Anticipating cyber crime in the digital age takes more than street smarts. To be able to predict what Professor Greg Austin of the Australian Centre for Cyber Security describes as the “rich threat spectrum”, you almost need to be psychic.
States, corporations and private citizens are facing a growing list of risks to their privacy and security, the academic said. He suggested that even savvy cyber navigators have no real way of accurately predicting where and how the next breach will come.
“Threat types insiders face on the technical side change a lot over time.
“You can’t assume that because you have been managing the threat type well in year one, that the management arrangements for that threat type in year two and year three are going to be fine,” Professor Austin said.
Speaking at a legal symposium last month, Professor Austin said mitigating and fighting cyber crime has become increasingly difficult at every level.
Major world powers such as the US and China have ramped up the tone of their talk on cyber security in recent years, and Professor Austin urged people to take cues from that language. In April, for example, US President Barack Obama declared a “national emergency in cyber space” for the second consecutive year.
Professor Austin advised that the key to readiness is for actors to remain alert to the possibility that any type of cyber breach could be moments away.
“If you’re a person guarding the systems of a corporation or a government, your only mission, in one sense, is to prevent the intrusion or to stop the intrusion.
“We need to ask ourselves, can we maintain a situation where cyber criminals are rarely caught and the best cyber criminals are never detected?” Professor Austin said.
He dismissed the general idea that one day authorities may get ahead of possible threats, explaining that the advancing digital and technological landscape favours criminals.
Those setting out to breach, access or steal secure information could be anyone from lone ‘hacktivists’ to state spies, he said.
“The single group of people in the world who are most adept at exploiting it are criminals – and you can put after criminals, states,” Professor Austin said.
“We’re in an environment where […] we will never have a police force that can investigate or prosecute the majority of cyber crime.
“That leaves us in a rather interesting situation where governments, corporations and private citizens have to find new forms of self-defence, which doesn’t depend on deterrence through the criminal justice system,” he said.
The cyber expert warned companies against the temptation to over-rely on performance reports. Doing so would lead to complacency about the reality of ongoing risks and ignore their fluid nature, he said.
Professor Austin made his remarks at the Cyber Risk Security Symposium in Sydney. The event was jointly hosted by DLA Piper, Aon and Symantec in August.