Cybersecurity, according to Gary Sorrentino, is everyone’s problem now. “It used to be a technology issue, and it was specifically down to technology teams to fight it,” explains the managing director and chief information security officer of J.P. Morgan Asset & Wealth Management. “Now, it’s a whole business problem.”
Not just a problem, but increasingly a whole business priority, with the annual cost of cybercrime forecast to hit $6 trillion (£4.4tn) by 2021, according to Cybersecurity Ventures – double the figure for 2016.
That’s why J.P. Morgan Asset & Wealth Management not only trains its nearly 23,000 employees in cyber defence, but also reaches out to offer advice and tools to its clients. “It’s not just about protecting ourselves any more,” Sorrentino says. “We are now involving everyone – employees, clients and vendors – in the battle against cyber threats.”
Sorrentino points to malicious emails containing malware or phishing attacks as a primary threat. Last year, the global volume of spam email more than quadrupled, with malware detected in one in every 131 emails sent, according to a report by IBM’s Managed Security Team. The increased use of cloud services is also a concern, particularly for financial institutions. “Cloud is moving rapidly,” he says, “so it’s important that cloud security meets the confidentiality, regulatory and legal requirements that are imposed on banks today.”
Cybercriminals are increasingly moving away from crude, front-door approaches such as DDoS attacks to more subtle methods. To better anticipate attacks, J.P. Morgan relies on teams of penetration testers dedicated to finding weaknesses in the company’s systems. “Reactive defence is business as usual, but companies themselves need to take a proactive approach,” Sorrentino says. “The days of guarding the front door and running to a breach once it’s happened are over.”
Here we break down four ways cybersecurity innovators are staying ahead of the evolving threat.
Future attack intelligence
The decline of the private data centre in favour of distributed cloud storage has increasingly blurred the boundaries between information a company needs to protect and information that it wants to share. “The security industry has spent 20-plus years obsessing about the network perimeter,” says CEO and founder of Digital Shadows, Alastair Paterson. “But thanks to cloud services, bring-your-own device policies and increased data sharing, that perimeter has disappeared.”
Paterson’s London-based startup offers advance-threat intelligence by continuously monitoring more than 100 million sources – across both the open and the dark web – to detect early signs of a potential cyberattack before it manifests.
Monitoring publicly available information will not be enough, however, unless companies take steps to share data. “Time and time again we see cybercriminals collaborating to innovate around their malware,” says Barmak Meftah, president and CEO of California-based security company AlienVault. “It’s only through collaboration and the open sharing of information that companies will be able to keep up with these evolving threats.”
To solve this problem, AlienVault created the Open Threat Exchange in 2012, which acts as an open-source hub for nearly 70,000 members, who share an average of 14 million threat indicators every day.
Detecting potential attacks before they take place is just one part of the picture. Companies also need ways to respond once an attacker has gained access to their system, explains Nicole Eagan, CEO of Darktrace. The London-based cybersecurity company’s machine-learning algorithms monitor a network’s internal behaviour to spot abnormal activity patterns. “Unlike other approaches that are predicated on using yesterday’s attacks, Darktrace spots and stops threats that have never been seen before,” Eagan says. “It’s detected nearly 50,000 new threats across our 3,000 customer deployments, ranging from insider threats to brute-force approaches such as DDoS attacks.”
The next step is going beyond detection to automated response. In 2017, Darktrace launched Antigena, a program modelled on the human immune system that’s designed to shut down cyberattacks, without human intervention, once they’re spreading through a network.
Automating cyberdefence is not just about saving employees’ time. It’s about allowing companies to respond faster to attacks that are increasingly being fully choreographed in advance. “Today, attackers get to precompute victory,” explains Darpa program manager Dustin Fraze. “They can scan your network, learn what software is running on it and pull it into their lab to discover zero-day vulnerabilities. A defender only has their first opportunity to respond after an attacker has already succeeded. Patching that vulnerability can take weeks or even months.”
In 2016, Darpa set up the Cyber Grand Challenge to advance the development of automated defence systems by pitting them against an attacking counterpart. The first event, in August 2016, saw one of the earliest instances of automated adaption playing out on machine timescales, when one attacker discovered a zero-day vulnerability which was immediately fixed by its opponent’s defence.
Imagine if cybercriminals were able to gain access to a device that could instantly break all standard forms of encryption. That scenario may not be as distant as we think, according to Oxford professor of quantum physics Artur Ekert. “Once a quantum computer is built, many popular ciphers will become insecure,” he says. “Not only future messages but also any RSA-encrypted message that is recorded today will become readable moments after the first quantum factorisation engine is switched on. That day is probably decades away, but can anyone prove that it is?”
Ekert has a potential solution, a form of encryption he proposed in 1991 that takes advantage of quantum entanglement to securely distribute the same truly random encryption key to two communicants in different locations. Quantum entanglement is a property of particles generated in such a way that any change in state of one particle instantly propagates to the other. A measurement of either particle thus tells you the state of both, Ekert explains. “Given many pairs of entangled photons, two people can choose certain measurements and follow a procedure to generate a shared key.”
In addition to resilience against quantum decryption, a further advantage is that any attempt to access the key and eavesdrop on the conversation would be immediately discovered, says University of Vienna professor of physics Anton Zeilinger. “Quantum states are so fragile that any measurement or observation of them would change the state.”
The nation-state attack
The 2014 hacking of Sony Pictures, alleged to be sponsored by North Korea but denied by the state, was not the first time an attacker turned to cyberspace to achieve its objectives. But, according to Microsoft president Brad Smith, it marked a turning point at which the IP of private companies became fair game for the playing out of political battles.
“In fundamental ways, this new plane of battle is different from those of the past,” Smith told the 2017 RSA conference in San Francisco. “Cyberspace in fact is produced, operated, managed and secured by the private sector. Governments play all sorts of critical roles, but the reality is that the targets in this new battle – from submarine cables to data centres and smartphones – in fact are private property owned by civilians.”
What that leads to, he argues, is the need for a digital Geneva Convention, committing governments to protecting civilians from nation-state cyberattacks and requiring the assistance of technology companies in protecting against them.
It also necessitates greater co-operation between companies and governmental actors, particularly as criminals increasingly imitate the sophisticated methods of state-sponsored cyberattacks. “No single organisation can defend against the threat on its own,” says the UK National Cyber Security Centre’s CEO Ciaran Martin, explaining the motivation for its founding in October 2017. “We can only properly protect UK cyberspace by working with others – with the rest of government, with law enforcement, the Armed Forces, our international allies and, crucially, with business and wider society.”