Even with more attention paid to cyber hygiene and growing investment in resilience, cybercriminals still manage to exploit the fear and uncertainty caused by COVID-19 globally to gain network access.
Indeed, the higher dependency on connectivity and digital infrastructure due to physical distancing requirements expands the avenues of cyber intrusion and attack, according to a report issued by the World Economic Forum’s Partnership against Cybercrime initiative. Formed 11 months ago, that working group now counts more than 50 organizations among its members, seeking to amplify public-private collaboration in cybercrime investigations and initiate a paradigm shift in how the growing impact of cybercrime is collectively dealt with.
Tal Goldstein, head of strategy at the World Economic Forum's Centre for Cybersecurity, and Derek Manky, chief of security insights and global threat alliances at Fortinet, spoke to SC Media about the Partnership against Cybercrime Working Group’s recommendations for organizations facing cybercrime challenges: promoting principles for public-private cooperation to combat cybercrime, taking collaborative action to disrupt cybercrime ecosystems and partnering to combat global cybercrime.
Why did the working group decide to focus on cybercrime rather than other challenges to cybersecurity like nation-state attacks?
Goldstein: We were trying to look at the main needs and where we could have the most impact. At some point we realized that the work that is needed against cybercrime is probably on the top of the list. First of all, while nation-state-related cyberattacks capture most of the attention, the majority of cyberattacks against both companies and individuals are coming from cybercriminals. There is much needed in dealing with that and it’s across the globe. Second, while security measures like the one Fortinet is providing are still the key effort that is needed to dilute those threats, long term if we want to systematically contain those attacks we must make sure that there is risk and cost for criminals. Because, right now, it is ridiculously easy and riskless to commit cybercrime.
And that’s more than just a law enforcement problem, according to your report.
Goldstein: Traditionally, law enforcement agencies are responsible for that and they still are. Private sector has a crucial role. When there is a crime you call the police, they come and they help you. If you are attacked in cyber, the first call will be to your cybersecurity company, your service provider, your platform provider in most cases. So the private sector is on the frontend of this fight; they see what’s going on, they have information, they have the capacity, the ability and the skills to investigate and understand those attacks. It’s what they’re doing every day. We want to make sure they’re walking side-by-side with law enforcement. That brought us to realize there’s something that needs to be promoted.
You met a year ago to validate that idea and then brought it to the forefront at Davos earlier this year. That was right before COVID-19 began its trek around the globe. How did that affect your mission?
Goldstein: We immediately started as COVID started. It was a challenge to take it virtual. We were quite concerned at the beginning that we could pull off all those stakeholders together in virtual settings. We were amazed how much willingness, motivation and interest there was from all parties, though, to try to better understand how we can overcome some of the barriers and amplify the cooperation that is needed. We worked through the spring and summer and came up with recommendations.
Manky: I was part of the virtual force that came in after it went virtual. I think the most important things we came up with are the stakeholders, the experts and a very diverse base that we have and an ecosystem.
How does this effort toward greater collaboration between the public and private sectors differ from other initiatives? Explain how collaboration might work.
Manky: I’ve been doing alliances for well over 10 years. There are a lot of silos in the industries and one-to-one relationships, and they do work; they’re necessary. We’re always trying to make [use-case] information actionable so we can disrupt cybercrime and there are various ways to do that. Cybersecurity vendors do that through mitigation – building up a larger barrier and security that makes it harder for cybercriminals to get into systems. But in an attack lifecycle, different stakeholders have different purposes for information. A cybersecurity vendor can take in very technical information; we’re on the front lines, so we can understand how to protect against that. We can understand how to automate that through platforms and how to analyze it.
But it’s a different game, of course, when it comes to how we actually move the needle further, how do we take infrastructure offline, how do we go to law enforcement and provide evidence and present it so that warrants can be obtained and arrests and prosecution can follow. And of course, you have all the geo-regional challenges too. And this is what I’m so excited about in this partnership. We’ve had a lot of good success in the private sector over the years on the mitigation side and trying to slow the growth of cybercrime. But when it comes to truly moving that needle, this is what’s needed.
The report reflects the challenges and recommendations from all the stakeholders brought in. What are the thorniest challenges that emerged?
Manky: One of the chapters I was involved with was the principles of collaboration – how, between the different stakeholders, do we move that needle. And some of the things that stand out to me is, how do we do that at scale? Again, it’s one thing to be able to focus on how to create a system in the U.S. or Canada or EMEA. But how do you actually replicate those successes, because now you’re dealing with transporter routing; now you’re dealing with different geopolitical issues; you’re dealing with having dedicated working groups or these threat focus cells in [different] regions to tackle specific problems. How do you get stakeholder buy-in and commitment? Again, these are things we outlined specifically and really digested as well to try to simplify it. No one has solved this problem yet, not at this level, and when you tackle a problem this big, it can obviously be very complex, so simplification is also a challenge.
Goldstein: Generally, you can say there are two types of challenges – the more policy and technical challenges and the ability to cooperate. Part of the way we can deal with that is through thought leadership and part of what we’re trying to achieve with this report is bringing stakeholder commitment. So it’s not just cooperating on a single case, but rather to be a part of something bigger that will help to deal with some of the challenges related to their corporations. And the other challenge is to scale it up. There is no current global or international architecture we can use to bring everyone together. It’s a very fragmented structure that we have today. It’s the nature of cyber, the nature of the geopolitical situation we have today. So what we try to do is suggest a more soft architecture that can bring the different stakeholders together. Creating this with several layers of architecture is what we’re trying to promote.
Manky: The point of having the architecture is agility. Cybercrime is very agile in nature. It’s always changing, you have to move quickly on things and adapt. That has been a challenge in the past. With hard architecture, things can take years to move or change.
You’ve said this report is just beginning. What are your next steps?
Manky: Now that we have taken a good look at the challenges, and some of what’s required, a focus of 2021 is determining the key milestones we can accomplish next year for putting the [plan] into action.
Goldstein: What we are trying to do is address it from both sides. On one side, top-down support might actually help in bringing all those stakeholders together and continuing the strategic discussion of how we can tackle different types of threats and some of the barriers. We will have a deep dive with the same group, but we’re expanding it. We’re having discussions that hopefully will lead to more concrete action. At the same time, with the soft architecture... we didn’t want to take five years to design an architecture, so in five years it wouldn’t be relevant. Instead, we will shape it as it progresses. And the different stakeholders will all be trying to implement the recommendations, the concepts and the operational processes, in a way that will connect back to the strategic level, then share feedback on what they’re doing, what is working well, what is not working well, so we can shape the whole architecture as we move forward. [Public and private stakeholders] are already taking use cases and trying to see how they can learn from them.
Manky: The reporting back is critical and so having feedback to that scale, on a global level, and then also having the granularity that’s needed at the regional level – it’s this bidirectional flow, being able to tackle things regionally but being able to report at a higher level.