Future Thinking: Cyrating on Cyber Threats
In 2017, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. In February 2018, we interviewed two stakeholders – Cyrating, a cybersecurity ratings agency, and Niel Harper, Senior Manager, Next Generation Leaders at the Internet Society – to hear their different perspectives on the forces shaping the Internet’s future.
Cyrating is the first cybersecurity ratings agency anchored in Europe, and helps forward-thinking organizations maximize their cybersecurity performance and investments. It identifies potential for improvement, benchmarks it against industry best practices, and provides standardized cybersecurity metrics. We spoke to François Gratiolet, one of Cyrating’s founders, about the future of a secure and trusted Internet.
(You can read Niel Harper’s interview here).
The Internet Society: Experts predict an increase of frequency and impact of cyberattacks. What form are they likely to take in the next three to five years?
François Gratiolet: We believe cyberattacks will intensify in the next three to five years, targeting both Internet users and the Internet’s underlying infrastructure. User attacks will move from phishing to social media, with users increasingly being exposed through their mobile devices. While the use of IDs such as digital certificates and biometrics might reinforce security in some regards, it will simultaneously introduce new targets for cyberattacks. And as the adoption of blockchain technology and cryptocurrencies becomes a new norm, we also expect more cyberattacks on virtual currency platforms. Because the physical and digital worlds are becoming increasingly entwined, IoT and utility infrastructure will similarly become more attractive targets for cyberattacks. Attacks on national telecommunications infrastructure, for example, can endanger economies in developed and developing countries alike.
In parallel, organisations’ boards, consumers and citizens are also becoming increasingly aware of the potential danger and risk of data breaches, botnets, denial of service attacks, and malware. Similarly, organisations’ obligation to keep stakeholders informed about breaches is also becoming more concrete as a result of codifications like the General Data Protection Regulation (GDPR) and the European NIS directive, which comes into effect in May 2018. GDPR harmonizes data protection in Europe, and imposes new duties for organisations offering goods or services to the EU. The obligation to notify stakeholders (investors, customers, partners and insurers) of data breaches compels organisations to be ever more responsible and transparent in terms of cybersecurity and to demand strict cybersecurity safeguards from their chain of suppliers.
What needs to be done to address cyber threats, put users in control of their data, and increase accountability for data handlers?
Organisations need to understand their enemies’ tactics and techniques and should be better prepared for dealing with cyber threats. At the same time, they need to understand their own information systems better, including how to monitor them continuously. This requires organisations to appropriately train all employees on dealing with cyber threats, from senior executives to IT operations. For that, organisations will need to work as a team and to share threat intelligence information. As data handlers and organisations become hyper-accountable under new regulations, they will need to ensure security by design of all digital products, including data breach notification and remediation, suppliers’ security, etc. It will also be important for them to learn to demonstrate the effectiveness of the controls in place to protect their organisation, its systems, and the data it has to deal with.
Where users are concerned, there is a significant need to improve users’ own understanding and control of their data. Education and raising awareness is critical to ensure that users can handle their data securely. The tipping point will be to enforce the rules, especially new European regulations.
We believe security rating services like those offered by Cyrating will help organisations to improve their cybersecurity effectiveness and that of their suppliers or partners, introducing more transparency and trust to their overall business ecosystem, and contributing to enhanced resiliency overall. Such rating systems must be based on specific criteria and cybersecurity best practices, and must respect widely shared standards. These practices are crucial for the benefit of our economy, our society, and the safety of all.
How do you see insurance policies and companies evolving to cater for cybersecurity risks in the future?
The overall cyber insurance market will continue to grow at a great pace, with organisations realizing that, regardless of their current security processes, security can never be 100% guaranteed. All organisations therefore have to mitigate potential financial damage that is bound to arise from cybersecurity incidents. To fully equip themselves in the face of a cybersecurity tsunami, organisations will recognize and include cyber insurance as a key component of their risk management strategy. We predict that cyber insurance will, in the future, be a prerequisite in business relationships. With such growing adoption, reinsurance companies will have to prevent the “black swan” risk.
Cyber insurance does not remove the need for businesses to manage their risk from cyberattacks, however. A challenge is to effectively remediate cyber risks for a large volume of digital assets. A cultural shift towards the adoption of more cyber hygiene measures is arguably needed. This is why we advocate a return to the fundamentals of cybersecurity with the enforcement of standards such as the establishment of SPF (Sender Policy Framework), which is designed to limit email spoofing, or the DNSSEC (Domain Name System Security Extensions) protocol to protect Internet domain names.
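To make the SPF point above concrete, here is an added example (not code from Cyrating or the Internet Society) of how a receiving mail server evaluates a domain's SPF record against the connecting IP. It follows the RFC 7208 check_host() logic for the common mechanisms (ip4, ip6, a, mx, include, all, with the +/-/~/? qualifiers) and enforces the RFC's limit of 10 DNS-querying mechanisms, which is the check a practitioner most often gets wrong when stacking include: terms. All DNS data below (the `.test` domains, their TXT, A and MX values) is constructed fixtures, so the code runs offline; a production evaluator would replace the three dictionaries with real lookups.

```python
"""Minimal SPF (RFC 7208) evaluator over constructed, in-memory DNS data.

Added example, not Cyrating's or the Internet Society's code. The TXT, A and
MX tables are constructed fixtures under the reserved .test TLD, not real
records; swap them for real DNS lookups to use this for anything but study.
"""
import ipaddress

# Constructed fixtures standing in for DNS TXT, A and MX lookups.
TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 mx include:_spf.mail.test -all",
    "_spf.mail.test": "v=spf1 a:relay.mail.test ~all",
    "loop.test": "v=spf1 include:loop.test -all",   # self-include: exhausts the lookup budget
}
A = {"relay.mail.test": ["198.51.100.7"], "mx1.example.test": ["203.0.113.5"]}
MX = {"example.test": ["mx1.example.test"]}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208: more than 10 DNS-querying mechanisms is a permerror


def _split_mechanism(term):
    """'-ip4:192.0.2.0/24' -> ('-', 'ip4', '192.0.2.0/24'); default qualifier is '+'."""
    qualifier = "+"
    if term[0] in RESULT_FOR_QUALIFIER:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def _ip_in_hosts(ip, hostnames):
    """True if ip equals any A record of any of the given hostnames."""
    return any(ip == ipaddress.ip_address(addr) for h in hostnames for addr in A.get(h, []))


def check_host(ip, domain, lookups=None):
    """Evaluate the SPF record of `domain` for sending address `ip`.

    Returns (result, dns_lookups_used); result uses the RFC 7208 names
    none / pass / fail / softfail / neutral / permerror.
    """
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups   # shared counter across include: recursion
    record = TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    for term in record.split()[1:]:
        qualifier, name, arg = _split_mechanism(term)
        if name in ("a", "mx", "include"):        # these cost a DNS query each
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 sender never matches an ip6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups[0]      # malformed network
        elif name == "a":
            matched = _ip_in_hosts(ip, [arg or domain])
        elif name == "mx":
            matched = _ip_in_hosts(ip, MX.get(arg or domain, []))
        elif name == "include":
            sub, _ = check_host(ip, arg, lookups)
            if sub in ("permerror", "none"):        # included domain without SPF is an error
                return "permerror", lookups[0]
            matched = sub == "pass"                 # include only matches on pass
        else:
            return "permerror", lookups[0]          # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier], lookups[0]
    return "neutral", lookups[0]                    # no mechanism matched, no 'all'


if __name__ == "__main__":
    for sender, domain in [("192.0.2.55", "example.test"), ("198.51.100.99", "example.test"),
                           ("2001:db8::1", "example.test"), ("192.0.2.1", "loop.test")]:
        print(sender, domain, check_host(sender, domain))
```

The design point worth noting: the lookup counter is shared down the include: chain, so an over-long or self-referencing chain degrades to permerror rather than to an unbounded recursion, and a sender that no mechanism covers ends in neutral unless the record closes with an explicit -all or ~all, which is why the interview's advice to "establish SPF" is only effective when the record is terminated that way.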
What are your fears for the future of the Internet?
We fear that security issues of the Internet will not be tackled in a consistent, technical, legal, and political way. Internet security protocols such as DNSSEC or encryption will need to be fully embraced so that Internet users will have more confidence in the online activities that are increasingly becoming a part of our lives at work, home, and school. Cooperation and information sharing among end user organizations, providers and countries will be key to fighting cybercrime. We also fear pervasive and mass surveillance from large and dominant corporations as well as the end of net neutrality. It will endanger the Internet as we know it, along with our digital economies.
What are your hopes for the future of the Internet?
We hope that cybersecurity will no longer be ignored in digital products and services design, but will become central to everything that an organization does, and be embedded in all processes and business operations. Thus, we hope that all the players in the value chain (e.g. operating systems and hardware makers, ISPs, registrars, SaaS providers) will offer top cybersecurity and that end-users’ organizations will buy and rely on them.
What do you think the future of the Internet looks like? Explore the 2017 Global Internet Report: Paths to Our Digital Future to see how the Internet might transform cybersecurity across the globe, then choose a path to help shape tomorrow.
The views and opinions expressed in this article are those of the interviewee and do not necessarily reflect the official position of the Internet Society.
Photo: Founders François Gratiolet, Christophe Ternat, and Charles d’Aumale, courtesy of Cyrating