Collaboration Critical to Fight CyberwarRisk Resources' Varshney on Importance of Public, Private Partnership
The cyber threat landscape might never have looked so scary, owing to machine-to-machine attacks, increasing weak links in the network and growing sophisticated attackers. The Internet of Things is only adding to the challenges resulting in discreet attacks.
"What is even more disturbing is the fact that the intention behind some of those massive attacks remains absolutely unknown," says Hyderabad-based Vikrant Varshney, Chairman-Advisory Board and Principal Advisor to banking and financial services at Risk Resources.
"What is not possible through even a nuclear attack can now be achieved in the cyberspace, as we observe definite transition from cyber incidents to what I would call a 'cyberwar'," he says.
"Right from critical infrastructure to hospital systems to a small fitness watch is under threat," he says and argues, "Who is accountable for security' thus becomes a very difficult question to answer."
He says that there is a strong need for collaboration with effective public and private partnership in place. "Besides, enterprises and government at large need to lay emphasis on building awareness and education with a focus on effective response mechanism".
In conversation with Information Security Media Group, during its recent 'Data Breach Summit Asia 2016', in Bengaluru, Varshney, says that all these new threat vectors are leading to a new cyber war. He shares insights on:
- Evolution of IoT opening up opportunities to hackers;
- Building an effective response mechanism;
- Missing links in building a security framework.
Varshney has more than 20 years of cumulative experience in enterprise & operational risk management, BCM, IT, operations, quality & business strategy.
His latest assignment has been as Global Head of Security & Fraud Risk function for Global Operations, Services & Technology of one of the largest financial services company.
The Onset of Cyberwar
RADHIKA NALLAYAM: You have been emphasizing that the threat landscape is changing fast, resulting in a cyberwar. Can you elaborate?
VIKRANT VARSHNEY: The cyber landscape is changing very fast and there is a definite transition from cyber incidents to what I would call a 'cyberwar.' The attacks are happening between cities or specific set of people, as opposed to attacks in the past, which were against organizations. The intent of such attacks is to cause a massive damage to the target. In the past, the purpose was pretty simple - bring down the reputation of the target while the hacker becomes more famous. Now the objective is to cause collateral damage - irrespective of whether the target is an organization or a person.
So. we are now seeing new kinds of attacks. For instance, targeting hospitals or opening the flood gates of dams or attacking the national power grid. So in a nut shell, what is not possible through even a nuclear attack can now be achieved in the cyber space.
It's now relatively easy to attack any country of the hackers' choice. Cyberspace is borderless. Even scarier - they can even kill anybody without much effort. For instance, they can now control your blood pressure monitoring machine, resulting in fatal incidents. So, cyber threats are not just a concern of a set of people any more. It's a concern of every individual, every public agency and everybody who thought IT is just a system. IT can now be a problem statement.
Most of these companies that are working on incident management plan on business continuity side might have never thought of cyber incidents becoming one of their largest concerns.
Public, Private, Partnership
NALLAYAM: As an expert who has been contributing to the risk domain for many years, what do you think is the need of the hour?
VARSHNEY: There are multiple areas that we need to focus on. However, I would say public-private partnership is a key area. The interdependency between the public and private sector has increased. Government does not know how to solve things themselves, so they need the private sector to help them. Similarly, the private sector cannot resolve every issue without the help of government's authority. So they need to now come together as a team and work on a number of things. Independent or isolated activities are not going to get us the desired results. In fact, it's going to take some time for consensus to build, on what needs to be done. So, unless we define a charter on what the need of the hour is, we will never make a start.
The Response Mechanism
NALLAYAM: Do you think this scenario emphasizes the need to have an effective response mechanism?
VARSHNEY: Absolutely. Let's take the example of healthcare system. Every critical system can now be damaged through cyberattacks - the power system, support systems like oxygen supply and ICU besides stealing critical data about the patients. So organizations now need to look at resilience as the overall solution. It's no more about the availability of one single system. The attacks can occur on multiple systems at the same time and multi-faceted.
Some of the best practices the practitioners need to adhere to in building an effective response plan would include:
- Look beyond traditional approach to address the risks associated with business continuity and disaster recovery;
- Besides having an effective resilience plan at the corporate level, practitioners need to build awareness among various stakeholders;
- The technology providers need to look beyond point solutions;
- Evaluate the breach cases involving private players to understand the gaps.
The Missing Link
NALLAYAM: Do you think an effective response mechanism or resilience plan is missing in many cases?
VARSHNEY: I agree. For instance, we are now seeing a new type of fraud incident in the travel and corporate segments. The targets are mainly the employees of corporates who travel abroad for projects. With tons of information shared as part of social proofing, these employees become easy targets as soon as they land in the new country. They have not only lost all the money from their accounts, they are often left with no clue as to whom to approach for help. There are two different countries and two different cyber laws involved, apart from the private agencies and corporate travel firms. No one really knows how to respond to this syndicated crime. So there are many such areas where the agencies don't even have a plan in place to respond. So as I mentioned, it's no more about just an information risk, it's converting into a war.