The seven revolutions in cybersecurity

Back in 1984, I wrote a novel called Softwar that described the upcoming cyber-war between Russia and the United States. It described for the first time the use of "logic bombs" – pieces of code inserted into malware that would only be triggered when specific conditions were met, allowing them to spread silently until they were activated.

Thirty-five years later – centuries, when it comes to cybersecurity – logic bombs are still common, but the risks have diversified and increased, as our volumes of data have grown exponentially. Malicious actors have developed new strategies, and put companies, citizens and states at risk, with potentially devastating consequences.

This is why, in our efforts to shape the digital space, cybersecurity is an essential pre-requisite. How can we imagine living sustainably in a space where danger is constant?

This is the situation we live in today: in cyberspace, levels of danger remains high, for individuals, companies and states alike, all faced with data theft, ransomware and threats to their integrity – whether this integrity concerns their person, their economy, their territory or their very existence.

Atos is ideally placed to report on this: as the European leader in cybersecurity, we are a partner of the European Union and NATO. We are also the global IT partner of the Olympic Games – and, during each competition, we face several million security events every day, with very different levels of complexity. For the Rio Summer Olympic Games, we handled no fewer than 400 security events per second!

This position allows us to identify seven major revolutions that I will share with you today.

• First revolution: cybersecurity is now an integral part of our physical security

In the collective mind, cyber-attacks are often viewed as virtual in scope and consequence, which would make them less serious than attacks on our physical security.

Recent years have shown that this is no longer true. In 2017, the Wannacry attack paralyzed several critical service providers, including hospitals. Other attacks targeted pharmaceutical companies but also strategic infrastructures such as airports, electricity networks or power plants.

The loss of human lives is rarely the intentional consequence, but it still represents a possible outcome. In fact, the majority of the most devastating attacks in recent years have spread opportunistically, infecting whatever vulnerable computers and terminals they could find.

And, in this respect, the Internet of Things (IoT) has been a new playground for hackers, with its unprecedented levels of interconnectedness. Just think of the possible consequences when it comes to connected vehicles (boats, planes…), self-driving cars or drones.

• Second revolution: the explosion of IoT and its consequences for cybersecurity

The Internet of Things is growing rapidly: in 2019, Gartner estimates that 14.2 billion connected objects are in operation. By 2021, the number could reach 25 billion!

And while IoT provides companies with significant benefits, through automation opportunities, increased reactivity and productivity gains, it also makes their risk surface significantly greater – and today, the Internet of Things is often one of the major sources of vulnerabilities.

The 2016 Mirai attack (whose name, meaning "future" in Japanese, may serve as a warning) thus used connected objects, routers and cameras in particular, as a support for a denial-of-service attack. It may only be the beginning.

For hackers and other ill-intentioned actors, the huge number of terminals, their frequently low level of security and the fact that they come from different manufacturers provide a lot of opportunities.

• Third revolution: the extension of the risk surface

But IoT is part of a larger challenge for companies: the transition from closed and known infrastructure to mobile and open systems – several other trends are also contributing to this change, from the mobility of employees and users to the growing involvement of subcontractors, and to the frequent uses of APIs.

But the real shockwaves are still ahead of us. The volumes of data we generate will only grow, and this growth will be massive. According to IDC, the total volume of data generated yearly will reach 175 zettabytes by 2025, a fivefold increase compared to 2018 (33 zettabytes), which means that these volumes will register a 60% growth every year!

And, what’s more, 30% of this data will be real-time data, which will require a profound evolution of the technologies used to process and analyze them. One of its major consequences will be the advent of edge computing. I will get back to this in greater detail in a future post.

• Fourth revolution: cybersecurity by design

These developments will also transform the way organizations implement cybersecurity: in many companies, cybersecurity remains an issue handled by a very limited and specialized audience, who intervene in the last phases of a project or perform audits every once in a while. Some have called this practice "cybersecurity as an afterthought".

This puts companies at risk. And let’s be blunt: for companies, both public and private, cybersecurity risks are life-threatening risks.

One example should suffice to convince us, the NotPetya attack. In 2017, this attack affected several international companies: Maersk, Saint-Gobain, Mondelez... with consequences so massive that they had to report the losses caused by the attack in their annual report. Maersk thus estimated it lost 300 million dollars, while the pharmaceutical company Merck put the number at 700 million!

In addition, insurance companies have been particularly reluctant to shoulder the financial burden, as demonstrated by Maersk's disputes with its insurer to obtain reimbursement for the damages caused by NotPetya. 

These numbers prove that cybersecurity is now a strategic matter, and this comes with three consequences:

-         First, the question of cybersecurity must be raised early on, when the corporate strategy is formulated, when a new business model is conceived, when a new service is designed etc. It should not be considered as something that comes as a final layer, at the end of the process.

-         Secondly, it must be a company-wide discussion that involves executives (and not just the CTO or CISO), the board, employees inside and outside the IT department, but also partners and suppliers. With social engineering being a common tactic, ongoing employee training plays a key role in preventing attacks.

-         Thirdly, it must be considered a priority. Cybersecurity has often been seen as a low-priority budget item, although many companies have increased their investment in recent years. But considering cybersecurity as a priority is not just a matter of budget. It should also reflect in the governance of the company, and in drafting a roadmap for cybersecurity efforts.

• Fifth revolution: unity is strength

And, companies should break with tradition and accept the need to collaborate to face common threats.

The coordination of efforts and the implementation of common cybersecurity standards are indeed two essential areas in the fight against cyber-attacks.

That’s the reason why Atos has partnered with Siemens to create the Charter of Trust, which brings together several leading global companies such as Airbus, Total, Cisco and Deutsche Telekom. Initially, the charter only included companies, but several government organizations, which fully understand that working in silos only helps our common adversaries, have now joined it.

This charter of trust has set several priority areas: employee training, supply chain security, and the implementation of international cybersecurity principles.

In these circles, we hear increasingly about herd immunity - the idea, used initially for vaccines, that a basic level of protection for all actors will help to eradicate the vast majority of attacks. The analogy is not perfect, but it is certain that collaboration is the way to go.

• Sixth revolution: artificial intelligence will help us build our cyber-defenses

Another example of this collaboration between companies and governments: we are particularly proud, at Atos to have been chosen by the State of Virginia to implement its prescriptive SOC, based on artificial intelligence, to protect the state's infrastructure against cyber-attacks.

But, you may ask, what does artificial intelligence have to do with cybersecurity?

Well, when we talk about millions of cyber-attacks every day, as is the case for the Olympic Games, it becomes obvious that humans alone can no longer protect us: that’s why artificial intelligence increasingly plays a leading role to help us learn from every attack and detect "weak signals" that demonstrate bad intentions. In this regard, we now talk of prescriptive safety.

This use of artificial intelligence solutions will allow us to greatly reduce the time needed to detect an intrusion from 190 days on average… to a mere 90 seconds!

This use of artificial intelligence to protect oneself is all the more important because AI can also be weaponized by hackers – whether it is used to hide an intrusion or to switch between different types of attacks.

• Seventh revolution: quantum computing is the future of cybersecurity

But one of the major changes, with spectacular consequences, may be linked to the massive increase in computing capabilities, thanks to supercomputers today, quantum accelerators tomorrow and quantum computers in the future.

Having access to far greater computing power will have a great impact on cryptography: on the one hand, it could make current passwords obsolete... but it could also provide nearly inviolable encryption for communications. In other words, this could create a huge asymmetry when it comes to the confidentiality of communications.

This is one of the reasons that has led China and the United States to invest massively in these technologies. Europe has followed suit, launching the "Quantum flagship" initiative, which aims to dedicate one billion euros to research and development. Atos, the first European industrial player to market a complete quantum programming ecosystem with a simulator, is one of the companies that have been selected to represent Europe in the quantum battle.

This revolution deserves its own article: its potential consequences are huge and they will affect multiple sectors, from banks to connected vehicles.

But one thing is certain: cybersecurity as we know it will undergo radical changes in the coming years, both in terms of technology and behaviors.

These seven revolutions will transform both cyber-attacks and our arsenal of cyber-defenses. Companies must act now to put a strong cybersecurity strategy in place, increase their combat-readiness and make sure that they don’t bring outdated equipment to the battlefield.