Antivirus is dead: young talents are Hong Kong’s first line of defence against cyberattacks
Winnie Tang says with cyberattackers becoming ever more aggressive and global, rules and battle plans have to be redefined, and the government must urgently step up talent training in schools
The recent cyberattack by the ransomware cryptoworm WannaCry drew the world’s attention to network security. According to Kaspersky Lab, a network security software company, the number of online attacks detected in the first quarter of 2017 doubled to more than 400 million, compared with the same period in 2016, while over 200,000 mobile phones were infected by ransomware Trojans, which is 10 times the number in the first quarter of last year.
Unfortunately, antivirus software may not be able to protect your computer and mobile phone completely. Symantec, the developer of Norton, once the best antivirus solution, announced the “death” of antivirus software as it is difficult to shut viruses away.
Cybellum, an Israeli network security firm, recently found a virus that specialised in attacking antivirus software and named it DoubleAgent. Instead of hiding and running away from the antivirus security agent, attackers now directly assault, hijack and gain control over it, turning it into a malicious agent. In other words, it is impossible for us to defend against network attack programmes and ransomware.
Michael Daniel, the White House cybersecurity coordinator in the Obama administration, said cybersecurity is a big challenge in part because we are handling new problems with old thinking. His recent article in the Harvard Economic Review focused on three reasons for the network security problem.
One, it is not a mere technical problem, although there is a technical aspect, such as how to write a totally bug-free programme.
Two, cyberspace is different from the physical world, and the rules of the game have to be redefined. At light speed, “concepts like distance, borders and proximity all operate differently”. In the physical world, a person is likely to be on site when committing a crime, while in the internet world, threats can come from anywhere and from anybody.
Moreover, a crime in the cyber world is not bounded within any particular country, much like a crime committed on the high seas. How do we hold individuals and organisations accountable for mischief done in international areas?
Three, the law, practice and rules of the internet world have not been fully developed yet, and regulations, including those on the responsibility of user protection, are not yet complete. In the case of the WannaCry attack, the global impact covered government departments, public and private organisations, and individuals, but the copyright owners of the computer software being attacked were private developers, so who is responsible for chasing after the culprit?
In addition, we have to think about the following: what is the right division of responsibility between governments and the private sector in terms of defence? Are there any protective measures provided by the companies which are handling our data? Are there any standards to follow in the industry? How should regulators approach cybersecurity in their industries? What can governments, private enterprises and individuals do and what is it they cannot do?
In short, as long as we continue to try mapping physical-world models onto cyberspace, they will fall short in some fashion.
So how can we protect ourselves? Risk is inevitable since we have to use the internet. Therefore, to manage and mitigate the risk, public and private organisations, as well as government departments, should strengthen their “immune system”.
The recently published 2017 Global Information Security Manpower Research Study, which interviewed 19,000 professionals in 170 countries, flags a serious shortage of global IT security personnel. The workforce gap by 2022 will reach 1.8 million.
I believe that education is the best way to stimulate new thinking and solve problems. Therefore, it is a matter of urgency to train the younger generation in computer programming and network security awareness, as well as to promote STEM (science, technology, engineering and mathematics) in primary and secondary schools.
The government should speed up accordingly as there are no short cuts to talent training.
Dr Winnie Tang is an honorary professor in the Department of Computer Science at the University of Hong Kong