As a community, we are facing a threat that is greater than us as individuals or companies; a threat that affects the entire country and society as a whole.
So said Charl van der Walt, chief strategy officer, SecureData and SensePost (UK), during his keynote address at ITWeb Security Summit 2019, in Sandton, this morning.
“For everyone whose role has something to do with risk management or cyber security, mitigating that threat is a responsibility that falls to you. As a community, we need to step up and take the threat seriously.”
Speaking of how SA rates in terms of cyber security posture, he said SA has a deep pool of infosec talent. “We have a number of world-class players that have made a significant impact on the world stage and we can build on that.
“Does that raise us up in terms of how robust we are? Look at the Master Deeds data breach that exposed the details of some 60 million South Africans. Even if you weren’t personally affected, in reality, we all were.”
When we benchmark SA it’s hard to know whether we are better than others, but big breaches do happen to us. “Generally, when we talk about security, we talk about likelihood of the risk equation. How often do events happen? How well are we patched? We don’t talk about the severity. The notion of benchmarking to try and find a technical level is misleading and misses a very important point.”
Security is much more than a financial problem, Van der Walt continued. “Truth is a security problem… If consumers of digital information can’t trust the origin or the accuracy of that information, it threatens the wellbeing and smooth running of society as a whole.
“Integrity is an information security problem. It’s up to us as an industry to help create a world in which information can be trusted.”
Freedom is a security problem. In 2016, US president Donald Trump was elected, and we have learned without a shadow of a doubt, the outcome of the election was in part due to targeted hacking, media trolling and direct attacks against infrastructure. It was a case of one nation subverting the democratic processes of another, he added.
In today’s reality, democracy depends in a fundamental way on the security, confidentiality, integrity and availability of all the platforms and systems that store, process or communicate the personal and private information of citizens. “It’s our job to ensure the appropriate security of data. Every time we fail, it’s a setback for a free and open society.”
Sovereignty is a security problem too. “In 2009, the British government retracted our right to travel without visas. They didn’t believe in our security processes to give citizens authentic passports. So they imposed their own controls. If we want other nations to take us seriously as a nation, then we need to be able to demonstrate to them that we can be trusted with our security, and with theirs.”
Our national security is also a security problem. “Look at the recent compromise of WhatsApp. It was a result of an Israeli company called the NSO Group. They sell exploit kits that sell for up to $60 million. These kinds of exploits are being sold exclusively to governments, which creates an ecosystem of exploit brokers. There are actors who will pay millions for an iOS 5 exploit, for example.”
An ex-Mossad director said we are in a soft and silent nuclear war, and cyber attacks pose the biggest threat to the world. “And hacking to punish is the only way we can protect ourselves. The players in this conflict are highly motivated, well-financed and extremely skilled, and their intent is pursuing national objectives. Nations are grabbing cyber space.”
Our independence and integrity as a nation depends on our ability to ensure the integrity of the digital systems on which modern economies depend. This is not just a problem for the military and government, but for everyone tasked with protecting a system that people in SA use, he pointed out.
The balance of power is another security problem. “Take the recent Huawei, Google conflict between the US and China. US and allies are saying they cannot afford to put Huawei into their country because it will be used by China. They call it a supply chain attack. And this rationale holds for us as well. When we put any other country’s equipment into our networks, we are putting ourselves into their hands, and becoming dependent. Would we still be in a position to assert ourselves once China owns all our data centres?”
He asked: What is the implication for our future as a nation if we are effectively occupied and forced into an allegiance with a new kind of colonial technology super-power? “Cyber space is ‘balkanising’ and security is one of the chief drivers.”
The Internet has a security problem, he continued. “In the face of these nation-on-nation attacks, in which none of us can reasonably defend ourselves, governments are stepping in and saying they have to take responsibility. At the same time, they are using tools that are super-secret, and it becomes opaque. We lose power, independence, transparency to government, because we can’t secure ourselves.”
Because businesses believe they cannot protect themselves, they defer some power to government, and the rest they will increasingly defer to insurance companies.
“Are we comfortable to live and work on an Internet that’s controlled by opposing government, regulated by insurance companies, and dominated by ex-military contractors, or do we prefer to take responsibility for our own, free and open, civilian space?”
“Security has a people problem. The threat we are facing is very real. Like the Deathstar, it has the ability to destroy planets. Forgive my Star Wars analogy, but we as the people in cyber need to step up and address these issues. Forget the stupid hats. White hats, black hats, threat actor labels, exploits. We need to be serious in how we talk about security. We need to talk about serious things, in serious ways.”
We need to be honest and start addressing the problem of incentives. “We exist to make profit as a vendor, or if you’re on the other side, to protect the profits of your shareholders. We need to move beyond that. Security is a societal problem. We need to look at its broader impact on the world.”
Finally, noted Van der Walt, we need to find the right leaders. “If you accept that notion of incentives, it’s because my company has a vested interest in getting a voice on the stage. We need the people who hold the greater good of society in mind, and lead the conversation.”