Cybersecurity: new threats, new models


Yuval Wollman and Matthew McCormack

Yuval Wollman – former Director-General, Israeli Ministry of Intelligence and current president of CyberProof – discusses the changing cybersecurity landscape.

Yuval Wollman


Yuval is a former intelligence chief who brings a wealth of experience across public and private sectors to bear in his role as President of CyberProof, UST's Israeli-anchored cybersecurity subsidiary. He also leads an innovation hub to accelerate customers’ digital transformations.

Matthew McCormack

Managing Director, UST ANZ


Matthew has successfully led some of the largest and most complex digital transformations across APAC, proving his ability to align business objectives and technology investment with people-focused outcomes. A trained anthropologist, Matthew firmly believes the human element is central to any business transformation.

The recent Optus hack was a reminder that cybersecurity is an ongoing battle, and a single misstep can have catastrophic consequences.

As a former director-general of Israel’s Ministry of Intelligence and the current president of cybersecurity provider CyberProof, Yuval Wollman knows this only too well.

During a recent visit to Australia, Wollman sat down with UST Managing Director Matthew McCormack for a wide-ranging conversation on the changing cybersecurity landscape – in a special evening event hosted by the American Chamber of Commerce.

Here are some of the edited highlights from the transcript.

Matt: You’ve had a wonderful career. You’ve done so much and seen it all. What has changed in the security landscape over that time?

Yuval: The main difference is that earlier this year, in February, the biggest cyber war conflict started in Ukraine. The combination of a physical military war with a cyber dimension was not in place 20 years ago, not even 10 years ago.

Even when you go back to Israel and how it fights with Iran and vice versa, you see a tacit cyber war taking place and now it's more and more out in the open.

Only four days ago, the Albanian Prime Minister came to Israel. He said, "I was cyberattacked by the Iranians. Help me." We've not seen that before so openly. Collaborations between Western governments and allies took place all the time, but not to that extent.

We've seen an unprecedented open collaboration – whether it's the U.S., U.K., E.U., Australia, Japan or others supporting Ukraine with intelligence.

But it's not only governments. It's the first time that we've seen large technology companies providing open support. Microsoft and Google and others share their information, they open their intelligence centres to the Ukrainian decision makers. They helped to stop some of the attacks.

But first and foremost, it's the Ukrainians themselves. They have developed capabilities since 2014. In the years between 2014 and 2022, there were very strong attacks against critical infrastructure and financial institutions. So, as they developed their military force and their air force, they also developed cyber capabilities.

Are you seeing any movement of those attack and defence capabilities from the geopolitical sphere or nation states into the private sector?

We cannot distinguish between the two. The Russians attack critical infrastructure, not only with real missiles but with cyber missiles, which often means privately held companies. The SolarWinds attack that was exposed in 2020 was an attack on the supply chain of Western enterprises, presumably related to Russian proxies.

The assets that a nation has are also in the private sector. So, the risk for the private sector has grown dramatically over the past year.

What should board members and CSOs focus on in this changing threat landscape?

The threat actor landscape has grown dramatically, not only because of the war but also because of other trends that took place even prior to the war.

The exposure is much bigger now because organisations have become more digitised. They're moving to the cloud, which creates more vulnerabilities. They’re working remotely. And I'm not sure they have much more budget to counter that.

The first thing they need to do is prioritise. It's not a security discussion. This is a business discussion, whether it's a private enterprise or a government agency. The discussion should take place not only with the chief cyber executives, but across the board and management, to work with business stakeholders to understand what assets they need to protect. Where is the important data? What are the crown jewels, so to speak.

And then, according to that, you start asking yourself who is the threat? Where will it come from? And then you start to deploy resources to protect yourself as an organisation.

You want to project to your shareholders, to the company, ministers and the public as well that you have decreased the risk over time.

What lessons can we learn from the recent cyberattacks in Australia?

I believe those kinds of attack could have been better managed if the board and the management – it’s a C-suite problem – had prepared the right playbook in advance; not only disaster recovery but also when it comes to communication.

It's also how you build your teams to respond to make sure you understand what exactly was hurt, how you can wrap it and put it aside, how do you negotiate if it's ransomware … These are the decisions that you need to take in advance to be ready for the containment.

You will be hit. The question is when. So, make sure that you're managing your risk properly so you will be hit in a place that is less sensitive and you know how to contain it once it happens.

We’ve seen examples recently where an organisation has been quick to blame a nation state only to find out that it was a very innocuous employee mistake. Is this a similar trend globally?

We're seeing a new methodology in the cybersecurity market: zero trust. How you manage identity and access in your organisation so that you don’t need to count on the ethics or loyalty of a specific employee.

Phishing is the easiest way to get in. Even if you assume 25% of employees will not comply with security measures and risk falling into the phishing trap, you need to make sure they don’t have access to sensitive data, to the crown jewels.

What are your predictions for the cybersecurity sector?

It's not only the increased risk because of the war. China is getting bigger and challenging the world order.

And it is also about the economic cycle that we're seeing. Budgets are more consolidated. Chief information security officers will need to better manage their budgets in the coming years.

At the same time, their organisations will keep moving to the cloud, creating more attack surface. They need to prioritise and make sure that they pick the right product to protect the right assets. How do you plan your architecture, your network? How do you work together to make sure that as the company moves to the cloud, they're getting the right tools and design to make sure they're not becoming even more exposed.

There are so many steps that can be taken to dramatically decrease the risk. And this is what sophisticated CSOs or chief information security officers are doing.