Cyber Ecosystems against Cyber-Crime
Nicolas Arpagian is Cybersecurity Strategy Director of Trend Micro. He is also Advisor to Mr Michel Van Den Berghe, appointed by the French Prime Minister to build the Cyber Campus, a hub of cyber security that will bring together the main national and international actors in the field to federate the cyber security community and develop synergies.
The cyber ecosystem is extremely large. In the digital world, physical barriers are removed and anyone with an internet connection can partake in cyber activities, legal or fraudulent. A portion of the population uses illegal ways to watch live video streams of soccer matches for example, without really defining themselves as hackers.
International organizations have started talking about ‘cyber ecosystems’ against the cyber-crime industry. The World Economic Forum, amongst others, provides guidelines to improve cyber resilience, including strengthening ‘ecosystem-wide collaboration’ and sharing data about cyber-attacks amongst trusted parties in the same economic sector or economic chain. This type of recommendation has existed but confidentiality, reputational concerns and uneven levels of cyber maturity stood in the way of sharing information on attacks: discussing weaknesses is not something that companies traditionally like to do, especially as these new partners in the cyber security ecosystem might be competitors on the business side, for example clients or providers. However, sharing data around attacks has become absolutely essential.
To partake in such an ecosystem, corporations must consider two things. First, cyber risks cannot be avoided: it is not a question of whether an attack is going to take place but rather when will it happen. Second, there will always be a ‘patient zero’, the first entity to be infected. Partners need to go beyond the stigma of being the victim of a cyber-attack. Creating an ecosystem where trusted partners share data about cyber-attacks allows for a better understanding of the point of view of attackers. A member may realize that a business software they use has a vulnerability or that this vulnerability has been compromised, and know that many other companies in the same business sector use the same software and are therefore at risk or already under attack.
While it may seem counterintuitive to discuss weaknesses, sharing data around cyber-attacks has become absolutely essential.
In practice, there are several important ingredients in building a resilient ecosystem. Ahead of the attack, partners need to know and trust each other, to have agreed on their strategy and confidential communication channels. They also need to know how to document the attack in a way that is useful to others. To do so, imagining that someone else is the victim and is giving you the intelligence you need helps: you would want to know the context, what happened, what the symptoms were and how the attack was handled.
An ecosystem goes much beyond economic interests. It requires seeing the world in a transverse fashion, as some of our cyber tools are shared across sectors. It’s a very new way to do things.
While states cannot mandate ecosystem-building to fight cyber crimes, they can incentivize it. They can explain why this would be advantageous, they can highlight the practices that have proven their worth in various sectors, for example organizing circles of trust where the companies can share information about current cyber threats or helping universities or IT programs to have professional training sessions to guarantee that all students have the opportunity to learn about the main legal and technical aspects of cyber security.
The cyber ecosystem includes companies, regulators and states, all composed of humans of talent. Cyber security is recruiting. Civil administrations, armies, medium and large companies, service providers, and criminal organizations all need experts. In many developed countries, there is a shortage of candidates, because existing training programs do not recruit enough. I believe that co-optation might be a solution, as it emphasizes shared values and in particular ethical values. Another option for the larger companies is to transfer people with technical expertise and loyalty into cyber security departments within companies. We also need to showcase how varied the jobs are in cyber security, from crisis management to training, audit and consulting, and technical developments for example.