CyberAsia360


Issue 004 | December 2018

AWS Re: Invent –

Creating A Whole New World

What is in Store for Cybersecurity 2019?



7TH CHINA INTERNET SECURITY CONFERENCE AUGUST 21ST - 23RD, 2019, BEIJING, CHINA

Internet Security Conference (ISC) has been held for six consecutive years. It is a widely recognized industry summit with top-notch industry speakers, and far-reaching influence in the Asia Pacific region.

The 7th Annual Internet Security Conference will again include a wide range of global security institutions and security experts sharing the latest security technology and industry wisdom, providing a global platform for dialogue on internet security in the Asia Pacific region.


Publisher’s note

Dear Readers,

When we were little, it seemed as though we had all the time in the world. Eager to grow up, we’d impatiently wish that the clock would tick faster and the years would pass quicker. Then, when we did finally grow up, and actually grew old, we suddenly realized with much regret that each year passed much too quickly. For some reason, 2018 has been a year just like that. It zoomed by and, in the blink of an eye, here we are ready to ring in the new year. Then we see that this mirrors the pace of our world—changes occurring faster and faster without us even realizing it. We see more digitalization and more entwined connections, oftentimes leading us to feel somewhat out of place.

In business, it is prudent to pause every now and then from our day-to-day operation to allow us to see what has changed around us, in order to reevaluate our direction and make the wisest choices. Additionally, while conventional wisdom has long held that we must learn from the past, it seems this hasn’t always proven true in the fast growing economy of late. Our current world is such a dynamic place, constantly evolving and moving forward, that past experiences which may have benefited us in the past may today present obstacles hindering our progress. We sometimes must unlearn skills from the past, and learn new ones that may enable us to move forward and grow under a new set of market rules, especially with respect to cyber security.

While there is no denying that the world in which we live is a busy and exciting place, most aspects are deeply connected due to digital transmission. We are more reliant upon our hand-held devices than ever and while this allows us to work more conveniently and efficiently, it simultaneously presents an issue of less security. I recently attended AWS Re: Invent, a conference with 50,000 visitors and 2100 educational sessions speaking on Cloud Computing, Software as a Service, Platform as a Service, and more. I felt dazzled by these terms, mostly foreign to me. That made me wonder how out of place I may be in this new economy. So my question to you is: do you ever feel this way too? If so, it may be time to unlearn the old logic and learn the new in order to remain in the playing field.

As we ponder our strategies and resolutions for 2019 in this last month of the year, laden with holiday spirit and cheer, I wish you all a Happy and Cyber-safe New Year.

Ms. Sunny Sun Publisher



Content Summary

Table of Contents

Feature Article
AWS re:Invent – Creating a Whole New World in the Cloud!

My Conversation with
Karen Eldor, VP of Product Management at CyberArk Israel
David Maman at Binah.AI

Cybersecurity Policy
Cybersecurity Industry Faces Huge Talent Shortage. What’s To Do? (John McCumber)
Xage Security Launches First Decentralized Cybersecurity Solution (Duncan Greatwood)
The Paris Call: Much Ado about Nothing or a Step in the Right Direction? (Emmanuel Macron)
The Era of Servitization Has Begun (Lubor Ptacek)
Cybersecurity Needs to Be Built Into IoT Devices (Bruce Schneier)

Cybersecurity Advisory
What’s In Store for Cybersecurity in 2019
Risky Areas
Maritime Industry Could Teach Others How Cybersecurity is Done
Cybersecurity Facts and Figures
Discrepancy between IT and Marketing in Cybersecurity is a Problem
Time to Enter the Zero Trust Era in Cybersecurity

Artificial Intelligence
Don’t Worry, AI Won’t Take Over the World: Expert (Kai-Fu Lee)
Gartner’s Tech Trends for 2019
Cybersecurity Outlook for 2019 Remains Grim


CEO Corner

My Conversation with

Karen Eldor VP of Product Management at CyberArk Israel

by SUNNY SUN

Editor’s note: In order to have a good understanding of the companies in the global cyberspace arena, from my experience, one must begin in the city of Tel Aviv, Israel. In my capacity as an industry analyst, I have met numerous cybersecurity companies and one common denominator stands out: many of the strongest players are from Israel. Additionally, these companies, while initially founded in Israel, usually team up with talent from the Silicon Valley with the vision of going global. This past June, I attended the world-renowned Cyber Week at Tel Aviv University. While there, I had the opportunity to chat with Karen Eldor, VP of Product Management at CyberArk Israel, an incredible cybersecurity firm headquartered in both Israel and the US. CyberArk is one of these successful stories with the goal of making a difference in the global security market. The company applies its advanced cyber knowledge toward protecting an enterprise’s network system with extra layers of security: privileged access protection.


By way of background, CyberArk was founded in Israel in 1999 by Udi Mokady and Alon Cohen, who were trained by military technological elite units, and, as such, had become very skilled in cyber defense. In 2014, CyberArk went public, trading on NASDAQ. It was described as the most successful technology IPO of the year and as Israel’s best cyber security IPO of the decade. As a publicly-traded information security company, CyberArk provides Privileged Access Security. The company’s technology is utilized primarily in the financial services, energy, retail and healthcare markets. When I had the opportunity to sit down with Ms. Eldor, VP of Product Management for this amazing company, I was able to get a clearer understanding of its products, solutions, newest developments, and the company’s vision of managing ever-increasing cyber threats.



Privileged ACCESS protection

Additionally, Ms. Eldor indicated that CyberArk offers privileged access security by building a digital vault as the most protected place in the network space, as well as layers of security – for the infrastructure, applications, humans, etc. – on premises, in the cloud and for hybrid organizations. CyberArk’s assumption has always been that cyber criminals / attackers will always find their way into the enterprise network. Therefore, it is crucial to protect the most sensitive assets – specifically the privileged access to those resources – as this access is exactly what attackers are looking for. They need that access to be able to do the lateral movement within the network and reach their destination, e.g.: steal customer information, damage / expose company assets, etc. According to Ms. Eldor, implementing privileged access security will dramatically reduce the risk of attacks.

Furthermore, the world is quickly moving toward big data, and in the Cloud the fundamentals of our economic structure are transforming into the digital. However, the infrastructure of networks is sometimes developed without security measures in their initial design processes.

Ms. Eldor stressed that the new and ever-growing digital economy calls for new norms. With this in mind, here are some numbers for us to ponder:

51% of security professionals say there is no relationship between IT security and business innovation;

75% of organizations do not have a privileged access security strategy in place for DevOps;

50% of organizations do not have a privileged access security strategy in place for the Cloud.

What are best practices?

From the very beginning, the CyberArk team was ambitious, creating a company that would become not merely sustainable, but an industry flagship. Their growth has been strategic and steady, a unified goal of staying put for long-term developments. In other words, the best practice for CyberArk is by far the people, the team, the personalities of the team that create a culture where small decisions are made together in an open atmosphere. With the right team, a unified team, and its commitment to technological innovation, they can indeed accomplish the impossible.


In sum, it is common knowledge that Israel has come to be considered the capital of cybersecurity. It is said, if you want to buy a quality watch, you go to Switzerland; but for reliable security products and solutions, you go to Israel! And CyberArk is no exception. It is a cutting-edge cybersecurity leader providing one of the leading solutions in cyberspace for enterprise companies. Ms. Eldor asserts, and I concur: CyberArk continues to be your partner in your digital transformation and secure your privileged access with zero trust security in mind.



CEO Corner

My Conversation with

David Maman at Binah.AI

by SUNNY SUN

Editor’s note: Throughout my many years of working within the industry media, I have had opportunities to interact with scores of people, many of whom are industry innovators, pioneers and entrepreneurs. I find that although their skills and expertise vary greatly, one thing holds true for each of them: a persistent passion for innovation and a strong sense of responsibility. These two qualities helped them both navigate the entrepreneurship route with all its unpredictable twists and turns, and remain resilient enough to weather the inevitable unexpected storm. I met David Maman at an industry event. I was instantly fascinated by his ability to create so many startups at his young age, and even more intrigued by his personal experiences in cyberspace. He has to date successfully built 9 startups, all subsequently sold to enterprises large and small. His first was sold when he was 19 for $50,000 and his latest was sold to Huawei, a leading global provider of information and communications technology (“ICT”) infrastructure and smart devices from China, for a record $42 million. Like many of you, I am curious: how does he do it, and what has propelled him to successfully journey this far?

It All Started From Playing A Good “Game”

Like many typical 13-year-olds, David loved to play video games. Unlike many typical 13-year-olds, however, he created his own. Back in 1991, David said, C++ wasn’t a steady language so, at 15, he problem-solved using “reverse engineering”, a concept he wasn’t even aware of yet. He graduated high school at the age of 16 and went on to major in computer science. He built his first company in 1996, and that initial success set him on the cyberspace journey, creating more startups by providing sound solutions for cybersecurity issues. Now, at 19, while many his age are still figuring out a career route, David has already found his calling: to figure out ways to guard the increasingly insecure cyber universe in which we must live today.


Why Did David Continue to Build Startups?

The deep internet space that continues to be more complex and incomprehensible, David said, is usually structured in layers, such as layers of applications, networks, operating systems, databases, or in the cloud space, for example. While the cyber universe gets more layers of connectivity, these multiple layers have thus become increasingly complicated. Therefore, David believes, cybersecurity is multi-dimensional, possessing solutions situated within each different layer.

David possesses a strong passion to solve problems. Through his logical thought process, he embraces the challenge of obstacles by sorting and dissecting their various parts to identify the weakness. And he never hesitates to openly share his knowledge or extend a hand to those in need of help in dealing with layered solutions. He told me he always has ideas, lots of ideas! This has motivated him to keep doing what he loves to do, and certainly what he does best: working with individuals and companies to translate his unique ideas into executable solutions. Each of the startups he founded solves problems situated in each of the different layers, implementing innovative methods.

In all of the 9 companies he built in the cybersecurity field, he has tested and applied many different approaches. Among them, three of the companies address problems from an offensive approach, whereas the remaining six solutions were developed from a defensive approach. As David puts it, cybersecurity is a multi-dimensional detection with layered solutions. An offensive approach is a type of strategy that consists of actively trying to pursue changes through a proactive mode. A defensive approach is a type of strategy designed to counteract attacks or threats. In general, cybersolutions are usually taken via the defensive approach, since it is typical to respond after an episode has occurred. There is never a dull moment for cybersecurity, as vulnerability seems to be everywhere. David’s approach is to really see things from the inside out or as a whole picture in order to come up with viable solutions.

Cybersecurity is a Myth, Cyber Solution Is An Illusion

Cybersecurity is a myth, as David points out, because there is little true understanding of what lies in that space. The problems are never consistent and no one will know for sure how many problems are out there, because they cannot be measured. As David puts it, “Such as buying a house, for example. If I ask you to buy a house, but I can’t even tell you how many rooms or windows there are or whether there are plumbing issues, would you buy that house? Therefore, the reality of cybersecurity is that you don’t know what you are getting into; it is unmeasurable and unpredictable. We live in a state of illusion,” David continues, “so I stopped selling companies solutions. I don’t want to sell these types of products anymore, despite the fact that I truly enjoyed writing the codes and solving the problems.”

David believes that all the solutions out there in the market can be illusions. One can say, for example, that what is being offered is the best of the best. However, there can never be 100% certainty which are the ultimate cyber solutions. There can only be created an illusion of protection simply because one can’t measure the degree of the problem nor, therefore, the protection. “From this viewpoint,” David continues, “I realized it is a myth, and I stopped creating cyber security companies.” As a side note, I can’t help but wonder whether he will come around again to shake things up by implementing a brand new approach to solve the problems we face in the new and ever-changing cyber world.


Now it is Time for Binah.AI to Decipher Using Signal Processing

“Artificial Intelligence (AI) is statistical modeling that can be implemented in each layer of everything,” says David. He believes in the usefulness of Artificial Intelligence or Machine Learning and, as such, he has developed yet another company called Binah.AI. Why “Binah.AI”? In Hebrew, Binah is a process from one “intellectual” dimension to another “wisdom” dimension. It is the ability to use the process to think and act in such a way that common sense prevails and choices are beneficial and productive. I trust that this is the guiding principle David aims for in his newly-established venture.

The technique behind Binah.AI is to utilize signal processing. Signal processing is a subfield of mathematics, information and electrical engineering that concerns the analysis, synthesis, and modification of signals, which are broadly defined as functions conveying “information about the behavior or attributes of some phenomenon.” David shared with me how signal processing can be effectively utilized via machine learning tools to help predict and detect. Binah.AI is currently working with JP Morgan in the financial sector to predict currency exchange rates with a perfect accuracy and 2.5 minutes ahead of real time in the stock market, in some cases. In the automobile industry, Binah.AI is working with the Japanese company Denso.com, a 60-billion leading automobile supplier of advanced automotive technology, systems and components for all of the world’s major automakers, using video feeds to retrieve driver or passenger heart rates by monitoring the blood flow on the facial surface, measured at the same level of the oximeter, sometimes even more accurate than an Apple Watch, as David indicated. It is mainly applied in the autonomous self-driving vehicle for the safety of the future drivers.

This company started two years and three months ago and began selling four months ago. The sales target is 2.5 billion in the coming year and over 11 billion the year after. It is an ambitious but reachable goal, according to David. Once again, his self-confidence and ambition have impressed me. I believe his certainty comes from the applications he has delivered which can reach the highest level of accuracy, stability, and predictability.

I must say what a pleasure it was to speak with David Maman. I have never met a person with such accomplishments yet still humble and approachable. In my opinion, David has three of the most important qualities to carry him far: intellect, wisdom, and a big heart. I hope my conversation with him will inspire many other young entrepreneurs to pursue their own paths for success and to retain their sincerity. I also wish David continued success on his creative journey, and value his contribution to build a better world for our future.



Featured Article

AWS re:Invent–

Creating a Whole New World in the Cloud!

By SUNNY SUN


Like many people, I have been shopping the Amazon.com e-commerce site as a consumer for many years. For me, it has offered good value, convenience, and reliable service. I never knew, however, of the penetrating influence of Amazon Web Services (AWS) until I attended AWS re:Invent 2018, held in Las Vegas on Nov 26-29. As a non-technical person, my understanding of AWS is that it delivers a comprehensive platform, providing a mix of infrastructure as a service (IaaS) and platform as a service (PaaS), and packaged software as a service (SaaS). AWS indicates that users’ needs are the motivation for its developments and the root of all its inventions. Performance and end-users’ experience are key elements that hold true for its performance enhancements. In the cloud service arena, AWS has gradually become the public cloud-computing leader.



There were a few figures of note mentioned by Larry Dignan, Editor-in-Chief of ZDNet, that can help us understand the landscape of AWS’ cloud computing: “For the nine months ended Sept. 30, Amazon’s North America e-commerce operation delivered operating income of $5 billion on net sales of $97.24 billion. The international e-commerce division had an operating loss of $1.5 billion on net sales of $45 billion for the same time frame. AWS delivered operating income of $5.2 billion on net sales of $18.22 billion. In other words, Amazon’s North America e-commerce unit had operating margins of 5.14 percent for the nine months ended Sept. 30. However, AWS had operating margins of 28.54 percent for the same period.” Furthermore, it is estimated that long-term operating income margins are likely to top 35% by 2022. From these numbers we are able to get a glimpse into the huge growing potential of AWS in the near future.

It was my first time attending AWS re:Invent. I was dazzled by the bustling activities and countless new terms, new software, and builders’ solutions. This year’s event attracted 50,000 visitors, conducted 2100 educational sessions, and offered nine levels of certifications. Andy Jassy, CEO of AWS, said: “We don’t believe in one tool to rule the world. We want you (developers or builders) to use the right tool for the right job.”



The following key products, rolled out at this event, are briefly summarized by Logic Works as follows:

#1 AWS Outposts: VMware vRealize, CloudHealth & Wavefront for Ops & Management, VMware Unified and Security, VMware Unified Data Management.

#2 AWS Control Tower: It makes common setup activities much easier, making LZs available to a wider range of users.

#3 AWS Security Hub: Quickly assess your high-priority security alerts and compliance status across AWS’ accounts in one comprehensive view.

#4 AWS Lambda: Support for Ruby 2.5, Custom runtimes: PHP, Cobol, C++, AWS Lambda Layers, and Lambda with ALBs.

#5 AWS Transit Gateway: Build a pathway all in one place for direct access to VPC and VPN.

#6 AWS FSx for Windows Server and Database Improvement.

#7 AWS Database Improvements: Amazon Timestream, AWS Quantum Ledger Database, Amazon Global Database.



“Cloud” is the keyword frequently mentioned during many presentations and on the show floor demos. The hype in the digital space on the show floor once again stated the fact that the data-driven economy is entering into our daily life much faster than we expected. The digitized transformation is in the process of moving forward and a new business model focusing on data and cloud will become the norm in the new and quickly evolving marketplace.

Another point was all too clear: It’s time to change. Despite the fact we all know that change is often hard, it is imperative that we keep up with the times. The question is what to do to be prepared, both mentally and practically? I recently read an inspirational book entitled Unlearn: Let Go of Past Success to Achieve Extraordinary Results by Barry O’Reilly. In it, O’Reilly maintains, we must go through the mental practice of unlearning and relearning. In this same vein, a statement made by businessman and author Alvin Toffler also holds true: “The illiterate of the twenty-first century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn”.


Andy Jassy, CEO of AWS

A few takeaways from AWS are as follows:

Data is the new oil

Clive Humby, British mathematician and author, wisely mused, “Data is the new oil, it’s valuable but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc. To create a valuable entity that drives profitable activity, data must be broken down, analyzed, for it to have value.” AWS offers the tools and platform that allow the raw data to be easily transformed into business applications. According to Ramin Sayar, President of Sumo Logic, there will be 16 zettabytes of global machine data growth by 2020 fueling massive analytic data. Big data will dominate our economy. (As a side note, Sumo Logic is the AWS partner in managed service and managed security in the Cloud space). AWS has increasingly become a dominating force, and to understand this new digitized space is to understand AWS and its new business model.

Amazon has grown its Cloud space to enable easy access to all its partners and their partners’ customers. Andy Jassy, CEO of AWS, said customers tell stories, and AWS develops customer-driven models that allow all players to excel in this ever-expanding Cloud space. AWS believes that the pace of innovation is driven by customers, and, as such, they innovate on behalf of customers. Additionally, we will see a growth gap between traditional business and the new data cloud-based business identity. And if we do not become consciously aware of the changing world around us, we will be left far behind.

Cloud computing asks us to perceive our business differently

Why in the Cloud? The answer is that the Cloud enables market applications to function quickly, flexibly and to scale, meanwhile saving the cost of servers and potential data loss due to hardware failure.

AWS is and will continue to be the central hub for developers to build!

AWS puts special emphasis on building a longstanding, sustainable business by following customers’ needs and improving the customer experience. In a word, AWS is present every step of the way to help.

The world is evolving with a speed that has outpaced our learned experiences (curves), and our past achievements in today’s modern economy can quickly become our obstacles if we aren’t consciously aware of the fast-moving pace and changes. That is precisely what I felt after attending AWS re:Invent 2018. There is a whole new world of cloud computing and virtualized digitalization. Every business owner needs to step out of their comfort zone and unlearn the old way of thinking and acting, and relearn new methods to help scale and grow in the new economy. One final thought is that we need to both be open to the change and be ready for the changes that surely await us on the horizon. In sum, un-learn the old and re-learn the new, so as to adapt and grow in the new economy.


SOURCE:
https://www.zdnet.com/google-amp/article/why-awsreinvent-is-arguably-more-important-than-amazons-black-fridaycyber-monday-bonanza
https://www.cnet.com/google-amp/news/everything-you-need-toknow-about-aws-reinvent-2018/
https://www.portal.reinvent.awsevents.com/connect/sessionDetail.ww?SESSION_ID=22930
https://www.youtube.com/watch?v=ASS48l40hk8



Cybersecurity Policy

Cybersecurity Industry Faces Huge Talent Shortage. What’s To Do?

The world needs 2.93 million more cybersecurity professionals than it has and the problem is not going away anytime soon, a survey from cybersecurity nonprofit (ISC)² has revealed, spurring understandable concern in the business world.

The biggest gap between demand and supply of cybersecurity professionals is in the Asia-Pacific, and it staggeringly accounts for almost the whole shortage, at 2.14 million. North America comes second, with its talent shortage at 498,000. Europe is faring considerably better with the Middle East and Africa also not facing much of a shortage although for different reasons, namely the lower penetration of hi-tech businesses, perhaps. So, companies and other agencies in some parts of the world have a grave problem and there is no quick solution. On the positive side, we have a growing number of educational institutions that are launching cybersecurity programs, educating a whole new generation of professionals but this is, first, not happening fast enough, and, second, not happening everywhere it is needed.

Problems are rife in the companies that need this cybersecurity talent, too. According to the (ISC)² survey, almost two-thirds (63%) of the respondents in its survey had no dedicated cybersecurity team on staff. They were aware they needed it but surprisingly, most respondents did not know how to acquire this talent.


“There’s this disconnect between what people can put in a job description, and what people respond with in their resumes,” says (ISC)²’s director of cybersecurity advocacy, John McCumber.

There are apparently many companies that are looking for the hire that doesn’t exist, someone who has a lot of expertise but is young and driven, and has asked for a low salary. It’s fascinating this sort of thinking still exists in the business world and with regard to such an essential area as cybersecurity has quickly become but there it is. Yet even the companies who are aware that this perfect hire does not exist are having trouble finding existing talent because they don’t know what skills they need in their cybersecurity teams as the cybertech landscape is changing so fast it becomes hard to keep track of everything that’s happening and responding to it adequately. Yet there are attempts, of course. Gartner research vice president Tom Scholtz recently detailed in an article for IT World Canada a way to apply the lean approach to cybersecurity resources in a bid to simply go around a problem that cannot be yet scaled successfully. Scholtz’s suggestion involved transforming the role of cybersecurity teams and distributing the responsibility for an organization’s security across more departments and stakeholders.



Tom Scholtz Research vice president, Gartner

Simply put, Scholtz proposes to apply three principles of business security in a digital environment to deal with the shortage. First, turn the members of the cybersecurity team from “protectors” into “facilitators” helping decision-making relevant to security across the various departments of the organization. Second, break down the idea of a central security hub and integrate relevant practices across processes. Third, spread the responsibility and accountability around. This way, the idea seems to be, everyone involved would be a lot more motivated to engage in better cybersecurity practices and reduce the scope for mistakes and failures.

The solution is certainly worth considering although it does not come without its problems. The biggest among them is that the distribution of the responsibilities pertaining to cybersecurity across more than one unit and more than one team increases the risk of problems with coordination, especially for international companies and organizations that have time and space considerations to take into account. Yet this should be easily fixable, says Scholtz, through strong governance and good program management.

Ned Finkle, VP of External Affairs at Nvidia

Another way of dealing with the problem is, of course, automation. A senior FireEye executive in India, the country head and senior director Shrikant Shitole, said in a recent interview with Dataquest India that automation is one relatively easy way organizations could employ to reduce their cybersecurity risks. Sadly, the application of automated solutions is quite limited for the time being: Shitole suggests it be used for overhead processes such as ticket creation to spare the human personnel time and effort better invested elsewhere, such as additional training. And AI? AI capable of handling cybersecurity tasks better than humans is still years away, says Shitole.

In more bad news, there is a worrying fact for the future of cybersecurity talent and it comes down to this: many people with the talent would rather become cybercriminals. The idea was detailed by Symantec Canada’s Vice President and General Manager Ajay K. Sood in an overview of the problem for CPO Magazine. Many young people with a flair for IT in places like India simply do not have access to cybersecurity university programs. But they do have access to software and hardware and cyberattacks often generate quick returns, much quicker than the attractive salaries of cybersecurity professionals and all the other benefits desperate businesses are willing to offer.

In other words, the shortage of cybersecurity talent is not a root cause of the growing problem with data security. It is rather a facet of it, and although it is a big facet, it is just one of many. The others, Sood argues, are the amount of data that is being dumped online constantly, and the proliferation of connected digital devices that make this data vulnerable to attackers. In such a context, the future of cybersecurity does indeed look problematic.

Ajay K. Sood Vice President and General Manager, Symantec Canada

Shrikant Shitole Country head and senior director, FireEye India



Cybersecurity Policy

Xage Security Launches First Decentralized Cybersecurity Solution

By IRINA SLAV

Xage Security, a California-based security and Internet of Things company, last month launched the first automated and decentralized, blockchain-backed cybersecurity product in the world aimed at helping businesses operating critical infrastructure secure this infrastructure and at the same time facilitate their compliance with new, tougher regulation.

Duncan Greatwood CEO, Xage Security

The Xage Policy Manager will probably be the start of a flurry of such solutions amid growing cybersecurity threats in industries that operate critical infrastructure as they become increasingly digitized. Think oil and gas, for example, or utilities, or transport and logistics, or manufacturing. All of these industries are going digital at a breakneck pace to navigate intensifying competition but with digitization come more threats and this is not going to change anytime soon. This environment is fertile ground for security solutions such as the Xage Policy Manager.

What does it do? Well, according to the company, it makes life for critical infrastructure operators a lot easier by providing them with a single-dashboard solution that can automatically replicate regulation-compliant security requirements across device networks using blockchain. It also integrates with existing network protection systems without the need to modify them.

This certainly sounds like something these industries will have growing need for as they find themselves forced to up their cybersecurity game. We’re talking about companies with hundreds of devices, with thousands of so-called distributed assets—from laptops and smartphones to voltage controllers in utilities—that are normally exposed to cyberattacks. The winners in the cybersecurity war will be those who can offer a combination of easy-to-use, reliable, and flexible solutions.

So, how bleak is the future of cybersecurity and the Internet of Things? CyberAsia360 caught up with Xage chief executive Duncan Greatwood for some insight.

“It’s true that cyberattacks on IoT systems are a glaring threat,” Greatwood says. “Security breaches on industrial control systems specifically have serious implications on our daily lives, companies’ economic success, and employees’ (and civilians’) physical safety. However, there is hope for a safer Internet of Things, both proactively and reactively.”

Xage Policy Manager Screenshot

Big Regulatory Step from FERC

“The United States Federal Energy Regulatory Commission took a big step forward through the development of NERC-CIP regulations, which they’ve recently updated. The improved regulations aim to protect connected utilities’ distributed devices and field networks from dangerous compromises, and ensure all transient devices – tablets, personal laptops, smartphones – which have access to systems, but aren’t secured as if they’re part of the critical network, can’t become entry points for malware or other attacks,” Greatwood explained.

“Companies should read the tightening of regulations as a warning, not just to comply in a timely manner, but also that these regulations are needed in the first place because our devices are simply not secure. Look at the hack of the Ukraine power grid last year, or the discovery of Russian remote-access trojan malware (RATS) in U.S. utility networks. Due to the centralized or unmanaged security of legacy systems, the hack of a single device can impact an entire network, spanning tens or hundreds of thousands of connected devices.”

Automated Policy Enforcement: The Policy Manager enables customers to define and enforce security requirements for all devices, apps and users fieldwide from a single dashboard.

So, how gloomy is the future?

“This could be read as gloomy, but there are methods that companies can take to secure devices, using an automated security solution with decentralized enforcement. Using decentralized approaches such as blockchain to tamperproof security systems removes single points of security failure, allowing companies to enjoy the benefits of a connected network, while avoiding the significant risk that comes with linking devices.”

Role-Based Access Control: With Xage RBAC, setting device passwords is automated, and passwords are complex, hidden and regularly rotated.

Blockchain to the Rescue

Can blockchain help brighten up these prospects? According to Greatwood, yes. “Blockchain can certainly change the game and help companies catch up to both regulations and hackers wishing to infiltrate networks,” the Xage CEO told CyberAsia360. “Blockchain-protected solutions are distributed by nature, making them a uniquely suited approach for decentralized IIoT security. Built on an immutable ledger based on consensus, blockchain’s structure creates a network that gets more secure as more devices are added––a perfect fit for industries with large operational networks. Distributed security underpins continuous edge-computing operations, even in the face of irregular connectivity, and enables controlled and managed access to both new and legacy industrial systems, blocking the hackers’ access.”



Cybersecurity Policy

The Paris Call: Much Ado about Nothing or a Step in the Right Direction?

French President Emmanuel Macron gave a speech at the Internet Governance Forum at UNESCO in Paris GettyImages

An initiative of French President Emmanuel Macron announced in November has been endorsed by as many as 50 governments, almost a hundred non-profit organizations and educational institutions, and over a hundred private companies.

The Paris Call apparently seeks to encourage countries and organizations to work together to establish trust and security in cyberspace, a noble endeavor that some believe is no more than a grand gesture because there is nothing prescriptive about its ideas. They are rather a list of things that everyone is encouraged to do to make the internet a safer space. As to how this should be done, it’s up to whoever takes up the endeavor.

THE SUGGESTIONS MADE IN THE DOCUMENT INCLUDE:

• increase prevention against and resilience to malicious online activity;
• protect the accessibility and integrity of the Internet;
• cooperate in order to prevent interference in electoral processes;
• work together to combat intellectual property violations via the Internet;
• prevent the proliferation of malicious online programmes and techniques;
• improve the security of digital products and services as well as everybody’s “cyber hygiene”;
• clamp down on online mercenary activities and offensive action by non-state actors;
• work together to strengthen the relevant international standards.


It is obvious these are very broad, very general recommendations that need a lot of “filling” to become effective, so the impressive number of signatories is not that impressive, after all: anyone would subscribe to recommendations for a safer internet. However, there were several notable exceptions to the signatory list: the United States, Russia, China, Israel, and Iran did not sign the document.

Wired wrote about the news, noting the Paris Call “lacked teeth” since it did not oblige the signatories to take any specific steps to advance the trust and security of the internet. And yet, author Louise Matsakis notes, it mattered that the biggest of the big in information technology all signed the document: Microsoft, Google, Facebook, IBM, and HP. These signatories, according to Matsakis, may in fact be more important than the country signatories as companies take on responsibilities once reserved for nation states in the cybersecurity field.

We all remember how Twitter and Facebook publicized their efforts to take down accounts allegedly used to spread disinformation and influence the latest U.S. elections, for example. Microsoft, for its part, earlier this year announced another document, the Cybersecurity Tech Accord, which it called the Digital Geneva Convention and which was signed by more than 60 companies. Both of these activities—fighting cybercrime and securing elections—normally belong with governments rather than private companies. But the internet has changed a lot of things and the shift of responsibility is just one facet of these changes.

Also, there are worries the Paris Call might have a harmful effect on things such as the freedom of expression or rather, could have one if there were a binding aspect to it. Matsakis quotes a free and open internet NPO, Access Now, as arguing some of the suggestions made in the document could be interpreted as data sharing between companies and governments without a court order. Also, the NPO worries the intellectual property theft stipulation could end up curbing freedom of expression.

But then, as Techdirt’s editor, Mike Masnick, wrote in a blog post on the topic, the Paris Call is “a mostly meaningless document of fluff.” Big tech companies got some more media coverage as proponents of a safer internet, so did a few governments, the opponents of the current U.S. administration got another chance to hit at it for being isolationist, and nobody was surprised Russia, China, Iran, and Israel didn’t sign it, either.

“The internet is a space currently managed by a technical community of private players. But it’s not governed. So now that half of humanity is online, we need to find new ways to organise the internet,” Reuters quoted a French government official as saying at the launch. “Otherwise, the internet as we know it today – free, open and secure – will be damaged by the new threats.”

These words suggest that the Paris Call for Trust and Security in Cyberspace may, for some, be the first step of many towards that elusive internet regulation that a lot of people are talking about but few have any specific ideas as to how it should be approached, let alone implemented in such a way as to not encroach on basic human rights and freedoms while pursuing its goals.

Be that as it may, that French official is right about one thing: the internet as we know it today will be damaged by cyberthreats. It is already being damaged, and trust has fallen victim in an environment where “fake news” seems to be the definition of everything someone doesn’t agree with. Perhaps IT companies could find a way to strengthen the internet’s cybersecurity defenses. What they won’t be able to do, however, is eradicate this culture of simultaneous trust and lack of trust that now dominates online interactions to the disadvantage of everyone involved, spurring censorship and the shunning of the principle that every voice should be represented in an argument.


The Era of Servitization Has Begun

Technology has already changed the way we do business in all sorts of ways. Predictive analytics, the Internet of Things, and artificial intelligence are more than just buzzwords: they are upending industries. And in manufacturing, there is a special way all these things are changing the industry: they are ushering in a new era of what insiders call servitization.

Servitization basically means offering customers not just a product but a product plus maintenance care for it over its lifetime, Forbes Insights reports. But that’s only half of the story. The other half is that predictive analytics, the IoT, and AI are turning hitherto useless data kept in silos into a revenue stream for the manufacturer. In an interview with Forbes, the VP of a GE Digital unit, ServiceMax, said a top priority now was learning what to do with the data that IoT sensors in products collect, how to make it useful. The manufacturing industry, Lubor Ptacek says, still has a long way to go towards a complete transformation but it has begun.

What’s interesting is that this servitization trend would benefit both small and large companies, as long as the products they make require regular maintenance that could be servitized, which means most. The new model enhances the competitiveness of the manufacturers in an increasingly competitive environment. There could be different approaches to leveraging the potential of this trend. A company could either add its own predictive analytics and AI team to the workforce or outsource the service. Ultimately, it needs to convince its customers to buy a service rather than a product and for this any manufacturer would need an attractive pricing structure and a set of clear benefits for the customer.

Lubor Ptacek, VP of a GE Digital unit, ServiceMax

Yet it all depends on the product, ultimately. For manufacturers that make products with long lifespans, such as, say, jet engines, the servitization model would certainly make sense. For makers of short-life products it would probably not be as beneficial.



Cybersecurity Advisory

What’s In Store for Cybersecurity in 2019

5 Risky Areas

2018 saw a substantial increase in cyberattacks of all sorts and severity. Unfortunately, as security efforts continue lagging behind cybercriminals, 2019 will be no different, except if it turns out to be worse than 2018 in the cybersecurity field. As the end of the year is traditionally not just a season to be merry but also to make predictions for the new year, here are five areas that will be top priority for cybersecurity professionals in 2019.

ARTIFICIAL INTELLIGENCE

Challenges surround artificial intelligence with humans still a safer bet than algorithms: cybersecurity industry watchers seem to agree on that. This is not least because what we call AI today is not, in actual fact, intelligence. Rather, what media and a lot of industry players call AI is algorithms that need to be fed data by human players. The quality of the data, logically, reflects the quality of the work the machine does with it and this includes cybersecurity.

A recent Deloitte report, the second edition of its State of AI in the Enterprise, found a third of respondents in its survey had experienced an AI-related breach within the last two years. As many as 51% of them cited AI as one of their top three cybersecurity concerns, likely on the grounds that AI involves machines and humans are good at cheating machines into doing their bidding unlike the other way round, at least until we manage to create a genuine artificial intelligence.

WHAT’S TO DO?

With 82% of Deloitte’s respondents reporting positive returns on their investment in AI and with 88% planning to spend more on AI next year, chances are algorithms and machine learning will continue to be a cybersecurity concern. The only thing that can be done realistically is continue trying to leverage the capabilities this technology offers in the very same field while making sure there is no overreliance on AI for cybersecurity.



CLOUD

Cloud is getting increasingly popular and, unfortunately, increasingly insecure, Ian Kilpatrick, chief executive of IT firm Nuvias Group, noted in an overview of the top 10 cybersecurity trends for 2019. The cloud is simply too imperfect to be safe because of shared infrastructure while shared responsibility has yet to mature despite efforts to distribute it across more stakeholders. “Increasing amounts of data are being deployed from disparate parts of organizations, with more and more of that data ending up unsecured,” Kilpatrick explained, adding efforts to secure this data have yet to catch up to cyberattacks.

Another industry insider, Gadi Naor, CTO and co-founder of Alcide, a cybersecurity for the cloud service provider, noted in a recent story for Forbes that as cloud applications multiply and cloud-native environments spread, the challenges multiply, too, so the only way to reduce the risk is for all participants in the cloud environment to work together on its security.

WHAT’S TO DO?

Everyone in the cloud needs to take responsibility for its security rather than assuming another stakeholder along the supply chain will, says Naor. Forcepoint, in a recent report on what to expect from cybersecurity in 2019, said more control over the hardware and software of a cloud environment is necessary for more successful cyberthreat management.

INTERNET OF THINGS

The cloud and the Internet of Things are close relatives and the risks they come with are of a similar scale, only with the IoT these are multiplied by the number of devices connected to a network. This means the IoT simply expands the attack surface and makes device security harder because every device is a potential weak spot vulnerable to attacks.

As with AI, a lot of organizations that have gotten a taste of the benefits offered by IoT will be unlikely to be willing to go back to pre-IoT times. That’s fine but, says Kilpatrick, little thought has been given to date to the dangers inherent in the Internet of Things. As a result, it will remain an important risk area.

WHAT’S TO DO?

Automating cybersecurity when we talk about industrial networks may well turn out to be a safer path than relying on human teams but not exclusively. Data encryption is also in order where personal data is concerned, as one expert, Ian Christofis, a consultant with Thales eSecurity, said recently at an event in Hong Kong. Still, as Forcepoint notes in its report, IoT will continue to be a top concern for cybersecurity professionals.


AUTHENTICATION

Unbelievable as it may sound, there are still a lot of organizations relying on single-factor authentication such as a password. Nuvias Group’s Kilpatrick calls these the Middle Ages, adding single-factor authentication is a handy tool for cybercriminals looking for access into a system. The problem is even multiple-factor authentication has weaknesses. The Forcepoint report notes the fact that two-factor authentication, for instance, involves the use of smartphones, a weak point in a network as seen from experts’ comments regarding the Internet of Things and the cloud. Biometric authentication is an increasingly reliable alternative but even with it there are problems thanks to technology allowing for the reproduction of unique features such as fingerprints.

WHAT’S TO DO?

Behavioral biometrics, say Forcepoint’s experts. The acting director of the U.S. State Department’s enterprise network management division, Gerald Caron, agrees. These include anything from a person’s gait, as captured by sensors in their mobile phone, to keystroke speed and patterns, scroll speed, and phone manipulation patterns.

TRADE WARS AND ESPIONAGE

Trade conflicts, notably the one between the United States and China, will add momentum to industrial espionage and infrastructure disruptions, as state actors seek to undermine each other using a multitude of cybertools available, Forcepoint said. Nuvias Group’s Kilpatrick said in his overview of major cybersecurity risks that few business organizations or state agencies are prepared for this sort of attack, so they are unpleasantly vulnerable and this is unlikely to change significantly next year.

WHAT’S TO DO?

Both companies and state agencies on all sides of any conflict need to gain a better understanding of who has access to critical data that could be used in a cyberattack and what their normal behavior is. Only in this way, Forcepoint’s head of special investigations Luke Somerville says, can espionage attempts be prevented: whenever a change in the normal user behavior is detected. Nuvias Group’s Kilpatrick adds cybersecurity teams would need to pay more attention to breach detection technology.



Cybersecurity Advisory

Time to Enter the Zero Trust Era in Cybersecurity

In a time of constantly expanding cyberthreats with cybersecurity efforts invariably lagging behind cybercrime capabilities it seems clear that the time for focusing on zero trust security has come. This is the view of at least one industry insider, enterprise software strategist Louis Columbus, after the release of Wipro’s State of Cybersecurity Report 2018.

Some of the findings of the report were that the healthcare industry is the top target of cybercriminals, with 41% of breaches during 2017 aimed at it, with banking and finance coming in second, with 18% of cyberattacks targeting banking institutions last year. Yet these are far from the only two industries facing a looming crisis with regard to cybersecurity. Cybercriminals are getting bolder and more inventive.

It is time for zero trust security, according to Columbus. ZTS comes down to securing all points of a network that involve identity management. Humans and their data are the weak links in any network, so making these weak links as secure as possible should indeed be a top priority for any company. No wonder then, that Wipro’s report found security architecture and design will be the top-ranked security competencies for the future. Right after them are artificial intelligence and machine learning as the industry realizes machines are probably better at handling cyberthreats than humans.

Data breaches distribution across industry verticals – 2017

While in 2016, 30% of the attacks targeted the healthcare industry, in 2017 the number jumped to 41%.

Malware by type – 2017

https://www.forbes.com/sites/louiscolumbus/2018/10/14/the-current-state-of-cybersecurity-shows-now-isthe-time-for-zero-trust/?ss=cybersecurity#44dc1fac5f15; Charts: Wipro’s State of Cybersecurity Report 2018

Opportunities to improve threat detection – 2017 vs. 2018

Exploits distribution – 2017



Cybersecurity Advisory

Maritime Industry Could Teach Others How Cybersecurity is Done

Maritime transport is one of the industries where a cyberattack could have devastating effect. Just imagine for a moment a hacker telling a crude oil tanker to dump its load in the sea. It’s a hypothetical situation, of course, but still scary. Because of its importance, however, the maritime industry has been quick to regulate cybersecurity, Norwegian quality assurance and risk management services provider DNV GL says in a new report.

The third edition of the Tanker Management Self Assessment, for example, now includes a whole section dedicated to security, including cybersecurity. Another document, the Vessel Inspection Questionnaire, also features requirements for cybersecurity. Both documents, DNV GL notes, are critical for gaining charters, so vessel owners have been quick to comply with the requirements.

Regulation, one might say, is hardly enough to safeguard a whole industry from cyberattacks but it is nevertheless an important element of these safeguarding efforts if only, at a minimum, for its awareness-raising aspect. The International Maritime Organization has joined the party and has added a Maritime Cyber Risk Management requirement to the list of ISM Code requirements. The Maritime Cyber Risk Management requirement enters into effect in 2021, so there are just two years for non-tanker vessel owners to catch up with tanker owners in the cybersecurity area.

Cybersecurity, says the report, is a moving target. While initially most attacks targeted IT systems at offices, the attackers are now shifting to operational technology: systems governing the operation of various machinery. These systems are getting increasingly complex and so are attacks.

Patrick Rossi, Maritime Cyber security Service Manager

But cybersecurity is just a risk like any other, the Norwegian company’s Maritime Cyber security Service Manager, Patrick Rossi, says. While the stakes are certainly high and the potential consequences of an attack could be critical, the approach, Rossi says, remains the same. Software updates to control systems on vessels, for example, need to be planned and carried out carefully rather than on a whim, as so often happens with vessels because IT engineers rarely board vessels and want to be as helpful as they can on each of these rare occasions.

Vessel owners are also at different stages in their acceptance of the risk and the ensuing preparation. “Some are bewildered by the scale of the problem,” Rossi says, “and don’t know where to begin; others have introduced some countermeasures but are uncertain whether they’ve covered everything they need to cover.”

In response to this situation, DNV GL is already offering anything from training and educating personnel on cybersecurity to practical measures to be taken to strengthen a company’s defenses. It will hardly remain the only one offering such services. It is everyone’s opinion that cyberthreats will continue to multiply and become more dangerous across industries.



Cybersecurity Advisory

13 Cybersecurity Facts and Figures

• Identity theft numbers are on the rise: 60 million in the U.S. versus 15 million a year earlier.
• The United States is the target of the most cyberattacks. It accounted for 38% of the total in 2018.
• By 2023, the number of records stolen by cybercriminals will hit 33 billion, from 12 billion this year.
• The average cost of a data breach has risen to $3.86 million globally.
• The average time it takes to identify a breach was a stunning 196 days.
• As connected devices in the Internet of Things increase in number, so will vulnerabilities.
• As much as 99.9% of discovered malware for mobile devices comes from third-party app stores.
• The financial services industry bears the biggest cost burden of cyberattacks at $18.3 million per company.
• Coin mining is rising at breakneck rates: last year alone activity shot up by 34,000%.
• The U.S. government will need to cough up more than $15 billion for cybersecurity next year.
• By 2020 humans and machines will have created 300 billion passwords.
• Ransomware attacks are rising by 350% a year.
• Small and medium business have it bad: 67% suffered a cyberattack in the last 12 months.

SOURCES: https://us.norton.com/internetsecurity-emerging-threats-10-facts-about-todays-cybersecurity-landscape-that-you-should-know.html https://www.varonis.com/blog/cybersecurity-statistics/; https://www.techradar.com/news/cybersecurity-the-latest-news-and-statistics



Cybersecurity Advisory

Cybersecurity Needs to Be Built Into IoT Devices

Bruce Schneier, Resilient chief technology officer, IBM Photo: Sue Bruce

The Internet of Things is growing at such a rapid pace it’s hard to follow this growth. But with it cybersecurity risks are also growing, which has made the need to enhance the cybersecurity of all these connected devices very urgent. IBM Resilient’s chief technology officer Bruce Schneier recently wrote in an article for CNN that the way to do it was to develop more advanced security features and build them into the devices.

This, like almost everything else in life, however, is easier said than done. According to Schneier, product makers simply don’t have the financial motivation to develop and build these features into their products. Consumers, he says, are buying gadgets without strong security anyway, risking their data, so what’s the point for the product makers to invest in cybersecurity feature development? All the more so since legislation in this segment does not stipulate invariable accountability for bad cybersecurity for the product makers.

It is up to the government, says Schneier, to make sure devices connected to the Internet of Things are secure, and this has been demonstrated recently by the state of California, which became the first one to introduce IoT device regulation. Under the regulation—SB327 law—that will come into effect in two years, every device connected to the Internet of Things must have “a reasonable security feature.”

Now, on the one hand, it’s good news that the law covers all connected devices. On the other hand, the vague definition of “reasonable security feature” could provide product makers with a loophole via the argument that this definition makes the law impossible to enforce, Schneier says. The definition in question says a reasonable security feature is capable of protecting the device and the information stored on it from various threats and is also appropriate to the nature of the device and the information collected on it. The power of interpreting this definition will lie with the California Attorney General.

Although Schneier admits this law is far from the best there could be, it is a step in the right direction. It is also a move that will have industry-wide reverberations. The thing is that software makers, says Schneier, will have no incentive to customize their programs for Californian users whose devices would need to comply with the new law. Instead, they would likely rather just make their software compliant with the California law for all markets where they sell it, a lot like GDPR prompted all sorts of websites to up their personal data protection defenses even if only theoretically.

In more good news, Schneier says the California law and any other similar laws the future holds will drive more cybersecurity innovation. “Right now,” the CTO of IBM Resilient says, “we have a market failure. Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don’t have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritized low prices, getting devices out on the market quickly and additional features over security.”

The Internet of Things is more dangerous than other networks, Schneier concludes on a cautionary note. Connected devices sense the world around us, the physical world, and they affect it physically, so a cyberattack would also affect the world physically. More regulation is needed and it shouldn’t be put off for too long, the expert warns.



Cybersecurity Advisory

Discrepancy between IT and Marketing in Cybersecurity is a Problem

There is a discrepancy in the perception of cybersecurity between IT and marketing departments that could be problematic, the latest CMO Cybersecurity Survey from the Cyber Threat Alliance has suggested.

Some of the highlights of the survey include:

• Five out of six respondents in the survey believe their marketing departments comply with cybersecurity protocols and procedures.
• But marketing employees are often unaware how often their work connects with the IT department.
• Still, six out of ten respondents believe the collaboration between the marketing and IT departments is very or even extremely effective.
• On the gloomy side, IT employees are twice as worried as marketing employees that the latter are prone to exposing the company to cyberthreats.
• What’s more, IT has greater confidence in marketing’s understanding of its own responsibility in mitigating cyber risks.
• Even so, marketing employees are less concerned about cyber threats than IT, which is only to be expected.


The chief change in the results from the survey from last year seems to be that marketing departments are becoming increasingly aware of the fact they also have a responsibility for reducing cyber risks in the company rather than leaving it all to the IT crowd. Yet the two departments still tend to not see eye to eye when it comes to cybersecurity, whether because of the different perceptions of the extent of risk the company is exposed to on a daily basis or lack of understanding of the proper ways of collaboration between these departments.

Based on all this, the Cyber Threat Alliance came up with a set of recommendations for both IT and marketing departments, including:

• Foster a closer relationship between them to help employees from the two departments understand the other group’s perspective better.
• Raise awareness of cyber risks where needed, on the basis that cybersecurity is not simply an IT problem but a company problem.
• Following the awareness raising, make everyone accountable for the company’s cybersecurity—a recommendation espoused by a lot of industry professionals.



Cybersecurity Advisory

Cybersecurity Outlook for 2019 Remains Grim

There seems to be precious little good news in the cybersecurity news stream and the latest 2019 outlook from Palo Alto Networks is no exception. Here is what the cybersecurity major predicts for next year as per a report by Enterprise Innovation.

EMAILS WILL CONTINUE TO BE A POPULAR ATTACK VECTOR

The past five years have seen business email compromise cost companies as much as $12 billion on a global scale and cybercriminals are unlikely to switch their preferences anytime soon. Attacks will continue to rise in numbers, with the criminals getting better and better at bypassing checks and controls through mimicking corporate websites, using personal social media accounts of employees, and a host of other ways to enter a company, compromising its security.

ADVICE

Automation is key here as there are many cybersecurity tools at the disposal of IT teams and these often require a lot of workforce to be efficient. This workforce is in short supply, so automation would make more sense along with the integration of these tools into a flexible system.


ADVICE

Palo Alto Networks advises companies to take a closer look at their internal information flows and boost their mix of checks and approval procedures with a focus on passwords—the weakest link. In 2019, the company expects increased implementation of two-factor authentication and biometric identity verification systems.

CLOUD SECURITY SHOULD BECOME MORE DISTRIBUTED

In what’s more of a recommendation than a forecast, Palo Alto Networks notes that the advent of cloud services has become one more factor increasing the gravity of cybercriminal threats. Yet companies and other organizations have yet to fully process the fact that the security of the cloud is not the sole responsibility of the company providing the service but of everyone using it as well.



CRITICAL INFRASTRUCTURE IS EXPANDING AND SO ARE THREATS

Once, critical infrastructure included roads and pipelines and telecoms networks but now, with the inexorable digitalization of all aspects of life and industry, it has come to encompass also things like banks and media outlets, and supervisory control and data acquisition systems as well as industrial control systems. As the infrastructure grows, so do its weak points.

ADVICE

Companies’ focus on the confidentiality of the data they collect has led them to overlook two more essential aspects: the integrity and availability of information security. With the rise of telemetry data collections in anticipation of the autonomous vehicle era, zero trust systems are the only way to secure data collection.

DATA PROTECTION REGULATION GATHERS PACE

After GDPR went into effect this year, regulators in the Asia-Pacific are the next to double down on regulation efforts in the field of cybersecurity. In a rare piece of good news, Palo Alto Networks expects many watchdogs in the region to initiate a regulatory framework addressing data protection.

ADVICE

It would be smart to use GDPR as a baseline for regulatory efforts and the identification of the main challenges that need overcoming. Minimizing data collection is the most obvious way of reducing the risk of data compromise.

THE GLOBAL SUPPLY CHAIN WILL REMAIN VULNERABLE

Everything that has made it easier for companies to connect with suppliers and outsourcing services providers has made it also easier for cybercriminals to enter this globalized digital supply chain and attack various points of it. The Internet of Things, Palo Alto Networks says, is turning into the internet of cyberthreats.

ADVICE

Companies need to pay more attention to their networks and who uses them. Use of third-party apps and systems cannot be eliminated so companies would do better to enhance the security of their internal systems, which is the part of that supply chain they have greater control over.



Artificial Intelligence

Don’t Worry, AI Won’t Take Over the World: Expert

The AI revolution is a real thing but it won’t end with robots taking over the world. That’s the opinion of a prominent industry insider as shared with CNet during a recent industry event: the Techonomy 2018 conference.

Kai-Fu Lee, chief executive of Sinovation Ventures and a former senior executive at Microsoft and Google, told CNet that although artificial intelligence will certainly disrupt the business world and the labor market on a global scale, it will not take over everything simply because AI cannot be creative or strategic. Also, AI cannot be compassionate, which will become a more in-demand skill for humans in the future when they will closely work together with artificial intelligence. “Jobs like doctors will require more EQ [emotional intelligence], more compassion, more human-to-human interaction, while AI takes over more the analytical, diagnostic work,” Lee said, noting that for all its benefits and the risks many other tech industry insiders see, AI will remain with limited potential and applicability that will ensure there is place for humans on the labor markets of the future as well. Yet this doesn’t mean nobody needs to worry about their job, although Lee did not provide a timeline for the AI-driven disruption of labor markets. “Anyone whose work is routine and has not much human-to-human interaction, those jobs are prone to be totally displaced.” By inference, people who work with people regardless of their area of expertise have not a lot of reason to worry for their jobs.

[Photo: Kai-Fu Lee, chief executive of Sinovation Ventures]

Another participant in Techonomy 2018 offered more optimism about the AI revolution. Paul Daugherty, the CTO of Accenture and author of “Human + Machine,” told CNet, “We see AI changing 90 percent of the work people do. Fifteen percent of jobs will be completely automated and replaced. But the majority of jobs will be improved.”

This improvement will take the form of machines partnering with humans to optimize their performance, as exemplified by Daugherty with a daily routine in the oil and gas industry: with the help of AI, an oil well drill operator would get immediate feedback about the well and this will help them steer the drill into the optimal direction. Currently, rig operators direct drills based on decisions made by human company executives, who, needless to say, lack tensile resistance and torque sensors as well as the ability to interpret such data fast. Whatever the limitations of artificial intelligence, however, companies would do well to start preparing early on, including by devising retraining programs for their employees and taking other necessary steps to adapt to a future workplace that would have a lot more machine participation in it.



Gartner’s Tech Trends for 2019

Gartner is out with its new set of technology predictions for 2019 and it identifies ten areas that will likely draw the most attention. Some of these are unsurprising and others are only emerging now, but all of them are fascinating.

First, there is automation and autonomy, one of the unsurprising trends. Self-driving cars are still a focal point of efforts in this area and attracting a lot of investment. Advancements in this direction will naturally be combined with developments in AI and the Internet of Things, Forbes’ Steve Andriole notes in an overview of the trends. Yet, however attractive this topic is for discussion and forecasts, we have yet to see an autonomous car on the road although it is unclear where things will be in five years. Factoring in regulation, which will be very tough, rest assured about that, they may just remain where they are right. Safety is a huge concern.

Augmented analytics is one of the less obvious trends listed by Gartner. The firm only mentioned this concept for the first time last year in a report aptly titled Augmented Analytics is the Future of Data and Analytics. Basically, augmented analytics means using machine learning and natural language processing to automate the process of gaining insight from data.

Again, the various tech solutions bundled under the name AI will feature big here. In fact, Gartner says that by 2022 some 40% of the process of developing new applications will involve AI alongside human developers. In fact, AI will, hardly surprisingly, have a wide, far-reaching impact on all sorts of other technology, basically enabling the creation and application of various new solutions.

One kind of these would be digital twins. A very Black Mirror-esque term denoting digital replicas of entities, including humans, digital twins can be used to create simulation models of the entities copied for various purposes. They can be used to predict future developments and events as well as behaviors.


Speaking of digital replicas, Gartner also sees augmented/mixed reality gaining traction next year. The company calls it immersive experience and believes as much as 70% of companies that make products or offer services that can benefit from the enhanced experience are already playing with the technology.

The empowered edge is another trend Gartner expects to see next year. It refers to the migration of computing from centralized facilities to the edge of the network, which would substantially increase computing power, Andriole says. In fact, he adds, computing power could be extended indefinitely by utilizing edge devices.

Smart cities, buildings, and companies are another trend that will see further development next year as will blockchain: Gartner expects the technology to reach a market size of $3.1 trillion by 2030 as it enters the mainstream.

Finally, Gartner identifies quantum computing as an important trend for next year. Calling quantum computing an emerging trend, however, would be an overstatement. Nascent would probably be a better word since it will be quite a while before we could derive some actual benefit from it. But the idea of a computer using superposition instead of binary code is definitely fascinating and will draw more attention going forward.

SOURCE: https://www.forbes.com/sites/steveandriole/2018/10/22/gartners-10-technology-trends-for-2019-the-good-the-obvious-and-the-missing/#3e26a6f05999
