Cyjax has partnered with Security Magazine to bring you a monthly Cybersecurity and Geopolitical vodcast hosted by Chief Information Security Officer (CISO) of Cyjax, Ian Thornton-Trump, and Tristan de Souza (Editor and Head of Communications), in which they ruminate on the enmeshing of cybersecurity and geopolitics and the new challenges and intriguing flashpoints these bring to enterprise security and risk professionals. Don’t miss this informative, insightful and entertaining monthly video podcast and find out the latest talking points affecting your industry, your career and the future of security. Listen to Episode One now!
U.S. President Joe Biden has committed to spend $10 billion investing in the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) to help launch new cybersecurity and IT shared services, as well as other cybersecurity programs around government. This is a large sum, whichever way you cut it, but is it enough and is it going to right places?
The cybersecurity industry worldwide is worth around $150 billion; in the UK the sector is worth roughly $11.3 billion. Losses from cybersecurity incidents – which is a broad category, including everything from ransomware attacks to phishing – is forecast to reach something like $10 trillion by 2025. Clearly, the U.S. administration cannot be expected to bear the brunt of these costs, not least because that is a global total, but could this be a case of throwing good money after bad? The SolarWinds supply-chain attack has seriously impacted several U.S. government departments. The cybersecurity measures in place here were clearly insufficient. As Ian and Tristan note in the podcast, however, industry must take some of the responsibility for ensuring we all operate in a safe business environment. Biden’s investment in cyber is a good start, though, indicating just how important cybersecurity is both in politics and everyday life.
How to solve a problem like Vladimir
Another thing the SolarWinds debacle revealed was just how advanced Russian threat actors are. While it has not been conclusively attributed to Russia, the espionage operation was long-running, skillfully executed, and stealthy, all characteristics of a sophisticated group. Russia has a long history of cyberattacks, and many of its state-affiliated groups have conducted extremely damaging incursions against political targets in the West. How, then, to stop this happening without provoking a full-on kinetic response? Sanctions will hit Putin economically. They also, paradoxically, may strengthen the Russian president politically, because he is able to paint a picture of Russia against the world and malignant, primarily Western forces, looking to bring his country to its knees. So how to solve a problem like Vladimir?
The new US President certainly has a problem on his hands: Russia is happy to play fast and loose with international norms – or disregard them entirely – and Putin does not view the relationship with the US as intact, anyway – “you can’t spoil a spoiled relationship”, he is quoted as saying in December. Russia is also a massive threat to Western democracies, and their cyber capability has been used offensively in several elections over the last five years. With the EU undecided on the best course of action, and China an added, major distraction, this problem doesn’t look like being solved anytime soon.
Pandemic of Phish
Cybercriminals will use lures that are most likely to get recipients to open their emails. Often this is upcoming tax deadline day, offers for deals on good at Christmas, or major sporting events. In 2020, of course, they were gifted a whole new avenue: the coronavirus pandemic. Over the course of the last year, Americans lost almost $100 million in COVID-19 and stimulus check scams. This sickening statistic is mirrored in the UK, where threat actors have used NHS COVID-19 vaccine appointments, government business support schemes, and other benefits related to pandemic survival. Invariably, recipients are asked to enter sensitive information: anything from full name and date of birth to passport or Social Security number. This data could be used to conduct additional phishing campaigns targeting the user, or for fraud and identity theft. Malicious actors will always exploit current affairs, but in a pandemic, this seems more depraved than ever.
One of the major stories of this year centred around the incredible rise in the price of shares in struggling US gaming store chain, GameStop. Much of this appears to have been orchestrated by Redditors who wanted to stick it to the man and undermine the power of Wall Street. Was this the outcome, however, or did the benefits just accrue to the places you would expect? The David versus Goliath narrative of plucky investors managing to get one over the huge financial firms is rooted in the post-2008 financial crash mentality of all banks as evil. As Tristan points out in the podcast, it is notable that in the same month there were two bunches of angry citizens, who mobilized online, to target a major institution, but one was judged to be deplorable (rightly so) and the other as heroic. Clearly, that is a slightly cheeky comparison, but given that a man committed suicide after incorrectly assessing he had lost hundreds of thousands of dollars using the Robinhood trading app, it is a fact that lives have been lost in both cases.
The investors that boosted the prices of GameStop shares were using the financial levers built into the system, so it is hard to swallow the line that they were acting altruistically, or even that they did much good – BlackRock is said to have made in the region of $2 billion as a result of the stock’s price increase. Whether the regulators step in to change the rules, however, remains to be seen. And is that even desirable?
To find out the answer to this, as well as Ian and Ian and Tristan’s takes on all of the above, listen (and watch) here.