Technology has driven globalisation – and now the international community needs to regulate its use. Andy Garth Government Affairs Lead at ESET discusses cyber security and the role of IT governance with Johanna Hamilton AMBCS.
In order to support peace, prosperity and safety internationally, we need both consensus and rules. As countries opt in and out of unions, treaties and accords – depending on politics and economics – it’s difficult to see how a new age of universal agreement can be reached. Welcome to a whole new world of cyber diplomacy...
Can you tell me about your role?
I'm the Government Affairs Lead for ESET. I look after several things, including the regulatory side of activity. So, we're following very closely what's happening in the EU, particularly with the new NIS2 Directive, Cyber Resilience Act, Artificial Intelligence Act, Cybersecurity Act the Digital Markets Act... a whole host of regulatory files that will have a bearing on both individuals, companies and also the public sector.
I am also working with governments around the world. The EU and the US are the real regulatory powerhouses of the globe, as we saw with GDPR, which came out of the EU and then quickly adopted around the world. My role is also about how we keep a country safe – how we support more sensitive areas of government from evolving cyber threats. From Prime Minister's offices to ministries of defence, to departments that pay people's pensions – indeed protecting all national critical infrastructure.
I’m also spending a lot of time on the cyber threat intelligence picture. ESET is probably the leading source of information on the malware tools that have been deployed in Ukraine, that means there's quite a lot of interest in our threat intelligence side of our activity. And with a title like ‘government affairs lead’, you get involved in anything that cuts across the government.
Tell me about your work in cyber diplomacy?
The cyber diplomacy side is where particularly you work at supranational level to secure international agreements to make the global digital space safer. And so, there's quite a lot of talk at the United Nations about getting members to agree the appropriate rules of responsible state behaviour in cyberspace.
So, this is where states say they will not attack healthcare or critical national infrastructure. Some things should be off limits. So, there are 11 norms of reasonable state behaviour in cyberspace which have been agreed. The challenge is, that these are non-binding and voluntary. There are no consequences for infringing the rules and with a lot of state led cyber-attacks you can try to hide behind plausible deniability.
Attribution is difficult and many state actors that get involved in this will use third parties. They will use proxies to do their bidding, that means we now see crimeware groups doing cyber espionage and disruption. There is clearly a relationship between some states and some criminal groups. There are also “false flag” attacks where one state actor would launch a cyber attack but try make it appear that it was instigated by another state.
The idea of the UN is to try, at this supranational level, to get everybody to agree to the rules. And the conversation now in the UN is very much about expanding these norms but also trying to agree about the consequences. So, in other words trying to enforce the agreement. Secondly, once you've set the rules, we also want to make sure that we enhance cyber resilience, particularly in the less developed world.
The UN are trying to do more capacity building initiatives in Asia, Africa, South America, Latin America and also within Europe. Therefore, cyber diplomacy is very much geared towards those two areas. It's agreeing global norms and secondly agreeing on how we make the world a more cyber resilient space.
ESET is based in Bratislava –in the former Czechoslovakia – so are you perfectly placed to know what threat actors may be up to?
ESET has over two billion sensors around the world and is one of the largest cyber security companies. We have access to a lot of telemetry and a lot of data. Of course, because of our long history, over 35 years in business and being European based, we have a significant amount of data which is from Europe. We actively track Chinese-speaking, Russian-speaking and other groups attacking European interests.
I think we offer a different piece of the jigsaw. Many of the threat intelligence companies are American-based and they look at the threat picture through an American lens of what's happening in the US, whereas we're European and see it from that focus as well. Our footprint is a little different.
For you
Be part of something bigger, join BCS, The Chartered Institute for IT.
For example ESET has been in Ukraine for a long time and part of the public-private sector effort to counter cyber threats. In addition to ESET’s protection and detection capabilities, we believe it is really important to share information on threats with the rest of the infosec community.
We have probably the largest security blog in the world, which is welivesecurity.com. And we’ve shared information with the infosec community about wipers that were deployed in Ukraine – so others can protect themselves.
Do you think being based in an ex-eastern bloc country is a barrier?
Slovakia is a member of the EU and uses the Euro. We're also a member of NATO. Bratislava is only 40 minutes from Vienna. While it is easy to think of Bratislava being part of the former Czechoslovakia, 30 years on, ESET is based in a thriving European capital offering valuable insights to the infosec community – I don’t think the geography is too much of a barrier now. We have offices and R&D centres around the globe.
How can we make IT good for society, globally?
One of the fuellers for ransomware attacks is crypto currency. Finance ministers need to bring more transparency into cryptocurrency transactions as that's obviously a problem. That begs the question, what can be done at G7 level or G20 level?
Cyber security is a big user of AI machine learning, so one of my worries is that when we talk about regulation, we don't hinder the good guys by over regulating. I also hope that when we set the regulation that it's “smart regulation” and the people who make the rules understand how machine learning and AI works.
In the EU they are looking at AI regulations, but clearly there are some uses of AI that are more worrying for certain member states than others – such as AI which is used for face recognition. But there is also AI that's in use for commercial applications that is arguably low risk – it’s about getting the balance right.
Has the cyber threat landscape changed over the last few years?
The threat landscape just seems to be growing and getting more and more difficult. There has been a huge increase in cybercriminal activity particularly ransomware attacks. The adversaries are increasing in number and in sophistication too – it's a constant challenge for the defenders. There's lots of activity on the dark web, including ransomware as a service. They're highly organised and highly skilled.
You've got state actors in there as well, involved in cyber espionage, cyber disruption and peddling disinformation. The hybrid warfare side of things is also growing. Unfortunately, the cyber threat risk is increasing and as we use technology for more and more, so the attack surface available for these threat groups is also expanding.
A global pandemic has meant more remote working and that too has added to the challenge. I think looking forward, it's just going to be a constant battle. It's going to continue to be a challenge for everybody to try and keep on top of these evolving threats. But we are up for that challenge.
Do you see it coming down to an almost granular cyber security level?
Absolutely. Cyber security education is very important now. 85% of cyber security breaches are actually down to human error and it can be as simple as just clicking on the wrong link. Spear phishing attacks are now so sophisticated and so believable it's easy for anybody to make that mistake.
Therefore, we need to educate people because technology is only ever going to get more prevalent, have more uses and present more risks as time goes on. We need to protect the less tech savvy and vulnerable people who are falling foul of scams – hopefully technology companies like ours can help in some way.
If we can train people to pause before pressing a link, not to share their password or create an overly simple password then that will help; with technological solutions hopefully there to add an extra layer of protection.
Fortunately, there are innovative companies around. I was listening to one company today who have a plug-in that scans emails and flags them as red, amber or green. Even before you’ve opened them, it has made part of the decision for you – whether it’s genuine or not. But it's never going to be 100%. Humans will also make mistakes just from being busy and clicking without thinking. I'm sure everyone has done it – I know I have!
How important is it to attend conferences such as SASIG?
It's really important. Technology is moving very fast so cyber security needs to keep up. SASIG is a great way of being introduced to new products and innovations from both new and more established companies. No one company can have a product for everything to do with cyber security. It's an opportunity to do some intel into what's going on and to meet and talk to people about the challenges. We learn a lot from talking to each other.