Quo vadis cyber risks? At it-sa Expo&Congress special keynote speaker Peter Hacker talks about risks and geopolitical challenges

The tenth Special Keynote at it-sa Expo&Congress on 24 October 2024 once again guarantees exciting insights and an outlook into the future of cyber security.

Risks and strategies for overcoming them will take centre stage when special keynote speaker Peter Hacker addresses the audience.

The expert, entrepreneur and author Peter Hacker researches and deals globally with the topics of digital change, cybercrime and cybersecurity. Peter’s expertise is sought after by Corporations, International and Regional Organizations, Regulators and Rating Agencies. He is Founder and Managing Director of Distinction.global, an independent, globally operating cybersecurity and risk transfer think tank based in Switzerland.

In this interview, Hacker talks about points that he will be discussing in detail in his exclusive keynote speech: The perception of cyber risks at top management level, growing geopolitical challenges, the importance of artificial intelligence and resilience as a decisive factor in withstanding cyber attacks.

Since when have you been involved in cybersecurity, and was there a specific trigger for it?

New technologies and digitalization have fascinated me for many years. I developed a passion for programming and coding early on. Alongside this, I also sparked an interest in the darker side of technology. It quickly became clear to me how closely technical possibilities and security are linked. Cybersecurity, therefore, fits perfectly for me. Preparing clients with my team for the rapidly changing risk landscape, devising new technologies, seizing opportunities, and addressing risks – as an internationally active IT security expert, I bear my share of the responsibility we all have for a secure digital future.

You are a sought-after expert worldwide and directly experience the perception of cyber risks at the highest management level. What questions do top managers come to you with?

For many board members or senior executives I speak with, cyber risks are now at the top of the risk radar. This is partly because board members – especially in the USA – have already been fired and held legally liable due to material damages caused by cyberattacks. As a result, I sense a certain concern about giving the topic sufficient attention. Additionally, the realization is finally, albeit slowly, dawning: an investment in cybersecurity protects intangible assets such as intellectual property or brand reputation. This is also due to the increasing frequency and complexity of cyberattacks on critical infrastructure or essential services and their financial, legal, and security consequences. Gradually, IT security is no longer perceived at the board level merely as an ‘operational expense’. However, despite the growing fear of being caught off guard, too little is being invested. Moreover, there is simply a lack of qualified resources. Geopolitical tensions are currently affecting international trade and supply chains in unprecedented ways.

You mention the increasingly unstable geopolitical situation. Which aspects of the global security landscape are particularly in focus?

Tensions between superpowers will continue to increase. The complexity of cyberattacks has risen globally, making further arms races likely. The US elections will also lead to further escalation of potential new attack vectors and targets in cyberspace. Regional conflicts such as Russia-Ukraine and Israel-Gaza have fueled new attack trends and hacktivism, focusing on social, economic and political targets. We must continue to deal with social engineering, ransomware, business email compromise (BEC), website defacements, and complex attacks using wiper malware. Additionally, new AI-driven attack methods are exacerbating the challenges, often supported by state actors.

How well-prepared are companies in the DACH region in terms of cybersecurity, in your opinion?

In Germany, Austria, and Switzerland, I often work with industrial, technology, pharmaceutical, and financial companies. Their IT and operational technology remain prime targets for cybercriminals. Industrial plants are much more vulnerable today than in the past when IT and OT were separate. The connection with IIoT (Industrial Internet of Things) further increases the risk of successful attacks on OT due to a simultaneous link between organizational data (logistics and shipping) with technical data from computer-aided manufacturing/processing systems (production). Moreover, there is too often a lack of urgently needed investments and upgrade requirements. I am alarmed by the frequency of social engineering attacks on sectors such as energy, gas, oil, mechanical engineering, automotive, banking, insurance, pharmaceuticals, and technology. Massive incidents are only a matter of time.

What can we learn from other countries?

We are in a digital arms race. Hackers are attacking critical infrastructure worldwide, including in the DACH region. Investments in protecting this infrastructure should be a priority. My urgent recommendation: rethink security concepts, keep systems up to date, regularly train teams, relieve the burden from their shoulders as quickly as possible (limited resources inevitably lead to burnout) and renumerate better. Above all, we must always remember: humans are often at the centre of attacks. Awareness of cybersecurity is therefore crucial. Equally important is the topic of cyber resilience, i.e., response and recovery. It is more important than ever today to maintain the ability to act even in the event of an attack, i.e., to react actively. At the board or executive level, there needs to be more insight that cybersecurity is not just a cost issue but serves the company’s value. This requires an in-depth understanding at the top management level of what is at stake, for instances, among others, but not limited to liability risks and fiduciary duties, and what kind of pre-incident tested response and recovery options exist within the first 12h -72h of an attack – the so-called “actionable intelligence” at hand.

Should managers therefore view cybersecurity as a positive factor for business success?

Exactly. Understanding every single investment in cybersecurity as an investment in the protection of intangible assets and not as a cost factor is the central question for more IT security. We need a cultural change here. A significant attack on the global financial system, a nuclear power plant, or the energy infrastructure is a nightmare scenario – unfortunately, not impossible. The potential cyber risk is constantly changing and becoming more systemic. Missing patches, stressed resources, outdated software, and the rapid pace of digitalization form the basis. Added to this are massive, rapidly growing, and sometimes very complex physical and digital dependencies and software supply chain threats. These developments bring exponentially growing challenges for the IT security community. At the top level, there needs to be a clear stance that defines IT security as a positive contribution to business success.

What obstacles do you see in sustainably implementing cybersecurity concepts?

Criminals need less skill and financial resources. They also no longer need extensive organization – cybercrime-as-a-service means that many actors operate independently. At the same time, the cost, organizational, and workload pressure on security teams is growing exponentially. We are still at the beginning of the digital era. The use of AI will also exacerbate the threat situation – and even today, we do not have enough resources and often too little funding. In my view, it is time for the importance of cybersecurity to be established not only at the executive level but also to be represented personnel-wise! Unfortunately, I often see in our global mandates that material damages and liability obligations must first arise before board members become aware of the enormous importance of cybersecurity to day-to-day business.

There is a real hype around AI, and the discussion about opportunities and risks will play a major role at the it-sa Expo&Congress. How do you assess the potential of AI for cybersecurity and the clash between attackers and defenders?

I like to look at this question from three perspectives.

Thanks to AI, we can fundamentally recognise attack patterns faster and receive important clues about malware mutations. AI technologies shorten response times and improve defence strategies through real-time analysis of threat data. In the future, vast amounts of information and connections can be evaluated even better and checked for suspicious patterns immediately.

Experience shows that in the event of a ransomware attack, the so-called Last Known Good Configuration Recovery Option is often insufficient. As a result, new attacks keep occurring. Today, the use of AI technologies in Data Clean Rooms, although costly, brings enormous advantages. These are secure, protected environments where personal data is cleaned and processed using AI technologies, making it available for various data analyses.

However, attackers also benefit. A direct approach, for example, focuses on programming malware and attack vectors to target AI-based virus scanners. The attacker’s goal is actually simple yet highly efficient: to identify specific behaviours and events that the scanner deliberately searches for. Such activities lead to a profile, which in turn allows the AI model to be optimised accordingly. Patterns can be created regarding tactics, techniques, and behaviours, enabling existing AI models to be replicated and deceived with fake data.

We have been researching AI technologies for some time to assist our clients in the ever-changing risk landscape. It is clear that even with AI, it will remain a cat-and-mouse game with attackers. Therefore, we are well-advised to give the opportunities presented by AI technologies the same priority as their risks.

You are deeply involved with cyber insurance. How important is this component in your view for protection?

We work with insurers and companies on the topic of cyber insurance. These coverages are useful when they are tailored to the risk profile and tested in real scenarios. However, damages from attacks on critical infrastructure or government entities are hardly insurable.

Fundamentally, I believe that state-sponsored cyberattacks of any kind have a systemic component. Consequently, they cannot be insured solely by the private sector. When state-sponsored attacks have systemic impacts, the gap between economic damages and insurance capacity is unbridgeable. I see the only way for such cyber risks is through a partnership between the insurance industry and the public sector. There have already been some efforts in Singapore or current projects in the USA and the United Kingdom.

How is the market for cyber insurance developing?

Globally, we are talking about a premium volume of nearly 16 billion US dollars this year. 85 percent of this is concentrated in North America and Europe. More than two-thirds of this is accounted for by the USA and Canada. Growth markets include South America, Asia-Pacific, and the Middle East, including India. We expect the premium volume to double by 2030 due to digitalization. In the DACH region, there is significant catch-up potential for SMEs, but it also requires substantial investment in implementing IT security strategies and risk management.

As a Special Keynote Speaker at the it-sa Expo&Congress, you will take the stage in Nuremberg on 24 October. You ask, “Quo vadis cyber risks?” – what can attendees look forward to?

Of course, I will take a look at the status quo and deepen my analysis of the points already mentioned here, such as cyber risks, AI, and geopolitics. However, what is more important to me is the development that is already on the horizon:

Digitalization and the associated cyber risks are irreversible. Our level of interconnectedness has never been higher, the IT dependencies have never been more challenging than today but also the potential of our Industry is exponentially growing. In the future, technologies, codes, malware, and viruses will develop into strategic, economic, and geopolitical assets – but also challenges – on an unprecedented scale. The importance of cybersecurity will grow exponentially.

Our future will become more unpredictable and less foreseeable. The question is: where are these developments leading, and what do they mean for states, companies, and society?