Legislation against cybercrimes as they exist now can very quickly become obsolete as technologies and criminals evolve.
The hit TV show Mr Robot introduces us to Elliot, a mentally disturbed but immensely talented vigilante hacker with vengeance on his mind. He wants to take down the mega corporation responsible for fatally poisoning his father and his best friend’s mother. He has more grand plans, too. He also wants to wreak havoc on the world’s financial systems, apparently because he believes erasing the accounting records of people’s debt will free them from an insidious form of social control.
A big part of the show’s critical acclaim has been its realistic portrayal of hacker culture and the disillusionment many people feel with the inequalities of the modern world. People with Elliot’s skill levels, and his capacity to justify his otherwise illegal activities, do exist and regularly penetrate the cybersecurity systems of individuals, organisations and governments with as much ease. But seldom do they have his seemingly noble, although misguided, intentions.
Rather, the most prominent cybersecurity threat individuals, organisations and government institutions face today is cybercrime. This threat emanates largely from organised cybercrime syndicates interested in enriching themselves financially. In some instances, the syndicates operate with the backing of nation states in cyberespionage operations, and work to steal intellectual property and state secrets of competing economies.
The threat such cyberattacks pose often goes undetected because those targeted fundamentally misunderstand the cybersecurity risks they face. Because of this, they respond poorly to them, and operate under the illusion of being secure and safe when they are anything but. Regulators also misunderstand the cyber threats, preferring to criminalise without having a real understanding of what it would take to reduce the incidence of this type of crime or ensure that perpetrators are caught.
Understanding the problem
Cybercrime, in its strictest definition, is a set of activities that involve using information and communications technologies (ICTs) to gain unauthorised access to another’s confidential digital information, presence or property. Once those who perpetrate this crime gain access, they are then free to do what they will, be it destroy, impersonate with malicious intent or steal. Some of the most prominent cyberattacks at the moment have involved distributed denial-of-service (DDoS) attacks, which take down an organisation’s online services as revenge or as part of a blackmail plot. Attacks using ransomware – software that blocks access to a computer system until its owners pay over a certain sum of money – are also quite common.
The draft of South Africa’s Cybercrimes and Cybersecurity Bill uses a much wider definition that essentially encompasses any crime committed using ICTs, including hate speech posted online and digital piracy. This is too broad to be useful in combatting the problem and illustrates part of why legislative responses to cybercrime have been ineffective. These days, given the spread of mobile, cloud and other technologies into every aspect of our lives, there are very few human activities that do not involve a computer network. Any attempt at legislation has to be more focused.
These technologies are also evolving rapidly and continue to dematerialise traditional IT environments, creating vulnerabilities that cybercriminals are all too happy to exploit. Where most people fall short of understanding the cybersecurity risks they face is in thinking in tangible-world terms. To keep others from damaging or stealing your tangible personal possessions, you build a wall around them and install a gate that only you can unlock.
This approach to security is ineffective in the digital realm. Over the past couple of decades, there has been a virtual arms race between people and organisations building cybersecurity walls around their most valuable digital possessions, and cyber criminals keen on breaking through these defences. The more defences the former put up, the more ways the latter devise to slip past them.
Criminal syndicates have also proven more adept at finding new ways to get past cyber defences, forcing many organisations to adopt a reactive response that unfortunately is unlikely to foil the next attack. This is why, despite the huge sums being spent on cybersecurity, vulnerabilities remain. Because the sophistication of the attacks evolves at a rate that current defences cannot possibly keep up with, we are at a stage where no one can say that they are completely secure, yet many routinely do anyway.
Part of the reason why this is the case is that cyber criminals routinely exploit the weakest point in traditional approaches to cyber security: the human element.
Weakest link
A large number of cyberattacks involve what is known as social engineering – scams and ruses criminals use to make a user believe they are co-workers, customers or other legitimate parties. This is how the hacker group Syrian Electronic Army took control of Associated Press’s Twitter account in 2013. They sent a phishing email to the news agency’s staff and a user with access to its social media accounts clicked a link in the email, believing it to have been sent by a colleague. Clicking the link allowed the hackers access and they immediately posted a tweet claiming that there had been an attack on the White House and American president Barack Obama had been injured.
The tweet was retweeted thousands of times and US stock markets took a brief but massive nose dive, driven in part by automated trading algorithms, before AP could issue a correction and take back their Twitter account. It is unclear if this attack involved a financial motivation (for example, short selling shares in anticipation of the drop in value the tweet would cause), but the majority of attacks these days are financially motivated.
The lure of financial or economic gain has seen these cyber criminals invest heavily in improving their capabilities to evade or avoid being caught. Their goal is to gain undetected, unauthorised access to an individual’s devices or an organisation’s network then wait months, if not years, gathering intelligence the whole time, before pouncing in a single devastating attack. Others gain access to steal data, which they sell into the e-criminal marketplace that has sprung up on the dark web – the part of the internet accessible using specific software and network protocols. This latter group can operate without ever being detected, meaning that the extent of the cybercrime problem is probably understated. Most estimates report only the attacks that have been uncovered and disclosed.
Nonetheless, by most estimates, South Africa is a top global cybercrime hotspot. Cybercrime across the continent is also a growing threat, meaning that people, organisations and governments on the continent must begin developing effective responses.
A risk-based approach
Responding effectively to the threat of cybercrime requires moving away from the singular focus on building more ‘walls’ and access controls. This approach is needlessly expensive and, as I have said, not always effective. A risk-based approach to cybersecurity threats helps organisations focus on what matters most. It requires drawing up a hierarchy of digital properties based on value and importance, identifying the vulnerabilities that compromise the security of each, and then selectively deploying cybersecurity tools and techniques around the most valuable and important properties.
The approach allows organisations to prioritise the risks and allocate resources to mitigate them more efficiently. To identify what tools and techniques to deploy, organisations should continually gather and analyse intelligence on their own processes and activities, and use that as a basis to assess where the weaknesses lie.
User education is also an important part of the risk-based approach. Technological solutions alone will not mitigate the threat. The approach should also form part of an organisation’s overall risk-management strategy. It should be assigned the budgetary and operational resources it needs, and should be on the agenda of every management and board meeting.
Cybersecurity is not an event. It is a never-ending process of identifying risks as they emerge and developing layers of security that incorporate technological and behavioural tools and techniques. The financial and reputational damage an organisation can suffer when its data is compromised is simply too great for its leaders to allow themselves to believe that they are completely secure and there is no further work to be done.
At a policy level, regulators would do well to consider adopting a focused, principles-based approach to legislating against cybercrime. Current attempts at legislation, like our own Cybercrimes and Cybersecurity Bill, are merely a list of prohibited actions and associated penalties. They do not take into account the fact that cybercrime continues to evolve rapidly in terms of modes and techniques. By the time this type of legislation is promulgated, cyber criminals would have changed their modus operandi, rendering the list of prohibited actions largely obsolete when it comes to combatting the more sophisticated forms of the crime.
Policy should also have a strong focus on disclosure requirements. Cybercrime continues to thrive because there is currently too little information disclosed on attacks, making it difficult for others at risk of a similar attack to realise how vulnerable they are. And while websites such as haveibeenpwned.com are useful in helping individuals know if their personal data stored in the networks of organisations has been compromised, there needs to be a more systematic approach to empowering people to take action in the aftermath of a cyberattack at the companies they transact with.
Competitive advantage
Ultimately, the most significant benefit of adopting a risk-based approach to cybersecurity is that it provides a competitive advantage. It compels organisations that adopt it to continue evolving as the risk environment changes, greatly improving their chances of surviving an attack. The approach also allows them to continue making innovative use of the deluge of new technologies without compromising the integrity and safety of their most valuable assets. These organisations can be agile without being fragile.
Tiaan van Schalkwyk is associate director, cyber risk services, Deloitte Africa