The serpent’s tale is a powerful narrative that has captured man’s attention over millennia. The contemporary version of the story goes something like this: the digital garden at first was created as a lush world filled with smart gadgets, useful computer programs, fun games, social networks and great business opportunities. People were delighted with these gadgets and used them freely to their hearts’ content. But then a snake entered this garden and hid in the undergrowth.
This serpent was more cunning than all of the gadgets and programs in the garden. It told people that they could partake in superior knowledge, if they just clicked on its emails and attachments that promised innocent fun and untold riches. But when the people listened to the snake and clicked, viruses and Trojan horses were unleashed and infested the digital garden. Thus, evil was released and proved impossible to eliminate.
In 2017, this ancient serpent is only too real. It is called malware and has reached a proliferation rate that is mind boggling and difficult to comprehend. What does it mean for individuals in the digital world that more than 1 million new malware tools come into existence every three days and that their number keeps growing? Or that more than 500 million personal records were stolen or lost in 2015, according to the 2016 Internet Security Threat Report?
How can an average user visualize, in front of their inner eye, that according to the Cisco Cybersecurity Report 2017, spam email increased from 500 spam messages per second in 2012 to 3,500 spam emails per second in 2016? Moreover, what can one do to protect their mobile phone? At the world’s largest congress for innovation and products in this sector – the Mobile World Congress (MWC) last month in Barcelona – security companies like Intel took this opportunity to turn our attention to the vulnerability of our beloved smartphones and pushed their various solutions, such as multi-factor authentication and home security platforms.
Numbers concerning the impact of breaches on businesses are just as bad. According to Cisco’s report, which was released at the end of January, of the organizations that experienced cyber breaches, more than one-fifth lost customers after a breach, almost one-third lost revenues, and close to one-quarter lost business opportunities. Serious damages – more than 20 percent losses of customers, revenue or opportunities – struck about 9 percent, 11 percent and 10 percent of breached organizations, respectively. There are reports by the bucket, which all have in common that they generally document the steady increase of cybercrime and also show that average costs per breach can be life-threatening for small, medium and large businesses.
Actually, whichever source one checks, all numbers about malware are bad, as malware is growing rapidly. But it is not only mass that matters. The student hackers of before, who did their hacks simply because they could, are still around, as are ideological hacktivists and small-time crooks. Yet the really malignant cyberactors today can be crime syndicates, terrorist organizations and even states. Cyberattacks are no longer like aiming a shotgun on a flock of small birds in the indiscriminate expectation to hit any one of them. They can be as surgical as a remote-controlled scalpel, hitting deliberately sought-out targets that can be a specific bank, government agency, any large corporation, small company, or even a single family or an individual.
With improved organizational skills on top of the high rate of proliferation and the increased sophistication of attack instruments, it is estimated that cybercrime will expand exponentially for years to come. Given a growth rate of internet viruses that would make any ethical company blush with shame for expanding so fast because it would be a sign of being either unsustainable or exploitative, the economic infestation of the digital world with cybercrime is predicted to grow eightfold in impact by the year 2020.
It can hardly come as a surprise, therefore, that there is an increase in cybersecurity conferences in the Middle East this year (the Executive calendar of regional conferences last month listed four conference headers containing the word “cyber” for the period between February and April 2017, up from one event in the same timeframe in 2015 and two in 2016). It is also unsurprising to see the internationally growing flood of alarming reports from the cyberfront, which generally mix dreadful warnings about cybercrime damages, with a pitch for selling this or that cybersecurity service. But, it nonetheless bears repeating that cybercrime is projected to reach $4 trillion in four years time – nota bene about the same magnitude as the GDP of Germany.
Clearly, it has not escaped companies around the world that the only thing we can safely say about our digital lives is that they are not safe. Banks are the biggest prize for many cybercrime syndicates where 2016 and the still young 2017 saw some spectacular international breaches. One large recently reported case involved Lloyds Banking Group in the United Kingdom. Claiming in an overview of its business to be the UK’s largest digital bank with 12.5 million online customers, Lloyds Banking Group has 818 billion pounds in assets (2016) and includes Lloyds Bank, Halifax Bank and Bank of Scotland. It was attacked in a distributed denial-of-service (DDoS) assault in January 2017 and for two days was under heavy data fire.
This breach also got a lot of attention because it had been preceded only months before by another successful cyberattack against a UK bank. In that incident it was TESCO Bank that suffered online thefts amounting to about 2.5 million pounds in total. The bank, which has more than 7 million customers, reported that roughly 9,000 customers each had as much as 600 pounds (approximately $750) siphoned from their accounts and pledged to refund those losses within 24 working hours. But, last year’s biggest incident in the financial markets was the criminal exploitation of the SWIFT interbank messaging network via an intrusion into Bangladesh Bank, the country’s central bank.
According to a December 2016 statement by security company Kaspersky Lab, this incident constituted “the [world’s] biggest financial heist” and used SWIFT-enabled transfers to steal $100 million, of which many millions appear to have not yet been recovered. According to reports, SWIFT has since updated its network through a global payments innovation (GPI) messaging platform and is asking member banks to take better cybersecurity measures.
Banks in Lebanon are clearly awakening to the challenges they face in the digital realm, or they are at least more aware than they were some years ago, said several Beirut-based cybersecurity experts. Moreover, every local cybersecurity consultant or company that Executive talked to said that banks constitute between half and 80 percent of their clientele. However, it seems that there is much room for improvement in the cyberdefense strategies of Lebanon’s banking industry, and there are open questions about the statuses of their cybersecurity measures. Some experts said that they found holes in the protection of some banks, and a surprising number of Lebanese banks told Executive that they preferred not to give interviews about cybersecurity issues, citing their “sensitive nature”.
The state of Lebanese cybersecurity is much foggier when it comes to the private sector economy outside of banking and the public administration in this country. From missing experts to non-existing budgets and weak awareness, the picture of cybersecurity in civilian government agencies is, politely said, dim and very different from developed countries.
In the United States, for example, the federal authorities are major cybersecurity customers. There is even a specific assessment of this market that estimates annual federal investments into cybersecurity with a recent forecast for spending to grow from $18 billion in 2017 to $22 billion by 2022, at a steady compound annual growth rate of 4.4 percent. In the European Union, regulatory cyberframeworks of international consequence have been adopted in 2016 and the EU’s General Data Protection Regulation – with steep fees for violators of privacy – will come into force in 14 months, in May 2018. In the UK, the new National Cyber Security Centre (NCSC) – operating since October 2016 – was inaugurated last month by Queen Elizabeth. The NCSC was created as an authority on cybersecurity, with a mission to improve cyber resilience.
Lebanon seems to be nowhere near similar levels of readiness found in the public sectors of the developed world. This is problematic for a number of reasons. There is no doubt that Lebanon has its share of state-level enemies which have a vested interest in creating any sort of impairment for the country’s development or obtaining sensitive information from public administration units. In addition, 2016 made it clear that age-old hostile behaviors of states (reminiscent for example of the Cold War era) have gone digital, such as seeking to influence a country with propaganda or manipulating elections with fake news.
Government agencies in the Middle East had a very recent reminder about the danger of targeted cyberattacks against them, attacks that were very damaging and possibly involved state sponsors. The Shamoon 2 virus made a repeat appearance in Saudi Arabia in January, after viruses from this family have hit the country twice in the past. Shamoon 2 targeted and disrupted at least 22 institutions, Al-Arabiya reported, including several ministries. Remarks made by government officials from several GCC countries at a cybersecurity conference held last month in Saudi Arabia said that there was an increase in attacks on their countries. Moreover, there are numerous initiatives in Gulf countries to embellish cyberdefenses and legal frameworks.
The defensive wall
In a broader picture, the global landscape of cyberthreats and defenders (see infographic below) has its villains that are growing more powerful and sophisticated from year to year. The malware arsenals of villainy are stocked with a wide variety of tools: viruses, their variants, such as worms which are self-contained malware and Trojans which disguise malware as innocent or useful programs, and further sub-variants from rootkits that give illicit administrator-level access to a computer or network to ransomware that blocks the legitimate owners’ access to a computer.
Across from these cyberattackers and their arsenals stand the other stakeholders in the digital world. They use perimeter defenses such as firewalls, preventive approaches such as assumed-breach policy, early detection instruments such as threat monitoring, forensic tools and skilled defense centers such as SOCs and CERTs, and most of all try to fortify the entities most vulnerable to falling for cyberattacks – the human being in the digital world – through training and awareness building.
All non-villainous stakeholders in the digital world are in one of two general categories: those that are primarily targets, like financial companies, utilities, the industrial sector, education institutions etc., and those that are defenders against cyberattacks, like specialized software companies and cybersecurity consultants. The borders between stakeholders that are targets and those that are defenders importantly are fluid: cybersecurity and defense is everybody’s affair and some of the leading contributors to the protection of the digital world against evil attacks are the large software and systems multinationals, network operators, integrators, device manufacturers and all companies with large IT departments.