Why We Need a European Cyber Threat Summit

www.CyberThreatSummit.com

Register Here for the European Cyber Threat Summit on Oct 24th 2017 in Dublin

So of course in an era of hyperbolic cyber stories in the media it is difficult for people to filter through to what is real and what is not. The term “cyber” itself seems to be placed on front of every story to highlight a cyber angle. Why? Because the reality is there probably is a cyber angle.

We are all users of the Internet and we use it because we want to exploit its advantages which include instant contact with clients, suppliers, marketing, reducing costs, global trading and social networking. With mobile devices and broadband we can now access anything, from anywhere, from any device at any time. Real power!

Society has become dependent on the Internet, we see this fact recognised in instruments such as the NIS (Network Information Systems) Directive. IoT (Internet of Things) means we may have 50 billions “things” connected to the Internet by 2050. That is everything from a baby cam to your electricity meter. Yes we are dependent on the Internet.

The open protocols of the Internet meant it developed as a network of networks. Today anyone can write and launch an app, this openness is the power of the Internet but potentially it’s greatest weakness. This ecosystem of 3 billion people of course has limitless commercial potential. We all accept the Internet is now irreversibly involved into our commercial and social life and has already delivered substantial benefits.

However for those seeking criminal gains it provides a way of conducting both traditional crimes and conducting new forms of Internet enabled crime. We have seen this with the likes of ISIS and their call for a Cyber Caliphate. The Internet provides a mechanism for those wishing to spread violence and hateful ideologies with an unparalleled opportunity to try to radicalise new audiences.  Old stuff in a new way!

The Internet was designed to be a resilient network NOT a secure one. I have touched upon the aspect of protocols and standards. When entrepreneurial Internet pioneers started developing code, standards and applications, todays risks were not envisaged or contemplated. Thus security was not the priority! Today “cyber threats” are recognised in the top echelon of threats to nation states, alongside terrorism.

The latest reminder this week was yet what seems to be another disruption by Russian hackers of a major part of the Ukrainian electricity grid. This following large parts of the Internet itself being closed down during the US Trump/Clinton elections. The geopolitical aspect of cyber threats is simply too obvious not to recognise.

So adding security to this ecosystem often means the challenge of retrofitting. This is a more difficult and more expensive challenge. Baking in is always less complicated and less expensive. The interdependency of the Internet model means a “service” being delivered is only as secure as the weakest link in the trust chain. By this I mean for example if you consider the amount of entities involved in delivering the service of an app to your mobile phone, you can appreciate these entities are essentially a “trust chain” that you depend on. The phone hardware, the OS on the phone, the app market place, the app developer, your mobile data provider, etc, etc the links in the trust chain keep growing. It only takes one vulnerable link to be compromised.

In last years Cyber Threat Summit, I mentioned I felt in many ways we had “done a deal with the devil” in relation to using services on the Internet. When something is free, you are the product and people are realising they have paid a significant price with privacy and security in order to use “free” services. A realignment of your privacy rights is potentially arriving in May 2018 with the GDPR but with many of the “providers” being US based and the cyber cacophony coming from the Trump administration means nobody is really sure how this will play out. BREXIT of course a major factor to consider in domiciling data and processing online services. 

We now have evidence every day of cyber attacks, key factors being the availability of PII (Personally Identifiable Information), the ability to access infrastructure systems (ref: Shodan), the ability to effect reputation and spook markets. These factors are magnified when you consider new technologies such as blockchain and ubiquitous expanding technologies such as IoT, Apps and Wireless networks make for a greater attack surface for the bad guys.

Most organisations recognise the commercial risks they run if they do not invest in cyber risk management, they include:

·     Reputational Damage (Qualitative Risk)

·     Loss of Competitive Advantage

·     Lost Customer Confidence (Trust)

·     Loss of Shareholder Confidence

·     Disruption to Critical Infrastructure

·     Costs Related to Regulatory Inspections and Penalties

·     Consumer and Shareholder Lawsuits (Cyber Litigation)

·     Business Disruption

·     Financial Loss

·     Personal Accountability

Financial markets can expect further criminal examples of attempts to spook the market with false rumours spread through social media. Remember when the Syrian Electronic Army hacked a Twitter feed and reported explosions at the White House that injured US President Obama. Again this is old scams in a new way, criminals could “short” stock trades in anticipation of such rumours. In that case, the Dow lost more than 140 points in 6 minutes, with the S&P 500 alone losing market cap of $136.5 billion. Now imagine what a hacked or unhacked tweet from Donald Trump could do!

The EU has two new instruments coming into play, the NIS Directive and the GDPR “Privacy Regulation”. Apart from their complimentary timing, both of these pieces of legislation include mandatory breach notification and eye watering fines based on significant percentages of your global turnover. The fines are not for being breached, it is recognised that breaches are inevitable but the fines and the naming and shaming will come about if organisations fail a due diligence review. In other words, can you prove you had appropriate controls in place from a protective, detective and reactive perspective.

Fines based on global turnover and publicly being called out in relation to mandatory breach notification will certainly hurt large corporations potentially even impact share prices. However, for SME’s it may be worse.  Small companies cannot afford IT or cyber security departments. The fact is, SME’s are the companies that form the supply chains that support the major industrial enterprises and that support the critical infrastructure companies.

The Cyber Task Force therefore believes that a new cyber security ecosystem involving government and the private sector has to evolve to provide support right across our economy.

Most cyber security threats can be mitigated with basic cyber hygiene but in our hyper interconnected model on the Internet we need to ensure all links in the chain are strong. 

Our closest neighbours the UK last week saw the Queen launch the National Cyber Security Centre in London, yet another initiative in a multi billion euro program of cyber resilience.

The ICTTF International Cyber Threat Task Force was set up seven years ago as a positive initiative, it recognised that cyber threats have no borders and the “bad guys” were well networked. One of the main keys to success of the world of cybercriminals is their underground economy and ecosystem. The ICTTF recognised that the “bad guys” all helped each other, shared intelligence, trained and mentored each other. The "bad guys" believe a rising tide lifts all boats! What is good for one bad guy is good for another. The ICTTF launched a networking platform www.icttf.org with the mantra “It Takes a Network to Defeat a Network!” . Very quickly the ICTTF gained thousands of members from over 100 countries. Local “Task Forces” from locations such as Indonesia started to have local chapter meetings and develop the concept.

The ICTTF has run an annual Cyber Threat Summit from Dublin every year. Now in our seventh year, this year's Cyber Threat Summit will have a very  European focus. The largest event of it's kind, it will attract cyber security experts from all over Europe to discuss all aspects of cyber security including issues such as  GDPR, the NIS Directive and of course BREXIT.

We have three distinct streams running concurrently; 

"Strategic", "Operational" and "Technical".

2017 will also see the introduction of a Cyber Startup Zone giving innovators a chance to shine and network with potential investors.

The strategic debates will be chaired by Miriam O’Callaghan and will include topics such as:

-The Cyber Safety of Children

-Is Ireland ready for the EU Cyber Legislation

-What does Cyber Brexit mean?

-The Cyber Skills Gap

-Evolving Ireland's Cyber Security Ecosystem

-The Trump Factor and Cyber – Should we be concerned?

The "operational stream", will cover the “How to” of cyber security. Example of topics include:

-How To Get ISO27001 Certified

-How To Implement an Enterprise DLP Solution

-Understanding Cyber Insurance

-Developing an Cyber Incident Response Capability

-How to Implement a Cyber Risk Framework

The “Technical” stream will host demonstrations of innovation technology including:

-Block Chain

-IoT Security

-Cognitive Computing

-DDoS and TDoS Mitigation

-Threat Monitoring

We hope you avail of the early bird ticket options and we see you at the European Cyber Threat Summit More info www.CyberThreatSummit.com

#CTS2017 www.CyberThreatSummit.com@TheCyberSummit @ICTTF