A man delivers a computer payload while working on a laptop on January 22, 2019 in Lille, during the 11th International Cybersecurity Forum. Photo: AFP
Opinion
Mamello Thinyane and Debora Irene Christine

Cyber resilience in the time of Covid-19 and beyond

  • Cyber resilience is a whole-of-society agenda that goes beyond just protecting critical information infrastructure
  • Resources and avenues for individuals and civil society organisations to perform the duty of active cyber resilience agents are limited

The novel coronavirus (Covid-19) pandemic is not only a global health challenge. It has had cascading impacts across many sectors of society, including the economy, education, governance, and cultural sectors.

One of the sectors that has seen a significant impact is the cyber sector. With the increasing reliance on information and communication technologies (ICTs) for communication and telecommuting, due to the containment measures that have been adopted across the world, there has also been an increase in adverse cyber incidents.

These incidents are not only affecting governments and businesses, but also individuals and communities. Among the Covid-19-related cyber incidents detrimental to individual citizens that have materialised in countries across the globe are:

  • Disinformation, misinformation and fake news around Covid-19 – the Covid-19 infodemic.

There are concerted grassroots and state-led efforts around the world that are exploiting social media to shape the narrative around the Covid-19 pandemic. Citizens are not only the end victims of these falsehoods; they are also inadvertently complicit by forwarding messages without fact-checking.

  • Social engineering attacks, including phishing messaging using the branding of trusted organisations such as the WHO.
  • Dataveillance in the name of Covid-19 epidemiological surveillance.

An increasing number of apps for epidemiological surveillance, symptom checking and contact tracing are being developed and deployed to assist in the fight against Covid-19. Some of these apps expose individuals to the risks of dataveillance and violation of personal privacy.

  • The exploitation of platform-specific vulnerabilities, including what is popularly called Zoom-bombing.
  • Disruptions to online services as people spend more time online and as network resources become strained.

Some network operators have reported increases of up to 50 per cent in their network usage.

The negative impact of these events is not only disruptive to societies; it also represents economic costs, loss of safety and security, and in extreme cases, the loss of livelihood and life.

The vulnerabilities of individual citizens and communities to adverse cyber events during times of crisis indicate that providing resources and avenues for them to respond to and recover from adverse cyber events, as well as to continue everyday functioning under attacks and disruptions, is imperative.

The ability to recover and for life to continue in the face of these adverse cyber events depends on the cyber resilience posturing of the different stakeholders within the cyber ecosystem. Cyber resilience is a whole-of-society agenda that goes beyond just protecting critical information infrastructure.

It concerns the entire ecosystem comprising physical, technical, organisational, and human factors. The objective is to create the capability to anticipate threats, absorb the impact of the threats, and to respond in a rapid and flexible way to ensure the continuation of operations and everyday functioning.

Our research on the state of cyber resilience in Asia-Pacific found that while countries aim to be cyber resilient, few give elaborate framing and operationalisation of cyber resilience in their national cybersecurity strategies.

Further, current national cybersecurity frameworks have largely focused on companies, governments, and state-level actors, and are thus difficult to operationalise for individual citizens and civil society stakeholders, such as community-level organisations.

Across the region, cybersecurity is considered as a shared duty of all stakeholders. However, resources and avenues for individual citizens and civil society organisations to perform the duty of active cyber resilience agents are limited.

Aside from campaigns for raising public awareness of cybersecurity issues and the inclusion of cybersecurity education in the school and higher education curriculum, Asia-Pacific countries vary in their approach to supporting and enabling active participation of civil society in the cybersecurity ecosystem.

To enhance cyber resilience in their respective countries, we recommend that governments frame cyber resilience at the whole-of-society level and operationalise resilience through well-defined programs, resilience metrics, and resilience maturity models.

Clearly defined avenues for civil society participation in the governance of national cybersecurity, from the refinement of national cybersecurity strategy documents to the reporting of cybersecurity incidents, would enhance the co-production of cyber resilience.

Meanwhile, citizens can enhance their cyber resilience in the time of Covid-19 and beyond through several measures. First and foremost, citizens need to gain a basic awareness of the cyber risks and vulnerabilities that might affect them. Citizens also need to develop an awareness of when things have gone awry and when they have been a victim of an adverse cyber incident.

Developing good cyber hygiene habits, including using good passwords and multi-factor authentication where possible, not forwarding unverified messages and fake news, downloading software from trusted sources, limiting and controlling permissions granted to applications, being cautious of links and downloads in emails, backing up data properly, and ensuring that account recovery mechanisms are working and up-to-date can protect citizens, both from external cyber threats and human errors.

Equally important, citizens need to attend to the adverse cyber incident. This might entail recovering hacked accounts and changing passwords, notifying relevant stakeholders of the compromise (e.g., informing your social media followers, people in your address book).

In some cases, this will require engaging professionals and relevant officials. The goal of cyber resilience is to ensure continuity of life, and therefore it is important for life to move on during and after an adverse cyber event.

The experience of an adverse cyber event should inform future behaviour and practice that mitigates both known and unknown future risks. This could include incorporating privacy-enhancing technologies in daily cyber life or adopting more secure software alternatives.

Covid-19 is not here to stay and the global community will come out on the other side of this unprecedented episode. The world will have suffered a great loss to human life and livelihood and the world as we know it will have changed.

Covid-19 has forced us to confront our overall lack of preparedness for dealing with such major global challenges, the global interdependencies between countries, our increasing dependence on ICTs, and the importance of taking responsibility to enhance our cyber resilience as individuals, communities, cities, countries and the global community.
