DAVOS - Countries should cooperate and share information about cyber attacks to tackle the threat posed by cyber criminals, panellists at a World Economic Forum (WEF) discussion said on Tuesday.
Albanian Prime Minister Edi Rama, whose country suffered a massive cyber attack last July that shut down public services, said sharing information with Albania’s allies is crucial so that they can identify the type of cyber weapons being used.
The cyber threat is akin to the pandemic, but worse, he added at a panel discussion on securing critical infrastructure. “This is not about one virus. It is about a multitude of viruses and mutations that happen every second.”
Sharing information will increase “immunity”, he said, cautioning that cyber attacks can inflict an “apocalyptic” degree of harm.
Singapore’s Minister for Communications and Information Josephine Teo, who was on the panel, said enhancing international cooperation is one of the key planks of the Republic’s cyber-security strategy.
Cyber criminals do not respect geographical boundaries, said Mrs Teo, who is also Minister-in-charge of Smart Nation and Cybersecurity. If nation-states do not cooperate in areas such as exchanging information on cyber incidents and plugging legislative gaps that criminals using ransomware are taking advantage of, “we will continue to find it very difficult to get on top of the game”, she added.
The WEF had flagged widespread cybercrime and cyber insecurity as one of its top 10 global risks in the 2023 edition of its Global Risks Report released last week.
Mrs Teo said the world today is very dependent on IT systems and operational technology (OT) systems that control industrial equipment and processes.
She cited how a cyber attack on a hospital could mean patients are unable to get the right medication, as their records cannot be retrieved. An attack on an air traffic management system would have horrific consequences, she added.
Mr Oyvind Eriksen, who is the president and chief executive of Norwegian industrial investment firm Aker ASA, said his company had previously paid more attention to cyber attacks on IT systems rather than actual operating systems.
The biggest risk today to Aker – the second-largest oil and gas producer in Norway – is hackers taking control of critical operating systems, which would have major safety, environmental and even financial consequences, he said.
On how to counter such threats, cyber-security expert Robert M. Lee said governments need to collaborate with industry players and not simply dictate how to improve security.
“When we try to bring our biases of what works in IT security and try to apply them to these operational technologies, you are going to get a lot of money spent and not a lot of return,” he added.
Mr Lee, who is the chief executive and co-founder of industrial-focused cyber-security firm Dragos, held up Singapore’s Cybersecurity Act as a good example of collaboration. The Act, which came into force in August 2018 and is currently under review, defines who is responsible for the cyber security of critical information infrastructure in crucial sectors such as water, energy and healthcare. It also includes a code of practice for operators of critical infrastructure to improve their cyber defences.
“Also, we must understand that even the software vendors, and everybody else, love their own software. It is probably the least important part of it,” Mr Lee said. “It is always going to come back to having smart humans, because you are talking about human adversaries.”
As for funding cyber defences, Mr Lee said companies need to find out whether they are devoting resources to where those are most needed. “When I go speak at boards... it is often surprising to folks just how much they are spending on the website and not the gas turbine system.”
Mrs Teo said defending IT or OT systems will not come cheap. However, businesses cannot think of cyber security only in terms of cost, but also how it impacts their competitiveness, she added.
“If your business goes down, you do lose a lot of that revenue. If your reputation is gone, for certain businesses, it is very hard to recover,” she said.
“If you are a bank, and your customers have lost money because you failed to secure the systems adequately, who dares to bank with you? That is going to be an even bigger cost.”