OPINION. Digital transformation affects all industries and, with it, the nature of criminal activity. By Alain Conrard, President of the Commission on Digital Strategies of the METI, a professional guild of mid-market companies (*)
With the enormous power and capability that digital technologies bring in all areas, innovation also enables groups of individuals, operating as startups in “agile” mode, to conduct targeted attacks on vulnerable individuals and organizations. Whether they act alone or on behalf of large criminal organizations, they know no limits in their hacking crusade, with the entire planet as their playground.
Ransomware attacks, which lock their victims’ data and demand a ransom, paralyzing the activity of a large number of hospitals in the middle of a pandemic, have shown just how far cybercriminals can go to cripple businesses without the slightest qualm. Cybercrime comes in different shapes and sizes, ranging from small-scale credit card scams (i.e. phishing scams) all the way to state-sponsored cyberattacks to block another country’s infrastructure or influence a presidential election. The break-ins are almost seamless and smooth: no violence to speak of, it is all done very cunningly by infiltrating systems using recognition systems, identifiers, passwords, with the stealth of a fully digitized Ninja. Everybody today (companies, individuals, industries, administrations, organizations, government institutions, universities, public authorities, services, technological devices, etc.) is a potential target for cyber criminals.
Cybercrime is the act of overpowering people by attacking what is crucial in both the private and public spheres, i.e. data. Even though the attacks consist in blocking a system and not actually stealing data, it is a matter of preventing access to data, which is one of the major and most serious types of attacks faced by businesses: having no access to their data, they simply cannot operate. Thus, cybercrime clearly underscores how valuable and pivotal data is: it is today’s new “black gold.” If data had no value, there would be no cybercriminals. Data has become a major economic phenomenon. It is therefore today one of the most important commodities. It is where an ever increasing proportion of crime is concentrated, in multiple forms.
In recent years, the problem has grown considerably. Cybercrime has been classified by the French government as one of the five major risks today along with the threat of terrorism, pandemics, technological and natural disasters. According to Guillaume Poupard, Director General of the French National Agency for Information Systems Security (Anssi), “tomorrow’s conflicts are going to be digital, and all the major states are preparing for it.”
The Digital Jungle
New digital technologies have made for a much more global, open and transparent world where access to information is, in theory, much easier to come by. It is precisely this “openness” that has caused this new form of crime with access to networks and “free for all data” making cyber crime rank high up there.
This open society has a serious problem: it is open. How then should it deal with its borders without giving up on that openness, that specific quality that makes it so unique? This pivotal concern, that of sovereignty, has been brought to the forefront by the openness and transparency that is characteristic of the digitalization of the world. How can we defend a territory when it is under attack, and all the more so, when it is open, with borders that are hard to determine and sometimes even unknown? Cyber crime takes this problem to a whole new level where so much more is at stake in the rapport between innovation and going beyond the traditional frontiers.
Cybercrime is typically a new “Wild West,” a term that designated the unstable area resulting from territory expansion during those years of conquest of the American West. Beyond the frontier, we are no longer in a designated area established and ruled by law – we are in an area where everything has to be invented. This Far West 4.0 is a grey area where anything goes: you can decide to do business and make money, decide to hack, terrorize, steal and indulge in any other activity. Desperados and outlaws from all over the world see it as an Eldorado where they can easily prosper. And this is because regulators are lagging behind and struggling to grasp how to legislate on these still untapped territories. Although everyone uses weapons, that does not mean they are all experts in weapon handling. In these times when border crossing has become common practice, the question of sovereignty is still an issue that needs to be addressed. While innovation opens up new spaces and pushes beyond the barriers, it also, at the same time, allows for space appropriation including by those with criminal intent – and does so by using the same digital tools brought about by innovation.
Innovation brings with it a lot of uncertainty and risk. Progress is not a one-way route: it can go both ways, pushing forward and sometimes rolling back, albeit in very different proportions. Any kind of progress comes with a certain degree of regression, as if any form of advancement has to come with a price.
Hence, cyber criminals are the flip side of digital technology. They are the ultimate in digital perversion leveraging technology for malicious and criminal purposes. Cyber crime is innovation related for sure and relates more specifically to new technologies. What is striking though is that this wrongdoing emanates from the technology itself. Tools that enable progress are the same that lead to regression.
Just as in the Wild West, where the sheriff and the outlaw with a price on his head both carry the same Colt revolver, today’s cybercrime shows that the means to commit wrongdoings and crime are the same. Whereas we use different means than the crimes themselves to fight “traditional” criminality (prostitution or racketeering are not used in the fight against prostitution or racketeering…), cybercrime and cybersecurity use the same means, the same technologies. A bit as if drugs were used to fight drugs. The identical means on both sides have created an unprecedented symmetry between criminals and defenders of the law. It all boils down to mastering digital technologies. In fact, it is because of this surprising symmetry that hackers, who are cybercriminals, are often hired by cybersecurity companies or by law enforcement. Despite this symmetry, criminals usually have the upper hand when it comes to weaponizing digital technology, whereas their victims unsuspectingly use digital technology, oblivious to the potential flaws and weaknesses of the systems they use.
A ransomware attack on a hospital means infiltrating interconnected systems, machines, scanners (all this is innovation), and bringing an entire digital infrastructure to a halt by means of computer code, i.e. another digital system: there is no difference in nature between the blocking mechanism and the system blocked. It is the intention that differs.
Viruses supporting viruses
The pandemic has spawned a massive wave of cyber attacks that can also be considered as a pandemic. SARS-CoV-2 is not the only dangerous virus out there. There are other viral systems also known as “malware”, “ransomware”, “spyware”, “trojan”, “worms”, “rootkit”, “backdoor”, and so on. These viral systems are proliferating and the pandemic may be a big part of the reason for the spike in malicious activity (do viruses actually help each other?), especially with remote work becoming the norm.
This makes systems more vulnerable to cybercrime, making employees who have had to adopt this remote work mode one of the weakest links in cybersecurity. Remote working expands the threat surface and increases the number of loopholes that cybercriminals can take advantage of to “reach” a company (“reach” of course has a double meaning, suggesting “to access” and “to harm”). Indeed, each home office employee is a potential unprotected entry point to a network, providing a major avenue for cybercriminals to commit cybercrimes. Resorting to social engineering (targeting employees, especially through social networks) is much easier than trying to exploit a network’s technical vulnerabilities. Trying to safeguard the online experience and journey of employees poses a serious challenge for CIOs. Also, “do’s and don’ts” and caution must be the new norm on networks as it is in real life, especially when employees working remotely are becoming seasoned Internet users, surfing more and more websites that may not necessarily be secure.
The remote work model definitely increases cybersecurity risks. Companies with strong CSR policies are the most likely targets for cybercrime. Indeed, company managers that resort to remote work expose themselves because the initiatives they engage in make it easy for cyber criminals to exploit the vulnerabilities that come with these initiatives. This holds whether they want to transition towards an eco-friendly development strategy (employees not having to use transportation modes, reducing the carbon footprint), want to provide a better work environment (flexible work mode with some work from home and some in-person office presence), or are looking to increase productivity without putting more strain on employees.
Anyone can now be a target. The economic war is now heightened by another kind of war that can hit any company – ransomware attacks. Ransomware attacks are definitely on the rise. The average ransom demand, in exchange for a decryption key, practically tripled in 2020. Businesses have to clearly understand and factor in that a war is being waged and that the fight is on. They will have to make sure they constantly adapt their defense mechanisms to the changing nature of attacks. This must now be an integral part of the business strategy set out every year because failing to do so can have very damaging consequences in terms of business, operations and the competition. (Cf. Chantelle, which filed for bankruptcy after a cyber attack.)
Cybersecurity has become key. Because of its undeniable impact, it is now making its way onto the list of priorities of corporate boards and executive committees, just as digital transformation did.
However, protecting against cyber crime is a costly investment plan with no real hope of generating any financial gain per se. Unlike an insurance policy, that protects against potential liabilities and damages based on an agreement, cybersecurity is based on technology. And the acquisition of this technology, which can hardly be amortized in the long term, as it rapidly becomes obsolete with cybercriminals always one step ahead, makes it a particularly significant investment for a company.
This is the dark side of the all-digital world. Every innovation comes with a downside, i.e. what it eliminates or destroys in order to replace it. But each innovation brings with it a new opportunity: the web, for instance, while decreasing in-store traffic, also generates more business with the click & collect model and so on… Innovation in cybersecurity, though, is all one-way: there is no profit-generating opportunity that comes out of it. Despite this exclusively non-business profit aspect, it needs to be addressed as a high priority.
Now a mandatory item on the balance sheet of companies, it is a net expense with no positive counterpart except for security. While the technologies involved in digital transformation present an interest in that they bring progress, cybersecurity, which utilizes almost all of them, only brings a kind of awkward gain: a negative profit, a “better be safe than sorry” type of gain. It is a “just in case” investment.
There is a way to put a positive spin on this security narrative by considering it as an opportunity to run a massive and permanent testing scheme on a company’s defence systems. It helps bring the company’s weaknesses to the surface so that they can be addressed.
(*) By Alain Conrard, author of “Taking the Plunge! A Different Take on Innovation,” a book published by Cent Mille Milliards in September 2020; CEO of the Prodware Group and President of the Commission on Digital Strategies of the METI.
Article initially published in La Tribune