More stories

  • in

    Get maximum security and unlimited bandwidth with a 2-year subscription to IPVanish

    Now that the world is open to travel again, digital nomads (and those learning skills suitable for remote work) are dying to start working in exotic locations. But private browser windows just aren’t enough anymore. Only a maximum strength virtual private network will ensure your privacy and the security of your data. IPVanish VPN will do that and more, and a 2-Yr Subscription is currently available at over 70% off for just $69.99.

    Once you connect to IPVanish, all of your online activities will be routed through an encrypted tunnel, ensuring your privacy remains absolute. The entire time you browse the web, stream video, send messages, and everything else, your IP address is thoroughly concealed, even from the company itself. IPVanish guarantees a zero-logs policy on all of your apps. In fact, even automatic diagnostics won’t be performed. In addition to keeping your online presence private, IPVanish offers 256-bit AES encryption to keep your data perfectly safe. No need to worry anymore about hackers and snoops on public WiFi networks. And unlike a lot of other VPNs, you won’t have to sacrifice speed in order to stay safe. With IPVanish, you’ll get completely unmetered bandwidth and unthrottled speed on an unlimited number of devices. You’ll also get access to over 1,900 servers in more than 75 locations, which means geo-restrictions are a thing of the past, as well. From now on, you can watch all your favorite content from wherever you happen to be without getting that irritating message saying it’s not available in your particular location. Best of all, this all happens seamlessly. There are user-friendly apps for all platforms, no matter which device you’re using. But if you do happen to run into any issues, IPVanish offers 24/7 customer support. Users and reviewers both find IPVanish quite satisfactory. The app has a 4.5 out of 5 stars rating on Apple’s App Store, and TechRadar has this to say: “US-based IPVanish is an appealing VPN provider with a long list of features, including several that you won’t often see elsewhere.”

    To surf the web securely without a trace, on a speedy connection from absolutely anywhere, grab a 2-year subscription to IPVanish today for only $69.99, a 73% discount off the usual $263 price.

    ZDNet Academy

  • in

    Box adds new integrations with Microsoft, Slack, steps up security

    Box on Wednesday announced new, major integrations with Microsoft and Slack, as well as a series of product updates that include new, AI-driven malware protection. Box rolled out the updates during its annual BoxWorks conference, following a turbulent year that has ramped up cloud-based content management and collaboration expectations.  “This past year and a half, everything we’ve been doing has been consistent with our long-term vision,” Box CEO Aaron Levie said to ZDNet. “But the rate of change and number of things we’re doing vastly exceeds what we would’ve imagined.” 


    For instance, Levie said, strong customer demand drove Box’s entry into the e-signature market — something he didn’t necessarily foresee happening a few years ago, he said. “But because of COVID-19, everyone’s moving to digital workflows, and we’re now entering a multi-billion dollar category.” After acquiring SignRequest for $55 million in February, Box released its native e-signature feature, Box Sign, to a subset of users in July. This week, Box is rolling it out to all US users.  “Fundamental patterns of work are evolving because of this hybrid nature of working in different locations,” Levie said. “It’s affecting our entire product roadmap.”  The accelerated move to digital work also spurred a spike in ransomware attacks. To respond to the problem, Box is adding new capabilities to Box Shield, the company’s flagship security control and threat detection solution. The new malware deep scan capability scans files in near real-time as they are uploaded to Box. It uses deep learning technology and external threat intelligence to analyze the data within files and contain malware. The feature is designed to minimize disruptions to workflows. Admins, for instance, can occasionally override threat verdicts for low-risk content.
    Box also announced improved, machine learning-powered alerts in Box Shield, as well as more detailed alerts for admins that explain why certain behaviors are deemed risky. 

    Over time, Levie said, Box plans to add more features to Box Shield that will help customers with rollbacks in the event of an attack, as well as features to prevent ransomware from getting into different file environments.  In addition to updating Box Shield, Box is revamping Box Notes with more collaboration features. The improved product will let users add a table of contents, anchor links, and more to simplify content organization and navigation within a Box Note. It will also include call-out boxes so users can better highlight content, code blocks to simplify the technical collaboration process, and in-line cursors to help keep track of edits in real-time. It will also feature new security and control capabilities, like granular permissions and access stats. The updated Box Notes is expected to be generally available in January 2022 and will be included in the core Box offering at no additional cost. Meanwhile, the Box mobile app is getting a new Capture Mode, for iOS and Android, for seamlessly capturing, scanning, and uploading photos, audio, or documents. This should make it easier for field teams to add content directly into Box. The app is also getting Optical Character Recognition (OCR) technology that recognizes text automatically and turns scanned documents into searchable PDFs. The new OCR feature includes multi-language support. There will also be a redesigned iPad experience with a simplified layout.  In terms of integrations, Box for Microsoft Office will now enable real-time co-authoring on the Office desktop, and mobile apps (including Microsoft Word, Excel and Powerpoint) with all edits automatically saved to Box. Meanwhile, an updated Box for Microsoft Teams integration will allow customers to default to Box as a storage option in Teams. Box and Microsoft have hundreds of thousands of joint customers. 
The enhanced Box for Microsoft Office integration is expected to be available in early 2022, and the Teams integration is expected to be available by the end of the year.  Box is also deepening its integration with Slack, so users can make Box the content layer in Slack by uploading files directly to Box through the Slack interface. They can maintain Box’s security and compliance standards, even when files are uploaded through Slack. The new capabilities are expected to be available later this year and will be included in the core Box offering.

  • in

    Ransomware law would require victims to disclose ransom payments within 48 hours

    Victims of ransomware attacks who choose to pay a ransom to cyber criminals for the decryption key could have to publicly disclose that a payment was made within 48 hours of doing so. The Ransom Disclosure Act proposed by US Senator Elizabeth Warren and Representative Deborah Ross would require organisations which fall victim to ransomware attacks and pay the ransom to detail information about the payment. Information about ransom payments which would have to be disclosed includes the amount of ransom demanded and paid, the type of currency used to pay the ransom – commonly paid in Bitcoin – and any known information about the attackers demanding the ransom. The information would have to be disclosed to the Department of Homeland Security (DHS) within 48 hours of the payment being made. The aim of the bill is to provide DHS with better information about ransomware attacks to help counter the threat they pose to businesses and other organisations across the United States. “Ransomware attacks are skyrocketing, yet we lack critical data to go after cyber criminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cyber criminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

    The threat of ransomware has loomed large throughout this year and several incidents have had a direct impact on people’s daily lives. The Colonial Pipeline ransomware attack led to a shortage of gas in the North Eastern United States as people rushed to stockpile – the company paid cyber criminals millions of dollars in order to get the decryption key.

    Meat processor JBS USA paid an $11 million ransom to cyber criminals after falling victim to a ransomware attack in June. While the FBI discourages the payment of ransoms, many victims feel the need to make the payment, perceiving it as the quickest way to get the network up and running again. But even with the correct decryption key, restoring the network can still be a slow and arduous process. Many victims are also coerced into making the ransom payment because ransomware cyber criminals steal sensitive information from the network before encrypting it and threaten to leak the data if they’re not paid. But it’s because victims regularly give in to extortion demands that ransomware is still so lucrative and attractive for cyber criminals.

    “Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation,” she added. Currently, the Ransom Disclosure Act is just a proposal. In order to become legislation it will have to be approved by both the House of Representatives and the Senate before it could be signed into law by President Biden.

  • in

    Apache HTTP Server Project patches exploited zero-day vulnerability

    Developers behind the Apache HTTP Server Project are urging users to apply a fix immediately to resolve a zero-day vulnerability. 

    According to a security advisory dated October 5, the bug is known to be actively exploited in the wild. Apache HTTP Server is a popular open source project focused on the development of HTTP server software suitable for operating systems including UNIX and Windows. The release of Apache HTTP Server version 2.4.49 fixed a slew of security flaws including a validation bypass bug, NULL pointer dereference, a denial-of-service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability.  However, the update also inadvertently introduced a separate, critical issue: a path traversal vulnerability that can be exploited to map and leak files.  Tracked as CVE-2021-41773, the security flaw was discovered by Ash Daulton of the cPanel security team in a change made to path normalization in the server software.  “An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the developers say. “If files outside of the document root are not protected by “Require all denied” these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”

    Positive Technologies has reproduced the bug, and Will Dormann, vulnerability analyst at CERT/CC, says that if the mod_cgi module is enabled on Apache HTTP Server 2.4.49, and the default Require all denied directive is missing, then “CVE-2021-41773 is as RCE [remote code execution] as it gets.” CVE-2021-41773 only impacts Apache HTTP Server 2.4.49, as it was introduced in this update; earlier versions of the software are not impacted. Yesterday, Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. The vulnerability was privately reported on September 29 and a fix has been included in version 2.4.50, made available on October 4. It is recommended that users upgrade their software builds as quickly as possible.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
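
    A defender-side audit of the three conditions named in the Apache story above, added here as an example (not code from the Apache project, the advisory or the article): affected version 2.4.49, a root `<Directory />` block without `Require all denied`, and a loaded CGI module. The banner strings and both configurations are constructed samples, and the parser assumes simple, non-nested `<Directory>` blocks in a single file.

```python
import re

# Per the article: only 2.4.49 is affected; the fix shipped in 2.4.50.
AFFECTED_VERSION = (2, 4, 49)

BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
DIR_OPEN_RE = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
DIR_CLOSE_RE = re.compile(r"^</Directory\s*>$", re.IGNORECASE)
REQUIRE_RE = re.compile(r"^Require\s+(.+)$", re.IGNORECASE)
CGI_MODULE_RE = re.compile(r"^LoadModule\s+(cgi|cgid)_module\b", re.IGNORECASE)

# Constructed sample: root directory left open and CGI loaded.
WEAK_CONFIG = """
LoadModule cgid_module modules/mod_cgid.so
DocumentRoot "/usr/local/apache2/htdocs"
<Directory />
    AllowOverride none
    Require all granted
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
"""

# Constructed sample: root directory denied, CGI module commented out.
HARDENED_CONFIG = """
#LoadModule cgid_module modules/mod_cgid.so
DocumentRoot "/usr/local/apache2/htdocs"
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
"""


def active_lines(config_text):
    """Yield stripped, non-empty, non-comment configuration lines."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_version(banner):
    """Extract (major, minor, patch) from a Server banner, or None."""
    match = BANNER_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def directory_requires(config_text):
    """Map each <Directory> path to its normalised Require arguments."""
    blocks, current = {}, None
    for line in active_lines(config_text):
        opened = DIR_OPEN_RE.match(line)
        if opened:
            current = opened.group(1)
            blocks.setdefault(current, [])
        elif DIR_CLOSE_RE.match(line):
            current = None
        elif current is not None:
            require = REQUIRE_RE.match(line)
            if require:
                blocks[current].append(" ".join(require.group(1).lower().split()))
    return blocks


def cgi_enabled(config_text):
    """True when mod_cgi or mod_cgid is loaded by an uncommented LoadModule."""
    return any(CGI_MODULE_RE.match(line) for line in active_lines(config_text))


def audit(banner, config_text):
    """Return findings for the conditions the advisory describes."""
    findings = []
    version = parse_version(banner)
    if version is None:
        findings.append("version-unknown")
    elif version == AFFECTED_VERSION:
        findings.append("affected-version")
    root = directory_requires(config_text).get("/")
    if root is None:
        findings.append("root-directory-block-missing")
    elif "all denied" not in root:
        findings.append("root-not-denied")
    if cgi_enabled(config_text):
        findings.append("cgi-enabled")
    return findings


if __name__ == "__main__":
    print(audit("Apache/2.4.49 (Unix)", WEAK_CONFIG))
    print(audit("Apache/2.4.50 (Unix)", HARDENED_CONFIG))
```

    A clean result on the configuration checks does not replace the upgrade to 2.4.50 that the article recommends; the checks only show which hosts are most exposed while patching is rolled out.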

  • in

    Looking ahead to the API economy

    As someone who builds integration products, I spend a lot of time researching industry and technology trends while speaking with analysts, engineers, architects, target customers, and my product peers. This work inevitably drifts my point of view into some version of “what’s happening now, what is likely to happen over the course of the next few years, and what is my role in guiding the industry to the best possible future?” This article intends to provide a synthesis of the most impactful ideas over the past year and their influence on my go-forward thinking as a connectivity Product Manager. I hope you enjoy the reading and look forward to your thoughts in the comments.

    APIs become a part of internet fabric

    To some students of modern technological history, the “connectivity” part of the internet looked very different just a few decades ago. By “connectivity,” I mean APIs, protocols such as HTTP, and agreed-upon architectural patterns that unlock data. As a result, technology professionals speak about “legacy modernization” projects to expose old technology silos that would otherwise remain hidden from the digital lifeblood of the business. These so-called digital transformation projects often relied on XML-RPCs to enable integrations with mainframes while the new digital era brought standards such as REST, GraphQL and Web of Things.
    While established companies invest in new APIs to support digital transformation projects, early startups build on top of the latest technology stacks. This trend is turning the Internet into a growing fabric of interconnected technologies the likes of which we’ve never seen. As the number of new technologies peaks, the underlying fabric — otherwise known as the API economy — fuels the market to undergo technology consolidations with the historic-high number of acquisitions. There are two interesting consequences of this trend. The first is that all of this drives the need for better, faster, and easier-to-understand APIs. Many Integration-Platform-as-a-Service (iPaaS) vendors understand this quite well. Established iPaaS solutions, such as those from Microsoft, MuleSoft, and Oracle, are continually improved with new tools while new entrants, like Zapier and Workato, continue to emerge. All invest in simplifying the integration experience on top of APIs, essentially speeding the time-to-integration (a level of growing importance when it comes to business agility). Some call these experiences “connectors” while others call them “templates.” But in the end, the leading integration minds are actively invested in this area.

    The second consequence is well-defined, protocol-based connectivity. Looking at the world of REST, a well-accepted architectural style defined in Roy Fielding’s dissertation, we see that REST APIs dominate the scene with well-established specification standards such as the OpenAPI Specification (previously known as Swagger). Not only do these protocols enable industry-leading iPaaS solutions to agree on what the next world of connectivity will look like, they also set the foundation for new experiences — often referred to as innovation — to evolve. More technologies just keep emerging, offering visualization and transformation products that understand these standards while bringing more users into the world of connectivity.

    I am excited about the potential of this space and its ability to define the fundamental building blocks of the future internet with APIs as the centerpiece of its fabric.

    Breaking silos with indexed search and browser-like API discovery

    Moving from specialized tools and standards to a simple API discovery layer means that any employee who can write queries and logic flows will also be able to build full-fledged applications and customer-facing experiences. Many leading analysts are now seeing this dynamic as more APIs are consumed by less-technical departments like marketing, finance, sales, and HR. I see this trend further evolving in two major forms. The first of these is universal API search and discovery. Many of us are using Google to search for information, and “Googling” endpoints (the addressable location of an API) and data shouldn’t be any different. This means more tools will evolve, but the approach we take will be fundamentally different; instead of manually documenting new endpoints with references and API portals, we can start indexing new APIs dynamically based on their machine readable descriptions. Using techniques similar to Google crawler tactics that discover publicly available web pages, more users will have access to all publicly available endpoints and the data. 

    The second form involves how we explore those APIs and the data they contain. Today, many developers start by searching for an API portal, finding a relevant SDK, and sampling an API’s capability with API-consumption tools like Postman. Less-technical users, however, turn to low-code/no-code solutions that bridge the technical gap by demystifying API access (a skill typically reserved for software developers). It’s interesting to think about what will change as we evolve the underlying foundation of those protocols and standards. I believe that we’re soon to see more browser-like discovery tools, where webpages are replaced by endpoints and information is replaced by data. In this world, users can search, query, play, and plug the data instead of worrying about API technicalities like URIs, endpoint syntax, query parameters, etc. Looking ahead, what I find most exciting about this development is that we will see the creation of new digital capabilities that are closer to the end user and are much faster to build. These innovations also trigger a need for enterprise professionals to see the bigger picture of how it all connects, while product leaders and CIOs must pay closer attention to inconsistencies in the customer experience or potential compliance, privacy, and security issues.

    Productizing connectivity: protocols vs. connectivity as a service

    More than ever before, users demand access to data. Yet many existing solutions are too complex, too expensive, or too heavy. This creates a technology vacuum that will be filled in the following ways. On one hand, integration professionals like me will continue to advance connectivity standards. Optimization for ease-of-consumption, particularly by non-developers, will lead to a new API consumption layer, so that less-technical experiences can evolve on top of it.

    On the other hand, new business cases will be made for creating agile API-facade-as-a-service solutions. As more users demand faster time-to-market while taking scalability, availability, and security for granted, more startups will emerge to address the need. We’re already seeing new entrants involving productivity infrastructure as a service by Nylas and a unified API from Kloudless that connects over 150 SaaS solutions through a single canonical model. All of this makes it easier than ever before to build and maintain connections with external systems. As we’re advancing on each front, I suspect that the industry will first need to agree on common architectural patterns as we build new solutions around them.

    Data is the new endpoint in security

    Data breaches are trending up, with a record of 1,767 publicly reported breaches in the first six months of 2021. Our most common attempts at securing data focus on protecting the infrastructure that provides access to it: endpoints. Although this approach makes sense for some organizations, as we shift more infrastructure to the cloud where the infrastructure is far less within their control, securing that infrastructure becomes more problematic. We add more users into the mix who can now search, query, and share data with their favorite apps, and we have a recipe for disaster. To stay ahead of these trends, we first need to change our mindset. Instead of protecting endpoints in the new digital world, we must protect the data. This space is full of interesting innovations with new encryption and tokenization standards that further propagate the zero-trust model. This trend is also recognized by new startups that are building businesses around the idea of protecting data with encrypted data vaults and use-cases ranging from securing PII to offering HIPAA-compliant encrypted data stores.

    Regardless of how we evolve our new API layers, at the core of the “secure” approach will be our ability to discover and work with sensitive data.

    The bottom line

    We are still “rounding first base” in terms of defining the next generation connectivity layer and understanding what kinds of businesses can be built on top of it. As APIs are already in the center of many digital transformations, we’re clearly seeing a trend of simplifying API consumption with low-code/no-code solutions that bring more users to create pluggable enterprises. It’s fulfilling to think of a world where everyone can contribute to improving the business.

    Anton Kravchenko is Director of Product at MuleSoft, a Salesforce Company. If you are thinking about or building products or protocols that touch on any of these ideas, he would love to hear from you.

  • in

    A company spotted a security breach. Then investigators found this new mysterious malware

    A previously undiscovered cyber-espionage campaign using never-before-seen malware is infiltrating global aerospace and telecommunications companies in a highly targeted operation that has been active since at least 2018 but has remained completely under the radar until July this year. The campaign is the work of a newly disclosed Iranian hacking group dubbed MalKamak that has been detailed by cybersecurity company Cybereason Nocturnus, which discovered it after being called by a client to investigate a security incident.  


    Dubbed Operation GhostShell, the aim of the cyber-espionage campaign is compromising the networks of companies in the aerospace and telecoms industries to steal sensitive information about assets, infrastructure and technology. The targets – which haven’t been disclosed – are predominantly in the Middle East, but with additional victims in the United States, Europe and Russia. Each target appears to have been handpicked by the attackers. “This is a very, very targeted type of attack,” Assaf Dahan, head of threat research at Cybereason, told ZDNet. “We’ve only managed to identify around 10 victims worldwide.” MalKamak distributes a previously undocumented remote access trojan (RAT) known as ShellClient that is designed with espionage in mind – which is why it remained undetected for three years. One of the reasons the malware has remained so effective is because the authors have put a lot of effort into making it stealthy enough to avoid antivirus and other security tools. The malware receives regular updates so that this continues to be the case. “Each iteration, they add more functionality, they add different levels of stealth,” said Dahan.

    ShellClient has even started implementing a Dropbox client for command and control on target networks, making it difficult to detect because many companies might not notice or think much of yet another cloud collaboration tool performing actions, if they even notice it at all.  It’s all part of the plan to use the trojan to monitor systems, steal user credentials, secretly execute commands on networks and ultimately steal sensitive information. Each infected machine is given a unique ID so the attackers can keep track of their work during the weeks and months they’re snooping around compromised networks.  “Once they’re in, they start conducting extensive reconnaissance of the network. They map out the important assets – the crown jewels they would go for, key servers such as the Active Directory, but also business servers that contain the type of information that they’re after,” said Dahan.  The campaign successfully remained undetected until July, when researchers were called in to investigate an incident. It’s possible that the attackers got too confident in their tactics and overplayed their hand, leaving evidence that allowed researchers to identify the campaign and the malware being deployed. “According to what we’re seeing, in the last year, they picked up the pace. Sometimes when you’re faster you can be slightly sloppy or simply there’ll be more instances that would be detected,” Dahan explained.

    Analysis of MalKamak’s tools and techniques led researchers to believe that the attacks were the work of a hacking operation working out of Iran, as one of the tools ShellClient RAT uses for credential dumping attacks is a variation of SafetyKatz, which has been linked to previous Iranian campaigns. The targeting of telecoms and aerospace companies operating in the Middle East also aligns with Iran’s geopolitical goals. But while there are similarities to known Iranian state-backed cyber-espionage operations including Chafer (APT39), which uses similar techniques to target victims in the Middle East, US and Europe, as well as Agrius APT, which shares similarities in malware code, researchers believe that MalKamak is a new Iranian cyber operation – although it likely does have connections to other state-sponsored activity. Researchers also believe that Operation GhostShell remains active and that MalKamak will continue to evolve how it conducts attacks in order to continue stealing information from targets. It’s currently not known how the attackers gain initial access to the network, but there’s the possibility it comes via phishing attacks or from exploiting unpatched vulnerabilities.

  • in

    Meet ESPecter: a new UEFI bootkit for cyber spying

    A new bootkit for conducting covert cyberespionage that is able to compromise system partitions has been discovered. 

    Researchers from ESET say the new malware, dubbed ESPecter, was only found recently but the origin of the bootkit has been traced back to 2012 — suggesting that the software is stealthy enough to have avoided detection by cybersecurity teams for the best part of a decade. “We traced the roots of this threat back to at least 2012; it was previously operating as a bootkit for systems with legacy BIOSes,” commented ESET researcher Anton Cherepanov. “Despite ESPecter’s long existence, its operations and upgrade to UEFI went unnoticed and have not been documented until now.” The only radical change in the malware since 2012 is a shift from legacy BIOS and Master Boot Record (MBR) infiltration to modern UEFI. UEFI is a critical component in the pre-OS stage of a machine starting up and has a hand in loading an operating system.  The malware takes root in the EFI System Partition (ESP) and persists through a patch applied to the Windows Boot Manager, however, this is yet to be fully analyzed.  The patch allows ESPecter to bypass Windows Driver Signature Enforcement (DSE) protocols to load its own unsigned drivers on a target machine and inject other components to create a connection to the operator’s command-and-control (C2) server.  ESET found an ESPecter sample on a PC together with keylogging and document-stealing functionality modules, an indicator that the malware is likely used for surveillance purposes. 

    Once executed on a target machine, ESPecter is able to deploy a backdoor containing commands for cyber spying, and alongside key logs and documents, the malicious code also takes screenshots on a regular basis and hides this content in a hidden directory.  However, the Secure Boot feature has to be disabled for a successful ESPecter attack.  “It’s worth mentioning that the first Windows version supporting Secure Boot was Windows 8, meaning that all previous versions are vulnerable to this persistence method,” the team says. The researchers have not found concrete evidence for attribution, but there are clues in the malware’s components — specifically debug messages — which suggest that the threat actors are Chinese-speaking.  It is also not known how ESPecter is distributed; however, there are a number of potential scenarios: an attacker has physical access to a target machine, Secure Boot has already been disabled, or the exploit of either a zero-day UEFI bug or a known, but unpatched, security flaw in legacy software.  “Even though Secure Boot stands in the way of executing untrusted UEFI binaries from the ESP, over the last few years we have been witness to various UEFI firmware vulnerabilities affecting thousands of devices that allow disabling or bypassing Secure Boot,” ESET says. “This shows that securing UEFI firmware is a challenging task and that the way various vendors apply security policies and use UEFI services is not always ideal.”

  • in

    Asean champions regional efforts in cybersecurity, urges international participation

    Asean has championed the region’s efforts in cybersecurity and pledges to drive further collaboration amongst member states, including plans to adopt common standards and best practices. It also urges the need for participation from the international community, particularly as digital transformation continues to accelerate amid increasing cyber threats.  To date, Asean is the only regional organisation to have subscribed, in principle, to the United Nations’ (UN) 11 voluntary, non-binding norms of responsible state behaviour in cyberspace, according to Singapore’s Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity, Josephine Teo.   Asean advocated the need to implement the international cyber stability framework and was making good progress on the roadmap to guide adoption of the norms, said Teo, who was speaking Wednesday at the Asean Ministerial Conference on Cybersecurity, held in conjunction with Singapore International Cyber Week.

    Pointing to the Asean Regional Action Plan, she said Singapore and Malaysia recently organised a workshop with other member states. The region was expected to officially endorse the action plan at the Asean Digital Ministers’ Meeting on December 1, 2021.  There currently are 10 Asean member states including Singapore, Indonesia, Thailand, Malaysia, and the Philippines. The region in September 2018 agreed on the need for a formal framework to coordinate cybersecurity efforts, outlining cyber diplomacy, policy, and operational issues.  Member states had underscored the importance of “a rules-based cyberspace” to drive economic progress and improve living standards. Internal laws, voluntary, and non-binding norms of state behaviour, as well as practical “confidence-building” measures were essential to ensure the stability of cyberspace, they said.  They added that such plans would include the region’s efforts to observe the 11 norms recommended in the 2015 Report of the UN Group of Governmental Experts. The 11 norms outline what the international organisation deemed necessary to create a “free, open, peaceful, and secure cyberspace”, including global cooperation to develop and apply “measures to increase stability and security in the use of ICTs” and to “not knowingly allow their territory to be used for internationally wrongful acts using ICTs”.

    Speaking virtually at the Asean Ministerial Conference, Asean Secretary-General Lim Jock Hoi said the global pandemic underscored the need for a coordinated approach to address cyber threats.  Noting that digitalisation had accelerated, Lim said Asean–ready or not–would have to embrace digital transformation to maximise its benefits and work towards building a regional community. Here, he added that the region had kicked off various initiatives including digital economy agreements and the 2019 Asean Agreement on Electronic Commerce, which aimed to facilitate collaboration and growth of e-commerce transactions in the region. With increased digital adoption, though, came higher exposure to cybersecurity threats that could cause significant damage, he said. He noted these included ransomware, phishing, and Distributed Denial of Service (DDoS) attacks that had disrupted business operations, impacted individuals, and threatened the stability of Asean communities.  Such threats and cybercrimes were becoming widespread across the region, targeting critical information infrastructures (CII) such as oil, energy, and e-commerce. Without “resolute action” within Asean member states, Lim said these challenges would significantly undermine the resilience of and trust in the region’s digital economies and prevent them from realising their full potential.  He said member states already were working to enhance the region’s cybersecurity posture, including efforts to strengthen partnerships amongst the respective CERTs (Computer Emergency Response Teams) to build “mutual trust” in dealing with security incidents. The Asean CERT was established to improve the region’s knowledge and capacity to respond and mitigate the impact of cyber attacks, he noted.
The development of a coherent regulatory and policy framework on cybersecurity also was essential in Asean, he added, which he said could be accomplished through regional frameworks for cybersecurity maturity assessment and CII security.  There also should be cybersecurity standards and best practices to drive interoperability across the region, which would further support the secure and trusted use of digital technologies and drive an integrated Asean economy, he said.

    International communities should build cyber norms, rules

    With cybersecurity a global issue, Lim said Asean would collaborate with the international community and play its role in developing a rules-based cyberspace with cyber norm behaviours.  Further stressing the importance of global cooperation, Teo said supply chain and ransomware attacks were increasing in frequency, scale, and impact. She cited the SolarWinds breach, the US Colonial Pipeline attack that posed real-world consequences, and the Kaseya breach, which forced more than 800 Swedish Coop supermarkets to close.

    “These examples show the importance of strengthening our cybersecurity. They also highlight the need for international cooperation to build consensus on the rules, norms, principles, and standards governing cyberspace,” she said. “Such efforts will help to ensure that states behave responsibly in their use of ICT, so we can achieve an open, secure, and interoperable ICT environment. In doing so, we can also strengthen the rules-based multilateral order.” According to Teo, Asean currently was laying the groundwork to drive its updated Digital Masterplan 2025, which involved five key objectives including advancing cyber readiness cooperation, strengthening both regional and international cyber policy coordination, and enhancing regional capacity building. She said recent global supply chain attacks also highlighted the need for swift exchange of threat information to mitigate the spread of such attacks. This emphasised the importance of “cyber ops-tech collaboration” such as the Asean CERT, and through the development and implementation of technical standards.  “Often, we are forced into a reactive position when dealing with cyber incidents. In fact, we would rather be proactive on cybersecurity, by making our systems, networks, and devices secure-by-design,” she said. She pointed to Singapore’s efforts here with the introduction of the Cybersecurity Labelling Scheme for IoT devices, enabling consumers to identify the level of cybersecurity of such devices.  Teo said Asean member states could collectively raise the cyber hygiene level in the region by working towards a common baseline cybersecurity standard for IoT devices.  Singapore on Wednesday also announced the official opening of the Asean-Singapore Cybersecurity Centre of Excellence campus. 
Announced in 2019 to facilitate cyber capacity building efforts in the region, the centre aimed to conduct research and provide training in areas that included international law, cyber norms, and various cybersecurity policy issues. The facility also would offer CERT-related technical training, conduct virtual cyberdefence training and exercises, as well as drive the exchange of best practices, cyber threat, and other related cyber threat information. The centre comprises two training labs that can hold up to 100 in-person participants, conference rooms, and amenities to facilitate capacity building efforts, CSA said.