Tuning-up security in plural social networks

• Experts at the Daily FT-CICRA Cyber Security Summit 2019 point out social networking’s tremendous growth has created a breeding ground for cybercriminals 

By Hiyal Biyagamage

Social media platforms today have given a helping hand to cybercriminals to build a global cybercriminal network. According to a recent report from Bromium, the cybersecurity firm detailed all of the various tactics – ranging from crypto-jacking to botnets for hire – used by cybercriminals around the world to earn nearly $3.25 billion annually by exploiting popular social platforms.

During the third session of the Daily FT-CICRA 7th Annual Cyber Security Forum, local and international experts spoke from a public policy perspective as well as from a technology perspective on how social media providers need to be doing more to protect individuals and organisations from cyber threats that are growing at a rapid rate.  

Cybersecurity from a bird’s eye perspective

Delivering the first keynote, Facebook Public Policy Manager (India and South Asia) Bhairav Acharya spoke about how the world’s largest social media company works on the policy aspects of data collection, data governance and privacy as well as how Facebook works on cybersecurity.

“Some people see it [cybersecurity] as a flip side of data privacy; others see it as a standalone issue. At Facebook, we see it from both angles,” said Acharya.  

Looking at cybersecurity from a bird’s eye perspective, Acharya said, “Facebook is a large platform. It is a group of applications as well as a new bunch of technologies. All of them together, we can identify security implications of each of them differently. It is not a single monolithic corporation. I want to look at cybersecurity as a platform and look at cybersecurity for nations, particularly nations in the South Asian region – what are their challenges, what is the best way that laws can be made to serve the data security interest of each nation from a global perspective, what are the best global mechanisms we can use to promote cybersecurity.” 

Showcasing Facebook’s 10-year roadmap to the audience, Acharya said that Facebook began with an attempt to create an ecosystem. “When we use the word ‘platform’, people mean different things. Some people use platform as a place where there is a multi-sectoral platform for users and developers to interact. We use the word ‘platform’ in that way as well, but we also mean at as an ecosystem where communities can interact with each other. The mission of Facebook is to connect the world. To do that, we have to create a multi-sided platform. When people say Facebook, they tend to think of the blue app. But Facebook is much larger than that.”

In the cybersecurity universe, there are three approaches Facebook uses – they focus on the security of data, focus on the security of the network and focus on users. There is another school of thought, according to Acharya, that Facebook focuses on governments as well. 

“We focus on all four elements, but we focus more on some of these elements. Facebook focuses on data and networks. We have different tools which provide users with the ability to control their networks and data. Two-factor authentication (2FA) is one way, and if users want to add another layer of security, we provide three-factor authentication (3FA). Today, different countries in the world are discussing laws that make it illegal for service sector companies to miss out two-factor authentication. In the Indian banking sector, there are discussions underway to ensure there is no accessing of a system without going to two-factor authentication. In Europe, there are some sectors which are looking at three-factor authentication. We are moving inexorably but perhaps faster in this direction.”  Acharya said that going forward different industries will be having sectoral regulators making robust, sector-wide regulations; perhaps even nations making laws, requiring 2FA and 3FA as a condition to be able to access. “Going forward, if corporations or platforms provide 2FA, it can be immunity from a network or a system being taken down. What you can do is provide the best security systems up-to-date and educate your users to ensure that there is this level of structural stability in the platform.” 

A whole new world of innovations

Facebook does a whole lot of innovative work when it comes to developing cybersecurity tools, said Acharya. 

“We have teams working across the world who are building tools, who are building hardware and software that keep the platform safe. This does not work within a one cybersecurity team sitting and working in the headquarters. You need to have an agile cybersecurity force; we have understood that and that is what we do. We have also recognised that means of access to the internet, particularly in the developing world, is mobile-first. In countries like India, the government has set out a lot of policy attention into the mobile-first world. As nations and governments are beginning to encourage an app-based economy, stakeholders of this economy need to ensure that the mobile (hardware) and operating system (software) layers are secured. You need to bring cybersecurity to both these layers as well as the apps layer.”

Speaking further, he said, “As we transition from being a desktop-based service to a mobile-based service, a lot of our developer tools are being tested in South Asia because we want to test how cybersecurity works at scale in data-low countries and how cybersecurity work at scale in video-first countries. We see in many South Asian cities that videos are being consumed primarily. This has been made possible because of the tremendous investments in 4G. To ensure cybersecurity within this massive network, the 4G standard has to be secured, all the sub-components have to be secured, and companies have to invest in cybersecurity at an elementary level. Hardware and software layers, the two crucial layers for a mobile-first economy, must be secured. And lastly, the third layer, where Facebook and other apps rest, has to be ensured with proper security. This means that Facebook has to work with governments, app developers and other entrepreneurs, and hardware manufacturers to ensure there are no vulnerabilities.” 

Speaking about enabling secure frameworks, Acharya said, “Frameworks are codes which create the infrastructure upon which apps are developed. Sometimes, the programming languages might have vulnerabilities. We have invested in lots of resources to develop new resources.”

For example, Facebook has developed a language called Hack for HHVM (Hip Hop Virtual Machine) that interoperates seamlessly with PHP. Hack reconciles the fast development cycle of PHP with the discipline provided by static typing while adding many features commonly found in other modern programming languages. They have also developed a language called XHP, which is an augmentation of PHP. 

“We have automated testing tools that make sure that platforms and their components run securely. We have routine design reviews. And we also have bug bounties. We recognise and reward security researchers who help us to keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Facebook’s discretion, based on risk, impact and other factors. During the last two years, we have given out around $ 7.5 million in bug bounties. The only way we have been able to achieve security at this level of scale by ensuring that the community speaks for us. There will be vulnerabilities that can only be discovered by coders and programmers who are situated in this part of the world. This is a data low, mobile-first part of the world. Bug bounties that run in this part of the world are focused on data-low, mobile-first personifications. I would encourage security researchers from Sri Lanka to focus on this,” said Acharya.

Moving his focus toward how Facebook puts their attention towards governments, Acharya said, “There has been a transition that cybersecurity incidents are now being reported far more openly.  These incidents happen routinely without any manipulative consequences. However, these consequences could be of no harm, or they could have a high impact. Either way, we routinely classify security incidents according to level of severity, and we communicate them proactively to regulators. So where ever there are affected users, we communicate to those country’s regulators.”

Acharya also talked about Facebook’s Digital Literacy Library, a platform of resources to help youths better navigate the internet in a positive, responsible way.  “Most people do not securely use the internet. In the Digital Literacy Library, we have courses on passwords, public Wi-Fi, cybersecurity and phishing and so forth. These courses help users to be educated on data privacy and safe internet use.”

The interactive lessons and videos on the Digital Literacy Library can be downloaded for free, and they’re meant to be used in the classroom, in after-school programs, or at home. Created from more than ten years of academic research and ‘built in consultation with teens,’ the curriculum is divided into five themes: Privacy and Reputation, Identity Exploration, Positive Behaviour, Security, and Community Engagement. Lessons can be divided into three different age groups between 11 and 18, and they cover everything from having healthy relationships online (group activities include discussing scenarios like ‘over-texting’) to recognising phishing scams.

Cyberspace: the fifth domain of warfare 

UDC Ltd. and Voyager Labs Chief Executive Officer Udi Shaked was the second keynote speaker of the third session.  Speaking to the audience, Shaked said cybersecurity had become an increasingly critical business need. 

“Cybersecurity is a topic that is being discussed across the globe. It is a new war for enterprises, data and governments. The line between offensive cybersecurity and defensive cybersecurity looks very grey,” said Shaked. 

As technology becomes further intertwined with our professional and personal lives, the cybersecurity specialist’s mission of keeping business and personal data safe impacts more people than ever before. As a result, the answer to “What is cyber defence?” has become more complex. There are now multiple cybersecurity tracks: general cybersecurity, offensive cybersecurity, and defensive cybersecurity. Offensive cybersecurity means the deployment of a proactive approach to security through the use of ethical hacking while defensive cybersecurity implies the use of a reactive approach to security that focuses on prevention, detection and response to attacks. General cybersecurity is the utilisation of a mix of offensive and defensive tactics to provide security. 

Udi Shaked has been greatly involved in Homeland Security with a focus on high-end cyber solutions and associated technologies. He spearheaded the creation of corporate product development, market penetration and sales strategies for the organisation. Speaking about his business, Shaked said they collect information, analyse them and take necessary action to mitigate cyber threats which occur in the social media sphere.  “Today, technology can do anything. Tools powered by emerging technologies like artificial intelligence/ machine learning (AI/ML), digital sentiments and analytics and big data can perform data collection and analysis at scale and even conduct a PEST (Political, Environmental, Social and Technology) analysis for any organisation.”

Udi mentioned that there are multiple data collection touchpoints. “You can collect information from many sources such networks, critical infrastructures including airports, transportation systems, power grids and financial sector, which are critical assets for any nation and finally, devices. The information inside your mobile device plays a crucial role. With all these different touchpoints for collection and analysis, governments need to have security operations centres (SOC) where state-of-the-art technologies are connected and integrated; not just physically integrated but intelligent wise integrated as well. The integration needs to happen to collect different sets of data coming from different sources to make decisions based on insights,” said Shaked. 

Shaked later introduced VoyagerCheck to the audience, a proprietary AI technology by Voyager Labs. “VoyagerCheck puts pioneering deep learning, machine learning, and Natural Language Processing (NLP) algorithms to work for security professionals. By understanding patterns of behaviour from billions of data points, this rapid assessment solution can answer pre-defined questions with remarkable accuracy. The platform allows users to perform extremely high volumes of assessments daily, without compromising on precision over time. The platform can, for example, be used to evaluate risk or ascertain geographical affiliation, helping organisations make more informed decisions at scale.”

“We use this technology to perform three things. We can collect information very quickly and perform machine analysis. Secondly, we can perform assessments from the information we received; VoyagerCheck can perform automated assessments at scale with the click of a button.  The third element is the ability to perform visual investigations using the images which are stored in a particular network. VoyagerChecker can retrieve results within minutes, based on the most recent publically available unstructured data and get answers when you need them most, based on analysis of billions of data points,” Shaked commented.    

Shaked also mentioned that at Voyager Labs, they believe cyberspace is the fifth domain of warfare after land, sea, air and space. “Within this domain, terrorists interact, recruit and spread propaganda. Criminals communicate more effectively and discreetly. And National Security may be compromised. Within this new domain are billions of data points, which humans cannot grasp unassisted. But artificial intelligence can. Advanced AI-driven technologies can help agents and analysts identify clues and important information hidden in the sea of unstructured data, to augment their productivity and stay one step ahead of national threats.”

“In such context, Voyager Labs always stay one step ahead with artificial intelligence. Voyager Labs’ unique AI-powered platforms can help agents and analysts with a variety of missions and tasks that are becoming increasingly complex in today’s digital environment. For example, VoyagerCheck can help you assess risks and other factors at scale, support decisions and prioritise activities. Not only VoyagerCheck but also a product like VoyagerAnalytics can help you leverage massive amounts of publicly available unstructured data and glean deep, actionable insights to focus and advance investigations and intelligence missions.  Furthermore, VoyagerVision can help you harness visual data to understand human behaviour, adding another rich layer of information to your decision-making process.” 

Thoughts from panellists

ICTA Legal Director Jayantha Fernando and John Keells Holdings Executive Vice President/Group Chief Information Officer Ramesh Shanmuganathan joined the third session of the Cyber Security Summit 2019 as panel members alongside Acharya and Shaked. 

Speaking during the panel discussion, Shanmuganathan said that social media is a double-edged sword. “It is a necessity for everyone where we are headed in as the internet is helping to create a flatter ecosystem. In such a context, social media plays a pivotal role by providing people with access to information and giving them a voice as well. Taking the right away from the citizen is not how governments should go about social media. We need to start managing the downside of social media with intelligence. Preventive intelligence is more important than focusing on intelligence post a disastrous situation. We have to keep up with the pace of the technology evolution; the cyber resilience has to keep up with the pace of it.”  Discussing social media bans, he said, “Just because a handful of people who abuse social media with unnecessary elements, I do not think it is the right move to take away the access to social media platforms from every citizen. That is where we need to have proper governance in place. At the Microsoft Inspire event, Microsoft CEO Satya Nadella spoke about responsible and ethical artificial intelligence. I believe governance is a responsibility of social media platform providers; they can give AI tools to intelligence agencies to be able to govern in terms of what is happening at the backdoor; not in terms of privacy but in terms of managing the threat intelligence. Sri Lanka has CERT (Computer Emergency Readiness Team) from an internet point of view. Social media providers should also focus on creating a confluence or a body like the CERT to govern the use of social media,” said Shanmuganathan. 

Commenting about the stability of social media tools, Jayantha Fernando said, “With the increase in the use of social media tools, there is going to be abusers.  Looking at the current context, the need for more interactive and cooperative models between social media platforms and law enforcement agencies to mitigate rising cyber threats is a must. On the point of collaboration, I would comment that Facebook has taken proactive measures to ensure a great collaborative ecosystem. I think the learning curve is evolving; people still understand the extent to which these providers collaborate effectively to develop better cyber norms which are essential for the growth of this sector if we are to use these tools positively.”

“In Sri Lanka, we have the benefit of being part of an international community—being part of the Budapest Convention—where we can have criminal justice collaboration on a real-time electronic evidence-gathering system so that we have a faster collaborative approach than our neighbouring countries.  It is important for us to leverage on that and use these tools for the betterment of our country and better economic development,” Fernando commented further.  

The strategic partners of 2019 Cyber Security Summit were Cisco and Visa, and the Co-Sponsor was Cellebrite. Other partners included official payment network, LankaPay; insurance partner Sri Lanka Insurance; official printing partner, Lake House Printers and Publishers; hospitality partner, Cinnamon Grand; creative partner, Triad; and electronic media partner, TV Derana.