Cécile Wendling, AXA Group Head of Security Strategy and Awareness
September 29, 2021
AXA Group's Security Team walks us through 3 cyber-scenarios in the not so distant future
This article is part of the AXA Research Fund's upcoming report, Building Cyber Resilience: Threats, Enablers and Anticipation.
By: Dr Cécile Wendling, AXA Group Head of Security Strategy and Awareness, Mathieu Cousin, AXA Group Security, and Lou-Anne Ducos, analyst intern at AXA Group Security.
Sitting in your open space, you try to finish your tasks as fast as you can before picking up your kids from school. But you find it impossible to concentrate. Phones buzz, everyone whispers, it looks like a playground. Annoyed, you decide to go home to finish your work and you meet one of your colleagues on the way: ‘Have you heard the news?’, they ask. You have absolutely no idea what they are talking about, but after finally checking your phone, everything becomes clear: Facebook, Instagram, Twitter and TikTok are abuzz about your company.
A well-known cybercriminal group announced it hacked your system and claims to have access to all the information on your customers, distributing samples on social media to prove it. The hackers gave you 24 hours to pay the ransom before they publicly release all the information in their possession. This is a nightmare: you spent the past six months working on a big merger and acquisition, and, with the green light given by the regulator, the game-changing deal for the nation's economy was almost done. The company knows about cyber-attacks and should be prepared for them, especially in these important times. Irritated, you decide to get more information. Your leadership is unanimous: the company is not experiencing any cyber-attack – the news is fake. Relieved, you think that the public affairs department just has to state the truth.
But it is already too late, and the share price of the organization is dropping. The first official response, stating that 'The company is investigating any possible breach', and the second, claiming that the 'samples' spread by hackers were fake information, go unnoticed. No one is listening, and fear wins over reason, but when the ransom deadline is over and the hackers take no retaliatory action, everybody finally realizes it was a lie. But the affair has become a huge cost to the company and your merger and acquisition is compromised.
The government that was supporting you in this merger and acquisition process decides that such a series of events will not happen again. As a first step, all social media will face restrictive measures to prevent such a situation from being repeated and many users see their accounts closed without notice. While you understand the reason behind this stricter control, you fall asleep thinking of the future of your freedom of speech.
This scenario could already happen now, and might come true in the months and years to come. Indeed, disinformation is a growing concern for both public and private actors. Europol defines social media as increasing the proliferation of disinformation and conspiracy theories. As an example, recent Russian cyber-attacks to meddle in the U.S. elections using social media highlight the growing influence these platforms can have on people’s opinions and behaviours. Moreover, cyber-attacks entail significant indirect or soft costs beyond direct costs (e.g., brand erosion, loss of confidence from customers, partners and investors). Since 2016, the Ponemon Institute global survey of data breaches has found the average cost of reputational damage to represent more than 40 percent of all costs.
To limit the impact of fake news, reputational risk is becoming an integral part of strategy and planning. This can include, for example, monitoring social media to quickly detect any attempts at disinformation, and preparing a communication plan that includes centralized control over all your communication channels and a means for the public and the press to check official messages and statements.
Fake news also affects individuals with different and varied consequences. Awareness is one of the key tools so far.
45 minutes have passed since you arrived in your doctor’s waiting room. You have already had time to read all the magazines available and decide to take out your phone to check the latest news. Social protests against labour reforms… slow economic growth… you finally opt for an article on natural disasters. Massive fires are burning down entire buildings in the West, flooding was followed by a devastating hurricane in the East. Nothing very surprising, you think, as climate change is causing significant damage everywhere.
Your doctor finally arrives, and your medical consultation begins. Quickly, you feel that your doctor is irritated. He explains to you that since this morning, none of his records are available and that the entire medical system is down. 'How is that even possible?', you ask, and he starts talking about natural disasters and data centres. At one point, you stop him as you really struggle to see the link between natural disasters and the loss of your medical data. He asks you if you’ve heard about the fires in the South West and the recent hurricane on the Eastern coast, and you explain proudly that you have indeed just read this detailed article on infrastructures damaged throughout the country. However, what you were not expecting is that among these infrastructures, some crucial data centres were destroyed, preventing part of the country from accessing medical data; and for the first time, you realize how dependent on physical structures our digital world is.
While this incident was minor for you, you cannot stop thinking about people in urgent care and the devastating consequences a fire can have on them and their medical teams. What are we going to do if all our critical activities can be brought offline at any time because of physical incidents?
This scenario could already have happened, and might happen in the months and years to come. Critical infrastructures are threatened by malicious attacks, such as the ransomware attacks launched in May 2021 against one of the largest U.S. pipelines and the Irish health services, and are physically threatened by the consequences of climate change. The increased number of natural disasters pushed the Information Security Forum (ISF) to identify a major disruption and damage to IT systems and assets after a natural disaster as a major threat for 2022. As such, cases of outage and attacks against critical infrastructures, including cyber and interconnected ones, are going to become more frequent and should be carefully mitigated.
Aside from taking proactive measures to fight climate change globally, critical infrastructure managers and users can limit the impact of cyber and natural risks by securing remote access, using for example endpoint protection, good password hygiene and security practices, or by having an updated and accurate inventory of assets and monitoring for anomalies. Data could be duplicated and stored in different locations to avoid data loss such as that seen in the fire at the services firm OVHcloud in France in March 2021.
Nothing destined you to this path, but an economic crisis, disillusion and the necessity to provide for your family made this job an opportunity you could not miss. When your friend told you about this opportunity, you declined, thinking that you had none of the computer science abilities required for this kind of job, but he promised it would be easy and he was right. You now make more money than you ever thought you would, just by launching cyber-attacks on wealthy companies.
Thanks to artificial intelligence, cyber-attacks are automated, and the level of skills required to launch them is quite low. Some guys you met on the dark web gave you appropriate tools to work with. You are part of a team of 30 people, each of you with your own specialty, and you barely notice the difference with your previous job. Today, your mission is to use a powerful AI tool against a banking company. You know that you are going to face their 'Endpoint Detection and Response' solution, which is in theory able to detect threats directly on information systems, but it does not matter, your tool is smart enough to bypass it. It quickly detects a large number of computer security flaws unnoticed by the software publisher or service provider, the so-called ‘zero-days’, and lets you pick and exploit them, rendering the bank protection systems useless. Your AI also accelerates your attacks thanks to automation, so you can go home early most days.
All you have to do is launch the attack and artificial intelligence will do the rest. AI versus AI, your attack was successful. You found five different vulnerabilities that will be used to steal data, resell it or use it to launch new cyber-attacks. You would never have believed that data would make you rich, but it has definitely become the new oil!
This scenario could happen in the upcoming months and years, as AI-powered attacks[9] can also take many forms, from designing an attack, providing extreme speed of compromise, to mimicking expected communications and masking on-going attacks.
AI also offers surveillance tools against cyber-attacks, from scanning and analysis to response automation to contain a cyber-attack quickly. Continuously improving cyber security systems and scanning for existing vulnerabilities also contributes to limiting the impact of AI-based attacks. Currently, cyber ecosystems are being put in place across economic sectors or economic chains and facilitate the sharing of information relative to attacks.
Tomorrow is a big day for your tech team, as the company is launching a new series of cars with ground-breaking technologies that none of your competitors master. After years of work, it is time to celebrate, and you joke with your colleagues about the millions you are going to make. Nothing could spoil your joy today.
However, one of your colleagues runs to you, as the CEO needs to talk to you urgently: your main challenger just announced his new collection of cars similar in every way to yours. You cannot believe it, as you have been working in the utmost secrecy for the last 15 years to develop these technologies. How could they have developed the exact same model, and have it ready one day before you launch your own collection? The tech news alerts accumulate on your phone and you have to accept the reality. Furious, you call your staff: 'We have been spied on! How did you let that happen?'
Surprised, one of your employees explains that all confidential information has been encrypted following the procedure. At the back, a young intern in the IT department seems embarrassed. You ask him what he thinks about the situation and he explains how the government of your competitor may have been able to break your cryptographic protocols and algorithms using quantum computing. He continues saying he was quite surprised at the beginning of his internship when he realized that you were not using any data encryption solution resistant to quantum technology.
You now realize that you had indeed heard about a quantum-proof encryption algorithm a few months back, but it was very expensive and you had not expected quantum technology to become a threat for a couple of decades at least. A couple of years back, the data centre of your IT provider had been robbed, and amongst the many physical servers stolen were several of yours. Thanks to backup data centres, allowing you to duplicate data and locate it elsewhere, it had not affected your operations and, at the time, investigators and consultants had assured you that it would take about 100 years for anyone to decrypt the stolen data. By believing these assessments, you made one error that now costs you 15 years of work and the first-mover advantage.
Not all experts agree about when the various approaches covered in the field of 'quantum computing' will be mature enough for public use, but quantum computing technology could come to fruition as early as within the next 10 years. The important consequences of quantum computing for cyber security require getting ready now. Indeed, quantum computers could break some currently secure algorithms and cryptographic protocols with reasonable time and effort. Moreover, it is likely that large numbers of organizations, from governments to criminal groups, are currently storing encrypted data that they have intercepted with the intention of breaking the encryption later.
However, quantum technologies also offer progress in cyber security using post-quantum cryptography and physical quantum security. Engaging in a transition towards more quantum-resilient encryption and monitoring all data breaches that could be used against the organization if decrypted could help mitigate the quantum risk.
Dr Cécile Wendling is Group Head of Security Strategy and Awareness at AXA. Prior to this position, she was Group Head of Foresight at AXA and Associate Researcher at Centre de Sociologie des Organisations (CNRS - Sciences Po Paris) in sociology of risks and catastrophes. She has a PhD from the European University Institute on EU crisis management and gives lectures on foresight methods, risk and crisis management, among others.
Mathieu Cousin has been leading the Threat Anticipation activities at AXA Group Security since 1 January 2020. Before joining AXA Group Security in August 2016 as Security Researcher in the Strategy, Architecture and Research team, Mathieu spent four years as a research analyst and security researcher.
Lou-Anne Ducos is a Master's student at Sciences Po Saint-Germain-en-Laye studying international relations and has been a security analyst intern for the threat anticipation team at AXA Group Security since March 2021.