both major parties the opportunity to work out, in detail, how they want the future relationship to look. Security, online and off, should be a major element.