Here is a brazen burglar story: A wealthy man calls the cops to report a burglary at his house. He alleges thieves have stolen a big bag of cash that he was planning to deposit in the bank the next day. After a long and tiring search, the police nab a suspect and bring him to trial. The suspect pleads not guilty. The trial drags on for a month, and the judge dismisses the case for lack of evidence. “You’re free to go,” the judge tells the suspect. “Thank you, your honour,” the relieved man smiles. “Does this mean I get to keep the money?”
If that story made you chuckle, this prediction should make you buckle: Cybercrime as an illicit industry will rake in US$10.5 trillion (RM47 trillion) annually by 2025, compared to US$6 trillion in 2021 and US$3 trillion in 2015. In gross domestic product (GDP) terms, cybercrime would be the world’s third-largest economy, after the US and China. That prediction comes from Cybersecurity Ventures, a US cyber-research agency.
“This represents the greatest transfer of economic wealth in history,” the firm says. “It is exponentially larger than the damage inflicted from natural disasters and more profitable than the global trade of major illicit drugs combined. Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, deals in personal and financial data, embezzlement, fraud, post-attack disruption, forensic investigations, restoration and deletion of hacked data and systems, and reputational harm.”
Research house Gartner defines cyberattacks as those that fall under operational technology (OT) or cyber-physical systems (CPS). “The financial impact of CPS attacks will reach US$50 billion by 2023,” Gartner predicts. “The costs for organisations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant. We believe most CEOs will be personally liable for such incidents.”
The humongous profits that can be made via cybercrime have lured organised crime and nation states into the fray. “The stereotypical hacker working alone is no longer the major threat,” notes McKinsey & Co. “Cyber-hacking is now a multibillion-dollar enterprise, complete with institutional hierarchies and R&D budgets. Attackers use advanced tools, including AI (artificial intelligence), ML (machine learning) and automation.”
The fear? Over the next several years, hackers will expedite — from weeks to days or hours — the end-to-end attack lifecycle, from reconnaissance to exploitation. For example, Emotet, an advanced form of malware targeting banks, can change the nature of its attacks. In 2020, leveraging AI and ML techniques to increase its effectiveness, it used an automated process to blast out contextualised phishing emails that hijacked other email threats — some even linked to Covid-19 communications.
“Ransomware as a service and cryptocurrencies have substantially reduced the cost of launching ransomware attacks, whose number has doubled each year since 2019,” McKinsey says. “Other types of disruptions often trigger a spike in these attacks. During the initial wave of Covid-19, from February 2020 to March 2020, the number of ransomware attacks globally spiked by 148%, and phishing attacks jumped 510%.”
What can governments and enterprises do proactively to mitigate the risks? In July 2022, the US tabled a bill to boost coordination across the federal government to address cybersecurity vulnerabilities. Once passed, the Proactive Cyber Initiatives Act of 2022 will give the National Cyber Director the authority to resolve risk conflicts between agencies that have overlapping cybersecurity jurisdictions and would require penetration testing for moderate- to high-risk government systems.
Meanwhile, Singapore has asked all telcos to roll out automated filters to weed out potential SMS scams. From Jan 31, 2023, companies that wish to communicate with their customers via SMS need to register with a government-backed central registry; the sender IDs will bear their brand names.
Singapore’s SMS Sender ID Registry, which started operations in March 2022, can detect and block spoofed SMS messages. So far, its use has been voluntary. From January to June 2023, all non-registered SMS Sender IDs will bear the header “Likely-SCAM”. From July 2023, messages with non-registered SMS Sender IDs will be blocked by default.
Some cybersecurity professionals are taking the game a notch higher by exposing the loopholes in licensing and personal authentication. For instance, every country — and every state in the US — has different regulations for getting a driving licence. Modern driving licences incorporate laser perforation, a UV image of the licence holder, micro-printing of tiny text, and a hologram. All of which would make it tough to forge one, right?
“Let’s just say that it’s not very difficult,” says a senior cybersecurity professional. “The proof of the pudding is in the authentication. Is the spoofed card accepted by the authorities? Does it pass through semi- or fully automated electronic scanning systems? Can it be used to apply for a bank loan or a passport?”
To prove his point, he worked with scammers and got his mugshot added to fake (or real) driving licences in a couple of states in the US, and one each in Canada and Australia. He also contracted a movie special effects professional to create a realistic facemask with tiny holes for the eyes and nostrils. To complete the fake equation, he had fake fingerprints etched on elastic silicon. Put together, he could pass off as an altogether distinct individual with a fully authenticated identity that could open bank accounts and cross national borders.
He says he did this to prove the ease with which it can be done, if you are ready to invest a few thousand dollars in creating a new, fake, you. It cost him under US$10,000 to create one. He says he never used his fake identity, but that it is important that governments, especially law enforcement, work in concert across borders to nab cybercriminals who might pass off as being who they claim to be.
“In the cybercriminal word, this is called synthetic identity,” says Rajat Maheshwari, Mastercard’s vice-president of digital identity and cybersecurity for Asia-Pacific. “The scammer uses both real and made-up data to create a new identity, thus making it harder to detect the fraud. When your identity is amalgamated with some other individual’s personal information, banks can fall prey to synthetic identity theft, since much of the information criminals provide them is legitimate. For example, a criminal may get away with applying for a credit card using a fake ID.”
Is it possible for companies to be truly cyber-secure, given the expanding breadth and depth of cyberattacks? The odds favour the threat actors; they only need to exploit one security vulnerability to succeed, whereas the victim companies must continually and proactively keep their defences secure.
Foo Siang-tse, NCS Cyber senior partner for cyber, advises companies to adopt a “zero trust” and “assume breach” culture. “Never trust any person or device implicitly, always validate and assume the company has been cyber-breached,” he says. “Companies can prepare proactively by practising basic cyber-hygiene, including regularly patching vulnerabilities, securing privileged accounts, and identifying anomaly alerts from potential incidents.”
How does NCS keep its own systems secure? “Humans are the ‘final’ firewall,” Foo says. “We conduct regular security awareness training and readiness exercises, such as phishing training. Given our geographical coverage, our clients expect us to comply with standards from various jurisdictions. NCS goes through annual audits to ensure we meet those standards, such as ISO27000.”
Gartner recommends that organisations adopt a framework of 10 controls to improve security posture across their facilities and prevent incidents in the digital world from having an adverse effect in the physical world:
Define: Roles and responsibilities. Appoint an OT security manager for each facility, responsible for assigning and documenting roles and responsibilities related to security for all staff and any third parties.
Ensure: Appropriate training and awareness. All OT staff must have the required skills for their roles. Train staff to recognise security risks, common attack vectors and what to do in case of a security incident.
Implement: An incident response protocol. Ensure each facility implements and maintains a security incident management process: preparation, detection, containment, eradication and recovery.
Backup: Ensure proper backup, restore and disaster recovery procedures. Do not store backup media in the same location as the backed-up system. Protect backup media from unauthorised disclosure or misuse.
Manage: Scan all portable data storage media such as USB sticks and laptops, even from external parties such as subcontractors. Only media free from malicious code or software can be connected to the OT.
Have: An up-to-date asset inventory. The security manager must keep a continuously updated inventory of all OT equipment and software.
Establish: Proper network segregation. All traffic between an OT and any other part of the network must go through a secure gateway solution, such as a demilitarised zone (DMZ). Deploy multi-factor authentication.
Collect: Logs and implement real-time detection. Appropriate policies or procedures must be in place for automated logging and reviewing of potential and actual security events.
Implement: Secure configurations must be developed, standardised and deployed for all systems, such as endpoints, servers, network devices and field devices.
Deploy: A formal patching process. Implement a process to have patches qualified by the equipment manufacturers. Once qualified, apply the patches on systems with a pre-specified frequency.
Since we started with a burglar story, let us end with a burgling one. Many decades ago, as a student, I shared an apartment with a friend. Since we were always short of money, we often kept leftover food in the fridge in the kitchen. One night, after a boisterous party, we went to bed and forgot to lock the main door. In the wee hours, I heard sounds of utensils.
“Bro, I think there’s a burglar in the kitchen,” I shook my friend, who was sleeping on the other bed. “I think he’s eating the fried stuff that I made two days ago.”
My friend, half asleep, told me off. “You’re a lousy cook, so don’t worry about the crook,” he yawned. “We’ll call an ambulance in the morning.”