Click to listen on your favorite streaming platforms:
The economic impact of cybercrime on society is vast and growing. Bad actors have used tools like phishing, malware, ransomware, and more to cripple businesses and shut down vital infrastructure. And new technology brings a new host of threats.
My guests today say that while the threat is real, there are things individuals, organizations, and governments can do to reduce the risk of cybercrime and recover once an attack occurs. Srini Subramanian is a principal in Deloitte & Touche LLP's Cyber Risk Services practice and leads the Global risk advisory for Government and Public Services industry. Gordon Hannah leads Deloitte & Touche LLP’s Risk & Financial Advisory's Cyber Analytics and Reconnaissance team. We will discuss the state of information-sharing.
From cyber hygiene to advanced threat detection, society has tools that may be able to stem the tide of cybercrime. But my guests emphasize that sharing information on threats and keeping an eye on what is required for recovery after the threat is passed may be some of the most powerful tools we have.
Tanya Ott: Think about all the things you do on a typical day: You’re on your phone, texting, checking your social media accounts. You shop online, send money to friends through apps, log onto your bank to check your balance. You’re inundated with emails from work, from friends, from stores you’ve visited once or news sites you’ve barely heard of.
And each of these interactions is a potential entry point for cybercriminals.
Now think about the systems you depend on: Telecommunications. Banking. Water and electricity. The traffic lights on the roads you drive on, the air traffic control systems when you fly. The hospital system in your town. They’re all connected via a vast network of networks—and anything that’s connected is also vulnerable.
That vulnerability has spawned an underground industry of cybercrime. What started as emails offering us free university diplomas and “get rich quick” schemes has progressed to becoming one of the major tools of organized criminal gangs—and even weapons of war.
This industry is profitable. Cybercrime is forecast to cost the world US$9.5 trillion in 2024.1 If it were measured as a country, then cybercrime would be the world’s third largest economy after the United States and China, according to the World Economic Forum.2
I’m Tanya Ott, and, today, on Government’s Future Frontiers, we’re going to be talking about the cyberthreats facing individuals, organizations, and even nations—and how government and business are working together to meet the challenge.
Joining me to work out ways to stop the hackers and criminal gangs are Srini Subramanian and Gordon Hannah. Srini is a principal in Deloitte & Touche LLP's Cyber Risk Services practice and leads the the Global risk advisory for Government and Public Services industry, while Gordon leads Deloitte & Touche LLP’s Risk & Financial Advisory's Cyber Analytics and Reconnaissance team.
First, I want to ask Srini—why is cybercrime such a threat? How did we get here?
Srini Subramanian: As we started embracing a digitally enabled society, to really look at the core of this, we have connected our economy and society using technology platforms designed for sharing information, not protecting it. That was the internet’s primary purpose—electronic connectivity and [data-]sharing. We chose to connect our economy and society and our applications using this platform. Now we are really working toward making this [platform] secure. And the staggering numbers that you just talked about are a part of a byproduct of this fast-paced evolution of technology.
Ott: What type of threats does our interconnected society face?
Subramanian: [They’re] really categorized into three different areas. One is cybercriminals. These are actors that are financially motivated to carry out some act on the technology using technology for financial gain.
The second is a cyber hacktivist— hacking and activism put together. They are motivated to get attention for political or social causes [by] defacing government websites or other large corporation websites to convey a message about a cause that they really care about.
The third category is where [my colleague] Gordon Hannah comes into play: Nation-state cyber actors. So the nation-state cyber actors carry out targeted activities using the cyber platform to gain defense or economic advantage over another country, typically carried out by state-sponsored actors.
Ott: While the aims of these three categories of cybercriminals may be different, they often rely on the same general approach.
Gordon Hannah: I would say well over half of cyber incidents really start with some portion of identity fraud or the ability to get [into] an account [with] inappropriate access.
Subramanian: In the case of online world, data is an asset. Information about your bank account or your financial or your health information, all of those are assets related to an individual. And a person trying to impersonate an individual is trying to gain some of this information for their own personal wealth accumulation.
Ott: One of the biggest components of cybercrime right now is ransomware: Criminals gain access to an individual computer or to a computer network, and threaten to destroy information—or to broadcast it—if ransom isn’t paid. For all—that it’s a huge moneymaker today—it started modestly.
Subramanian: Ransomware really started with individuals. They click on a link or provide their credentials and inadvertently [give] access to their desktop or laptop to a bad actor. And all that they do is make this computer device inaccessible to the owner by locking or encrypting all of the data and saying you want your data back, mail this kind of money to this number. Generally not very large amounts of money—US$300, US$400—that is something that people can afford, and that people are not willing to go through the pain of going to law enforcement or being without their computer and all of the things that are in the computer for days together.
And now the ransomware has ballooned into targeting corporations, targeting local governments, county governments, and demanding hundreds of thousands of dollars, and getting that kind of money.
Ott: And profits like that have turned cybercrime into an industry.
Pia Huesch: Cybercriminals and particularly ransomware criminals have become increasingly professionalized—to the extent that it’s somewhat absurd.
Ott: That’s Dr. Pia Huesch. Pia is a research analyst from RUSI, the Royal United Services Institute, a security and defence think tank based in London.
Huesch: You can find, on the darknet, job advertisements for an HR manager for a ransomware group. That’s how professional they are. They are highly specialized. They hire people for particular tasks, and they cooperate with other criminals, such as money-launderers. It’s a sophisticated system and highly professional.
Ott: The typical procedure? It usually starts with a phishing email that contains malware.
Huesch: Once inside, the ransomware then tries to establish a link with the attackers’ command or control server in order to receive instructions.
Ott: The attack doesn’t necessarily happen immediately.
Huesch: The attacker might spend weeks or even months in some instances looking for more information.
Ott: Information that gives them more access, more privileges, [and] more opportunities to profit.
Huesch: That can take a long time, during which many attackers remain undetected. It could be weeks or months.
Ott: But eventually, they strike, either encrypting data or threatening to expose it.
Huesch: Typically, a countdown appears on your screen and panic spreads.
Ott: If the victim decides not to pay?
Huesch: In that scenario, a ransomware criminal might decide to blackmail you with the previously exported data and, then say, if you don't pay the ransom, we will leak your sensitive data online.
Ott: Some organizations decide to pay. But their problems may not be over.
Huesch: There are incidents where attackers would share that information on the darknet and say, these are the companies that have previously paid. It is not that uncommon that companies are targeted a second or even a third time.
Ott: Gordon, how can organizations protect themselves from ransomware attacks?
Hannah: Having things like multifactor authentication that requires you to provide a secondary form, like a onetime passcode, is a really strong deterrent. But it’s still amazing to me how many organizations have not implemented it, or they implemented it and [gave] individuals the option not to use it. When you’re just looking for someone’s username and password, there are massive breaches that have taken place over the years and massive access to information about you.
Subramanian: Just that step is going to help really mitigate so many of those attacks, because people are still using just user ID and passwords and weak passwords. And enabling multifactor authentication can really mitigate a number of those risks. What may look like an extra step goes a long way in ensuring protection.
Ott: Do we need additional software of any kind to protect our assets?
Subramanian: In some instances. We absolutely do like antivirus and software that is monitoring when our systems and all the transactions that are going on to look for known signatures of attacks. Most of these are now built into the software operating system itself. The sites are saying, well, you know, this is a site that you don’t want to go to because we have had issues with the site in the past.
Ott: What about software updates?
Subramanian: Install them promptly. One of the reasons that these updates are provided by the software vendors is to make sure that they are plugging the vulnerabilities that that may have been found. And doing those implementations of software updates promptly is another technique to having good cyber hygiene.
Ott: Those are measures that individuals can take. What about enterprises? How should they be thinking about these threats?
Subramanian: We advocate a philosophy of secure, vigilant and resilient.
Secure is, you take all the measures, you get the in the monitoring systems and things like that. But you can only do so much. You need to still be vigilant. You are monitoring for any kind of abnormalities and having the situational awareness when something goes wrong, so the enterprises can immediately start acting when a threat is detected.
[And] in spite of being secure and vigilant, there are going to be cyber incidents that happen. To be able to bounce back and recover quickly, one of the things that we talk about is if enterprises have solid backups, robust backup mechanisms that can help them recover quickly, then they don’t have to deal with ransomware.
There are techniques like air-gap backups where you do a backup and it is not connected to anything. And you use that to restore your systems. So being secure, being vigilant, and being resilient is an excellent philosophy to look at most of these attack vectors and see how can we thrive in an environment where we seem to be having a lot of these cyberthreats.
Hannah: One area we haven’t gotten too much into yet is actually this concept of nontraditional infrastructure that conducts and interfaces with more traditional cyber infrastructure. We often refer to that as industrial control systems.
One of the things to be very aware of is the majority of the critical infrastructure in most countries is actually privately operated and maintained. There has to be a lot of cooperation between the public and private sectors around protecting individuals and the use of the infrastructure.
If those systems now are not protected, that can be a huge vulnerability. If I can get into your networks and somehow now get into the controllers for critical functions like providing water or electricity or things like that—or oil—you know, those types of things can be tremendous threats to organization. So you really have to, as Srini said, do as much as you can do to secure and protect all of that. Then to monitor it in real time as you can to look for any anomalies to defend against. And then the third piece is you’re probably not going to be perfect in there, [there are] going to be things that happen. And how do I recover, how do I respond, and recover when something bad has happened?
Ott: The vulnerability of critical infrastructure has not escaped the notice of nation-states. Even crude cyberattacks can cripple a country—something Estonia experienced firsthand.
Colonel Jaak Tarien: [In] 2007, Estonia got cyberattacked. As I’ve been told by the high level of state leadership in Estonia, when they went to Brussels NATO HQ and told allies Estonia is under attack, the first response was to switch on TV to BBC, CNN, and say, well, where are the tanks? Where is the aircraft? What do you mean attacked?
Liisa Past: Estonia, in 2007, really became the testing ground and patient-zero of a politically motivated cyberattack—attacks against Estonian digital infrastructure, the media, the banks, and parts of government websites and the parliament were targets of distributed denial of service attacks, a reasonably unsophisticated attack. All it does is taking systems down for a short period of time. It’s basically an automated way of sending too many requests to a website or a server, to a point where it becomes unable to service any requests.
Heli Tiirmaa-Klaar: Suddenly, you have the data flooding your servers. The river is just 400 times wider than it used to be, right? So, you are mitigating it all the time so that you can still put your services up.
Past: In today’s terms, that wouldn’t even be a red light in the monitoring system. But back then, it was a test case of so many things, our reliance on their highly digital way of life being first of them, so suddenly, not having access to that online banking platform for a few hours at the time, for a few days in a row, was a serious step back from what we were used to.
Tiirmaa-Klaar: At some point, when the attacks were at its maximum, there was a decision to limit the connectivity with dial internet. Some connectivity was remaining, but the majority of the services you could not access from abroad.
Past: Those attacks have never been officially attributed. The Estonian authorities at the time were focused on making sure that business could continue as usual, as much as possible.
Ott: Those were the voices of Colonel Jaak Tarien, former director of the NATO Cooperative Cyber Defence Centre of Excellence; Liisa Past, national cyber director for Estonia; and Heli Tiirmaa-Klaar, an Estonian ambassador for cyber diplomacy recalling the events of 2007 in Estonia.
Gordon, what are the specific factors to consider in terms of nation-states utilizing cyberattacks against other nations?
Hannah: First of all, attribution in cyberspace is very difficult for a number of reasons. Obviously, it’s a massive space. Whenever you communicate from one point to another, there [are] actually multiple ops or points along the way. The proliferation of attackers as well as attacking tools, like malware as an example, make it very difficult on attribution.
Subramanian: It is very easy to see when there is military aggression by one country on the other that is physical in nature. With tracking and things like that that we have, it’s very easy to pinpoint where an attack originated. It's very difficult to do that in the cyber world.
Hannah: So the policies are more geared towards collaboration. Cyberthreat intelligence is extremely important. Even at Deloitte, we have our own cyberthreat intelligence service. We hold calls both internally and with our clients to talk about what the threats are that we’re seeing, who the groups are, and what countries they may be associated with, and getting that information out there, what this threat is, and how should you specifically protect against it.
We’re also involved with critical information infrastructure providers, whether it’s oil and gas, electric, [or] financial services. We participate in what are called ISACAS, which are information-sharing groups that are built around this concept. How do I share this threat information in such a timely way to help others mitigate and prevent [a] potential threat?
Ott: Srini, how important is information-sharing, whether we’re talking about national threats or criminal organizations?
Subramanian: The aspect of getting information about these issues is extremely important and [so is] sharing across borders. We just talked about ransomware and payment mechanisms, where the payments are usually dealt with in cryptocurrency, and to be able to trace and identify where it is going is just one example of where collaboration between countries is required.
Another example is looking at threats that are coming in based on whether it is attacking a banking industry or government or healthcare industry, and sharing it broadly so that if it is a patch that needs to be applied to the systems, that different countries are doing those patches immediately. We say that, in this area, an ecosystem approach of governments, industry, and academia are really working hand in hand together to be able to tackle some of these threats is extremely important.
Ott: There are so many moving parts in responding to cyberthreats. For example, technology keeps advancing, so threats keep changing. I’m thinking here about artificial intelligence.
Hannah: It’s kind of a chicken-and-egg thing. Obviously defensive cyber capabilities are leveraging artificial intelligence, but so are the adversaries and the bad actors. There’s a bit of an arms race taking place.
It can be overwhelming, the kinds of attacks that can be launched today. My family got an automated phone threat that leveraged the [family] member’s voice patterns. It sounded exactly like they were calling and that they had been taken hostage, and we needed to send money somewhere to get them back. I view that as a cyberattack. Now, you have technology that can leverage either your public recordings or your voicemail recording and say new things and new words based on your voice patterns that sound a lot like—if not exactly like—you.
Ott: How can new tools play a role in helping individual consumers protect themselves?
Hannah: Providers are working to up the security ante. Today, now, on my phone, I can have a setting and say it’s an incoming call [that] looks [suspicious]. To me, that’s another great use of AI. It’s looking at trends in analysis and saying, oh, this number is calling a number of individuals more or less the same time, trying to get them to answer, and it could be spam. That’s a good use of AI and technology to try to mitigate risks.
One of the big focus areas we do work with law enforcement is trying to educate, users and populations around better etiquette, better techniques, technology, and software that you may leverage to better protect yourself. Obviously, resisting the temptation to click on that link and open that email when it [may] look fraudulent. I know in a lot of cases, a lot of people don’t look at the real address of the sender, because if you did, you would know it’s not the company that’s being mentioned in the communication.
What we’ve been working with in law enforcement is a lot of education around this.
Better cooperation and information-sharing between the public and private sectors, I would say, that’s another area we’ve been putting a lot of time into because we may see a threat before the government does in the private sector side or vice versa. If we’re able to share that information along with, here’s specifically what it is, and here is specifically how to protect yourself from it, that’s a huge win. The faster you can do that, the better.
Ott: Quantum, AI, the Internet of Things, managing big data, so many complicated issues here are intertwined and cyberthreats can really come from just about anywhere. Yet, governments can’t simply secure every organization’s networks and systems. So, what can governments do? What can they do to catalyze more effective defenses for themselves?
Hannah: I think the starting point is always around risk—really understanding what your biggest risks are. And like you said, no one has infinite resources to apply to protect themselves. But have you prioritized in a way that aligns with risk? [Organizations] can apply the protections and monitoring those responses commensurate with the level of risk they’re encountering. Because, like you said, there’s just so much infrastructure and it’s really hard to do everything for all of that at the same time. So having prioritization and a risk-based and -focused lens, is always the starting point. And then, executing on a lot of the things we talked about: getting protective measures in place, monitoring that infrastructure, and then being able to respond and reconstitute if something bad has happened to it.
Subramanian: From my perspective, the government really has two major roles. One is government collects, disseminates, [and] uses personal information of people in a very significant way. Most of us, we don’t even have an option not to share our personal information, because [the government provides] the identity—they have the birth certificates, they have health care records, financial records through our tax filings, and so forth. So, government has a very important responsibility of protecting all of that information.
The second responsibility of government is to make sure that the private sector is not adversely impacted, because any kind of economic impact also affects citizens and residents [by] enabling knowledge-sharing and putting out policies and issues. Gordon mentioned that about critical infrastructure. We are talking about transit, energy and utilities, and all of that infrastructure that provides day-to-day services to people. If that infrastructure is impacted now, we are not only looking at data loss, financial loss, but we are also looking at disruption and safety issues.
Government is constantly looking to see how can we provide funding for private sector to strengthen the security of these infrastructures. One recent example is a US government agency that published about personnel working in this critical infrastructure—what kind of protection measures they want to take in their personal lives to make sure that their [security is not going to be compromised, and they are not going to be used as a vehicle to carry out an attack.
Ott: We talked about the experience of Estonia earlier—how it weathered one of the first national cyberattacks. But that hasn’t stopped it from pursuing a more connected society.
Subramanian: Estonia, a relatively small country with maybe 1.3 or so million people, [has] been able to digitize and use digital technology to make most of their government and other services efficient. And at the at the foundational level of that is the digital identity—the identity that almost 98% of the Estonians carry. And they use it to carry out more secure transactions that give them a lot more trust in how they are transacting electronic business.
Now, turn your attention to one of the most populous countries in the world, India. They have been able to give digital identity, over a 10-year period starting 2009 or so, to 1.4 billion people. Now they are realizing the advantage of having such a digital ID to carry out secure transactions. Billions of transactions, in fact, that are really removing the need for people to be doing cash transactions, from taxi and other drivers taking those kind of electronically enabled payments through a secure digital identity. That is another way that some of these things are coming out as enablers of technology evolution. And so, there is a lot of hope in terms of being able to leapfrog and adopt these technologies.
Now, you might ask, well, why has this not happened in countries like United States and the United Kingdom and others. The main reason is, it is the disadvantage of having the legacy technology; and a number of these technology implementations in developed countries took place over the last 30 to 60 years. Now, in order to modernize and upgrade, it takes time and effort, and that is one of the reasons why it is taking time to be embraced. Whereas some of the other countries that didn’t have that kind of infrastructure are able to leapfrog and innovate quickly. And that’s what we want to do, embrace new technologies and be able to confidently transact business on the internet without worrying about these consequences.
Hannah: Yeah. And I would just add, there are a number of international organizations and international standards that have been developed around internet usage ethics [and] around internet intellectual property. But it’s up to individual countries whether they embrace some of those or not and codify them in law and enforce that law.
Ott: The United Nations is working on a cybercrime treaty, but it’s facing some unique challenges. I asked Amrit Swali, a researcher in the international security program at Chatham House, an independent policy institute based in London, to tell me more.
Amrit Swali: The global community has long recognized the cross-border nature of cybercrime and the importance of establishing both regional and international methods and mechanisms to deal with it. And obviously, there are really big legal, ethical, and also procedural concerns that come up when you’re talking about responding to cybercrime. When you’ve got an instance of cybercrime that was conducted by someone based in one jurisdiction, and it’s affected someone based in another jurisdiction, there are a lot of issues in terms of how exactly you counter it and combat it, and then investigate and prosecute it.
Efforts to address this already exist. For example, we have the Budapest Convention on Cybercrime and its protocols, which facilitates cooperation on cybercrime and electronic evidence–sharing, and it has signatories from all over the world. And then alongside that, there are also various initiatives, institutions, frameworks, and organizations that do really important work on international investigations, evidence-sharing, and capacity-building, amongst other things.
The UN cybercrime treaty, if agreed, would essentially be the first legally binding international treaty on any cyber issue. So it’s quite a big deal, and if done appropriately, it could also harmonize cybercrime legislations across the world and provide a really important framework for preventing cybercrime that all UN member states could feel ownership over.
What the treaty is essentially aiming to do is establish a solid legislative framework for how to investigate cybercrimes, how to prosecute cybercrimes, what actually counts as a cybercrime, and how countries should cooperate on sharing evidence and information—trying to streamline the way we think about cybercrime globally.
There are some concerns there. I think one of the big contentious issues at the moment is around the scope of the treaty’s application, whether the treaty should apply to a broad range of crimes that have a computer or ICT [information and communications technology] elements.
Now, there are examples already where national cybercrime legislation has been used to criminalize online content, freedom of expression and free speech, target journalists and activists, and also just police general behavior through really vague and ambiguous morality clauses.
A narrow scope can help protect against these issues. But of course, appropriate, and proportionate global application is a huge concern here.
And I think we also have to acknowledge that the cybercrime landscape looks very different for every country. So, some countries might have big ransomware issues, and others might be prioritizing things like online fraud and scams. Countries also have very different levels of technological and legislative capabilities. So when we’re talking about a global treaty, we really need to be thinking about how it’s going to be implemented and whether the treaty is also incorporating mechanisms for allowing successful and effective implementation. The reality is that you probably can’t police that to as strong an extent as you’d want.
Ultimately, cybercrime is costing countries a lot of money. So, there is also an incentive from a financial perspective—from a cybersecurity sector—and also from a reputational perspective to use this mechanism, if agreed, to reduce the impact of cybercrime on a country’s society and a country’s economic position.
I think regardless of what happens with these treaties, private companies and NGOs and other multistakeholders will continue their work on cybercrime, whether that’s through cybersecurity developments, research, or advocacy. I think we can be assured that the treaty will contain some sort of role for multistakeholders, but it's yet to be seen how substantive that will be. But there is no doubt that that is a really important part of this conversation.
Ott: One of the issues that makes an international treaty on cybercrime so complex is that worry that cybercrime not be defined overbroadly. How does disinformation fit into the conception of cybercrime?
Hannah: I think the two are pretty closely related. With social media, we’ve seen algorithms built to feed you more of what you’re interested in, which can include misinformation.
I come back to educating and training the users. I think there are a lot of initiatives to really help in this area. But, you know, in that case, users have to probably seek it out.
Subramanian: Tanya, it’s really the integrity of the data: How do we know whether the information that is being published is factual or not?
If you look at the evolution of generative AI, that is another topic that is gaining a huge amount of traction in recent months, because what looks like a conversation or a commentary by an individual with the voice of that individual could be not factual. So, how do we really authenticate whether a video or a picture or audio commentary is factual or not?
Ott: All of these issues make me think tackling cybercrime is a 24/7, 365 days a year, year after year, job. Will we ever be done?
Hannah: Early on, the thought process was, I'll build my fortress and then be able to operate from that. [Now the concept is] the bad people are already inside your castle. How do you make sure you can still get food and water to your citizens? That’s the whole concept with zero-trust. Assume the bad people are already on your network. How are you going to still execute your mission or your service or business? Things are always changing in this domain. Threats are always evolving. New ones are always coming.
Ott: That’s a bit of an ominous thought.
Subramanian: Well, my quick final thought is there is a lot of hope. There are a lot of opportunities. There are a lot of things that are going to change for the positive. I would really encourage people that are looking to see where they want their career to be, look at technology and STEM (science, technology, engineering, and mathematics) and cyber. There are plenty of opportunities for any of the interest that you may have in this area. There is a huge opportunity to deliver impactful work that really gives a sense of purpose. So, I’m hopeful and excited for the future.
Hannah: Trillions of transactions and information exchanges are conducted online every day. Systems are operated successfully. Organizations have learned to mitigate risk as best they can, but also to understand they have risk.
As we continue to do more and more of kind of that basic blocking and tackling that we talked about, if we can get that all in place, that gives you a great platform to be thinking and looking for and protecting yourself against the more advanced threats. So it’s not impossible. You can achieve good results and mitigate risk.
Ott: Well, a huge thank you to my two guests today, Gordon Hannah and Srini Subramanian from Deloitte. We also heard from Dr. Pia Huesch of the Royal United Services Institute, Amrit Swali of Chatham House, and Colonel Jaak Tarien, Liisa Past, and Heli Tiirmaa-Klaar of Estonia.
Thank you for listening to Government’s Future Frontiers from Deloitte Insights. Remember to follow and subscribe, so that you don’t miss an episode.
Next time we’re talking “the final frontier”—yes, space.
Satellite technology, human spaceflight, launchers, telecommunications, navigation, monitoring of the climate. They all have one thing in common—they rely on our ability to venture into space. So, we’ll be examining the challenges, the opportunities, the pitfalls, and benefits of all things space-related.
Remember to follow and subscribe, so that you don’t miss an episode. And if you like what you hear, please leave us a review!
This podcast is produced by Deloitte. The views and opinions expressed by podcast speakers and guests are solely their own and do not reflect the opinions of Deloitte. This podcast provides general information only and is not intended to constitute advice or services of any kind. For additional information about Deloitte, go to Deloitte.com/about.