ISACA Now recently had a virtual sit-down with Misha Glenny, an investigative journalist, author and broadcaster specializing in global organized crime and cybersecurity. Glenny will be a keynote speaker at the inaugural CSX 2016 European Conference in London 31 October – 2 November. Glenny will present The Human Factor: Cyber Security is Made Out of People at the conference 1 November.
Glenny is one of the world’s leading experts on cybercrime and global mafia networks. He is an associate professor at Columbia University’s Harriman Institute and former BBC Central Europe correspondent who covered the revolutions in Eastern Europe and the wars in the former Yugoslavia. Glenny leaves no stone unturned (and no failed state unexamined) in his excavation of criminal globalization.
Here is our conversation:
ISACA Now: Are governments doing more harm than good in the fight against cybercrime, especially when they demand encryption keys and the like or create malware to use against adversaries?
GLENNY: It’s important to remember that the speed of innovation influences government responses to threats in cyber as much as it does everybody else. Security usually takes its place at the back of the queue when it comes to the development of new software and its integration into existing systems. This means that governments are often struggling to keep up.
Privacy is a big issue in the West and there is no question that the US and British governments handled their increasing digital surveillance badly ensuring that the Snowden revelations would lead to greater suspicion of their intentions. This has even affected people and organizations that are fundamentally sympathetic to the need for government to play a key role in the protection of cyberspace. The big beasts of the technology from Google through Apple and Microsoft are now much more reluctant to cooperate with governments in providing access to systems because of reputational damage.
In the last year, we have seen Western governments, intelligence agencies and police forces begin to reconcile themselves to a world in which encryption is the norm. This is pragmatic and sensible as different organizations, not least the Chinese government, move towards the development of unbreakable quantum encryption systems. The digital intelligence services are still able to track cyber and other criminals, especially by exploiting big and meta data patterns.
But increasingly governments will have to rely on closer cooperation with the private sector (including sanctions against companies that knowingly fail to report breaches) and by investing more into education both for cyber security specialists and the general public. At the moment, we are faced with a critical shortage of security engineers and this is one of the most serious, albeit largely unseen, problems that government faces.
ISACA Now: Is the cybercrime issue almost too unwieldy to address? What potential solutions do you envision? What can be done to reduce cybercrime in the long term, if not eliminate it?
GLENNY: Cybercrime cannot be eliminated. The fundamental infrastructure of the internet and our building new insecure stories upon already insecure foundations means that this is risk that can only be managed – not eliminated. Much of the responsibility lies with individual companies, especially their boards, and the development of education and communication strategies so that young people coming into business in whatever capacity are fully aware of their personal role in sustaining the best risk management strategies across the cyber network. The growth in cyber crime has been the combination of two things: the development of simple off-the-shelf malware programs which non-specialists can deploy on the one hand, and lazy security practices within companies and organizations on the other. The British government is right to suggest that with a decent cyber security strategy, most businesses can eliminate over 95 percent of the risk to their computer networks. That final 5 percent requires a much higher degree of sophistication than most of the threats out there. With best practices in cyber security, the nightmare of ransomware, for example, can be almost entirely removed.
ISACA Now: What will be the key takeaways from your CSX Europe presentation?
GLENNY: Firstly, that the biggest failures of the cyber security industry concerns the issue of communication along with the concentration of digital solutions at the expense of the human factor. Secondly, that as the Internet of Things multiplies both the number and nature of vulnerabilities, we are moving into a new era of security issues with fundamentally different parameters.
For more information about the inaugural CSX 2016 European Conference in London 31 October – 2 November click here. Two other CSX events are planned for 2016, including CSX North America and CSX Asia Pacific.