HAS ANYONE GOT A PEN? THE FUTURE OF CYBER SECURITY MAY NOT BE DIGITAL

By Shaun Read
An edited version of this article was published in Financial Mail online on 14 May 2021

It is rumoured that President Vladimir Putin hand writes all his memos. The reason is simple, you cannot hack a piece of paper. The only risk is that some Kremlin lackey loses the piece of paper (no doubt to be followed shortly by his accidental fall from a tall building). Whether the rumour is true or not, the reality is that the only way to avoid being hacked is not to connect with the cyber world. However, this is simply not possible for any business operating in today’s environment. The result is the often repeated mantra that there are only two types of businesses: those that have been hacked and those that will be hacked.

Despite this threat, more and more companies pride themselves on their progress towards greater integration of their systems and the Internet of Things (IoT) or the so called Fourth Industrial Revolution. As they do, they leave the analogue world further and further behind. Historically the large majority of cyber-attacks were aimed at accessing a company’s database. As a result, businesses have naturally focussed on protecting their data and creating parallel data storage and recovery centres. However, the increased integration of digital systems has allowed cyber criminals to open new and more lucrative opportunities for cyber hacking. As a result, cyber criminals are increasingly focusing their attention on denial of service attacks, which shutdown a company’s entire IT system. Companies are then either forced to pay a ransom to remove the lock on their system or have to find a work around.

A further disturbing trend is that cyber crime has moved from individuals in the cyber underworld to state sponsored actors. Businesses are a soft target for states looking to destabilise their enemies. The recent hack on the privately owned Colonial Pipeline in the US disrupted the supply of 45% of the fuel for the whole of the east coast of that country. Speculation is rife that Russian proxies are to blame. This follows on from the SolarWinds hack, also widely attributed to Russian state sponsored hackers, who targeted a company that supplied some 33 000 customers with IT management software, including some US government departments. The spyware embedded in the SolarWinds software served as a convenient back door to otherwise hyper secure government systems.

Cut off from access financial markets, North Korea is rumoured to have has stolen or extorted billions of dollars through cyber-attacks to fund its regime and gain access to technology designs. Famously, North Korea has also been blamed for shutting down the IT infrastructure of Sony Pictures IT infrastructure, seemingly out of revenge for the release of a film parodying Kim Jong-un. Earlier in March of this year, Chinese hackers were stated by the White House to be actively targeting Microsoft exchange servers, leaving behind possible backdoors to return to later.

South Africa is certainly not immune to cybercrime. According to an Accenture report, South Africa had the third highest number of cybercrime victims of any country in 2019. Liberty, Life Healthcare, PPS, Momentum Metropolitan and Experian, are some of the businesses, stated publicly, to have been targeted. The City of Johannesburg was hacked by a group calling themselves the Shadow Kill Hackers, who demanded a ransom payment in bitcoin. The Covid-19 pandemic has increased the vulnerability of business IT systems as staff are forced to work at home and link in to the company from less than secure environments, often using unsecure personal computers.

Most companies are simply not able to afford to maintain a duplicate secondary system that operates independently of its primary system and that can go live at any time. At the same time, how many companies have left the analogue world so far behind them that they cannot operate when faced with a total or even partial loss of their IT systems?

Which brings us back to my “Putin solution”. On a recent trip back from a neighbouring state, I arrived at the airline check in counter to find the systems were down. Steeling myself for hours of delay, I was surprised when the check in attendant reached into a draw for a carbon copy book (look it up millennials) and wrote out my boarding pass and luggage tags. More by accident than by design, the lack of resilience of the computerised check in system was such that the airline could not afford to let go of the analogue world. As a result, the flight left on time.

A less comforting story was a trip to New York in 2016 when all flights of a major US airline around the world were grounded due a systems problem. Every single component of their computer system was affected and shut down: ticketing, boarding passes, cargo, take offs and landings, plane scheduling, ground crews, plane crews, maintenance, seating, upgrades, suppliers, payments. To this day, the airline contends this was due to a power failure at a control centre but speculation remains rife that the cause was a computer hack. Irrespective, the complete dependency on a computer system meant there was no ability to cope without it and it took many days for to restore normal flight scheduling.

The future of cyber security may well therefore be to not completely let go of the analogue world. This may be as basic as ensuring that your staff have phone communication (one which is not dependent on the internet), pen and paper and printed forms and manual credit card machines (remember those) – oh and keys to the front door. The ability of a business to continue operating, even in the most basic of forms, will seriously undermine those looking to extract a ransom.

Companies looking to gear up for the fourth industrial revolution are well advised to determine the extent to which they the leave the analogue world behind altogether. The cyber criminals and their state sponsors certainly are doing so.