Wanted cyber warriors

IMAGINE, for a second, that you are a human resources manager in a top aerospace company. Most days, you get into work at 9am. Today, a Monday like any other Monday, is no exception. You check your e-mail first thing in the morning. As usual, most of the e-mail you get are job applications. One of them catches your eye; you know that the aero engine division has a vacancy because work on a new jet engine is moving quickly.

The e-mail is from someone who appears to have the right qualifications. You download the attachment named "CV" and forward the e-mail to the aero division head for her consideration.

Somewhere else in the building, the aero division head reads your e-mail and downloads the attachment, too, before heading off to a meeting on the new engine design which she is very excited about.

Neither of you know that these two downloads have triggered pings in a computer far away, in another country.

The person sitting in front of the computer wears a quiet smile.

That's because a small piece of malicious code had been attached to the document that was sent to you, and your downloading it gave the hacker access to the computer by creating a "backdoor" - a hard-to-detect connection to the Internet that bypasses security protocols.

The hacker uses this backdoor to send in more malicious code and gains full access to the two computers - and through them, the company network.

This job application e-mail wasn't sent randomly. The criminal group, to which the hacker belongs, had been hired to steal your firm's intellectual property.

The hacker finds what he is looking for - a detailed 3D engineering drawing of the new jet engine with notes. He exfiltrates this file and other important documents he finds during his search, before hitting a "kill switch" which erases the malicious code and leaves with virtually no trace.

This incident, while hypothetical, is entirely feasible.

Similar incidents have in fact happened through what is known as Advanced Persistent Threats (APT), arguably the most dangerous and sophisticated form of hacking.

New threats, new opportunities

While this is the sort of thing that keeps chief information officers (CIOs) up at night, cyber threats are also fuelling a burgeoning demand for cybersecurity professionals.

David Koh, chief executive of the Cyber Security Agency (CSA) of Singapore says: "We tend to hear and read about the negative or 'dark side' of cybersecurity, but there is also an upside - cybersecurity is an emerging growth sector with the potential to provide over 2,500 job openings by 2018."

"The cybersecurity sector in Singapore is projected to grow by about 9 per cent a year to reach around S$900 million by 2020."

Today, there is a shortage of cybersecurity expertise worldwide.

Last year, a Robert Half report found that 85 per cent of Singaporean CIOs expect more cybersecurity threats over the next five years because of a shortage of skilled information technology (IT) security professionals.

"New technologies raise new security concerns. This trend has resulted in an IT security skills gap since the available expertise has not kept pace with the evolving IT threats," David Jones, senior managing director, Asia Pacific at Robert Half, had said in the report.

According to data cited by ISACA - a professional association focused on IT governance - the world will face a shortage of 2 million cybersecurity professionals by 2019.

Where there is scarcity, there is also earning opportunity.

A report by the Center for Strategic and International Studies and Intel Security which surveyed eight countries said: "The median cybersecurity salary reported in surveyed countries is at least 2.7 times the average wage, according to the OECD (Organisation for Economic Co-operation and Development)."

"Cybersecurity jobs in the United States pay an average of US$6,500 more than other IT professions, a 9 per cent premium," it added.

CSA's Mr Koh notes that in order to strengthen Singapore's cybersecurity, "we need to not only build technological capabilities, but also a highly-trained cybersecurity workforce."

The government has introduced a Cybersecurity Professional Scheme of Service for the public sector. Centrally managed by CSA, the scheme will develop a central core of cybersecurity professionals to be deployed across agencies to strengthen Singapore's cyber defences.

Elsewhere, other chances to acquire new skills are emerging.

"...the Ministry of Defence has announced the creation of a new cyber defence vocation for national servicemen. Other initiatives aimed at training and upskilling cybersecurity enthusiasts include the Cyber Security Associates and Technologists Programme and the Work-Study Degree Programme," says CSA's Mr Koh.

The private sector is also trying to plug the gap in the supply of cybersecurity expertise.

Minister for Communications and Information, Yaacob Ibrahim, recently noted that companies such as Singtel, ST Electronics (Info-Security), Quann, Accel, and Deloitte have joined the Cyber Security Associates and Technologists programme to train more cybersecurity professionals for the industry.

The formidable foe

Even as companies and governments try to marshall their cybersecurity troops, they will face a formidable foe that is well-versed in cyber guerrilla warfare.

"Perpetrators often acquire legitimate user credentials or gain access through unprotected software or hardware, allowing them to easily bypass traditional security tools like firewalls," says Sanjay Aurora, Asia Pacific MD of Darktrace, which specialises in detecting sophisticated cyber threats.

It can take up to 230 days for a company to realise they have been breached and critical systems compromised. "At Darktrace, we once started working with a customer, only to find that there was a sophisticated threat inside their network that had been there for eight years," he says.

Bill Chang, CEO Group Enterprise at Singapore Telecommunications (Singtel), notes that hackers have the means to break any password.

There are password-breaking machines... Any password in seven-alphanumeric format can be broken in minutes, 11-alphanumeric could be broken in two weeks, says Mr Chang, who oversees Singtel's vast and growing security practice, says Mr Chang, who oversees Singtel's vast and growing security practice. (See Clarification note)

Many people think malware to be a virus or a code, he continues. "But nowadays it (is) more a case of a 'who' rather than a 'what'.

"'Who' could be whether it is a nation-state, a very sophisticated group with immense resources that could target an organisation and bring it down or target a government. The 'who' could be a cybercriminal who is doing it for financial gains.

"The 'who' could be a group that just wants to steal IP and technology companies are very worried. The 'who' could also be an activist group like Anonymous who are out to get a government or organisation with whom they don't agree."

The problem is compounded by the fact that today, you don't need to be a coding specialist in order to be a hacker.

Online tools are easily available for hacking. "There is a Russian forum that... sells everything under the sun that you could use as attack tools. The underground web grows quickly. You need less than US$6,000 to create all these attack tools, a website to target people and you could use ransomware on them and could earn as much as US$90,000 a month even if you only attract a small percentage of people to download the ransomware," Mr Chang notes.

"With that kind of RoI (return on investment) you can imagine why this is growing so fast."

He adds that people in the hackers' ecosystem usually attack people and organisations in other countries and so apprehending them is difficult because of the lack of cross-country jurisdiction.

Safe habits save data

If you do not have a burgeoning cybersecurity career in your future, there is still more that you can do as an individual.

The key findings from CSA's first cybersecurity Public Awareness Survey of 2,000 respondents showed that many still do not practise good cybersecurity habits. For example, only one in three manage their passwords securely.

"We need a change in mindset," says CSA's Mr Koh. "Many of us believe that we are not targets, because cyber criminals will only target wealthier individuals and more profitable companies. Or we are deterred (from taking a taking a pro-active stance), thinking that cybersecurity is too technical."

Staying safe online is not as hard as one may think. Here's a list of some easy steps one can take to stay safe online:

Finally, always remember why you lock your front door and look into a keyhole to see who it is before opening the door. You do so because you don't want someone you don't know getting into your home.

Use the same habits online; don't keep your virtual door open and don't get tricked into letting an intruder in.

Fighting the cyber threat is the new frontier in IT - Singapore and its denizens need to be among the winners in this battle for cybersecurity. In this space, every individual can contribute by staying safe themselves. As with any other battle, the spoils go to the victors. So suit up, and get ready to man the ramparts.

Clarification note: This article has been updated to reflect that Singapore Telecommunications does not possess or use any password breaking machines.