In the reality show Survivor, a group of contestants are left stranded on a remote island. There, they learn survival skills to outlast their competitors, compete in challenge tasks to outplay them, and form strategic alliances to outwit them.

These same three principles apply to cyber defence as well, and are especially vital when it comes to defending critical systems such as water, information communications, and energy. When such systems fail, they can threaten the livelihoods and survival of citizens.

At the recent AI x GOV summit, cyber experts from around the world shared what governments can do to defend critical systems against increasingly advanced cyber threats.

The vulnerability of critical systems 

Many critical infrastructure components are “not as resilient” to cyber threats as they should be, highlighted Tim Brown, VP Security and CISO of SolarWinds at the Defending critical systems panel. This is because many of them are “gated, old, and have been forced into a world of internet connectivity”, he said.

“That’s where the trouble starts,” agreed Anthony Lim, Director of Strategic Alliances, Centre for Strategic Cyberspace + International Studies, Southeast Asia and Australasia. “Critical systems are at risk not because they’re weak, but because they’ve never had to deal with this before.”

It’s like Covid-19, he said. Nobody has had Covid-19 before, so when the disease struck, no one knew how to defend against it.

Critical systems were created at a time when digital technology didn’t exist, said Dato Ts Dr Amirudin Abdual Wahab, CEO of CyberSecurity Malaysia. The technology is outdated, and the infrastructure these critical systems run on are ageing, he added.

Today, these systems are being digitalised retroactively. But the more retrofitting happens, the greater the complexity of these systems, explained Amit Sharma, Advisor and Director, Office of the Secretary of Defence, India. This makes them all the more difficult to secure.

Traditional security such as firewalls and intrusion prevention are no longer sufficient, Amirudin added.

Outwit, Outplay, Outlast: Knowledge is key

To tackle the cyber threats of today, defenders of the world need to “outthink” the threat actors, highlighted Brown. “Don’t underrate thinking in our overall protection,” he added.

Governments need to do a better job of not just implementing technology, but thinking about what gaps there are and how to defend those gaps, he said.

They also need to consider different scenarios and how they can respond to possible threats. “If I have a threat actor that is taking over one machine, is that going to flow to others?” Brown asked.

“I have yet to see a comprehensive security solution or intrusion detection system” for critical information systems, shared Sharma.

Software tools to detect intruders are unlikely to work for critical systems, he said. This is because many of these systems run in real time. “The moment you put in any kind of external agent, you are actually jeopardising the critical response of these systems,” he explained.

In the absence of tech or software tools to beef up the cybersecurity of critical systems, “knowledge is key”, Amit emphasised. Governments need to “keep updating” and “keep evolving” to tackle the ever evolving cyber threats.

Working as a team 

“The bad guys cooperate and share very well,” said Lim. “It’s not like the bad guys know everything, but they share their research.” They would go to their community on the dark web and ask about a particular system they are trying to hack or infiltrate, he explained.

Governments need to do the same. “Cybersecurity should be seen as a collective responsibility,” Amirudin highlighted.

For example, countries in Southeast Asia are working together to share information and improve cybersecurity. The 11 member states of ASEAN have subscribed to the United Nations’ norms of responsible state behaviour in cyberspace, wrote GovInsider.

As part of this initiative, ASEAN established a training centre in Singapore for ASEAN national teams responding to cyber-security incidents. This will help to “strengthen cybersecurity strategy development, legislation and research capabilities of all ASEAN nations,” the article highlighted.

It’s not just about the nation as a whole approach, but it’s the world as a whole approach that makes critical systems resilient, Amit emphasised.

Countries can even consider learning from cyber adversaries. They can work with the same people who are researching how to disrupt critical systems and take on a more proactive approach towards such threats, Amit suggested.

Hackers can provide valuable information on how they operate to help governments better prepare for potential threats. For example, a hacker suggested that governments focus on how to stop attackers that have already infiltrated a network, rather than trying to prevent infiltration, according to this Financial Times article.

Not just a public sector issue

Besides being a global issue, defending critical systems also takes public and private partnership, Brown said. “You require partnership with industry, because it’s the industry that is running most of the critical information infrastructure,” said Amit.

To help governments secure their critical systems, private organisations first need to ensure their software and security products are highly secure.

SolarWinds, for example, does so by sharing vital information like how they build code and their security measures of their products so that governments can conduct a proper risk assessment before using their products.

It is vital that critical systems survive, as any disruption can have a catastrophic impact on a country’s economy and citizen lives. But to protect them against cyber threats, cybersecurity tools alone are insufficient. Instead, governments need to work together in order to outlast, outplay, and outwit the threat actors.