DORA: A step in the right direction, but it’s not a home run
March 2023, by Monica Oravcova, COO & Co-Founder, Naoris Protocol
Cryptocurrency and digital assets such as NFTs will most definitely be strong contenders for the defining innovation of this decade. Social platforms and connected media have facilitated exponential growth in the speed at which new technology and ideas are adopted. Growing in tandem with these innovations, however, are far less desirable technologies in the form of hacking software. The remote working trend, and an exponential increase in the use of collaboration tools in particular, have created an easy gateway for cyber criminals. Recently, Zoom had to pay $85 million to litigants who had been victimised by racist, sexist assaults from “Zoombombers.”
It is incredibly easy for hackers to spread malicious code using collaboration tools. For example, they can purchase Zoom credentials for as little as $0.002 each. They can steal usernames, passwords, registered email addresses and personal meeting URLs through “credential stuffing”: having acquired a victim’s details from a breach sold on the dark web, they use bots to try those credentials against other services until one of the logins works. Regulators, in response to this kind of threat and a myriad of others, are now zeroing in on companies that have weaknesses in their cybersecurity and holding them accountable for breaches.
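The credential-stuffing pattern described above leaves a distinctive trace in authentication logs: a single source fails against many different accounts in a short window, which looks nothing like one user mistyping a password. The following Python is an added example, not code from the original post or from Naoris Protocol; the log line format, the sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from any real system).
# 203.0.113.7 sprays five accounts in three seconds and then succeeds as "frank";
# 198.51.100.4 is one user fumbling their own password; 192.0.2.9 is a lone failure.
SAMPLE_LOG = """\
2023-03-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.7
2023-03-01T09:00:02Z auth result=FAIL user=bob src=203.0.113.7
2023-03-01T09:00:02Z auth result=FAIL user=carol src=203.0.113.7
2023-03-01T09:00:03Z auth result=FAIL user=dave src=203.0.113.7
2023-03-01T09:00:03Z auth result=FAIL user=erin src=203.0.113.7
2023-03-01T09:00:04Z auth result=OK user=frank src=203.0.113.7
2023-03-01T09:00:10Z auth result=FAIL user=grace src=198.51.100.4
2023-03-01T09:00:40Z auth result=FAIL user=grace src=198.51.100.4
2023-03-01T09:01:05Z auth result=OK user=grace src=198.51.100.4
2023-03-01T09:30:00Z auth result=FAIL user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=4):
    """Flag sources whose failed logins hit >= min_distinct_users distinct accounts
    within any `window`-long span. Returns {src: {distinct_users, failures, success_after_spray}}."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        # Sliding window over this source's failures; track the widest account spread seen.
        max_users = 0
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            n = len({e["user"] for e in fails[start:end + 1]})
            max_users = max(max_users, n)
        if max_users >= min_distinct_users:
            # A successful login from the same source at or after the last failure
            # suggests one of the stuffed credentials worked: the highest-priority alert.
            last_fail_ts = fails[-1]["ts"]
            success_after = any(
                e["result"] == "OK" and e["ts"] >= last_fail_ts for e in events
            )
            findings[src] = {
                "distinct_users": max_users,
                "failures": len(fails),
                "success_after_spray": success_after,
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

Keying on distinct accounts per source rather than raw failure counts is what separates stuffing from a legitimate user's repeated mistakes, and the follow-on success is the signal worth paging on. Real campaigns rotate through many bot IPs, so a production version would also aggregate failures across accounts per time window and per network range, and the durable mitigation is MFA plus screening passwords against known-breached credential sets.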
Holding companies accountable
The European Council has approved regulation which will go a long way in halting the trend of escalating cyber threats. The Digital Operational Resilience Act (DORA) prescribes a set of requirements for the security of networks and information systems for businesses operating in the financial sector, as well as for third parties that provide ICT services to them. The legislation applies to both large and small financial institutions operating in the web2 ecosystem. Further regulation covering web3 and digital assets will follow next year via the Markets in Crypto-Assets Regulation (MiCA).
The aim of the legislation is to ensure that organisations can effectively respond to and recover from the impact of ICT breaches, allowing them to continue with “business as usual” in the event of an attack. It is an attempt to ensure that the consequences of an attack don’t affect critical functions of a company or have an impact on the financial markets as a whole.
DORA concentrates on the following aspects of compliance:
● ICT incident reporting and management: financial firms must implement management systems to monitor, describe, and report any major ICT-based incidents to the relevant authorities.
● Information sharing: financial firms will be encouraged to share cybersecurity information and intelligence with firms in other member states, to help strengthen response and recovery capabilities across the European financial sector.
● Third-party oversight: third-party ICT providers, including cloud service suppliers, will be regulated by one of the European Supervisory Authorities (ESAs).
● Supervisory powers: the ESAs will have the power to request information, issue recommendations, conduct inspections and levy fines. Financial services firms will be required to assess and document the potential risk that may arise from their relationships with third-party ICT service providers.
Resources may be an issue
While DORA goes a long way to ensure that there is corporate accountability when handling data, it will need massive human resources to ensure compliance. Legislation without monitoring and evaluation of results is an exercise in futility. A skilled and well-resourced team of officers will be needed to enforce the rules. Concerns have been expressed about the sheer number of people that will be needed to monitor the hundreds of thousands of companies that handle people’s data. There are many layers of complexity to navigate. Not only do many businesses operate on a global scale, but they have both virtual and physical offices, and they may also have hundreds of partners or sister companies in their structures. Without a large team of officers in place, monitoring companies looks like an insurmountable challenge. The only solution that makes sense is the adoption of a hybrid model, where companies agree to a set of self-regulatory standards and then work in tandem with the regulators on reporting.
The war against cybercrime needs new weapons
DORA does not lay out what methods should be employed in order to achieve a higher capability of threat mitigation. There has been limited discourse about how new-generation technology can play a role in the cyber security space. When we look at web3 and the existing solutions that are being presented, they are totally inadequate, because we are playing a game of apples and pears. The typical narrative still focuses on centralised security solutions. Gartner recognises that the latest trend is the Cybersecurity Mesh. Naoris Protocol takes this one step further with the decentralised Cybersecurity Mesh, which mitigates threats in near real time using a highly resilient, distributed consensus that increases trust levels across the network. Naoris Protocol recognises that you cannot mitigate web3 cyberthreats with web2 technology, which is, for the most part, totally out of date even for web2.
Addressing multiple points of failure
We are dealing with multiple points of failure. In the past, companies could manage their cybersecurity within their own borders. Now we have remote workers with personal devices that are exposed. Connected mobile devices, IoT, cloud servers, social media networks and collaboration tools are all potential gateways for criminals. The only sensible way to mitigate this is to secure the gateways, and this requires a paradigm shift. The technology being developed by Naoris Protocol may be core to addressing the problems that prevail in traditional and web3 financial cybersecurity.
Decentralised Cybersecurity Mesh could lead the way
Naoris Protocol is building a decentralised cybersecurity mesh that prevents a single device from becoming a point of failure, as it protects all devices no matter where they live in the connected universe. It protects in real time, converting untrusted devices into cyber-trusted validator nodes while enforcing cybersecurity standards across the entire digital infrastructure. Naoris Protocol is developing this decentralised hyperstructure as a real solution to the shortcomings in current cybersecurity solutions.
The Protocol creates real-time Zero Knowledge proofs of the cyber-status of all devices, networks and environments, using Swarm AI and blockchain technology. Proof of the state of security at a specific point in time will be demanded by auditors and businesses, and may also be used as forensic evidence in court. It is designed to run alongside existing cybersecurity systems, integrating easily with existing solutions.
A reactive approach to fighting cyberthreats is no longer useful when a professional cybercriminal can purchase malware for as little as a few hundred dollars on the dark web and can break into some enterprise systems in under an hour. We can’t do blow-by-blow retaliation; we have to change the game in its entirety. Naoris Protocol turns the concept of cybersecurity on its head, as its solution prevents breaches rather than remediating them, and every participant in the network plays a role in securing it. When you have a massive network of devices using swarm AI to detect and prevent breaches in milliseconds, you are a good way down the path of combating an attack. The Naoris Protocol solution makes networks stronger as they grow, not weaker.
Until we move towards proactive solutions that mitigate risk and away from reactive ones, we will continue to tread water in the fight against cybercrime. As it stands, cybercriminals have the upper hand; however, we believe the trajectory of cyberthreats will turn if we can achieve two main goals: turning every device into a soldier against an attack, and helping individuals see how important their role is in prevention. Humans still account for over 90% of breaches, so helping individuals develop a cyber security mindset will also be a powerful weapon in the arsenal of cybercrime prevention.