Techseen: Should a cybersecurity threat be tackled by an individual, an enterprise, by the government, or should it be a combined effort (personal, commercial and administrative)?
Walia: Digital technology – from the ubiquitous smartphone to IoT devices for the home or office – has become widespread across APAC, with India being one of the fastest adopters of new technology. In this landscape, it is impossible to expect any one sector of society to shoulder the responsibility of cybersecurity alone.
Individuals, enterprises and government – each has their own part to play in fighting cyber threats. End-users of technology, often identified as the weak link in cybersecurity, need to take charge of their own security needs and ensure that they use devices and services in a manner that is safe and responsible. This will drastically reduce the attack surface area exposed to cybercriminals and cut the risk of cyberattacks. Enterprises, on the other hand, can do their part by setting up sensible cybersecurity policies, taking proactive steps to prevent cyber breaches and being prepared in the event of a successful attack. In particular, manufacturers of connected devices must ensure that security considerations are built into the very design of the hardware and software, rather than as vulnerabilities that can be patched as needed.
Governments, besides having the responsibility of setting up big-picture frameworks and legislation, also have a key role to play in stopping cybercrime across borders. In particular, they need to ensure that their own legal frameworks around cybercrime, as well as their law enforcement officials, are well-connected to, and compatible with, laws and law enforcement processes in other countries. By its very nature, cybercrime is generally not restricted to a country’s borders. Rapid, rigorous cooperation between law enforcement officials across national borders is increasingly important to all jurisdictions interested in policing cybercrime.
Likewise, there is a greater need than ever now for collaboration and information sharing in the private sector, especially within industries. For example, banks and financial institutions need to put aside commercial differences and do more to share threat information in order to efficiently protect the whole industry from cyberattack. Similarly, the public and private sectors also need to work more closely together to ensure legislation is well drafted, and is feasible to implement from a practical standpoint.
Techseen: Like the EU adopted the NIS Directive, have other countries come together to form cybersecurity legislation? What are the roadblocks that countries face when cybersecurity is a global issue?
Walia: Each country and region faces its own unique challenges to establishing cybersecurity legislation. While there haven’t been any major cross-border legislative actions taken outside of the EU, most countries have stepped up collaborative efforts to tackle cybersecurity, particularly in this region.
Last year, Singapore played host to the inaugural ASEAN Ministerial Conference on Cybersecurity, a significant step forward in efforts to boost cybersecurity in the region. As a result, the ASEAN Cyber Capacity program was launched, aiming to enhance cybersecurity resources, expertise and training among Southeast Asian member states with initial funding of S$10 million. This is meant to fund a wide variety of mechanisms aimed at empowering businesses and public servants in the region to form cybersecurity legislation and strategies.
However, establishing cross-border legislation can be difficult owing to different levels of infrastructure and cybersecurity maturity across markets. Markets with highly developed digital infrastructure such as Japan and Hong Kong face vastly different challenges than emerging economies such as Vietnam or Myanmar. With different needs and priorities, it can be difficult – or even ineffective – to implement blanket cybersecurity legislation across a region.
Techseen: You have mentioned in your report that regions such as APAC keep updating standards in their policies to adapt to new challenges and threats. How often is this needed? How important is it for countries to understand the threat matrix and comply?
Walia: There is no specific, optimal length of time following which governments should revisit their standards for security. As technology development speeds up, naturally policies will have to be updated more frequently as they become out-of-date.
What is important is that policy-makers are proactive in consulting businesses and security experts regularly rather than reacting to major cyber breaches that have exploited vulnerabilities in existing policies. This ensures that policies and legislation are effective, adequate and up-to-date.
Techseen: Why is there no framework for APAC or Latin America, like the EU-US Privacy Shield?
Walia: The EU-US Privacy Shield is a framework governing the exchange of personal data for commercial purposes between the European Union and United States, between which there have been longstanding business partnerships, similarities in attitudes towards data protection and privacy, as well as developed technological infrastructure.
In contrast, countries across Asia Pacific face varying levels of technology development and adoption, even within their own borders. This makes it difficult for a unified framework to be set up across countries. However, countries in Asia Pacific have already begun making strides to establish their own common standards for cybersecurity. The ASEAN unit has been particularly active on this front recently, with the first ASEAN Ministerial Conference on Cybersecurity convened last year at Singapore’s International Cyber Week (SICW). In years to come, we expect even greater collaboration between countries to bring us toward a common cybersecurity standard across the region.
Techseen: What role do private technology giants such as Google, Apple, IBM or Facebook play when it comes to cybersecurity legislation? Do you feel that the private tech sector is anti-establishment when it comes to privacy laws?
Walia: Greater collaboration across the public and private sectors is a critical ingredient to effectively countering cyber threats. By combining threat intelligence and technical expertise with the law enforcement capabilities of public sector organizations, the scope of attack for cybercriminals can be greatly reduced.
Earlier this year, one of the co-conspirators behind the Operation Windigo malware attacks pleaded guilty to conspiracy to violate the Computer Fraud and Abuse Act in the United States. Through the operation, over 35 million spam messages were generated daily, gathering millions of dollars in fraudulent payments.
ESET researchers had helped the Federal Bureau of Investigation (FBI) lead the investigation by providing technical expertise in identifying affiliate networks used by the Ebury gang, sharing sinkhole data to identify victims and producing a thorough technical report of the group’s activity. This helped lead to the extradition and arrest of Maxim Senakh from Finland in 2016.
Techseen: ESET has talked about developing a global cybersecurity culture. How is it possible to have a unified plan of action when the laws and regulations of each country are different?
Walia: Legislation can be effective in regulating behavior, but, as you rightly have pointed out, it can also be difficult to align meanings and concepts of privacy, freedom of expression or security policy across borders.
It would be extremely challenging to standardize cybersecurity legislation across countries. However, organizations and governments can take effective and aligned plans of action across borders if they are able to make cybersecurity a priority in all aspects of operation, and work towards a common goal of a more secure cyberspace.
Developing a global cybersecurity culture is more than just about creating and standardizing legislative action. Countries also need to set up channels and platforms that allow them to share information and resources to better anticipate and block cyberattacks. The need for this has been highlighted by the Bangladesh Bank heist last year. The approach taken by cybercriminals to carry off this operation was highly similar to an attack on Ecuadorian bank Banco del Austro SA in 2015, and could possibly have been foreseen and prevented with greater threat sharing within the industry.
Techseen: Which are the countries that you think should take measures when it comes to developing and creating cybersecurity laws? Which are the countries that have not yet taken cybersecurity threats seriously?
Walia: All countries that use digital technology – that is, all the countries in the world – need to conscientiously take steps to develop and create cybersecurity laws.
While most technologically developed nations already have their own legal policies and frameworks in place to deal with cyber threats, developing nations must act now to defend their digital assets. Thankfully, cybersecurity has quickly climbed to the top of the agenda for most countries, and is now a priority across most regions.
Techseen: What do you think will happen in the future, when it comes to countries collaborating for countering cybersecurity threats? Will everyone go their own, individual way or will they come together?
Walia: Time is of the essence in any cyberattack scenario. Having timely access to information and threat intelligence can make a big difference in protecting organizations and individuals.
Across the globe, we have seen cybercriminals banding together, with highly organized crime rings running large-scale cyberattacks in which their tools, data and expertise are shared across criminal organizations. The rise of easily available exploit kits has also significantly lowered the costs of attack for cybercriminals. This has made it far harder for any one organization to protect users on its own.
Fortunately, today, we are already seeing more organizations, governments, and even competing security vendors, put aside commercial interests to combat the growing threat of cybercrime together. As the cyber threat landscape continues to evolve, this will no longer be a choice, but an imperative for organizations that want to survive in the digital age. By banding together and collectively making a stand against cybercrime, we can quickly react to emerging threats, prevent major security incidents and create a safer cyberspace for all.
Techseen: What would you suggest a country’s government should do to develop and pass cybersecurity legislation?
Walia: Developing legislation – on any topic – is a complicated matter involving a large number of actors and political factors. However, on account of the number, frequency and impact of cybersecurity incidents worldwide, countries around the world have stepped up efforts to establish strong policies relating to cybersecurity.
Legislators need to consider the elements necessary for security in their own specific territories, including capacity to respond to large-scale incidents, the protection of critical infrastructure, ability to collaborate with other countries, and even to consider the development of a security culture which can be instilled in the population.
To do this efficiently, governments should work in close collaboration with private sector security experts and business organizations to get a holistic and realistic understanding of on-ground concerns and possible solutions to cyber threats. Matters such as data privacy and access are often debated between government and industry, and greater understanding and agreement between the two is important to set up effective, well-designed legislative frameworks.
Stepping up partnerships with the private sector has already been outlined as a key priority in Singapore’s recent National Cybercrime Action Plan, with the focus on upgrading capabilities to respond to cyber threats. However, there is still more that needs to be done in extending these partnerships in consultation with security experts to strengthen legislation in order to create a criminal justice framework that is nimble and effective in real-world contexts.