| || ||Satyamoorthy Kabilan |
National Security and Strategic Foresight
One of the biggest challenges we face in cyber security is the swift evolution of the threat landscape. With increasing complexity, rapid adoption of new technologies, and emerging risks such as zero-day vulnerabilities, it is impossible to guarantee that any system is 100 per cent secure. While it can be difficult to pinpoint an exact attack vector or vulnerability, understanding the motivation and potential targets of malicious attackers can provide a useful framework for cyber security. This can allow organizations to identify and protect critical assets and systems that are likely to be targeted in a cyberattack. Unfortunately, the targets of cyberattackers are also changing. As I look back at the last two decades, I see a distinct evolution that has occurred in three broad stages.
Stage 1: Show Me the Money
Money was the primary target of early cyberattacks. Whether the cybercriminal was perpetuating fraud, diverting payments, or attacking payment systems, the ultimate aim of the attack was to make money. Most cyber security professionals now treat the targeting of financial transactions and systems as a no-brainer. As a result, anything that comes into contact with such transactions tends to have robust protection. While money remains a significant target for malicious cyberactivity, organizations are aware of and, in most cases, well-prepared for this threat.
Stage 2: Data Is the New Oil
As the recognition of the value of data has grown, malicious actors have shifted their focus to this new commodity. Data can be monetized in various ways by cybercriminals, either through the sale of stolen data or by holding access to the data for ransom. But monetization, particularly by cybercriminals, is not the only motivation for attacking data. The ability to access the intellectual property, knowledge, and know-how of organizations and even nation-states can be very valuable. This means that a host of new actors, including nation-states and private companies practicing corporate espionage, are getting involved in hacking data. There are also those who want to access corporate or government data in order to hold them to account or embarrass them. Multiple motivations exist, but data, not money, is now the ultimate target.
As with money, cyber security professionals are very aware of the interest in data and the potential motivations of attackers who might target it. This has created new cyber security challenges, resulting in the need to protect a larger segment of the information technology landscape beyond financial systems.
Stage 3: I Have the Power
About seven years ago, as part of a strategic foresight exercise, I was involved in examining the evolution of cyber security. A key question was what hackers might target next, beyond money and data. One suggestion I put forward at the time was computing power. While individual devices were getting more powerful, we were starting to see the emergence of large clusters of computers with significant computing power, due to the growth of cloud services. If malicious actors could gain access to vast amounts of computing power, I suggested it might be possible for them to use it in a number of ways, including as a tool for brute-force attacks. This was one of the emerging threats that I flagged for cyber security professionals.
Enter the cryptojacking phenomenon, which seems to have grown rapidly in the past year. Essentially, it involves hijacking some of the computing power of a system to “mine” cryptocurrencies—providing the computing power to validate cryptocurrency transactions and receiving a payment for this service. Malicious scripts in browsers have been implicated in this process, but more recently, reports have emerged of organizations such as Tesla and major utilities having their systems cryptojacked. What makes this type of activity difficult to detect is that it can use a small proportion of the computing power in a major system without targeting data or money, areas that are normally well-protected and heavily monitored.
Although the ultimate motivation for cryptojacking is monetary, other motivations for hijacking computing power may emerge over time. A new target for hackers has emerged, making it necessary to protect computing power in addition to data and finances.
Understanding the potential targets and motivations of attackers can provide a good basis for formulating an effective cyber security strategy. No organization has unlimited funds to protect every aspect of their systems from all potential attacks, but we are better able to invest our security resources wisely if we understand the areas that are likely to be targeted by malicious actors. Protecting money and data are already priorities for cyber security professionals, but we may need to add computing power to that list. While it is possible to build a good picture of emerging cyber security challenges using tools like strategic foresight, the bigger challenge is to proactively deal with these emerging threats, rather than waiting for them to become a significant problem.
Join The Conference Board of Canada’s Cyber Security Centre for regular, in-depth discussions on the latest trends and challenges in cyber security.
Satyamoorthy Kabilan will be running Strategic Foresight training workshops on March 27 in Ottawa, Ontario and April 24 in Calgary, Alberta.
Follow My Team