THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
NAVIGATING THE DIGITAL AGE
SECOND EDITION
We are at a pivotal moment in the evolution of digital technology. The pace of change has never been faster or more profound. As we entered this century, there were no smartphones, tablet computers, or vast social media networks. Now they are deeply embedded in the fabric of our everyday lives.
Where do we go from here? How do we ensure the technologies we treasure will enrich us? What inventions and innovations will inspire the next wave of change? Perhaps most important, how do we ensure that our digital interactions are secure and the people using them feel safe?
That’s where this book comes in. Our purpose is to shed light on the vast possibilities that digital technologies present for us, with an emphasis on solving the existential challenge of cybersecurity. If we fail on the cybersecurity front, we put all of our hopes and aspirations at risk. So we start this book with a simple proposition: When it comes to cybersecurity, we must succeed.
Two pressing issues are the lack of cybersecurity education for youth and the anticipated shortage of cybersecurity talent in the workforce of the future. Your readership enables us to support and elevate cybersecurity education for all students through the Global Cybersecurity Education Fund.
How we work together, learn from our mistakes, deliver a secure and safe digital future—those are the elements that make up the core thinking behind this book. More than 50 experts from around the globe have contributed their thoughts and ideas. Individually, the chapters are dynamic and thought-provoking. Collectively, they point the way to a more secure and safe digital future.
We cannot afford to be complacent. Whether you are a leader in business, government, or education, you should be knowledgeable, diligent, and action-oriented. It is our sincerest hope that this book provides answers, ideas, and inspiration.
www.navigatingthedigitalage.com
Table of Contents
10. Cybersecurity and the Board: Where Do We Go From Here?
Mario Chiock — Schlumberger Fellow and CISO Emeritus, Schlumberger
How Work Requirements and Ethical Responsibilities Come Together
11. Cybersecurity and the Future of Work
Gary A. Bolles — Chair, Future of Work at Singularity University; Co-founder, eParachute.com; Partner, Charrette; Speaker and Writer
12. The Ethics of Technology and the Future of Humanity
Gerd Leonhard — Author; Executive “Future Trainer;” Strategist; Chief Executive Officer, The Futures Agency
Part 2 – Lessons From Today’s World
Introductions
13. If You’re Not Collaborating With Colleagues and Competitors on Cyber Threat Intelligence, Beware: The Bad Guys Are Way Ahead of You
Sherri Ramsay — Cybersecurity Consultant; Former Director of the U.S. National Security Agency / Central Security Service Threat Operations Center
14. Compliance Is Not a Cybersecurity Strategy
Ryan Gillis — Vice President for Cybersecurity Strategy and Global Policy, Palo Alto Networks
Mark Gosling — Vice President, Internal Audit, Palo Alto Networks
Cybersecurity Awareness, Understanding, and Leadership
15. Security Transformation As a Business Imperative
John Scimone — Senior Vice President and Chief Security Officer, Dell
16. The Importance of Cybersecurity Preparation and Leadership
Stephen Moore — Vice President and Chief Security Strategist, Exabeam
17. Data Manipulation, Law Enforcement, and Our Future: Seeking to Build Trust in Our Digitally Connected Systems
Dr. Philipp Amann — Head of Strategy, Europol’s European Cybercrime Centre (EC3)
The Convergence and Divergence of Compliance and Cybersecurity
18. Why Secure Availability—Not Compliance—Should Be Every Business Leader’s Goal
Danny McPherson — Executive Vice President and Chief Security Officer, Verisign
17. Data Manipulation, Law Enforcement, and Our Future: Seeking to Build Trust in Our Digitally Connected Systems
Dr. Philipp Amann — Head of Strategy, Europol’s European Cybercrime Centre (EC3)
While we have traditionally considered data manipulation as the practice of altering documents and other information, that definition is changing. When we think about data manipulation now, the alteration of documents and information done with a criminal or harmful intent has become a major concern, but not the only one. We also think about things like fake news, social engineering through the discrete mining of social media information, and the use of data as a tool—or a weapon—to shape people’s thoughts, ideas, opinions, and, ultimately, their actions.
As highlighted in Europol’s Annual Internet Organised Crime Threat Assessment, data remains a key commodity for cyber criminals. However, it is no longer just procured for immediate financial gain, but it is also increasingly used, manipulated, or encrypted to further more complex fraud, for ransom, or directly for extortion. The illegal acquisition of intellectual property or its manipulation can reflect the loss of years of research and substantial investment. Data manipulation in this context can also mean using hiding techniques such as steganography to exfiltrate data or hide command-and-control commands. [1]
Data manipulation has become a moving target for those of us in the business of combating criminal activity online, building trust, and protecting our way of life in the Digital Age. Adversaries who manipulate data with malicious intent are constantly developing new tactics and attack modes, seeking any edge in a world where all of us are increasingly dependent on digital connections. This includes activities by criminals who hide their identity, mask their location, and obfuscate their financial transactions.
The Evolving Role of Law Enforcement
What can we do about data manipulation? The first focus for law enforcement is on investigating criminal behavior and prosecuting those responsible for crimes. With certain aspects of data manipulation and the often related criminal abuse of information technology, we have made significant headway in investigating and prosecuting criminals and shutting down illegal activities. A few examples:
AlphaBay and Hansa: In July 2017, authorities in Europe and the U.S., including the FBI, the U.S. Drug Enforcement Agency, and the Dutch National Police, with the support of Europol and other partner agencies, announced that they had shut down AlphaBay, at the time the largest criminal marketplace on the Dark Web, and Hansa, the third-largest criminal marketplace on the Dark Web. Both AlphaBay and Hansa were enabling massive amounts of illegal drugs, stolen and fraudulent identification documents, access devices, malware, and fraudulent services to be traded amongst cyber adversaries, which were enabling future data-manipulation crimes to be committed. [2]
Operation Power Off: In April 2018, the administrators of the distributed denial-of-service (DDoS) marketplace webstresser.org were arrested as a result of Operation Power Off, a complex investigation led by the Dutch police and the U.K.’s National Crime Agency, with the support of Europol and a dozen law enforcement agencies from around the world. Webstresser.org was considered the world’s largest marketplace for DDoS services. These services enabled cyber adversaries to use data manipulation to launch approximately four million attacks measured, aimed primarily at critical online services offered by banks, government institutions, and police forces. [3]
There are many more examples of successful law enforcement efforts that we can cite, but I am pointing to these because they have specific common characteristics:
1. They involved a coordinated effort across law enforcement agencies all over the world, along with the support of governments, regulatory bodies, and private companies. This is an absolute necessity if we are to successfully address criminal activity online, including today’s data manipulation challenges.
2. The crimes involved activities that were clearly illegal, and thus fit into the law enforcement model for investigating and prosecuting criminal activities. But, as cybercrime and malicious data manipulation evolve, not every instance will be clearly defined by legislation or regulation, thus making it more challenging to prevent, defend, investigate, and successfully prosecute perpetrators.
3. In each instance, law enforcement was in a position to be more reactive than preventative. Our ultimate goal is to be both. Law enforcement needs to successfully leverage resources from all around the world, not only to respond to crimes, but also to prevent and deter the criminal activity from happening in the first place, and ultimately to become more proactive.
These examples also highlight the high degree of professionalism, collaboration, and industrialization of the underground economy, where services and tools supporting the entire “cybercrime value chain” are readily available online and to non-tech savvy individuals.
Disrupting, Deterring, Diverting, and Defending
In dealing with malicious data manipulation and cybercrime, the expectation is that law enforcement—together with all relevant partners and in accordance with its mandate—will take on a more expansive and complementary role in defending against, disrupting, and deterring illegal activities before they can do harm and cause losses. This is why prevention and raising awareness are key topics, particularly in relation to addressing high-volume and low-level criminality online.
Law enforcement is in a unique position. Not only do we understand specific modi operandi and techniques when it comes to cybercrime; we are also constantly monitoring trends and threats, while analyzing the evolving motivations impelling those who would do us harm.
However, when it comes to data manipulation, even when activities are motivated by malicious intent, we are sometimes unable to contribute as effectively as we would like. One reason is that not all of the forms of data manipulation we encounter are properly defined as criminal by legislation. In other words, the intent may be malicious, but that doesn’t necessarily make it a crime. There is also a lack of a harmonized common legal framework or an underuse of existing legal frameworks and provisions, meaning the same activity might be criminalized in one jurisdiction, but not in another.
Access is another issue. Not every organization involves law enforcement when it first encounters a problem. There are many possible reasons for this. However, I would ask executives to preemptively think about how they work with law enforcement—before they have an issue. By building a proactive partnership with law enforcement, you will be better equipped to prevent an attack and enable a stronger and more impactful response should an attack occur.
Even in instances where access is possible, we face challenges in relation to loss of data and loss of location, which create substantial obstacles for investigations. There is also a need for standardized rules of engagement with private industry to establish a clear understanding of the extent to which private parties can engage with us and we with them.
When it comes to young people with strong information and communication technology (ICT) skills, we also support projects such as the “deterring youngsters initiative,” which, together with industry and academia, aims to divert young people away from a potential pathway to cybercrime by offering positive alternatives. [4] We see this not only as an opportunity to divert such talent to positive activities, but also as a way of addressing the shortage of ICT skills.
Cooperating, Collaborating, and Connecting
If there is one thing we’ve learned about today’s cyber environment, it is that we are all in it together. We can gather strength in numbers and in pooling our knowledge, experience, and resources. It is a truism of the Digital Age that we are all connected. Our adversaries try to take advantage of our uber-connectedness—we should do the same in fighting them.
This touches upon the question of safeguards against and regulation of data manipulation, as well as responsibilities. Should it be left to tech companies to self-regulate when it comes to issues around data mining, data privacy, and data manipulation, or should the discussion involve all stakeholders, including industry, law enforcement, and the public? I would argue for the latter approach.
Regulatory and legal frameworks are just one example. If you look across the cybersecurity spectrum, you will see that every facet involves some level of cooperation and collaboration—from technology platforms designed to work seamlessly together, to law enforcement agencies that work together to not only investigate crimes, but also to detect, deter, divert, and to help defend.
The No More Ransom initiative is a great example of a joint initiative between law enforcement and industry, aiming not only at prevention and awareness, but also victim mitigation. [5] The joint platform is currently available in more than 30 languages and supported by more than 120 partners, offering more than 50 decryption tools, free to victims of ransomware.
Building Transparency, Oversight, and Trust
In order to attain the levels of collaboration and cooperation necessary to address data manipulation, we must trust our people, processes, and technologies and build trust-based relationships between industry partners and law enforcement. This means we have to also address issues around transparency and oversight, which are becoming far more complex as technology innovation continues to accelerate and flourish.
The growth of big data analytics and automated decision-making creates new issues in terms of transparency and oversight, and therefore trust. This challenge could become exacerbated with the expansion of machine learning and artificial intelligence. When we allow automated decisions to be based on an algorithm, we may not have a clear way to determine if the data or the algorithm has been manipulated, which becomes further complicated if the algorithm has a built-in bias. This can add risk and make it difficult to audit and/or verify the outcome of such processing.
Trust is also an increasing issue in the area of fake news. It’s not just that fake news is being created and real news is being manipulated; sometimes only partial information is shared, thus creating a narrative that seems plausible, but which is not based on all of the available information. It is designed to support a specific idea rather than provide an accurate depiction of events. The challenge is compounded because adversaries are not necessarily breaking the law; they are merely taking advantage of their deep knowledge of social media and search-engine algorithms to manipulate data.
Finally, trust is also a key ingredient to successful public-private partnerships.
Moving Forward
Data manipulation is on the verge of becoming one of the largest criminal industries. Today’s reality is that law enforcement has a vital role to play in creating a more impactful and proactive response, not merely reacting to criminal activities. Everyone benefits from a holistic, adaptive, and complementary approach that involves all relevant partners, one where organizations can leverage the capabilities provided by law enforcement agencies. For example:
• With prioritized and coordinated joint actions against the key cyber threats—supported by adequate legislation—we can increase the risks for cybercriminals and impose real consequences.
• With effective prevention and disruption activities, we further tip the scales to the detriment of criminals by leveraging cooperation and partnerships across law enforcement, government, and private industry.
• With advanced technologies and open platforms, we can use shared threat intelligence, machine learning, and automated decision-making to reduce risk and improve responsiveness. This enables us to eliminate manual processes and use software to fight software while adhering to strict data protection regulations.
• With greater collaboration and commitment to sharing, we can band together as a community to use combined resources in the war against data manipulation. The cyber industry has made great progress in this area through the establishment of platforms such as the Cyber Threat Alliance (CTA), a not-for-profit organization that enables near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field. Another great example for collaboration that includes law enforcement as a key partner is the Cyber Defence Alliance. And we have also made significant headway together with the members of our own Advisory Groups.
Looking Ahead
How do we turn this vision of cooperation and collaboration into reality? Europol and its European Cybercrime Centre (EC3) and its many different partners in law enforcement, industry, and academia are a prime example of the power of a networked response to cybercrime at scale. However, we need to continue to improve and forge new alliances, further our cooperation with other partners, and continuously adapt our response. We also need to focus on areas such as regulations and technology to clarify criminal activity, improve our preparedness, and enhance our ability to coordinate a response:
Regulations: With General Data Protection Regulation (GDPR) in Europe, we are seeing the benefits of proactive regulation with a strong cybersecurity element. GDPR forces organizations to understand what data they have, where it is stored, who works on it, who can manipulate it, and how to protect these assets. That is linked to quality and information management, with organizations defining how they run their businesses in relation to cybersecurity risk. It also promotes the idea of designing security protections into products and services.
Taking a broader perspective, GDPR is about improving business and management practices, understanding core business processes, and identifying the assets of an organization, as well as its risk posture. While GDPR is an important piece of legislation, its impact on the WHOIS database going dark after May 25, 2018, had substantial cybersecurity implications, not only for law enforcement, but also for the internet security industry as a whole. This highlights the need to strike a balance between privacy and protection of fundamental rights on the one hand, and security and safety on the other.
Technology: Cyber criminals are adopting new approaches to increase their capacity to manipulate data and commit cybercrime. We must use current and emerging technologies to prevent them. This means the use of shared threat intelligence, open platforms, AI, machine learning, and more. It also means we must explore the benefits of innovations, such as blockchain technology, to create an environment that is more transparent, trustworthy, and resilient.
Big Data analytics, machine learning, and AI can improve cybersecurity through better threat detection and prediction, intelligence collection and analysis, and faster response. With effective use of information, the deployment of scarce operational resources can be better targeted to intervene precisely where issues, crimes, and threats can be expected. However, it is important that we use such tools carefully, proportionally, and in line with relevant legislation and regulations.
An example of using technology and information collaboratively and effectively can be found in the Adversary Playbooks program that has been developed by the CTA. CTA members leverage an automated platform to share actionable intelligence to create Adversary Playbooks that provide a consistent framework to identify broad threat indicators and adversary chokepoints. These playbooks typically incorporate several core elements: technical profiles, typical plays, recommended actions, and technical indicators.
Suggestions for Business Leaders and Executives
Beyond regulations and technology, business leaders and executives have a vital role to play in addressing the evolving challenge of data manipulation. They have a responsibility to set the cybersecurity agendas for their organizations and decide on the appropriate investments in people, processes, and technologies. Suggestions on steps business leaders and board members can take:
Develop an understanding of the evolving adversarial mindset: Executives can look to sponsor initiatives that drive your organization to build a proactive trusted partnership with law enforcement agencies. In doing so, you can gain insights into the motivations, technologies, techniques, and business models of cybercriminals, which can help to define the steps your organization can take to be better enabled to prevent an attack. Also look to collaborate with organizations, such as the Cyber Security Information Sharing Partnership, which enable secure threat intelligence to be shared.
Require organization-wide training and education: We all must be educated about the risks of data manipulation and the need for improved cybersecurity. This often starts in the executive suite, where C-level executives must understand risks so they can make the proper investments and strategic decisions. It also extends to security personnel, who are in relatively short supply in comparison to the need. So inspire, incentivize, and reward your IT security personnel to keep vigilant and informed. And recognize that, as leaders, we must leverage education and training in our work and classroom settings so users are aware of how they can mitigate risk whenever they go online.
Insist on a holistic approach: Cybersecurity should be part of a holistic approach that should be part of all processes. Business leaders and board members need to establish a cybersecurity culture whereby everybody is aware of his or her responsibility, and security and privacy “by design” are guiding principles. Since humans are often the weakest link, ongoing training, education, and creating awareness are indispensable tools in protecting against cybercrime and data manipulation.
Conclusion
The world is changing before our very eyes. The threat to data encompasses all three principles of confidentiality, integrity, and availability. By gaining access to data and subsequently exposing such data, criminals undermine the confidentiality of information. By manipulating the data, they undermine the integrity, and by attacks such as ransomware, they make the data unavailable. While data is a commodity now, it is increasingly emerging as a cybercrime attack vector through means such as data manipulation, compromised processes, and the increased potential to shut down basic infrastructure services and other pillars of our societies.
The good news is that no one is alone. In fact, we are all connected, both literally and figuratively. Our connected networks give us the ability to coordinate and collaborate in the face of data manipulation and cybercrime. Will we be able to build the trust necessary among our people, processes, and technology to overcome these threats? We must, we can, and we will.
[1] “Criminal Use of Information Hiding (CUIng) Initiative,” http://cuing.org/
[2] “Massive Blow to Criminal Dark Web Activities After Globally Coordinated Operation,” Europol, July 20, 2017
[3] “World’s Biggest Marketplace Selling Internet Paralysing DDOS Attacks Taken Down,” Europol, April 25, 2018
[4] “Cyber Crime vs Cyber Security: What will you choose?,” Europol, https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/cyber-crime-vs-cyber-security-what-will-you-choose
[5] “No More Ransom project helps thousands of ransomware victims,” ZDNet, July 27, 2017