The COVID-19 pandemic has shown the world the importance of resilient infrastructure and services, said international cybersecurity expert Melissa Hathaway in her keynote address during the Canadian Council for Public-Private Partnerships annual conference, held virtually this year.
“We need to futureproof our infrastructure,” stated Hathaway. “The private-public partnership is driving towards a common goal. Futureproofing that infrastructure and understanding the security resilience needs requires relationship, co-operation and mutual accountability. The digital transformation is now. We’ve accelerated it in 2020. Are you ready and are you resilient?”
Leaping into cyberspace
The world has made a great leap into cyberspace this year as a result of the pandemic, explained Hathaway in her address, The Implications of Cybersecurity Issues for Future-Proofing Infrastructure.
“It’s required an awful lot of innovation among us within our infrastructure and our corporations,” she said. “We’re seeing a digital transformation underway of society and of our infrastructures. Canada’s digital economy is worth over seven per cent of its overall GDP right now. The largest economic opportunities are being driven by Ontario, British Columbia and Quebec. We’re seeing the more and more digitization of these infrastructures, you’ll see Canada’s digital economy grow to 20 per cent over the next 10 years.”
She discussed delivering the high-speed, low-latency networks that are essential for the Internet of Things and how 5G is expected to be introduced around the globe in the next two to three years.
“It’s going to pave the way for what we in the west call ‘Industry 4.0’ and what in the east they call ‘Society 5.0,’ major transformations of key sectors,” Hathaway noted. “This is going to really require Canada to reshape its policy thinking and decision-making of how are we going to introduce new standards and regulations.”
Advanced manufacturing, robotics and advanced microelectronics in Ontario, Waterloo specifically, are going to start to drive more than 10 per cent of the GDP of Canada.
“Overall as we connect more and more of our infrastructure to the internet and become hyper connected it should unlock $13 trillion of economic value by 2035,” Hathaway stated.
Identifying threats and risks to cybersecurity
Becoming more connected means becoming more vulnerable.
Hathaway said that in 2020 there has been a 715 per cent increase in ransomware attacks, a 150 per cent increase in distributed-denial-of-service attacks and a 600 per cent increase in Internet of Things attacks.
“These are untenable statistics and will continue to grow in the future if we don’t start to manage this risk and start to address the vulnerabilities,” said Hathaway. “These disruptive activities are increasing at an exponential scale.
“We are seeing influence and propaganda campaigns that are meant to undermine our democracy and we are seeing a number of areas where nation states and others are stealing sensitive corporate data, intellectual property and our personal data to monetize it in the underground economy.”
To put this into perspective, she said, Microsoft has patched over 1,100 vulnerabilities this year and 15 per cent were considered “critical,” meaning they could be used to gain access to a company’s infrastructure. Oracle had 1,600 vulnerabilities this year, of which a third were critical.
“These unpatched systems are very easy to find on the internet,” Hathaway explained. “It’s free and easy and the tools are cheap and available. It only takes me seconds to gain access to your enterprise or your infrastructure. This is the state we are living in right now as we become more connected.”
One example is the MAZE ransomware, which runs off infected devices and knocks companies offline, including those in insurance, accounting, IT services, defence contracting and electronics.
“What happens is they get in through one of those Microsoft or Oracle vulnerabilities, they exfiltrate your data, they encrypt your systems and then they demand a ransom,” Hathaway explained. “The value at risk to you and your infrastructure is you will have business disruption, you’ll have data loss, you’ll have regulatory fines. It’s at an epidemic kind of scale in terms of what is happening in ransomware.”
The issue, she said, is most products come with the principle of “field it fast and fix it later.”
“‘Patch Tuesday’ therefore leads to ‘Vulnerable Wednesday’ in the core of your businesses and in the core of our infrastructures,” said Hathaway.
“We can’t have a future where we are fielding the technologies fast and worrying about the security vulnerabilities later. It’s our responsibility to design it right and field it right.”
Futureproofing infrastructure and services needs to be done now
There is a need to talk about how to futureproof infrastructure and digital resilience moving forward, she added.
“It requires us at a national level to strategically assess what is at stake and at a corporate level per our infrastructures to strategically assess what is at stake,” said Hathaway. “What are our critical dependencies, the core companies that drive our GDP, the infrastructures that power our countries, the assets that we can’t afford to lose, that if harmed would cause grave economic and national security consequences.”
With public-private partnerships, it’s important that all parties get something out of it, she pointed out.
“When we’re talking about a private-public partnership and we are talking about the digital resilience of our critical infrastructures we have to be very specific on what goal we are trying to achieve and what is your job and what is my job in order to achieve that,” said Hathaway.
“As we connect more of our critical infrastructures it means that we have to prepare the current generation and the next generation to be able to deliver these services and infrastructures…by design with the security, privacy and resiliency for the future.”
Follow the author on Twitter @DCN_Angela.