[interview] Cybersecurity: Threats, challenges, and guardrails

Cybersecurity issues are constantly in the news. COVID-19 has seemed to accelerate the proliferation of cybercrime. The number of cyberattack victims has gone up fourfold since the pandemic began, according to France’s national IT security agency (ANSSI). The benefits of digitizing documents and the easy of data-sharing have been a boon to everyone, but without security, this technology carries major risks.

An interview with Gaëtan Le Guelvouit, manager of the Trust & Security laboratory, who works with his teams to make the Internet a trusted space.

Cybersecurity: What new challenges are there?

The threats to data security, infrastructure, and equipment are still the same. But they are spreading on new ground.

In recent years, we've seen successful attacks on IoT equipment, facilitated by the weak security of such devices. Additionally, a great deal of malware targets only mobile devices used by the general public (like tablets and smartphones) because they've become central to the digital lives of most people, containing their personal data, photos, passwords, etc.

And the latest trend we've seen, in the transportation sector, has been the arrival of more or less autonomous vehicles that all happen to be connected, which can make the consequences of such attacks very serious. Striking examples have been demonstrated with semi-autonomous cars, just by modifying road markings or signs.   

With the use of AI becoming common in all areas, we're also becoming aware of the need to make their algorithms secure. There are naturally some learning biases that warrant an ethical response that goes beyond cybersecurity. But I’m thinking mainly of injecting data to create backdoors, or developing subtle disruptions to fool algorithms. Using AI for good in cybersecurity is therefore challenging, but so is securing the AI itself.

Finally, the fight against disinformation is a battle that has already begun, but will become even more important. With social media, facilitated by deepfake tools, we are seeing large-scale manipulations for political or economic purposes. In more mundane matters, all authentication techniques that go by voice or facial features will potentially be vulnerable to these digital fakes.

Are we all at risk?

Hackers are after our data, just like they are for businesses or governments. Historically, these criminals sought to steal banking information like debit card numbers, or online bank login details, to get an immediate profit from their misdeeds. Though this is still happening, hackers are also looking to steal digital identities by hijacking accounts tied to our digital lives, or even physical identities by retrieving identity documents, and even locking private documents and demanding a ransom to regain access to the stolen data. We are therefore facing numerous threats, and cybersecurity affects us all.

These attacks spread via malware that reaches us through emails and modified software, either on the web or on mobile devices.  And these bits of code don’t care what type of system they land in. It might be an individual, but it could also be a multinational corporation or a hospital.

How can you protect yourself?

First, there's basic digital hygiene, like keeping your devices up-to-date and properly managing your authentication methods. This cuts out a large share of the risk on its own.

It is also notable that the general public is aware of scam techniques that exploit human and social weaknesses, such as phishing. In response, hackers have fine-tuned their approaches, which are now larger and more believable.

Multi-factor authentication is often made available by major digital players, and in some cases required. The concept is to verify the user’s identity in more than one way: A password of course, but on top of that, a single-use code, biometric data, etc. This is a major advance for limiting the consequences of disclosing a password. It sometimes works to the detriment of user experience, but the problem is now starting to be addressed with more ergonomic or transparent processes.

Businesses are witnessing a migration from perimeter security – the information system is walled off by an enclosure, like a castle to use one common analogy – to Zero Trust paradigms. In the current environment, which mixes remote work and cloud-based resources, defining and monitoring the perimeter has become too complicated and inefficient.

With Zero Trust, access and rights are granted only after verification and attestation. The context of the request, the device used, and of course the requester, are analyzed. A hacker who has found a weakness will quickly see his plans to smuggle out data thwarted. Again, multi-factor authentication is part of the Zero Trust toolbox, with dynamic rights management systems, AI, etc.

We have seen many hospitals suffer harmful attacks. What makes them such attractive targets for hackers? Are they more vulnerable than other organizations?

Recent attacks on French hospitals have been based on ransomware, a type of malware that encrypts some of the infected computer's data – making it unusable without destroying it – then demanding a ransom to decrypt it.

These attacks are not designed specifically for the field of medicine. But hospitals make for attractive targets, because they cannot function without their information systems (patient records, medical imaging, admission logs, etc.) and the availability of this data is critical. Paying to regain immediate access rather than launching a long, expensive recovery plan is therefore tempting. Additionally, the hacker may also be aiming to steal medical records, which have some value in cybercrime marketplaces. But such schemes are far more unusual than ransom demands.

Hospitals are indeed vulnerable targets. Even before the pandemic, tight budgets prioritized care over IT security. The result is obsolete hardware, which is rarely monitored or updated, and will be more exposed to attacks. The same is true for user training. And as with all enterprises, the proliferation of working from home has greatly expanded the perimeter of the network, which increases the attack surface. An investment plan for improving the cybersecurity of public services was announced by the French government as part of its stimulus plan.

As a team working on the security of content and 5G-and-beyond networks, what issues are shaping your research today?

When it comes to content security, after launching an anti-piracy solution for sporting events with our partner Viaccess-Orca, we will adapt our technology to protect movies and television. The main challenge will be to ensure perfect quality on all screens, including with recent video formats like Ultra HD and HDR.

A first step was achieved when the visual tests of a major Hollywood movie studio were passed early this year. We also have to look at a much larger time scale: While a soccer game might be broadcast for just 90 minutes, a TV show might be available for years! This means we need to rethink our approach to searching for illegal content. 

For networks, we are focused on providing security bricks from b<>com’s private 5G options. We already have our device authentication technology, which we will need to adapt and integrate as the first component of a Zero Trust approach. More broadly, we want to design an automated system to detect attacks, which will also be able to partially contain them. This is a response to the variety, complexity, and intensity of the attacks that networks today are facing.