By Ian Hall (City AM, for the CFA Institute)
The threat of cybersecurity and data-privacy attacks is under-estimated and growing, and organisations and individuals should proceed with extreme care in respect of digital information security, according to a Switzerland-based expert.
David Basin, Professor of Computer Science at ETH Zurich, used a seminar at the 72nd CFA Institute Annual Conference to urge the audience to exercise “caution and conservatism” with online security and privacy.
Basin had travelled from ETH Zurich, one of the world’s leading universities in science and technology, to the conference in London to warn delegates that online security and privacy is “probably worse than you think”.
In a presentation entitled ‘Cybersecurity and Business Disruption’ Basin described how technological advances frequently heighten risks. “We entrust more and more of our lives to these systems, but we are less secure,” he warned.
Basin contrasted today’s online security situation with that 30 years ago when, he said, hacking “was not very sophisticated”. Nowadays, he said, we live in an era of state-sponsored attacks, meaning the threat landscape has changed dramatically. Increased digitalisation and “hackers getting better” mean that the situation continues to become more challenging.
Contrasting examples cited to illustrate the growing amount of digital data being created – and therefore the growing risk of cyber-attacks - included pacemaker medical devices and traffic infrastructure in ‘smart’ cities. “Would anyone want to hack a pacemaker?” he asked the audience. “The answer is ‘yes’.”
To illustrate his point Basin showed media headlines from 2013 when it was reported in the US that former Vice President Dick Cheney’s pacemaker had had its wireless feature disabled by doctors some years previously over fears the device could be hacked in an assassination attempt.
Expanding on his theme, he said: “Everyone is being hacked. It’s a free-for-all.”
Critical infrastructures, privacy, democracy and sovereignty are, he said, all under threat.
High-profile corporate-level data-breach examples cited by Basin included River City Media and FriendFinder Networks. He also cited the case of Facebook and Cambridge Analytica in the context of voter-profiling for political purposes. “We are being hacked by AI [Artificial Intelligence],” he said.
In respect of geo-political aspects he was sceptical about the extent to which governments worldwide would co-operate on cybersecurity matters. “Governments have very different interests when it comes to security,” he said, dismissing the prospects for international rules (a so-called ‘Cyber Geneva Convention’ or ‘Digital Geneva Convention’) to protect the public from nation-state cyber threats.
Other concerns aired by Basin that organisations should be wary of include: ‘BYOD’ – the trend towards encouraging people to ‘bring your [their] own devices’ to their workplace (and to use those devices to access company information and applications) – with Basin pointing out that “not everyone is a security expert”; and rogue individuals working within (as opposed to outside) the organisation. He said: “For example, if you’re a bank, you need to be wary of people [working] within the bank.”
During the audience Q+A Basin was asked about the potential of 5G (fifth-generation wireless technology) and, again, he urged caution. The issue has been high-profile recently in the UK over the potential role of Chinese telecoms giant Huawei in supplying core parts of the country’s mobile- phone network.
Beyond the validity of questions over which organisations should be able to control a nation’s infrastructure, Basin pointed out that the advent of 5G will itself “see more systems online, which [itself] brings [greater] risks”.
He concluded on a practical note by urging that security and privacy risks be “adequately weighted and measured”.
Pre- and post-breach preparedness is crucial for organisations in this danger-laden digital era.
For more content from the 72nd CFA Institute Annual Conference, visit www.annual.cfainstitute.org/blog/.
All posts are the opinion of the author. As such, they should not be construed as investment advice, nor do the opinions expressed necessarily reflect the views of CFA Institute or the author’s employer.