Building the resistance: How the cyber security industry is protecting the web

The SolarWinds breach of the U.S. government capped off a banner year for cyberattacks. But experts say it could end up making the internet more secure.

For most of us, 2020 was the worst of times: political instability, economic uncertainty and a history-altering pandemic. But it was the best of times for at least group: cybercriminals. With formerly office-bound employees spreading out, often to poorly secured home networks, the number of internet endpoints — computers, phones, Internet of Things (IoT) devices — exploded globally. As the so-called “attack surface” for online ne’er do wells increased exponentially, so did phishing, ransomware and other forms of cybercrime.

In fact, according to Waterloo-based information-management company OpenText, cyberattacks have grown five-fold during the pandemic, and ransomware attacks in the first half of 2020 were up 20 percent over the same period in 2019. And, no surprise, there’s been a 2,000 percent increase in malicious files with “Zoom” in their name.

But as much as COVID-19 exacerbated the problem, it didn’t create it. With every passing year, the tech available to consumers and companies grows more sophisticated, from 5G to the proliferation of IoT devices. There are plenty of upsides to that, of course — the (relative) ease of 2020’s work-from-home pivot attests to it. But the rapid pace of change has opened new opportunities for bad actors, and there are far more transformative changes in store.

“Today’s [security] techniques are going to die,” Mark Barrenechea, CEO of OpenText, told attendees of Enfuse On Air, a cybersecurity-focused virtual conference last December. 5G will enable ever-greater exploitation of internet-connected devices, biometrics will become more vulnerable to bio-fakes, and eventually, quantum computing will render today’s encryption standards useless. “That’s why it’s really important to be keep being forward-looking on security and protection, and cyber-resilience strategies,” said Barrenchea.

For companies still struggling to get employees to stop clicking on phishing emails, this profusion of threats may seem intimidating. But many infosec experts are optimistic that 2020 marked a turning point, thanks both to the pandemic and to other headline-grabbing cyber-breaches — especially the SolarWinds hack that capped off the year in such dramatic fashion.

Beginning back in March, hackers (believed by U.S. intelligence to be affiliated with Russia) accessed a computer system belonging to information-management company SolarWinds. They slipped malicious code into a software update, which soon found its way to thousands of SolarWinds clients — including much of the U.S. government. The breach wasn’t discovered until December, and it landed like a bomb in the infosec community. Some likened it to a “cyber Pearl Harbor.”

The SolarWinds hack was what’s known as a supply-chain attack, wherein a malicious actor uses a trusted piece of legitimate software to pass an infection to an unwary target. That vulnerability in the software supply chain is longstanding, and certain to be exacerbated by the adoption of emerging technologies. Take IoT: as more devices go online, their profusion creates a broader attack surface. And as more devices are connected via 5G, the ability to move more data, faster, increases the risk still more.

“Commonly you’ll see those attackers using a device as a launch pad, not attacking the device itself,” says Rohit Sethi, CEO of Toronto-based cybersecurity provider Security Compass. “The code for the device may be old and vulnerable, it’s exposed to the internet, it was never designed to be secure in the first place. That’s a great way to launch into a network.”

And since software vendors have been able to avoid answering hard questions about security, says Sethi, plenty of products — workplace software, IoT devices, even cars — are vulnerable by design. “Vendors are being asked how they’re securing data centres, or whether their employees are susceptible to phishing emails, but not about the nuts and bolts of the software itself,” he says. “So you have tons of products entering the corporate network that are compromised.”

SolarWinds may spell the end of all that. Anthony Di Bello, vice president of strategic development with OpenText, believes that there will be a renewed focus on extending corporate security practices to third-party vendors, and evaluating just how risky certain software products are. “The integration of security into software development and building a secure supply chain is going to be a bigger part of the conversation now,” says Di Bello. “Every software vendor is going to have to become a security vendor in some sense of the word.”

Di Bello and Sethi are both advocates of what’s known as DevSecOps (for development, security, operations). In simple terms, DevSecOps simply means baking security into software development, and the idea has gained traction in recent years. “Ask for third-party validated credentials that really show they’ve integrated security,” says Sethi, such as broad certifications such as ISO 27034  or more specific ones, such as ISA Secure, which focuses on automated industrial systems. “If a major software vendor hears demand from enough customers in that sector, they may change their approach.”

At the same time, companies need to also start preparing for the profound changes that are on the horizon — chief among them the sea change that quantum computing will bring about.

“There’s a strongly held belief that when quantum hits the mainstream, current encryption will be rendered completely useless,” says Di Bello. “This is such intense computing power that brute force attacks against encryption, by trying millions of keys in a short time, will be possible.”

For now, companies are limited in how much they can prepare for quantum. But “crypto agility” is a growing watchword. In the simplest terms, it means that organizations of all kinds should work with security experts to ensure that when new quantum-resistant cryptography is rolled out, it can be easily incorporated into an organization’s existing security efforts.

Those efforts are already underway. In the U.S., the National Institute of Standards and Technology’s is currently in the midst of developing algorithms that will form the first post-quantum encryption standard, tentatively planned for 2022.

The growing adoption of biometrics, from fingerprints to facial recognition and beyond, is also changing the security conversation. Deploying biometrics can help diversify an organization’s security strategy, making it more resistant to some security threats.

“A password is binary — it’s right or wrong,” says Courtney Gibson, chief information security officer at BioConnect, a Toronto-based company that builds biometric security solutions for enterprise clients (think data centres, social-media companies, etc.) “But people grow, change their hair, gain and lose weight, get a paper cut on their finger, change their glasses, wear masks. So, biometrics are probabilistic: is this actually Courtney, or has he just changed his hair and glasses?”

That means biometrics have advantages and disadvantages. They can be tricked, but they aren’t rendered useless by a compromised password. As Gibson says, “I can learn your password, but I can’t put on your face.”

But like quantum computing, biometrics will be subject to the same arms race that infosec professionals have always played with cyber criminals. Fake bio identifiers, like fingerprints and voices, could trick biometric systems. That might not always be the case.

“It’s the perennial game of cat and mouse,” says Di Bello. “Build the better mousetrap, and the mice get smarter.”

Claudette McGowan, the global executive officer of cyber security at TD and chair of CILAR (Coalition of Innovation Leaders Against Racism), is launching a podcast called C Suite on February 4. In the first episode, she talks with Kevin Mandia about one of the biggest cyber breaches of all time.