Pierre Noel on the growing threats of cyber risks

Mr Pierre Noel, Chief Security Officer, Asia, Microsoft, discusses the threats cities face from cyber-attacks, the fall-out from these, and what cities must do to become resilient to web-based threats.

Data Centre © Robert Harker 2012

How threatening are cyber-attacks to cities, and to what extent can they disrupt the day-to-day functionality of municipal areas?

Pierre Noel (PN): Today’s cyber-attacks pose severe risks to the livelihood of cities. On one hand, an attack could be aimed at city information, like data on municipal operations, civil servants or residents. On the other, perpetrators could target critical infrastructure assets, like water provision, electricity supply and transportation networks, in the hope of causing widespread chaos. In both instances, the fallout will be disastrous to city administrators, businesses and constituents.

Who instigates these attacks and what motivates such people?

PN: Hackers come from a variety of backgrounds including criminal syndicates, terrorist cells, activists groups and even disgruntled employees and contractors. While more of an issue more for nations rather than for cities, cyber-warfare is becoming increasingly common, where rogue governments and terrorist groups instigate such acts. All of the above stems from the fact that cities house extremely sensitive information about how they operate and the people that live in them, and hackers will continuously attempt to steal, amend or destroy this data.

Perpetrators target cities with the aim of achieving many different outcomes. These include financial reward by means of bribery or theft; disruption or damage to physical and digital assets; and exposure of confidential information, which could be viewed as controversial by the general public.

“Cities around the world are exposed to cyber-attacks on a daily basis, with the number and diversity of these risks set to grow exponentially in future.”

What are the most common cyber-risks threatening cities?

PN: In general, there are two types of attacks. Typically, there is malware, which exists in many forms and is not targeting a specific entity or operation. Any computer that is connected to the Internet will be exposed to malware. However most devices – particularly those used by government agencies – will have standard IT security features that block most harmful threats that can be found in the Internet. Nonetheless, it is not unusual for city departments with limited budget to operate using computers that are not properly protected, that can result in widespread infection.

The other types of attacks are advanced persistent threats, which are specialised incursions aimed at specific organisations and with a particular purpose – be that to steal information or to cause damage in some way. Cities around the world are exposed to both forms of cyber-attacks on a daily basis, with the number and diversity of these risks set to grow exponentially in future.

What must cities do to protect themselves against cyber-attacks?

PN: Municipal authorities must have a holistic perspective of all cyber-risks, which not only directly threaten government assets, but also those of suppliers and other partners. An important step in achieving this is to appoint a Chief Resilience Officer, who is responsible for protecting a city from cyber-attacks and other risks like natural disasters.

As part of their remit, they must assess all threats and communicate the implications of these to all stakeholders, including other government entities, industry and the community. By doing this, cities will be able to determine where gaps in their resilience reside and what must be done to address it. More often than not, these gaps result from substandard technological deployment and somewhat lax human behaviour. In order to mitigate the likelihood of cyber-threats, city authorities must ensure their defence systems are up-to-date and guarantee that all stakeholders are educated on web-based risks.

“In order to mitigate the likelihood of cyber-threats, city authorities must ensure their defence systems are up-to-date and guarantee that all stakeholders are educated on web-based risks.”

Few countries are better protected against the threat of cyber-attacks than Singapore. The nation has invested in state-of-the art defence systems and has implemented robust processes to counter the risks. Being a city-state, Singapore also benefits from having government agencies like the Infocomm Development Authority, Ministry of Home Affairs and Ministry of Defence, which collectively monitor cyber-security issues. With the number and sheer scale of these increasing, cities are looking to implement specific teams aimed at mitigating cyber-risks, among many other web-based threats. O