Under Siege: the Booming Business of Cyber Crime and the Skills Gap Threatening Our Defense

The huge Ticketmaster hack last week is a reminder that even highly resourced, global companies remain vulnerable in an era of escalating cybercrime.

The outlook won't improve anytime soon. 

It’s best to think of cybercrime as a highly evolved ecosystem, rather than imagining thousands of orcs buried deep in the dark web who surface occasionally to stage a virtual bank robbery. 

Cybercrime is an economy built on a sophisticated supply chain of providers who respond, like any other rational actor, to risk and reward incentives, and who have learned the value of specialisation and comparative advantage when deciding where their particular skill set best plugs into the machine.

Crime syndicates, for instance, will buy services from one outfit that specialises in harvesting credentials (an initial access broker), another that breaks into systems, and perhaps a third that excels at exfiltrating data or running the ransomware and extortion stage. Each participant clips the ticket on the way through, giving everybody an incentive to grow the pie.

Even nation-state actors who commit cybercrime to advance strategic geopolitical goals are increasingly calling upon the capabilities of the cybercrime ‘private sector.’ 

It’s win/win, except of course for all those companies, universities, and government departments at the wrong end of the chain. They (and their insurers) are the ones stumping up the cash to fund the economy - not to mention the chaos they endure during and after attacks. And with so many criminal mouths to feed, the costs are huge and growing.

Globally that economy is worth almost 8 trillion US dollars a year, according to Cybersecurity Ventures. At that scale cybercrime, if it were a stand-alone economy, would sit comfortably inside the G8, behind only the United States and China!

Like the rest of the world, the Asia-Pacific region is experiencing a surge in cybercrime, with increased targeting of critical infrastructure, financial institutions, and large enterprises. The Center for Strategic and International Studies (CSIS) and McAfee estimate that cybercrime costs the Asia-Pacific region approximately US$171bn annually. This includes direct and indirect costs, such as lost productivity and damage to brand reputation.

The region's rapid digital transformation of business processes and infrastructure, coupled with varying levels of cybersecurity maturity among countries, has made it an attractive target for cybercriminals. 

For directors on the receiving end of an attack, the experience can be daunting, even overwhelming. All the training and white-hat wargaming in the world doesn’t prepare business leaders for the chaos - and stress - that ensues as virtual hell breaks loose.

“It’s chaotic, irrespective of how well prepared you are,” says Roman Quaedvlieg, founder of Excelium, a cybersecurity strategic consultancy based in Canberra, Australia’s capital. He is also the former head of the Australian Border Force, which is responsible for offshore and onshore border enforcement, investigations, compliance, detention operations, and customs services.

With Excelium’s work split roughly 70/30 between business and government clients, he understands the distinct pain points and capabilities of both. He says getting through a cyber attack isn’t just about dealing with the stresses of the moment - trying to disrupt the attack, contain it, then recover.

“It’s also about dealing with a broad church of stakeholders who want to engage at moments of peak emergency - ranging from insurance companies who will come in and start dictating play, to lawyers (whether in-house or external) to cyber advisors (also usually appointed by insurers), and of course the spin doctors and marketing teams that want to control reputation and brand.” 

“Those actors can get in the way of actually dealing properly with a cyberattack,” he says. 

Quaedvlieg says that in his experience the general readiness of a business for a cyberattack is low. “Even if they've been through a cyber incident security response, that is normally a desktop exercise and they tend to breeze over the actual issues.” 

“But with a real attack, it often takes time for them to realise there's even a problem - it’s not like a skull and crossbones appears on the screen and you know what you’re facing. Instead, you are more likely to notice lags in the system, or the platform or your app goes down so you reboot and suddenly you can’t log in."

Most boards aren’t experienced in dealing with cyber attacks - but that is changing quickly given how frequent they have become. As Quaedvlieg says, the reality is that if you’re insured, when you’ve been hacked your insurer takes over and trots out a panel of experts who take charge. What’s less well understood is that your senior people will probably work around the clock for days or even weeks trying to get the situation under control. It’s existential for you and your customers, and it’s exhausting for the incident team. Little wonder that cybersecurity sits atop the risk register at most companies.

Governments, meanwhile, are not only concerned with the security of their own operations; there are national security implications across the messy in-between zone of critical infrastructure that ties government and business together. Have rivals pre-positioned malicious code in ports, hospitals or power utilities, where it sits dormant just waiting to be activated? (The short answer is "most likely.")

Governments are arguably doing a better job than the private sector at protecting their own systems, at least judging by Quaedvlieg’s experience with Australian clients.

“There aren't as many successful attacks and I can tell you there are daily attacks on every department and agency from a range of actors, from bots to individuals to nation-states. But the government is relatively secure compared to the private sector.” 


Skills gaps 

But whether it’s business, government, or what Quaedvlieg calls the messy in-between of critical infrastructure, there is a common and significant problem: the gap in skills and capabilities. Australia, for instance, faces a current shortfall of about 30,000 cybersecurity jobs, and that is expected to balloon to 85,000 in the years ahead.

Across the region, the picture is much worse. According to ISC2 (the International Information System Security Certification Consortium), Asia-Pacific faces a cybersecurity workforce gap of 2.67 million, the largest of any region in the world.

In Australia, Excelium is part of a consortium called Cyber Nexus that is looking to build a cybersecurity talent pipeline for both the government and the private sector as demand for roles grows.  

“The talent is just not there in terms of numbers right now, so we're going to build a pipeline of talent.” 

At North Ridge Partners, we’re playing our part. The not-for-profit initiative we’ve catalysed, Technology Queenstown, is planning to build a cybersecurity capability in the Deep South of New Zealand. Working with partners the University of Otago and Queenstown Resort College, we aim to become a node of Cyber Nexus and train talented cyber professionals.


Generative AI 

An emerging complication in the perennial fight between cyber cops and robbers is the rise of generative AI. 

Artificial intelligence has long been a feature of cybersecurity, on both sides of the fight, but generative AI adds new layers of capability. Take social engineering - basically tricking people into handing over credentials or approving a payment - as an example. Generative AI can produce highly convincing phishing emails that mimic legitimate communications from trusted sources, in fluent language and at scale, increasing the likelihood of victims falling for them. Deepfake voice and video let bad actors impersonate executives or other trusted individuals on a phone call or video meeting.

Another powerful aspect of generative AI is its ability to write code. Polymorphic malware - software that rewrites its own code with each copy so that no fixed signature matches it, defeating traditional signature-based antivirus - is not new, but generative models lower the skill and effort needed to produce new variants.

On the defensive side, AI can analyse vast amounts of telemetry to detect unusual patterns that may indicate an attack: anomalies in network traffic, user behaviour, and system operations, allowing earlier detection of potential threats. Response can be made faster and more consistent by automating the first steps for common threats, such as isolating compromised systems, blocking malicious IP addresses, and initiating recovery processes, with a human analyst confirming the higher-impact actions.


Conclusion 

The global cybercrime economy is a formidable force, with substantial economic impacts felt worldwide. The Asia-Pacific region, in particular, faces significant challenges: rapid digital growth combined with a huge lag in skills and capabilities. The threat is practically existential across all layers of society - government, public institutions, corporations and consumers. And it’s going to get much, much worse before we see any improvement.

Addressing these challenges will require a multifaceted approach that combines technology and education to mitigate the risks and costs of cybercrime, and cooperation between government, business, and the education sector.