Defence of the Cyberrealm: How Organizations Can Thwart Cyberattacks


February 2, 2019: Governments and companies have much work to do to protect people, institutions, and even entire cities and countries from potentially devastating large-scale cyberattacks.

In this episode of the McKinsey Podcast, Simon London speaks with McKinsey senior partner David Chinn and cybersecurity expert Robert Hannigan, formerly the head of GCHQ, about how to address the major gaps and vulnerabilities in the global cybersecurity landscape.

Simon London: 2018 was a year of good news and bad news in cybersecurity. The year passed without a major international incident, certainly nothing on the scale of the WannaCry ransomware attack, in 2017. And yet every few weeks brought news of another big data breach at another big company.

So where do we stand going into 2019? Are we winning, in any sense? When and where will the next so-called tier-one attack occur? And, importantly, what is the role of government in helping to ensure national cybersecurity?

To find out more, I sat down in London with David Chinn, a McKinsey senior partner who works with public- and private-sector organizations on these issues, and also with Robert Hannigan, who is the former head of GCHQ, the UK government’s electronic-surveillance agency. Robert also led the creation of the UK National Cyber Security Centre, or NCSC. Today he’s a McKinsey senior adviser. Robert and David, welcome to the podcast.

David Chinn: Thank you, Simon. Glad to be here.

Robert Hannigan: Thanks.

Simon London: I think for a layperson, the general question around cybersecurity is, probably, are we winning?

Robert Hannigan: No, I think we are making progress, but I think it would be very rash to say we’re winning. If you look at the two big trends, the rise in volume of attacks and the rise in sophistication, they are both alarming. On volume, particularly of crime, there were something like 317 million new pieces of malicious code, or malware, [in 2016]. That’s nearly a million a day, so that’s pretty alarming.

On the sophistication, we’ve seen, particularly, states behaving in an aggressive way and using very sophisticated state capabilities and that bleeding into sophisticated criminal groups. It’s a rise in the sheer tradecraft of attacks. So no, I don’t think we’re winning, but I think we’re doing the right things to win in the future.

David Chinn: I would agree with Robert. We may not have seen a single attack that brought down multiple institutions in the same way that WannaCry did, but look at the list of institutions reporting very sizable breaches of increasingly sensitive data.

Now we’ve got some more regulation forcing people to be more transparent about the breaches and the length of time that attackers were inside networks before being discovered. And it’s not always clear to those attacked what they’ve lost. I’m broadly pessimistic.

Simon London: When you think about where the next tier-one attack might come, what are some of the vulnerabilities that in business and government people are thinking about, talking about?

Robert Hannigan: I think most of the focus now is on supply-chain and upstream risk, because even the best-defended companies now realize that their vulnerability is either those who are connected to their vendors, their suppliers, even their customers. And, increasingly, government is worrying about the IT infrastructure, so the global supply chain, both hardware and software, and its integrity.

And some of the state attacks we’ve seen in the last couple of years have been against the backbone of the internet, if you like. Routers, switches, and places that give you massive options to do different things with internet traffic. It’s going deeper and more sophisticated.

David Chinn: I think there’s different versions of what tier one might feel like. I think that the increasing ability of both criminals and states to attack critical infrastructure [is one of them].

Taking out power to a city might have relatively limited impact in terms of the actual damage done, but could have a huge impact on the way people feel.

Robert Hannigan: There’s a difference between a genuinely catastrophic damaging attack and a politically sensitive attack that spreads fear and terror or a lack of trust in data. It’s fairly easy to imagine things that will lead to public panic.

You’ve seen big public controversies over airlines and banks being unable to function, often not through cyberattacks. But if you were to multiply that and see it as a malicious attack, you could see genuine public disquiet, a lot of political pressure to do something about it.

Simon London: Yes, it’s interesting, because when you talk about critical infrastructure of the modern economy, you often think about things, like, as you say, the internet backbone.

It’s those kind of things. Or maybe financial services, the financial system. But just talk a little bit more about the supply chain, for example. That’s one that I think in the broad conversation and the broad business public is less discussed.

David Chinn: If you think about, at the simplest level, how a pint of milk gets onto the supermarket shelf, there are many stages in that, from the farm—by the way, the cows are milked by a machine, which is probably connected to a network—through to the transport network. The cold chain. The monitoring of the cold chain.

You don’t need to disrupt anything except the record that says the milk was kept cold for it no longer to be a product that can be given to the public. The integrity of that data is the essential glue that sticks it all together.

Robert Hannigan: If you think of the big ransomware attacks of WannaCry and NotPetya a couple of years ago, one of the lessons from those is that although they almost certainly weren’t targeting big manufacturing enterprises in Europe, they effectively disabled quite a lot of household-name companies.

They simply couldn’t do business, couldn’t manufacture for, in one case, several weeks. It was a wake-up call to sectors of the economy who thought they weren’t a target for cyberattacks because they didn’t have great IP or data that was worth stealing.

The Internet of Things is simply connecting more processes and more devices to the internet. And it is quite striking that the level of security built into those is usually very low because they’re designed and built and procured on cost. There will probably be a role for regulation to improve the standards there.

But it does mean companies are, both through digitization and through the Internet of Things, increasing their attack surface, making it harder for them to understand the perimeters of their own networks, harder to see where their vulnerabilities are. That is a real problem for the next five, ten years.

David Chinn is a senior partner in McKinsey’s London office, and Robert Hannigan, the former head of GCHQ, is a senior adviser to McKinsey. Simon London, a member of McKinsey Publishing, is based in McKinsey’s Silicon Valley office.

 

 

 

 

 

 
