The Australian government recently announced there has been ‘sophisticated, state-based cyber attacks’ on Australia. This is something that’s been on the radar for cyber security expert Peter Coroneos for years – and something he questions our readiness for.
Peter comes with a long list of accolades – International Vice President for the Paris-based Cyber Security Advisors Network, renowned cyber-policy author, and one-time advisor to the Obama administration’s National Cyber Security Leadership Team. With the COVID-19 pandemic still impacting communities and organisations around the world, we spoke to him to learn more about the risk of ‘cyber epidemics’ and the human cost of a cyber breach.
Never has this conversation seemed so relevant.
What would happen if there was the equivalent of a ‘cyber epidemic’ in Australia at the same time we were in lockdown due to COVID-19? What happens if we all get put in lockdown and no one can communicate?
I think that’s the big question, isn’t it? In 2005, we wrote a paper as the Internet Industry Association on telework. We were looking at the main drivers and impediments because we were using telework as a lever to get the government to invest in a national broadband plan for the nation.
In order to do that, we had to try and demonstrate the business case. So we thought: teleworking is a fairly compelling reason why a nation should have superfast, always-on broadband. When we looked at the drivers behind what would bring about an accelerated focus on teleworking, we identified four main drivers and, ironically, pandemic was one of them.
Now, due to COVID-19, companies have had to scramble to ‘remote-ify’ their workforce. That was the positive side. But one of the impediments that we saw back in 2005 was the inherent cyber risk in having a remote workforce. It struck me as a fairly scary idea that if we have a pandemic where let’s say 80% of knowledge-based workers are now working from home, what would happen if, simultaneously, we came under a nation state or highly sophisticated threat actor attack against our communications infrastructure?
The internet has basically saved us, in the sense that we’ve managed to maintain some economic activity during the pandemic.
What is our preparedness level for that type of attack: a nation state cyber attack on our communications network?
That’s a really scary question to contemplate. How prepared are we? I don’t think we’re prepared enough. I think anyone who is serious enough to want to attack our nation’s physical infrastructure could probably do so. I don’t know what the recovery plan might look like, but we’ve definitely seen proof-of-concept attacks in the world. Remember the Stuxnet attack in Iran, which then got into the wild? At one point I saw a statistic saying that 30% of the world’s utilities had now detected the Stuxnet variant on their networks. I would think it’s a fair bet to say that most infrastructures have been compromised to some degree. It’s really then down to what circumstances would trigger the threat actor to actually disable the infrastructure in question.
But even if we just confine it to telecommunications infrastructure, then even a minor outage would negate the economy-saving alternative that remote working has enabled us to do by the simple act of taking people offline. You would effectively cripple the economy.
I think that’s our worst-case scenario. It hasn’t happened yet. But could it? I guess that depends on how the geopolitics of the world continues to evolve.
If nothing else, it’s a wake-up call and an opportunity, so let’s treat the pandemic as a practice run. Yes, it’s been bad, but if we could collectively turn our minds to future scenarios where this became a more long-term problem, then I’d like organisations to start asking the important questions. How resilient are we? How prepared are we? How well trained is our workforce? How well have we managed the behaviours of our remote workers so that we are as resilient as possible?
Where we go from here is going to be really important.
In your book, The Cyber Breach Communication Playbook, you talk about the reputational impact of hacks on organisations, but what are your thoughts about the human costs of a breach?
While it is recognised, I don’t think the human element is sufficiently accounted for in the responses that we take as an industry and as a society. That’s the reason why phishing emails and social-engineering techniques remain so successful.
In the mid-2000s, I was on the steering committee of the Cybersecurity Awareness Week and we had senior government advisers trying to architect education campaigns for the masses. They kept talking in language around, “We’ve got to stop people taking risks.” I remember thumping the table and saying, “You have to understand that risk-taking is fundamental to how humans behave in life.” So the discussion shouldn’t be about how we prevent them taking risks, but how we inform them as to the risks so they can make the appropriate risk calculations.
I remember saying we need to engage behavioural psychologists, as this isn’t a technical issue. It goes way beyond the technical parameters of a breach or a vulnerability environment. This goes deep into the heart of why humans do what humans do.
So I’ve been very interested to develop my own thinking in this area around human behaviour. When we talk about the human dimension of a breach, we’re really looking at the ramifications – the product of a breach after it’s occurred. So the human dimension operates at both ends of the breach timeline. One is prior to the breach: what is it about humans that predisposes us to engaging in risky behaviours, even when we know them to be risky? And then once a breach occurs: what are the impacts on the humans that have been directly or indirectly involved?
Can you talk about your work around epidemiology and how the learnings from that medical discipline can be applied to the development of cybersecurity posture?
Two or three careers before getting into the internet, I was actually studying science at university and I went on to become a human biology teacher for about eight years, teaching some of the concepts around epidemiology. It just proves that in life, nothing you do is wasted.
So when I found myself in this leadership role within cybersecurity and seeing the language that was being used around computer viruses, that brought back to me a lot of the concepts that I used to teach. We were all starting to say that we needed to take an epidemiological approach to cyber risk, but no one really drilled into what that actually meant. It was almost a bit of a throwaway line.
So around about 2010, I had this idea: “I wonder if anyone’s ever actually gone and spoken to an epidemiologist?” I approached the head of the New South Wales AIDS Council and, long story short, an epidemiologist researcher ultimately agreed to come and present to a group of 120 cybersecurity members within the Internet Industry Association.
What I was really hoping to get out of the session was to get the attendees to think outside of the technical box and start to explore the human dimensions of epidemiology and what learnings we could gain from other disciplines that already understood some of the determinants of human risk behaviour. My premise was that the risk posture we assume in relation to some areas of life are quite often generalised to other areas of our life. So if we were a high-risk-propensity individual in respect of how we drive a car, then it’s probable that we’re going to be a little riskier in how we conduct ourselves online.
What came out of the discussion was that there was a lot to be gained by what work had been done in other disciplines.
What particular aspect of epidemiology do you think translates to the development of a cybersecurity posture?
The cybersecurity industry has matured a great deal in the past 15 years. I think they really are starting to take an epidemiological approach when it comes to the technical aspects of cybersecurity – and I could give you some examples of that: practices like network segmentation, in a sense, is the technical equivalent of social distancing where you’re keeping out of proximity to threat vectors.
Even perimeter defences somewhat replicate these epidemics. They’re not the 100% solution these days because of IP and other threats, but they equate to things like protective clothing and masks and gloves.
So the parallels are definitely there in terms of how we manage cybersecurity technically. But my contention is: how well are we translating the human behavioural learnings of epidemiology into the cyber-risk environment? What the epidemiologist researcher said was that you can’t use standard messaging and expect that it’s going to resonate across all risk groups. So the short point is you can’t apply a one-size-fits-all solution to managing the human dimension of cyber risk.
Listen to the full episode from the IDentity Today podcast below.
Subscribe via Omny or listen via Apple Podcasts, Spotify or your favourite podcast app from here.
