Combatting cybercrime is not just a matter of installing an antivirus program or running a software update. It’s more like fighting the Hydra of Greek mythology – cut off one head, and two more will grow back in its place.
As such, cybersecurity is not an outcome, but a process, and a vitally important one. But around the world, organisations have been slow to understand what it takes to be cyber-secure. SONY, Citigroup, the Commonwealth Bank of Australia, Ashley Madison and many others have made the headlines after falling victim to cyberattack.
Professor Jill Slay AM is La Trobe University’s Optus Chair of Cybersecurity. She sits on the board of several cybersecurity committees and has worked closely with government and defence to help combat cybercrime around the world.
Professor Slay says that part of what makes governments and organisations vulnerable to cybercrime is the many different systems and devices, often insecure, that connect to an organisation. These systems and devices provide ‘vectors of attack’ that can be exploited by cybercriminals.
The human in the loop
Cybercriminals are always looking for an angle to exploit and often this involves preying on human error. For example, a government or company website might be highly secure, but the personal devices of an employee might be much more easily compromised. Hacking into an employee’s phone or laptop could give up the password that the criminals use to get inside the organisation’s system.
It’s a bit like putting security screens all over the front of your house and then leaving the back door open.
In the past, organisations have failed to understand how the interactions between human and machine make organisations vulnerable to cybercrime. This fixation on ‘technical’ security means organisations have overlooked what Professor Slay calls ‘the human in the loop’.
No single set of security measures can ensure an organisation’s safety and there is no simple way to guarantee cybersecurity. However, Professor Slay says that one place to start for a Chief Information Officer would be an audit of the systems, the development of an enterprise security plan, the establishment of a cybersecurity team or the purchasing of managed services.
Security costs money, and it’s important for each organisation to understand its own risks and requirements in relation to a potential hack. A defence contractor, for example, would spend much more than a garden centre. Professor Slay says pricing your cybersecurity requirements is about valuing assets, determining the effect of a breach, assessing risk and mediating it.
Going on the offensive
Some organisations take a more aggressive approach than closing down attack vectors or establishing lines of defence. Retaliatory cybersecurity is a deterrent by which organisations ‘hack back’ at attackers. This might take the form of a computer virus that travels back along the lines of a breach and infects the computers of those seeking to compromise your system.
As tempting as it might be for organisations to get one back at those who would seek to do them harm, retaliatory cybersecurity presents a couple of serious problems. The first is that hacking, even in defence, is currently illegal. Whatever short-term satisfaction is gained from hitting back might be undone by trouble with the law. Secondly, there is the risk of escalation. Fighting back might provoke the cybercriminals to wage an all-out war on your system and take it down completely. In the case of a country, a cyberwar could cause hundreds of millions of dollars of damage, and destroy diplomatic relations and lives.
Careers for digital defenders
On one hand, cybercrime is such a new and varied phenomenon that it remains a complex and difficult issue for organisations to come to terms with. On the other hand, it presents a fantastic opportunity for learning and employment for those with an interest in the subject.
Professor Slay says that across the technical, legal, policy, business and behavioural fields of cybersecurity, there are millions of jobs available internationally. In Australia alone, she expects there to be up to 9,000 vacancies in the next few years. So, if you’re after a career in cybersecurity, according to Professor Slay, ‘You’ll never be unemployed’.
What does it take to keep an increasingly interconnected world secure? Find out at La Trobe’s Bold Thinking public lecture, ‘Digital Defenders – Who’s guarding us from cyberattack?’, on Thursday 21 June, 2018.