Prof. John Mallery
Research Scientist MIT Computer Science & Artificial Intelligence Laboratory, US
Director Centre for Cyber Security Research & Innovation (CSRI), Deakin University
Additional Director Office of the Scientific Advisor of Defence Minister, DRDO Ministry of Defence, Government of India
Director of Cyber Security Ernst & Young – MENA Region, Qatar
Prof. Mallery, in his Keynote Presentation, discussed the various dimensions of multi-level cyber conflicts and placed the financial sector in the critical infrastructure layer of economics. He then deliberated upon a comprehensive cyber defence framework, including a cyber defence strategy and a cyber risk reduction strategy. Both strategies encompassed several categories, such as knowing the threat model, having security and resilience architectures, incentivising critical actors, analysing residual risk, creating deterrence architectures and developing mutual defence alliances and partnerships, among others. He emphasised a cyber data sharing architecture for rapid threat mitigation and the need to raise information assurance in the globalised ICT supply chain. Prof. Mallery concluded by stating that success in cyber risk reduction requires a comprehensive strategy for cyber defence, and that solidarity against unfair trade practices is necessary to sustain and modernise the contemporary international trade regime. Finally, the International Vulnerabilities Equities Process (IVEP) can drive phased increases in information assurance in ICT and raise the cost of malicious cyber activity.
Manuel, in his Keynote Presentation, focused on threats and risk management practices in the banking sector and underlined the governance challenges they pose. He stressed four ‘W’s to consider for cyber security in the financial sector: what is important to one’s business and assets, and the value of that data to the organisation, its customers, partners, suppliers and attackers; where the assets are and how they are protected; and who is after those assets and why. The motivations, according to Manuel, range from curiosity to political and ideological aims, financial need and, in many cases, the desire to gain power. He emphasised that financial organisations should be concerned about cybercrime from criminal syndicates and from trusted insiders, who can be classified as negligent, ethical or malicious, and also highlighted that governments around the world are building defensive as well as offensive capabilities to tackle this menace of cyber security breaches.
Sherin highlighted the issue of malware being provided as a service, which has made breaches easier, and the issue of attribution in cyberspace. According to him, it is almost impossible to discover who actually committed an attack, especially when the server used for the attack was rented and paid for in bitcoin. He was of the opinion that there have been discussions at the national and policy levels, but the problems are more entrenched at the very core of day-to-day operations.
Sonal explained that it is the lack of a security apparatus at the fundamental level of technology design that results in vulnerabilities and causes cyber threats. He emphasised that processes and systems need to be monitored for both normal and abnormal behaviour. He concluded by emphasising the need to invest more in cognitive technologies where data fusion and analytics can be performed.
The panel discussion began with very significant observations by the Moderator, Sharma, who raised the concern of malware being sold and provided as a service, a very prevalent phenomenon in which the malware is specifically designed not to exhibit abnormal behaviour and thus to defeat anti-virus software. To this, Prof. Mallery responded by underscoring that classical computer security and design-time security are not enough, because adversaries and attackers have multipliers working for them, and the role of insiders is also a challenge. The Moderator then raised the conflicting issues of privacy vs. security vs. usability. In response, Sherin stated that when weighing human privacy against human life, the former has to take a backseat, while noting that the question is not easy or straightforward to address. He also stressed ‘resilience’, because attackers will eventually find ways to get through systems and networks despite the defences in place. Thus, the focus should be on recovery and resilience.