In conversation with: Stéphane Duguin from The CyberPeace Institute

7 December 2023

The number one challenge in the cyber security industry right now is burnout: There’s too much data, too many cases, and not enough time.

The current cyber threat landscape is shaped by a diverse array of factors, each adding to an unprecedented level of complexity. To better understand these factors, SoSafe interviewed Stéphane Duguin, the renowned CEO of the CyberPeace Institute.

The CyberPeace Institute stands out as an organization with the commendable mission to fortify cyber security and protect the most vulnerable in our digital society. The Institute acts as a pillar of hope for NGOs, providing them with much-needed defense against cyber threats and acknowledging their specific susceptibilities in the cyber world.

This conversation with Stéphane Duguin covers the primary cyber security challenges organizations face today: the evolving role of AI in emerging threats, the crippling impact of ransomware, and how factors like burnout and geopolitical dynamics are making the situation worse. Most notably, Duguin provides expert insights into an area he knows intimately: the profound and often brutal effects of these multifaceted cyber threats on NGOs.

What kind of organizations does the CyberPeace Institute help, and what are the main challenges they face?

The mission of the Institute is to protect the most vulnerable in the cyberspace. We decided that one of our priorities would be to defend NGOs, especially humanitarian actors. The reason behind it is that when they are affected by a cyberattack, it always has a very strong human impact. It’s as close as you can get to the loss of human lives. We need to stop talking about networks, computers, and money and start talking about people. These NGOs are in a very complicated situation because they are targeted by both criminal groups for financial gain and state actors for geopolitical reasons, and they don’t have the cyber security maturity to deal with these attacks. 

What are the main services you provide to NGOs?

We recently launched the Humanitarian Cybersecurity Center, which offers a set of services for NGOs. One service is a volunteering program called “The CyberPeace Builders.” For this program, we partnered with private sector companies that are willing to go beyond just securing themselves and want to make a difference in the community. We ensure these volunteers can help NGOs with their cyber needs free of charge. The goal is to make NGOs more resilient or help them recover from an attack, but we don’t do incident response. We have more than 330 volunteers helping 117 NGOs. Our goal is to provide free cyber security services for 1,000 NGOs by 2025.

You mentioned that you have a human-centric approach. In your experience, how can cyberattacks affect individuals? 

We should never forget that, in most cases, cyberattacks aim to play with the victim’s cognition, meaning there is a manipulation factor. For example, ransomware is one of the few cybercrimes that requires the victim to be an accomplice. When you are hit by ransomware, you must make complicated decisions that have a psychological impact, such as whether to pay the ransom or report the attack. The second part is the creation of guilt on the part of the victim. NGOs are very heavily affected by CEO frauds. When that happens, the person who fell for the attack, in many cases, is under the scrutiny of the organization. 

Another consequence is more systemic and depends on the victim’s type of activity: the impact of the attack on the beneficiaries of the entity. We see this in the healthcare system, for example. When a hospital is hit by ransomware or activities that disrupt operations, people do not receive the same quality of healthcare. A Vanderbilt study shows that a cyberattack’s impact on hospitals is still evident after several months – or even a year later. This showed that patients with critical conditions received lower-quality healthcare and had a higher chance of having a fatal outcome than before the attack. The reason for this is they are still recovering from the attack and putting their systems back together, resulting in longer response times.

We cannot underestimate the long-term psychological impact on victims. An example that illustrates this very well is the ransomware attack on the Vastaamo Clinic in Finland, where they refused to pay the ransom and the criminals decided to extort each and every patient of that clinic, threatening to disclose their private psychological information. In that situation, Finland had to set up an ad-hoc victim support unit to treat more than 25,000 victims.

Looking at the current threat landscape, how do you think it has changed in the last year?

Fundamentally, the cybercrime-as-a-service business model has accelerated. We have seen a very rapid increase in criminal groups using disruptive technology. Cybercriminals are very good at collaborating with each other, and they are now leveraging new technology as attack vectors. We are seeing it with ChatGPT, but we already saw it long ago when deepfakes appeared.

The second aspect that has not improved is how states protect people from cyber threats, which implies ensuring laws, norms, and regulations are properly enforced in the cyberspace. There is a misconception that the cyberspace is unregulated, which is simply not true. There are many cyber security laws, but they are not properly enforced. There aren’t enough law enforcement resources to have a systemic response. Another way in which states do not contribute to improving the threat landscape is through surveillance attacks. When states continue to use their resources to conduct surveillance attacks, they are investing in global cyber insecurity, because for that surveillance to work, they need to ensure there are vulnerabilities in the cyberspace.

The third aspect is something we have seen for quite some time, but that is, unfortunately, booming now more than ever in the context of the conflict in Ukraine: the “civilianization” of cyberattacks. This means that civilians are taking part in large cyberattacks because of a specific crisis or conflict. For example, we have seen some Russian criminal groups attacking anyone who is against Russia’s interests and volunteer hackers joining the Ukrainian IT army. This is very worrying because it means crowdsourcing cyberattacks, which blur the lines between who is a civilian, who is in the military, and who is the target.

What do you think are the most common types of cyberattacks? 

If you look at what has happened in Ukraine, more than 90% of the attacks are DDoS, but when it comes to mainstream cybercriminal attacks, the most common attack vector is still phishing. It can be used for almost any type of attack: banking attacks, CEO fraud, ransomware, and credential theft, to name a few. This rise of ransomware attacks and the constant innovation around them is also very worrying, as these attacks can completely destroy organizations and communities.

Currently, one of the largest crises is the war in Ukraine. If we consider the increase in the number of cyberattacks since the war started, do you think a “hybrid war” is happening right now?

Data says that there is definitely a hybrid war going on. Our platform is the only one in the world that publicly traces cyberattacks since the war started, and it has registered more than 1,300 cyberattacks since the invasion, approximately 20 attacks per week. Upwards of 87 threat actors are responsible for these attacks, impacting 20 sectors in over 45 countries.

How does the current geopolitical situation affect the cyber threat landscape for NGOs? 

We live in a world of crises, one after the other: COVID-19, the war in Ukraine, and the earthquake in Syria and Turkey are just a few examples. Every time there’s a crisis, there’s an emotional response from the public to donate to charities or humanitarian aid, meaning there’s a lot of money coming in. Because criminals are attracted by money, they target this particular sector that does not have enough cyber security resources. NGOs and donors are the unwilling parties in this. On the one hand, NGOs only ask for funds for their operations, not for cyber security. On the other hand, donors do not give money for cyber security but for the operation of the NGOs. This happens because cyber security is not seen as an important topic in this field, which is what we are trying to change.

With the emergence of new tools like ChatGPT, the field of Artificial Intelligence is experiencing a significant boom. In your opinion, how do you think this will affect the cyber threat landscape?

Everything we saw regarding deepfake engineering was a disruption of AI back in 2017. Quite some time has passed, and now criminal groups can generate very convincing and authentic content to manipulate people: a familiar voice, face, or well-crafted email. Another aspect of AI technology is its use to better evaluate your social ecosystem to create very smart social engineering attacks or vectors of attack.  

There’s also a strategy that is on the rise among criminal groups, and that is AI-generated or AI-assisted attacks to better automate the attack and discover the infrastructure more easily. This means that, on the defense side, we must implement AI tools to be better at defending ourselves.

You mentioned the benefits of using AI as part of our security defenses. What challenges do you foresee in this use of AI?

The big risk here is that AI will generate a lot of data that actual humans will need to go through. The problem with this is that the number one challenge in the cyber security industry right now is burnout: There’s too much data, too many cases, and not enough time. Unfortunately, AI is only going to exacerbate this problem because it will multiply the amount of data, which is quite concerning.

If you look at this from a wider perspective, one of the reasons you are subject to burnout is not finding your job meaningful. With the rise of AI and the low possibility of detecting what is true and what has been manipulated, the fundamentals of democracy have been undermined. This means that in front of a judge, anyone can say that the evidence against them is false or has been tampered with. If you create this doubt, you bring down the entire system that these digital investigators are working for, so it’s harder for them to feel like their work has any meaning.

Key takeaways from the CyberPeace Institute

This interview sheds light on the escalating complexity of the cyber threat landscape, emphasizing not only ongoing threats like phishing, ransomware, and CEO fraud, but also how they are evolving in a time of rapidly advancing technology and AI. These threats are growing more sophisticated and prevalent, with cybercriminals ruthlessly targeting not only corporations but also vulnerable entities like NGOs. This complex set of challenges is exacerbated by an unstable global geopolitical landscape for which the cyber security industry needs to be well-prepared. However, as Stéphane Duguin points out, the lack of resources and burnout among professionals are now bringing the security sector to its knees and leaving organizations even more vulnerable to attacks.

But if resource allocation poses a significant hurdle for corporations, it becomes even more daunting for NGOs, which have fewer resources and often find themselves particularly strained in recovering from cyberattacks. To combat the consequences of these attacks, Stéphane Duguin highlights the need to adopt a human-centered approach focused not only on the technical aspects of cyberattacks but also on the profound psychological impact on individuals and the disruption of vital services to those who rely on NGO aid.
