ONE and three quarters of a trillion dollars. Read that again: $1.75 trillion and let that sink in.
That is how much the world is expected to spend between 2021 and 2025 to keep cyberspace safe and secure for everybody—$1.75 trillion.
The cumulative price tag of a safe cyber world through 2025 is almost five times the current gross domestic product (GDP) of the Philippines, about a tenth of the Chinese economy and about a twentieth of the US economy.
A huge amount if we think about it—monies that could have gone to fuel the operations of tens of thousands of schools, provide shelter to millions of homeless individuals, feed millions of hungry families, or even start funding the $175 billion yearly budget to “end poverty.”
“Instead of using these money to something mainly to develop probably some economies for growth, we are using these money to protect humanity from itself,” Kaspersky Director of Global Research & Analysis Team (GReAT) for Asia Pacific Vitaly Kamluk said at the recent Cybersecurity Weekend in Phuket, Thailand.
Huge investments
EVERY year, the whole world is expected to spend more and more on cybersecurity. On average, the world is projected to spend 15 percent more each year to protect cyberspace from digital criminals, according to data from research and data analytics firm Cybersecurity Ventures Inc.
From $262.4 billion in 2021, economies around the world are expected to invest $301.8 billion in cybersecurity this year, $347 billion the following year, $399 billion in 2024 and $458.9 billion in 2025.
“The current threat landscape can take this projection up a few notches if we are to consider the real situation worldwide,” Kamluk said. “So, it is natural to ask why we are investing so much into cybersecurity and wouldn’t it be worth saving all this money for something else.”
Nonetheless, investments in a safe cyberspace are huge because the threats and repercussions are also gargantuan.
Cybersecurity, Kamluk explained, is more than just installing antivirus applications—it involves more than just algorithms and codes, but is actually a string of processes, people and policies that leverage technology to keep the digital ecosystem free of crime—or at least lessen or prevent digital criminal activity.
Reduces integrity
WITH all the energy, manpower resources and cash injected into cybersecurity, is it really necessary for us to invest in cybersecurity? Is it essential at all?
Kamluk said it is possible for the world to just stop investing in cybersecurity. But he likened it to a digital dystopia—a world without order and with a whole lot of chaos.
“A world without cybersecurity would mean a world with no encryption or no secrecy, no access control, no integrity validation—so these are three pillars that we are going to lose if they say that we don’t need cybersecurity,” he said.
At the individual level, having no encryption or secrecy means that people have no protection from thieves. Malicious users can simply access your bank accounts and credentials, and steal your income or even your property.
Cyberbullies can, likewise, use private data to coerce individuals for monetary or personal gain.
Having no encryption and secrecy also reduces the integrity of almost all industries that have embraced digital transformation, such as banking and finance, healthcare and even tourism, among many others.
Without access control, anyone can claim to be someone from anywhere. This simply means that anyone can claim to be you online and operate on your behalf—make deals, purchase things, or transfer money.
Digital dystopia
THIS also means that election results or surveys may be rigged in favor of anyone and there will be a rise in fraudulent transactions online, theft of media products and denial of services.
Lastly, a world without integrity validation means that we won’t be able to afford the luxury of having information verified and authenticated before we consume it.
This means that fake news and disinformation will be rampant and undiscoverable, unscrupulous individuals will have the ability to install backdoors on any digital system and it will be impossible for businesses to go online.
Trust, security and privacy—these three are the things we will lose as individuals if the world stops investing in cybersecurity. Now imagine the repercussions of losing that for businesses and governments. It will simply become catastrophic.
“I see a world without cybersecurity as a digital dystopia where no one can fully harness the opportunities brought about by the latest technologies that we have in our hands,” Kamluk said. “Without companies and solutions working in the background to protect our data, our identity, the news we consume and the applications and devices we use, we will be left on our own to wade through the risks and I am sure no one would choose to live in a chaotic world like this.
“Today, cybersecurity is often an invisible part of our life which we take for granted, but we owe it almost everything we have achieved as a civilization,” he added.
Back to the old age
WITHOUT cybersecurity, everyone will be vulnerable to attacks and the frequency of cybercrime is also expected to rise—even as cyberattacks already number in the billions annually.
From July 2021 to August 2022, Kaspersky detected and blocked over 7.2 billion attacks by malicious objects, including malware and malicious web content, worldwide.
This is only a fraction of all the threats in the world. According to Kamluk, a more “realistic number” of cyberthreats and attacks would be five times more than Kaspersky’s figures.
The Philippines and the rest of Asia Pacific “appear” to be a vulnerable region, with 35 percent of detections of infection attempts coming into the region. This figure is 15 percentage points more than the figure recorded the year prior.
The Philippines ranked 8th in the region in terms of attacks, with Kaspersky recording 70 million detections this year.
Kamluk quipped that the world has the option of going back to the old age and giving up technology altogether to stop cybercrime without cybersecurity.
“It sounds like a huge setback before we had any digital products and platforms. Are you really ready to live in it?” he said, noting that providing safety and security in the cyberspace allows the world to be more open to developing and incorporating technology in their daily lives.
“Technology is only possible when you can do things without fear,” Kamluk added.
Sophisticated, multidimensional threats
INVESTMENTS in cybersecurity are necessary. And investing more has become the norm, as threat actors have developed more sophisticated, even multidimensional tools to threaten cyberspace.
Cybercriminals are no longer just targeting individuals and organizations through their large computers and hardware. They now aim to gain access to personal and corporate data through mobile phones and other handheld devices.
As of today, there are about 6.6 billion smartphones in use globally. So imagine how big the target is for cybercriminals.
Hacks and threats through smartphones have become more persistent this year, when Kaspersky noted a tripling of malicious installation packages for the first half of 2022 versus the full-year figure for 2021.
Last year, Kaspersky detected 3.46 million malicious installation packages for the 12 months ending December, but for the first six months of 2022 alone, Kaspersky has already detected 11.5 million malicious installation packages, showing how heavily hackers are targeting smartphones.
Kaspersky Senior Malware Researcher Suguru Ishimaru warned that Asia Pacific has become susceptible to mobile attacks, as more and more people adopt mobile banking in the region.
Ishimaru said Kaspersky’s active monitoring showed the notorious Anubis Trojan now delivers a combination of mobile banking Trojan with ransomware functionalities to its target smartphones.
Ransom functionalities
MOBILE banking Trojans are one of the most dangerous species in the malware world. This type of threat steals money from mobile users’ bank accounts usually by disguising the Trojans as legitimate apps to lure people into installing the malware.
The latest form of mobile banking Trojan is called Anubis, which accounted for 10 percent of mobile banking threats in the second quarter of 2022, according to Ishimaru.
Anubis works by providing Android users with legitimate-looking and high-ranking but malicious apps available on Google Play. Aside from this, initial infections may come through smishing (phishing messages sent through SMS) and Bian malware, another mobile banking Trojan.
Once in, this infamous mobile banking virus can do a complete device takeover. It can steal personal information and identity, access private messages and login credentials, record sound, request GPS, disable Play Protect, lock the device’s screen and more.
Ishimaru explained that Anubis is known for compromising hundreds of bank customers per campaign, proving that it’s among the most active malware targeting Android users right now.
“Our recent findings show that the cybercriminals behind this threat have started implementing ransom functionalities,” he said. “If this modification proves to be successful, chances are other malicious groups will copy the same technique of stealing data and holding devices hostage.”
Not exclusive to Android
BUT mobile threats are not exclusive to Android users. As bad actors continue to innovate and make their attacks more sophisticated and multidimensional, iOS users are also now vulnerable to new threats.
A threat actor based in China called the Roaming Mantis carries out malicious campaigns that target Android devices and spreads mobile malware initially via DNS hijacking and currently through smishing.
Using the same techniques, the smishing messages targeting iOS users contain a very short description and a URL to a landing page. If a user clicks on the link and opens the landing page, there are two scenarios: iOS users are redirected to a phishing page imitating the official Apple website, while the Wroba malware is downloaded on Android devices.
Once the victim enters their credentials on the phishing website, the flow then proceeds to the 2FA or two-factor authentication phishing website. This allows the attacker to know the user’s device, credentials and 2FA codes.
Ishimaru said there is a notion that the iPhone Operating System (iOS) is a more secure operating system.
“However, we must take two things into account—the increasing sophistication of mobile bankers’ social engineering techniques and malware arsenal and the possibility for human errors,” he added. “Remember that both Anubis and Roaming Mantis require user’s participation before they can take over a device.”
According to Ishimaru, with more than half, or 63 percent, of digital payments in the Asia-Pacific region doing their financial transactions online through mobile devices, awareness is no longer enough.
“Protecting our smartphones is a step that everyone should be doing by now,” Ishimaru said.
In the Philippines, text scams are becoming more and more rampant, with speculated data breaches at banks, telcos, vaccination sites and government being pointed to as possible culprits for the massive and coordinated attacks.
Be careful of your emails
ASIDE from smartphones, hackers and bad actors are also leveraging the ubiquity of email correspondence to pull off tricks that can help them in stealing data and personal financial information.
Kaspersky Senior Security Researcher Noushin Shabab revealed that Asia Pacific receives 24 percent of the global malicious spam mails detected and blocked by Kaspersky solutions. This means one in four junk electronic messages were delivered to computers in the region.
Unlike its mobile counterparts, malicious spam is not a “technologically complex attack, but when done with sophisticated social engineering techniques, it poses a severe threat to individuals and enterprises alike,” Shabab said.
Spammers and cybercriminals are sending out spam in mass quantities hoping to make money from individuals who respond to their junk emails, or run phishing scams to obtain passwords, credit card or bank details, or spread malicious code onto the recipient’s computers.
There are over 267 billion spam emails sent and received per day and the percentage of spam emails to the total number of emails is estimated to be as high as 84 percent.
“Malicious emails could be in different forms, there could be malicious files attached, or text emails,” Shabab said. “The top file formats of malicious objects in every month, the most detected malicious object, was the different malware like trojans and executable files that are malware.”
With the dense population in Asia Pacific and their high adoption of digital services due to the lockdowns, the region has become a great target for bad actors.
Shabab explained that the region accounts for almost 60 percent of the world’s population, which provides scammers more potential victims compared to other parts of the world.
Their extensive use of online services—including the pandemic-induced demand for online shopping—also makes individuals more susceptible to falling victim to scams.
There is also the lingering pandemic aftermath, which led to lockdowns and work-from-home setups in the region where people took their work computers home. Home networks are usually less protected from cyberattacks.
“Since 2018, the number of malicious spam mails detected by our solutions has seen a gradual decline after its peak in 2019. This, however, does not equate to our mailboxes being cleaner and safer,” Shabab explained. “Our constant monitoring of the current and new Advanced Persistent Threats [APTs] operating in Asia Pacific showed that the majority of these notorious threat actors use targeted phishing called spearphishing to crack into an organisation’s systems.”
Example of APT
THE Sidewinder threat actor is an example of an APT that targets key entities in the region through malicious emails.
Shabab explained that the Sidewinder threat actor has been using “new malicious JS code with recently created C2 server domains.” Known for targeting military, defense and law enforcement agencies, foreign affairs, IT and aviation entities in Central and South Asia, Sidewinder is considered one of the most prolific threat actors monitored in the APAC region.
The attacker, also known as Rattlesnake or T-APT4, “targets victims with spear-phishing emails containing malicious RTF [rich text format] and OOXML [Open Office eXtensible Markup Language] files.”
Shabab noted that some of the main characteristics of this threat actor that make it stand out among the others are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations.
Sidewinder has been going to town by sending malicious emails since 2012. Sidewinder also continues to expand its victimology and to sharpen its phishing tactics, she added.
Well-oiled groups
FOR example, to reduce the suspicion raised by some of their spear-phishing documents that had no text content, the group followed their first attempt to attack the victim—a spear-phishing email containing a malicious RTF exploit file—with another similar email, but in this case, the title of the malicious document was “_Apology Letter.docx” and it contained some text explaining that the previous email was sent in error and that they are reaching out to apologize for that mistake.
“There are many more well-oiled APT groups like Sidewinder who are constantly upgrading their tools and tactics to target high-profile victims in APAC through believable spam and phishing emails,” Shabab added. “The implication for enterprises and government organizations here is that a single malicious email when clicked can crumble your most sophisticated defenses and usually, APTs like Sidewinder just need one door to open, one machine to infect and then it can hide and stay undetected for long.”
One does not have to be a government agency, major financial institution, or energy company to become a victim. APTs target any sensitive data that they can use for their benefit.
Major danger
THE major danger of APT attacks is that even when they are discovered and the immediate threat appears to be gone, the hackers may have left multiple backdoors open that allow them to return when they choose.
“This increases the importance of guarding mailboxes—an entry point they usually exploit to get a foothold of an organization’s networks,” Shabab said.
To be able to search for potential spear-phishing signs without diminishing the company’s actual security, Kaspersky suggests that private and public companies install protective anti-phishing solutions on mail servers as well as on employee workstations.
Enterprises should also use advanced security software that can detect sophisticated APT attacks.
For governments, Shabab suggests defining better spam regulations to curb spam risks.
“Fewer spam emails from legitimate organizations means people are less used to receiving unexpected emails every day and are more vigilant when they are being targeted with malicious spear phishing emails,” she said.
Strengthening PHL cyberspace
GIVEN the persistent threats to the global and local cyberspace, Filipinos have to be more aware, open and responsive to the digital defense needs of individuals, companies and government bodies.
As the Philippines continues to be consistent in seeing and experiencing attacks—from the notorious Comeleaks to the recent mobile spam and spear phishing acts—it has all the more reason to be more cautious and alert.
According to a policy paper developed by Democracy.PH, “there is an immediate need for the Philippines to elevate its cybersecurity posture and capability.”
“The government should immediately take steps to increase the level of Philippine cybersecurity,” the group said.
The 31-page paper was forwarded to the administration of newly elected President Ferdinand R. Marcos Jr.
According to the position paper, “a quick win” is for Marcos to issue an executive order mandating that government agencies adopt minimum cybersecurity standards, designating the Department of Information and Communications Technology (DICT) and the Office of the Executive Secretary to be the point agencies to ensure effective implementation.
“The best framework to adopt at the minimum among all the international standard and best practices would be the National Institute of Science and Technology [NIST] Cybersecurity Framework,” the paper read.
The group also asked the president to consider making a National Cybersecurity and Information Security Act (NCISA) a priority legislative measure of the administration, and to establish a National Cybersecurity Commission (NCyC) as an attached agency of the DICT to pursue the cybersecurity protection of the Philippines.
“The NCISA should be well-fit under the umbrella of a broader overall National Critical Infrastructure Protection Act,” the paper read.
For his part, former ICT Assistant Secretary Allan S. Cabanlong said it is high time for the government to focus on ensuring a safer cyberspace for Filipinos, especially since the Covid-19 situation created a whole spectrum of opportunities for cybercriminals to thrive.
He noted that the pandemic has defined the new global threat landscape and the overall state of cybersecurity. Cabanlong, who is now the president of nongovernment organization CyberGuardians, observed that working from home, online meetings and conferences, online shopping and the massive use of the internet have given great opportunities to cybercriminals to victimize internet users.
According to Cabanlong, the government must beef up its cybersecurity workforce and provide morale, instead of politics, in order for these cybersecurity-trained technical people to stay in the government.
Step one
CABANLONG added that the transfer of knowledge must be supported instead of forever relying on managed services—cybersecurity services managed by a third party—which can introduce more risks to government data, provide the opportunity for corruption and halt the cybersecurity operations of the government, if not renewed on time, due to the nature of the procurement law.
“Today, the government already has the tools but the question is the government workforce ready? By then, it will be fully operational,” he said.
Cabanlong further said the government must move forward with its cybersecurity plan, which “became silent and went under the radar” in 2019.
“Today, government initiatives are returning to step one. With this, the cybersecurity community is hoping that DICT must recommend to the BBM administration to place an expert or technocrat who knows what it is to lead the country to cyber resiliency,” he added. “Putting a qualified person to the job will determine the present and future state of our cybersecurity.”
Whole-of-nation approach
THE Marcos administration recognized these observations and said that it is doubling down efforts to provide Filipinos with a safer cyberspace.
According to DICT Director IV-Cybersecurity Maria Victoria Castro, cybersecurity “is not anymore an option, but a must.”
“This is the reason why the Marcos administration is working double time in instituting cybersecurity programs and activities that are geared towards strengthening the cybersecurity posture of the country,” Castro said. “And as cybersecurity is a whole-of-nation approach, the department’s programs also give prime importance to the roles of other government agencies, critical information infrastructures [CIIs], business/private sector and individuals in promoting cybersecurity.”
Today, the DICT Cybersecurity Bureau (CSB) is assessing the National Cybersecurity Plan (NCSP) 2022 and is now moving towards updating it through 2028.
Furthermore, the DICT is also bolstering its manpower capacities, building up talent through knowledge sharing with its foreign counterparts.
“A country that is serious in improving its cybersecurity posture must take stock of its current landscape by identifying its inadequacies and vulnerabilities so it could develop strategies to achieve its goal,” Castro said. “The NCSP serves as the framework by which government agencies, military, CIIs, businesses and the academe base their own cybersecurity strategies.”