At a time when companies are switching their business models to digital, cybersecurity has become a boardroom concern, for its implications now directly affect the balance sheet. However, it’s becoming increasingly difficult to objectively quantify a company’s cyber risk considering the dynamic nature of an organization’s perimeter, which in most cases cannot be distinctively defined thanks to BYOD (bring your own device), BYOA (bring your own access) and Dynamic DNS set-ups among others. The other component hindering quantification is the known unknown attack vectors.
Reports estimate that the overall cost of cybercrime will touch $2 trillion (around Rs135 trillion) by 2019.
Very recently in India, we saw 3.2 million debit cards being hacked; we have seen the largest bank in the world—JP Morgan Chase—being hacked even though it spends $300 million on cybersecurity annually. We have seen companies headquartered in the Silicon Valley, built by the best tech minds from around the world, being hacked—among them Yahoo and Twitter. These examples clearly indicate that there is no such thing called 100% security. As in the physical world, the digital world also cannot be secured completely; it will be all about managing and mitigating risks.
Cyberspace is continuously changing and evolving. In the future, companies will have to look at a three-dimensional approach of proactively protecting their digital stacks via technology and process-level controls, continuously monitor incidents and events and respond in the quickest and most efficient way possible in case there is an incident. Clear heat maps of data sets versus threat actors such as insiders, competitors, hacktivists, state-sponsored hackers, terrorists, script kiddies and organized criminals will be mapped specific to the industry and the company to prioritize security efforts.
At the government level, recognizing the strategic dimensions of cyberspace, the Prime Minister’s Office (PMO) created the position of national cyber security coordinator in 2014, which is a great move. I feel Reserve Bank of India initiatives such as ReBIT (Reserve Bank Information Technology Pvt. Ltd) will enable the much required streamlining of financial services, IT and information security from a regulatory compliance standpoint. The recent push to have an independent payments regulator highlighted in the recent budget by the finance minister is another positive step in this direction.
The future of hacking from a techie’s lens looks very, very exciting. We have already seen an explosion of on-demand hacking services like Haas (hacking as a service), and this will only expand in the future. From script kiddies to a bustling underground marketplace of tailor-made targeted DIY (do-it-yourself) exploits that have 24x7 support, along with the release of continuously enhanced and more sophisticated versions of a malware—it’s all now just a few clicks and a few hundred dollars away. With other hack enablers such as bot nets readily available to be purchased by the hour, the possibilities of a normal tech enthusiast executing a successful hack go up exponentially.
With faster and cheaper computing power readily available, we will see the rise of more complex crypto algorithms with longer key values. This isn’t all good news, for complex crypto is always a double-edged sword—on the one hand, it does make it hard for a hacker to decipher the data both in motion and at rest; on the other, it becomes extremely difficult to decrypt system files affected by ransomware or doxware.
We have been hearing about the shift from a signature-based analysis system to a behaviour and context-based system for quite some time now, but thanks to machine learning and artificial intelligence, I feel we will be able to take tangible steps towards this very soon. AI (artificial intelligence) and ML (machine learning) will also play an extremely important role in real-time learning about individuals from available data over the Internet to create a mind map (which will get more accurate as the data set increases) of an individual you might meet for the first time—taking the entire privacy debate to an absolutely new level. Not to forget the possible implication of an artificial intelligence attack on the Internet—something that’s only a “matter of time”, in the words of SpaceX’s Elon Musk.
There will be a clear shift to objective and quantized cyber risk management techniques that will incorporate the known unknowns to make cyber risk an informed business decision. The attack surface will not be restricted to internal IT but will extend to third parties, cloud providers and social media, among others. The focus in the future will not only be on security products but on building secure products from the ground up.
The way we are adopting digital, with a clear push coming from the top in both private and public set-ups, technology is going to take centre stage in the success of most new initiatives. And while this happens, the key for the industry will be to learn from cyber attacks and embed the learnings into our defence systems as quickly as possible. To err once is human, to err twice is lazy.
Saket Modi is the CEO and co-founder of Lucideus
This is part of a series of articles in Mint’s 10th anniversary special issue that look at India 10 years from now. The entire list of articles can be found here