Cyber Signals: Shifting tactics fuel surge in business email compromise
Business email operators seek to exploit the daily sea of email traffic to lure victims into providing financial and other sensitive business information.
Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations and the global cybersecurity market is forecast to be worth US$170 billion by 2020, growing in step with significant advancements in cloud computing, the Internet of Things (IoT), and other technologies that are changing the way we communicate and work. The IoT security market itself is expected to grow from US$6.89 billion in 2015 to US$29 billion in 2020. Other high growth areas include security analytics, mobile security and cloud security.
The same concerns are also driving government decision makers to develop responses that seek to ensure that the key assets, systems and networks remain protected in this new environment. Today more than half of nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security. These efforts are beginning to solidify into security requirements for a range of businesses, from information technology (IT) providers, critical infrastructures and users of cloud services.
United States: Securing the government
In United States the focus on cybersecurity has never been greater, in particular if we single out the work done at the federal government level after the breach at the Office of Personnel Management (OPM). In early 2016, President Obama announced the Cybersecurity Action Plan, which aims to raise the levels of cybersecurity across the nation, but particular its high-risk assets. With it, the President is driving a new policy and operational focus, for example by appointment of a Federal Chief Information Security Officer, and by requesting an additional US$3.1 billion from Congress for the “Information Technology Modernization Fund”.
In parallel, the White House continues to drive policy efforts that seek to enhance the levels of cybersecurity across the country. One of the focus areas continues to be increasing the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, both domestically and internationally. Another is the implementation of the Cybersecurity Act of 2015, which was signed into law in late December. The Act provides a paradigm for one of the essential element of cybersecurity: the sharing of information on cybersecurity threats and defensive measures among private sector entities and between the private sector and the government.
Japan: Preparation for taking the world stage
Japan is poised to take exciting steps towards improving cybersecurity in 2016. A key wakeup call was the May Japan Pension Service Hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, as Japan readies itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics – these global events will allow the country to demonstrate its technology prowess and its commitment to cybersecurity. In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. Furthermore, the government is preparing to revise its Cybersecurity Law, as well implement concrete action to protect its critical infrastructures, for example by examining structured information sharing.
China: Focusing on the rule of law
China has over the past two years proposed and passed a number of laws that touch on cybersecurity, including the National Security Law, the Anti-Terrorism Law, as well as the Amendment to its Criminal Code, which exposes the network service provides that fail to comply with certain cybersecurity obligations to criminal liability. The speed with which the laws are being adopted signals the importance the government places in this area.
The speed also led to concerns expressed by numerous multinational companies, as well as governments, who have been urging the Chinese government to reconsider some of the positions it has been taking. The draft Cybersecurity Law, which amongst other things includes provisions requiring companies to store data locally and to provide encryption keys, as well as incorporates an overarching structure for cybersecurity management in the country, was one such example. The latest step in the government push came last month, with the founding of China’s first national non-profit organization for cybersecurity, the Cybersecurity Association of China. It has 275 founding members, including major domestic Internet firms, cybersecurity companies, scientific research institutions.
Europe: Protecting critical infrastructures
After three years of intense negotiations, the European Union (EU) reached an agreement on the Network and Information Security (NIS) Directive this past December. While some of the details remain to be hammered out, the Directive focuses government efforts on creating cybersecurity capabilities and policies, through the obligation that each of the countries affected create Computer Security Incident Response Teams and national cybersecurity strategies. In following a risk based approach it further concentrates government resources on protecting critical infrastructures. The question of how widely or narrowly the 28 EU Member States will interpret that definition will be revealed over the next two years.
The obligations that are being introduced are nevertheless important for a wide range of enterprises, which fall under that definition, including a broad number of digital services providers. While retained in the Directive, it recognizes the transnational nature of the online environment, as well as the need for greater harmonization of security requirements overall. An additional layer of complexity are the different sectoral requirements that could be developed for the different elements of essential services (i.e. transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.
In the coming months, my team will use this blog to examine these and other policies around the word more closely. It is already clear that 2016 could be the year that shifts cybersecurity from a topic of conceptual debate to a more concrete set of practices, obligations and requirements, in particular for enterprises in the critical infrastructure sectors or those providing services to governments. Whether the different countries will be able to ensure that these policies are successful in increasing security for the broader ecosystem hinges on whether the requirements put in place will be complimentary, able to align to existing laws, as well as able to adapt to new technologies, such as IoT. Watch this space.