Current trends and challenges in the cyber-threat landscape were the subject of an engaging roundtable discussion between policymakers and industry stakeholders last week.
The event, ‘Cybersecurity in Public Procurement,’ organized by HP Wolf Security, analyzed the evolving threat landscape and ways organizations can mitigate these dangers. Kicking off the discussion, Dave Prezzano, managing director, HP UK and Ireland, highlighted how cybersecurity has become increasingly important for the UK and US governments. This has been demonstrated by initiatives like President Joe Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity, which places new cybersecurity requirements on federal agencies and their software suppliers, and the UK’s wide-ranging National Cyber Strategy.
Therefore, he believes “both countries are global cybersecurity leaders.” However, “more can be done in public-private partnerships.”
Ian Pratt, global head of security for personal systems at HP, outlined trends HP is observing in the cyber-threat landscape. He noted that while fears about nation-state actors have ramped up, cyber-criminals continue to be behind the vast majority of threats facing organizations. In addition, “the way people are being attacked hasn’t changed much,” with social engineering techniques like phishing continuing to dominate.
Such campaigns are becoming increasingly sophisticated, according to Pratt; for example, HP has observed a growth in automated email phishing attacks. Once a user’s mailbox has been compromised, the tooling finds existing conversations with colleagues in the inbox and replies to them with messages carrying malicious links or attachments, so the lure arrives from a genuine account, inside a genuine thread. This trend is particularly worrying as we “can’t expect the user to identify that kind of attack.”
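Because the reply-chain attack described above is sent from the real account into a real thread, the checks a user relies on (known sender, familiar subject, quoted history) all pass. What a mail gateway can still check is whether a reply introduces something the thread has never contained: a link to a domain no participant owns, a sender domain that has not taken part in the conversation, or a Reply-To that diverts responses elsewhere. The following is an added example written for this article, not HP’s product logic or anything presented at the roundtable; it uses only the Python standard library, and the four messages, the addresses and the domains in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample thread (fictional addresses and domains):
#  1, 2: legitimate exchange within example.org
#  3:    reply from the compromised mailbox with a link to an outside domain
#  4:    reply from a lookalike domain with a diverted Reply-To
THREAD = [
"""From: alice@example.org
To: bob@example.org
Subject: Q3 invoice
Message-ID: <1@example.org>

Bob, can you check the Q3 invoice?
""",
"""From: bob@example.org
To: alice@example.org
Subject: Re: Q3 invoice
Message-ID: <2@example.org>
In-Reply-To: <1@example.org>
References: <1@example.org>

Sure, the numbers are on https://intranet.example.org/finance/q3
""",
"""From: alice@example.org
To: bob@example.org
Subject: Re: Q3 invoice
Message-ID: <3@example.org>
In-Reply-To: <2@example.org>
References: <1@example.org> <2@example.org>

Thanks. Updated version here: https://example-org-docs.net/q3.xlsm
""",
"""From: "Alice" <alice@examp1e-org.com>
To: bob@example.org
Reply-To: billing@mail-relay.biz
Subject: Re: Q3 invoice
Message-ID: <4@examp1e-org.com>
In-Reply-To: <2@example.org>
References: <1@example.org> <2@example.org>

Resending, see https://examp1e-org.com/q3.xlsm
""",
]

URL_RE = re.compile(r"https?://([^\s/'\"<>]+)", re.IGNORECASE)


def _domain(addr):
    """Lower-cased domain part of an RFC 5322 address, display name stripped."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _root_id(msg):
    """Thread key: first entry of References, else In-Reply-To, else self."""
    refs = (msg.get("References") or "").split()
    return refs[0] if refs else (msg.get("In-Reply-To") or msg["Message-ID"])


def scan_thread(raw_messages):
    """Process messages in arrival order; return [(message_id, [reasons])]
    for replies that introduce a sender, Reply-To or link domain the thread
    has never seen. Only messages carrying In-Reply-To are judged."""
    threads = {}  # root Message-ID -> {"domains": set(), "hosts": set()}
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        state = threads.setdefault(_root_id(msg), {"domains": set(), "hosts": set()})
        sender = _domain(msg["From"])
        hosts = {h.lower() for h in URL_RE.findall(msg.get_payload())}
        reasons = []
        if msg.get("In-Reply-To"):
            if sender not in state["domains"]:
                reasons.append(f"reply from {sender}, not a thread participant")
            reply_to = msg.get("Reply-To")
            if reply_to and _domain(reply_to) != sender:
                reasons.append(f"Reply-To points to {_domain(reply_to)}")
            for h in sorted(hosts):
                if not (h in state["hosts"] or any(_under(h, d) for d in state["domains"])):
                    reasons.append(f"link to {h}, never seen in this thread")
        if reasons:
            findings.append((msg["Message-ID"], reasons))
            continue  # do not let a flagged message enlarge the trusted set
        participants = [msg["From"]] + [a for _, a in getaddresses(msg.get_all("To", []))]
        state["domains"].update(_domain(a) for a in participants)
        state["hosts"].update(hosts)
    return findings


if __name__ == "__main__":
    for mid, why in scan_thread(THREAD):
        print(mid, "->", "; ".join(why))
```

Message 3 is the case Pratt describes: sender, subject and quoted history are all genuine, and only the link to a domain the thread has never used gives it away. Message 4 trips all three checks. The heuristic is deliberately narrow: it will miss a reply that links to a site already used in the thread, and it relies on the gateway holding per-thread state, which in practice means looking it up in the mail store rather than replaying the thread as this example does.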
A National Cyber Security Centre (NCSC) representative concurred with Pratt’s analysis, stating that there is currently no known specific cyber threat to the UK emanating from the Russia-Ukraine conflict. He views the most significant current threats to organizations as coming from cyber-criminals, in particular, ransomware and supply chain attacks, the latter of which is often seen as the most “potent way into organizations.”
The discussion then turned to the cybersecurity of public sector organizations, including procurement practices. Irfan Hemani, deputy director, cyber security at the Department for Digital, Culture, Media and Sport (DCMS), observed that geopolitics is becoming an increasingly important component in this, as demonstrated by recent plans by the UK government to restrict the involvement of Chinese tech firm Huawei in the country’s infrastructure due to national security concerns. He also outlined the Product Security and Telecommunications Infrastructure (PSTI) Bill as another way the government is “raising the bar” regarding the security of digital purchases, by requiring internet-connectable consumer devices to meet at least the first three provisions of the ETSI EN 303 645 consumer IoT standard: no universal default passwords, a published vulnerability disclosure policy, and transparency about how long the device will receive security updates.
Nevertheless, Hemani emphasized that cybersecurity must be pushed further up the agenda regarding procurement, showing the “importance of cybersecurity in the context of what digitized markets are doing.”
He also agreed with earlier comments that an undue emphasis is placed on cyber-attacks from nation-states when the vast majority of threats facing organizations come from cyber-criminals motivated by financial gain.
The need to grow cyber education and awareness among users alongside securing technologies was highlighted by Ruth Edwards MP during the roundtable. She believes the shift to hybrid working models and an increasingly data-driven society means the traditional view of endpoint security is unsuitable. Yet, many people are blissfully unaware of the expanded attack surface. Therefore, “we need to ramp up awareness, particularly among remote staff.”
The session also included a fascinating contribution from Gary Miles, head of crime for the National Fraud Intelligence Bureau at City of London Police, who offered stark insights into the trends and challenges faced by law enforcement in respect of cybercrime. He pointed out that there is currently “no legal offense of cybercrime at all.” Instead, attacks fall under traditional offending categories.
Miles noted that attempted fraud is an offense, meaning that even sending a phishing text is technically a crime in itself; however, such activity is substantially under-reported, partly because of how it is perceived. He observed that victims are often viewed as “stupid or greedy.” In addition, this crime “can never compete with violence” in terms of its severity.
Another trend seen by law enforcement is the growing use of cryptocurrency in fraud; for example, Miles said that 69% of investment fraud has crypto as a hook or cashing out mechanism. “The vast majority of serious organized fraud is now operating with cryptocurrency,” he added.
Due to these trends, law enforcement faces significant challenges in both identifying and prosecuting cyber-criminals, and Miles believes we “are not going to prosecute our way out of this problem.”
The wide-ranging roundtable discussion offered some realities regarding the nature of cyber threats amid increasingly dramatic rhetoric. The vast majority of threats organizations face continue to emanate from cyber-criminals rather than nation-states, and the primary attack vectors still rely on user error. Countering these threats requires a wide range of approaches, primarily standards and legislation, law enforcement, and, most importantly of all, enhanced cybersecurity practices.