Earlier this month, RSA Conference 2019 took place, with some interesting information on where current cybersecurity threats are coming from and where we should be watching for further attacks. The answer may surprise you if you've been following the media's take on the issue: it isn't Russia but China that we should be watching, at least according to some analysts.
RSA Conferences are annual IT conferences centered on cybersecurity issues. This year's conference took place March 4-8 at the Moscone Center in San Francisco. What makes the event interesting is the speakers and analysts who attend, from various roles and positions related to fighting cyber crime. This even includes U.S. government agents and personnel.
The Washington Post's Joseph Marks reported that at the recent event, officials described China, and not Russia, as the main culprit keeping U.S. government agencies up at night.
“During keynote addresses, panel discussions and press conferences Tuesday, they were laser-focused on the digital security threat China poses to the U.S., describing it as more complex and damaging than any posed by other digital adversaries.”
NSA senior cybersecurity adviser and former White House cybersecurity coordinator Rob Joyce was quoted as saying that Russia is a hurricane that comes fast and hard, while China represents a slow, long and pervasive climate change, alluding to the two powers' abilities to conduct cyber attacks on the U.S.
The director of DHS's Cybersecurity and Infrastructure Security Agency (CISA) was also quoted as saying that while Russia is trying to disrupt the U.S. system as a whole, China is manipulating the system to its long-term advantage. He also mentioned that combating China's cyber attacks will be one of the four main focus areas for CISA during the next 18 months.
China appears to be a huge threat in terms of attacking government installations or finding aspects of the U.S. political system and economy to disturb. It is not the only threat, however, and fighting cybercrime as a whole should not be taken lightly.
ZDNet also ran a story about the event, as its author, Tom Foremski, attended and had a chance to listen to some of the speakers live. Foremski's takeaway from his time at the event seems to be this: the state of cyber crime is currently dismal because the costs continue to grow while prevention is at a standstill.
“The cost of cyber crime is the loss itself (predicted to be $6 trillion a year in 2021 by Cybersecurity Ventures), plus the cost of buying the cyber security needed to bolt the stable door, plus all the engineers involved in developing the software, and then, on the customer side implementing it, all the sales people, field support staff, marketing, VCs, etc,” he said.
This suggests that current cybersecurity efforts mostly aim to counter already-known exploits and threats rather than taking a proactive approach to combating as-yet-unknown threats. He called it a “dismal waste of human energies”.
Foremski also quoted former secretary of defense and former CIA director Leon Panetta, who spoke at the event and emphasized that cyber crime is not just a threat companies worry about, but an issue that can impact society as a whole.
“His biggest nightmare is of a computer virus that attacks and disables US infrastructure. He estimates that such an attack could result in millions of lost lives — it would be a digital Pearl Harbor,” Panetta said.
Panetta also mentioned how cybercrime or cyber attacks can divide nations and create scenarios in which fake news influences public opinion. Foremski referred to this as “cultural hacking.”
Other notable takeaways from the event, as Foremski saw it, are that malware may already be implanted in different places, or lying dormant and waiting for someone to trigger it through remote code. Also, cybersecurity seems like a great industry to get into, with no shortage of jobs in the future and no threat to those jobs from AI.
Despite RSA Conference having a strong U.S. cybersecurity focus and the event taking place in San Francisco, the EU is also worried about China. The Cybersecurity Act and certification scheme revisions are a reflection of this growing concern.
According to CGTN:
On Tuesday, March 12, Members of the European Parliament (MEPs) adopted the European Union (EU) Cybersecurity certification scheme for products, processes and services. The Cybersecurity Act is a scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards. MEPs also adopted a resolution calling for action at EU level on the alleged security threats linked to China’s growing technological presence in the EU.
5G technology, apparently, is being viewed warily as a possible way for Chinese hackers to gain access to data, including through backdoors in hardware equipment. This can definitely undercut businesses, since Chinese ripoff or knockoff products thrive when their makers gain access to company resources and data and can use them in their own manufacturing.
According to CGTN, “MEPs expressed their “deep concern” about recent allegations by the United States – where nuance and unilateralism often prevail – that 5G equipment may have embedded “backdoors” that would allow Chinese manufacturers and authorities to have unauthorized access to private and personal data and telecommunications in the EU.”
This would be a huge blow to 5G technology, which promises to bridge the gap between mobile networking and home broadband Internet connectivity, or in many cases to overtake the latter. It is being ushered in as a major step up from the current 4G technology present on mobile carriers and LGE mobile routers. If China compromises the tech, it could drive down its adoption or keep it from taking off the way it needs to this year in order to bridge that broadband access gap.
Keep in mind that in December of last year, MEPs agreed on a cybersecurity certification scheme for all consumer devices as a way to safeguard against such issues. As we can see, though, the EU is still affected and continues to update the certifications. This latest update may be a reflection of the previous agreement, or it may be that the previous agreement has now finally been put in place and is being looked at closely.
Companies as well as governments have a lot to worry about, as countries like China have large hacking groups working both for personal or profit motives and on a government or political scale. This is why more companies, government agencies and cybersecurity groups should be coordinating their efforts and working together to combat cybercrime. It is also worth taking not just a reactive but a proactive approach to the issue, to avoid future attacks that could cost governments and enterprises millions of dollars, lead to political campaign slander, and affect many other aspects of people's lives.