How can companies defend themselves against transnational threats?
CEO Samu Konttinen of Finnish cybersecurity firm F-Secure discusses nations’ ‘new arms race’ against transnational cybersecurity issues.
The SingHealth data breach in 2018, which exposed the medical data of close to 1.5 million Singaporeans, including that of prime minister Lee Hsien Loong, was a wake-up call that even highly guarded systems such as those of the Lion City are still prone to sophisticated cyberattacks. More recently, in January, the data of 14,200 people with HIV was illegally disclosed online, baring information including names, test results and contact details of both Singaporeans and foreigners.
Singapore Business Review spoke with the CEO of Finnish cybersecurity firm F-Secure Samu Konttinen on the international and ever-growing threat of cyberattacks, and how criminals are targeting the weaknesses within the IT systems of organisations and individuals.
We are all familiar with the recent SingHealth breach, and other denial-of-service attacks around the world, but just what is the scale of cyber threats and what steps are being taken to mitigate them?
Samu Konttinen: At F-Secure, we track between 500,000 and 1,000,000 new virus attacks per day! The volume and sophistication of these has grown substantially from the first virus launched from Pakistan in 1986. A key point about cyber threats is that they don’t respect borders; they are as international and interconnected as the Internet itself. The industry has moved from believing that attacks and hacks can be stopped to the position of rapid threat detection and resolution. On average, companies are taking 100 days to recognise and address a malicious entry into their systems, by which time the thieves have left the scene of the crime with all the digital assets that they wanted to take. Organisations need to identify their weakest point, and to safeguard the entire system to include that point too, and not just the often well-protected infrastructure. This then includes not only the technology, but the people and processes in charge of security.
In the case of SingHealth, the report issued said that staff fell prey to phishing attacks, there were weak administrator passwords, and that they didn’t install system updates which could have stopped the hacking. The report faulted the IT cyber-security team which it said could not even recognise a security incident. SingHealth is a classic example of the weak link not being the technology, but the education and sense of importance that the organisation placed on data security. This would be one of the first and most important steps that an organisation can take; make security a board level priority.
Over the past year there has been an ongoing discussion on the interference of foreign agents in domestic politics from the US presidential elections to Brexit. F-Secure just issued a detailed analysis of Twitter activity around Brexit - what did it show and why does it matter to Singapore?
Samu Konttinen: Our research team found that nearly 6,000 Twitter accounts magnified recent far-right messaging on Brexit. An analysis of 24 million tweets related to Brexit from 1.65 million users uncovered “inorganic” activity on both sides of the debate, though disinformation was “far more” frequent among supporters of the United Kingdom’s scheduled withdrawal from the European Union. At the very least, our research shows there’s a global effort amongst the far-right to amplify the ‘leave’ side of the debate, and some of that in ways that suggest use of technology to do so, i.e. it’s not just organic user content.
It’s neither possible to stop Twitter content, nor the inorganic amplification of those accounts, but it is possible to monitor and to counter that phenomenon. Indeed, it is essential to do so in order to understand the threat being posed by actors in situations like Brexit, Paris with the Gilets Jaunes, or the terrible events in New Zealand recently. This matters to states the size of Singapore because the sheer volume of external content can threaten to overwhelm the domestic social media voices. Valid points of view may not be heard. Using sophisticated tracking technologies shows that, like with Brexit, it is possible to analyse social media, and report that to the relevant authorities to take appropriate action.
Here’s what the first day of activity looked like, with the usernames of accounts most often pictured in a larger font:
You were here for the Black Hat Conference, the local meeting of an international organisation dedicated to cybersecurity. At the event, F-Secure chief research officer Mikko Hypponen spoke of “The New Arms Race.” What is this new arms race and is it wise to be sharing best practice openly?
Samu Konttinen: The traditional domains of war – land, air, sea, and space – have expanded into the cybersphere. We are now seeing a race to develop both offensive and defensive cyber weapons as nations across the world look to arm themselves against one another. The same is true with criminal players. What we are seeing is transnational cyber crime by villains. A key point about cyber crime is that the perpetrators cross political and geographical borders as invisible agents. They are not local gangs that can be easily defeated. As a result, organisations will need to be prepared to identify, resist, and repel these invaders 24/7.
The Black Hat Conferences are a platform which F-Secure and the industry support because just as the web has benefited from open source code, the defence of interconnected devices and the digital infrastructure which underlies it all will benefit from shared wisdom and best practice. As I said, cyberthreats can originate from any part of the world, and it would be almost impossible for any one company or organisation to embrace that challenge of omnipresence. Gartner, a research company, predicted that there would be 15 billion web-connected IoT devices by 2021; devices vulnerable to a cyber threat. So we need to work together as an industry to create a united front against cyber crime to defend the Internet and all those people and systems that rely on it.
The Monetary Authority of Singapore (MAS) released two consultation papers on 07.03.2019 on proposed changes to the Technology Risk Management (TRM) Guidelines and the Business Continuity Management (BCM) Guidelines. In what ways will this affect organisations?
Samu Konttinen: Chief research officer Hypponen serves on the advisory panel for MAS, and so we are familiar with the guidelines. The Singapore government is taking a proactive approach to risk, and creating a framework for organisations to work together and to protect both their own interests and the reputation of Singapore at large. The new documents include guidance on effective cyber surveillance, secure software development, adversarial attack simulation, and management of cyber risks posed by the Internet of Things.
I think that a key point here is that of ‘simulation,’ in other words, there is an understanding that situations will arise and it is the preparedness for those that is key. Just as in other theatres of risk, e.g. emergency services drills, the Singapore government is laying out the need for procedures and policies which companies should ensure their people understand and can implement rapidly.
I can imagine a scenario whereby insurance policies will start to demand compliance with governmental guidelines, just as they do with fire safety. Consequently, companies will need to do more than just observe policies, but also adopt and implement these, which of course is in their own best interests.
There is a figure of some 2.4m quoted as a shortfall in the number of people needed to support the Cyber Security industry in APAC by 2021. Why is the number so large and what can be done to bridge the gap?
Samu Konttinen: The scale of the industry has grown to reflect the pace and penetration of the Internet. At F-Secure, we have employed an additional 900 people in the past 24 months, bringing our global headcount to some 1,600. F-Secure acquired MWR InfoSecurity in 2018, including in Singapore, and we seek more acquisitions to expand as quickly as the demand for our consultancy and managed services is.
The Internet has grown to embrace over 3.2 billion people, that’s 55% of the world’s population, and the latest phase of growth is linking cloud computing and mobile devices. These trends are rapid and global in nature, and have simply outpaced the organisational development and career path selection by candidates. Therefore, tertiary institutions need to start offering cyber security courses, just as NUS, the Nanyang Polytechnic, Temasek, and others are doing here in Singapore. There is also a need for companies like ours to offer training courses to those in technology roles in companies who need the new skills to tackle the ever present threats.
The number of 2.4 million may or may not be enough of a force to police the Internet, but as we have seen at the Black Hat Conference, there are many talented and committed people working to safeguard their organisations, systems, and the people who rely on them.