(Featured Image: EnglishAlmanar)
In an increasingly digitised world, the prevalence of cyberattacks comes as no surprise. With greater connectivity also comes vulnerability to malice and abuse. Cyberattacks can take a wide array of forms, but they are essentially socially, politically, or financially motivated operations to manipulate, disrupt, or destroy information stored in computers and computer networks. Given the high level of digital penetration worldwide, almost any individual or organisation (government, military, and corporation) can fall victim to cyberattacks. The recent wave of cyberattacks by the WannaCry ransomware that affected as many as 300,000 computers worldwide is just the latest in a recurring pattern of cyberattacks. The attacks, which were discovered in May this year, disrupted computer networks of governments and industries from as many as 150 countries.
Trend Micro, a cybersecurity solutions firm, reported in its 2016 Security Roundup that cyber threats reached an all-time high in 2016; its protection networks blocked more than 81 billion threats for the year, a 56% increase from 2015. Singapore too experienced major attacks in 2017. Government- and research-related data stored in the systems of the National University of Singapore and Nanyang Technological University were targeted by hackers in April 2017. Even the Ministry of Defence was not spared as it experienced its first cyber breach in February when personal details of 850 of its personnel were stolen in a “targeted and carefully planned” attack. These developments warrant a closer look into the nature of cyberattacks and the impact they make at present and in the future.
The ‘Who’ & ‘What’ of Cyberattacks
The parties behind cyberattacks can range between state and non-state entities. When pursuing an objective of national interest, states often deploy cyber capabilities for reasons like espionage, intelligence gathering and sabotage. The pervasiveness of the cyber dimension means that almost every country has or wants to have the edge in cyber power; Russia, North Korea, US and China are just some state entities that are known to have well-developed cyber capabilities.
Among non-state actors, cyber criminals often use cyber tools to illegally access computer networks for financial gain. Juniper Research estimates that cybercrime will cost businesses over US$2 trillion by 2019. What makes cyber criminals so ‘successful’, is their ability to exploit the weakest link in any computer network – the people who use it.
Hacktivists, a combination of “hacker” and “activist”, usually use computers and networks to push a political or social agenda. The most popular example of a hacktivist group is Anonymous, a collective known for cyberattacks on organisations like the CIA, Ku Klux Klan and PayPal.
The cyber domain can be seen as a cyber ‘arms race’ between the ‘good guys’ – security firms, government organisations and other specialists – and the ‘bad guys’ like cybercriminals who use a range of “weapons” for various types of cyberattacks.
Some cyberattacks are targeted attacks geared at particular organisations or individuals to obtain information of value. This involves studying the target well and tailoring an attack that exploits the target’s vulnerabilities. An example of a sophisticated targeted attack was the use of the Stuxnet worm, a malicious software program, allegedly by the US and Israel to sabotage a uranium enrichment facility in Iran as part of disrupting Iran’s nuclear program.
An advanced persistent threat (APT) is a kind of targeted attack that is carried out continuously and persistently using a variety of means in order to gain access to the target. APTs can be carried out through servers and websites, or social engineering that deceives users into accessing malicious programs or websites. The cyberattacks on NUS and NTU earlier this year are an example of APTs as they were customised to get around security measures and possibly carried out by individuals associated with the entities.
Phishing is a common form of deceptive attack in which a phony webpage that looks like the legitimate one tricks users into revealing sensitive information such as credit card details. There have been a growing number of phishing attacks in Singapore involving fake government websites being set up to phish for personal data.
A botnet (also called a “zombie army”) refers to a collection of software robots, or ‘bots’, that run automated tasks over the internet at the command of the cyberattacker. Compromised computers are frequently used to launch Distributed Denial-of-Service (DDoS) attacks against websites. An example of a zombie army in action was the Mirai botnet attack in October 2016 that is thought to be the largest of its kind in history. It took down much of the internet in the US by attacking the servers of Dyn, a company which controls much of the internet’s domain name server infrastructure. The Mirai botnet, estimated to involve as many as 100,000 malicious devices, was twice as powerful as any similar attack on record.
As mentioned above, a Denial-of-Service (DoS) attack is an attempt to make a computer resources such as a website unavailable to users. One common method of attack entails saturating the target with external communications requests to the extent that it cannot respond or responds too slowly to be effective. Although simple, DoS attacks can be very effective; they were reportedly used by Russian hackers in 2007 against government, bank, and media websites of Estonia, and succeeded in disrupting internet communications for several days throughout the country.
Cyberattacks at what Cost?
Cyberspace has become such an integral part of modern life that its ‘dark side’ of cyberattacks have made significant impacts on different aspects of society. The political and economic impacts are worth highlighting for the ill-effects they have brought on.
In the political sphere, suspected Russian hacking of servers belonging to the Democratic Party and of one of its senior officials in the US, and the subsequent release of the server’s contents such as emails via Wikileaks greatly undermined the Presidential election campaign of then-candidate Hillary Clinton. It asked serious questions of the integrity of the democratic process in the US, not to mention damaging America’s standing on the world stage. Notably, the leak of 10 years’ worth of emails of the senior Democratic Parry official John Podesta, who at the time was the Chairman of Clinton’s election campaign, was due to a phishing scam that allowed hackers to get hold of Podesta’s password.
The Russian government has denied any involvement in the attacks, though in June 2017, Russian President Vladimir Putin hinted at Russian involvement by saying that the attacks could have been done by “patriotic citizen-hackers” from Russia. Regardless of whether there was Russian involvement, the cyberattacks have already done their damage. Investigations and media coverage on the attacks continue to dominate political affairs and the news cycle in the US and elsewhere, distracting politicians from tackling other important issues.
Cyberattacks have made huge dents in the business sphere. Although it is hard to put an accurate number on the financial cost of cyberattacks, studies such as those by specialist insurer Hiscox have estimated that cybercrime, a major objective of cyberattacks, have cost the global economy $450 billion in 2016. Costs may be incurred for a multitude of reasons: technical investigations into attacks, legal fees, investment in cybersecurity system improvements, increase in insurance premiums, operational disruption and loss of customer confidence.
There is a strong case for businesses to allocate more resources to protect themselves and share more information with the industry and authorities so a collective cybersecurity strategy can be developed. Companies often tend to avoid reporting cyber breaches for fear of reputational damage.
Looking beyond the Cyberhorizon
The nature of the cyber threat is that it constantly evolves. Moving on from phishing emails and ransomware, what will the next generation of cyberattacks be like?
According to forecasts, the evolution of cloud and mobile technologies, as well as the emergence of the “Internet of Things” (IoT) will comprise the next generation threat. Mobile devices like the ubiquitous smartphone present the biggest risk category. Smartphones are an attractive target to cybercriminals because of the sheer number in use and the multiple ways they can be compromised such as through malicious apps and web browsing. A smartphone user can be a victim of a “drive-by attack” if he or she visits a malicious website that can ‘fingerprint’ the phone when connected to the site and capture information on the phone’s vulnerabilities.
The emergence of IoT, which refers to devices that are connected in a network and communicate with each other, presents an unprecedented opportunity for hackers. Technology research firm Gartner predicts that by 2020, there will be more than 20 billion connected devices. And according to an AT&T cybersecurity report, there has been a 458% increase in the number of times hackers search IoT connections for vulnerabilities. The powerful Mirai botnet attack mentioned earlier was unprecedented in scale partly because it attacked IoT devices in addition to computers.
As the volume, frequency, sophistication and variation of cyberattacks grows, the world faces a shortage of cybersecurity experts to fight the cyber ‘arms race’. The ISACA, a non-profit information security advocacy group, predicts that there will be a global shortage of two million cyber security professionals by 2019. In Singapore, where the shortage also exists, the government is taking steps to increase the pool of cyber talents in the public sector over the next few years. But more needs to be done. Based on 2015 figures, there are 15,000 vacancies in Singapore’s information and communications (ICT) sector.
One suggestion from industry observers to fill this shortage is to diversify the search for cyber talent away from traditional disciplines like computer science. Since cyber security affects just about anyone connected to the vast digital commons, talent and solutions should also be sought from a diverse pool including those from non-traditional backgrounds to bring greater numbers and newer ideas to beat cyberattacks. After all, if cyberattacks are a ‘new normal’ in our everyday lives, there needs to be a new way to secure ourselves as well.