20 November 2018

European and American cyber-security strategies. How do we fight against the gap between “do it Today” and “fix it on Tuesday” (I)

Laurenţiu Sfinteş

I have been lately participating at a conference organized by the Danish Institute of International Studies, in Copenhagen, about cyber security. The debated ideas and the answers the participants gave to a specialized public- in the conference room were also representatives of the Danish army forces- brought arguments about efforts’ intensification to control the cyber security domain, to elaborate national strategies in the field, by presenting the existent, but also the future threats as they actually are, not as admitted in the public eye: serious and with effects over the critical infrastructure’s security. In the following pages, I will offer you some relevant aspects which were discussed during the conference, about the actual situation in this field, last period’s evolutions which led to the necessity of adopting some national strategies, but also international and national regulations to fight against cyber threats.

Image source: Mediafax

In a recent speech, held at the München Security Conference, UN’ General Secretary, Antonio Guterres’, was saying that “the dark part of innovation process and cyber threats is one of the seven most important threats against international peace, stability and security (…) Cyber threats are growing. Cyber war is less and less a hidden reality, but more and more capable of destroying relations between states, or some of modern life’s structures and systems”.

This is a correct and direct characterization of the issue, coming from the leader of world’s organization, who has responsibilities in international security’s domain. But cyber threat’s issue didn`t now just show up overnight. It is the results of decades of accumulations in an area which evolved faster than the society which created it. Hence, the society became more and more dependent on the Internet and information technologies’ products.

And this technology developed so fast that its own products became unsafe, whizzing after a faster implementation of new programs and applications, following the: “do it Today, fix it on Tuesday” saying.

The discussion on what can we do to fix this situation can be debated on three levels:

  • the growing opportunities of digital economy;
  • the insufficient secured software products which are deluging the market;
  • the numerous capabilities, increased by reasons/interests from other fields, either political or economic, to explore the vulnerabilities of these products, of cyber systems.

Regarding the opportunities, some data are relevant. Hence, globally, in 2018, the digital economy of electronic products, systems, programs and applications is estimated to be worth about $3, 7 trillion. On short-term, it is estimated that it could reach $19 trillion, and on long-term $32 trillion (around 46% from world’s economy). Through internet’s connection of inhabitants from less developed states, the national GDP can be increased with 4 to 10%. At the moment, a 5 to 7% from world’s GDP is digital economy. This percentage is bigger in some states, like Holland- 25%, Denmark-10 to 20%, US-7%.

The tendency which takes an interest on a global plan represents the more and more interconnected economies, and the national and global GDP is a consequence of these interconnected structures, wherein the financial and informational fluxes go around freely abroad, through the internet and the informatic platform specially created to support, through particularly made programs, each domain.

The dependency on this field, on the faster implementation of new products and services, came along with a wrong approach of security aspects. Hence, the existence of some programs and platforms which are insufficient secured almost became something usual.

This need to quickly seize and win in the cyber market created a gap between launching a product and implementing the security procedures, following the saying: “launch it now, we will solve the issues later”.

There was also the wrong perception that it is difficult for third parties to identify the vulnerabilities and to attack the informatic systems, which were not involved in the process of creating them.

Nowadays, there are already specialized systems, created by young IT specialists, which one can find on public platforms, internet sites,  that can show the vulnerabilities in cyber infrastructure at a global level. Some are free to be used, other, more sophisticated, created for a mercantile purpose, are available in exchange of an amount, usually insignificant, considering the damages they can produce.

Some of the intelligence, economic, possible military structures are using these programs to verify their own systems and to train the personnel to implement security measures.

Computers or systems’ vulnerabilities map is, as a result, at any user’s hand who can, from home, to identify vulnerabilities, to choose a target, to pay for the asked service, with a VISA or any other payment method, and to wait for the execution of this service. You can be a hacker without actually being one! The true hacker will work for you! What services is he/she offering? Well, a lot! For example, taking information from sites, taking a vulnerable ID, attacking someone´s personal profile from social media, Facebook, Twitter (it only costs $100!), attacking operation systems and taking/destroying dates (easier on Windows, harder with Apple or others, but if you pay a bigger amount, anything is possible), sending spams (a few hundreds of damaged computers costs around $100!), taking personal documents wherefrom are processed in a digitized system. The damages are huge and can be made by people who are simply staying on their couches, hence there is no need for a sophisticated organization to cause some problems. 

On the other hand, an organization which is developing its digitalized activity and has medium capabilities, needs around 197 days to identify a security incident made against its systems and 67 days to neutralize it. Many times, it does not even know it has an issue. Often the ones who are discovering these incidents are the specialized intelligence structures, or the ones who created the used programs. These are institutions which are permanently surveilling the networks and their issues, to prevent cyber-attacks or to discover the possible software issues.   

Things are more complicated when it comes to neutralizing the incidents, if we are talking about sophisticated attack programs, but they are even more difficult if produced in a country with superior capabilities.

Attacking governmental systems and networks, public, corporations, big companies’ and social media sites became a usual occupation. There is almost no company, organization, important public structure who was not cyber-attacked. And we are not talking about systems and companies from less developed states. This is a phenomenon which takes place in the developed world, in the digital world.

Attacks have, in most of the cases, economic and financial reasons. Are being attacked structures which are managing money, a lot of money, banks, retirement funds, public taxes infrastructure, institutions and corporations’ archives, all because they can embezzle money, because they can embezzle patents and inventions, or businesses ideas, because they can ask for rewards.

These attacks are allowed by 1/3 of the well-known vulnerabilities. The most common are the ones caused by the partial implementation of security measures. Many of the used programs, many applications need a larger freedom of movement than the one allowed by security procedures. The users choose, in order to make a certain program work and to have the economic or financial dividends of its use, to put the security lath lower, hoping that nothing will happen.

But it happens:

 October 2016- Blocking the Internet services in US and Europe, through a malicious Mirai type software. Over 75 of the important big companies had loses evaluated to $22.000 per minute for each, around $100 million by each entity. It was all organized by three people, who wanted to block the security cameras from New York and to create chaos;

May 2017-Blocking the medical services from Great Britain, but also other services from around 100 countries, through an attack called WannaCry ransomware (ended by paying an amount of money to use Microsoft’s unlocking program’s tool), originated in North Korea. The services were blocked because the users did not have any more access to their computers. Medical services functioning was affected because many of them have online connections, digital services. 81 British hospitals were offline when they had to be online.

Although the security breaches were identified through these attacks, the response measures were delayed, hence it produced new attacks, only 6 weeks later:

June 2017- Blocking the economic activities and physical infrastructure of some corporations, by using the NotPetya virus, which supposedly was made by Russia. The vulnerability was again in Microsoft’s area. The attack was produced through infecting a software product, created by a software company from Ukraine, but used by many international companies. It got diffused from Ukraine to US in less than 5 minutes. One of the important “victims” of this virus was the Danish company Maersk, which is providing 10% from the national GDP. 45.00 computers were destroyed, 4.000 servers, 2.500 applications, not only in Denmark, but also in all offices and regional branches from the entire world, in only two hours. Only four computers remained untouched by this virus, in a Maersk office from Ghana, thanks to a cut of the electric grid. These four computers allowed company’s cyber system to be repaired, but the loses were huge, in billions. An estimation of the financial loses produced by the attack is $50 billion. The effects of the attack are being repelled even today, 15 months away from that moment, and the loses can reach $1 trillion.

August 2017- Destroying the commercial infrastructure, security procedures and safety. The Triton/Trisis virus, which, initially, was used in Saudi Arabia, ulterior have attacked the physical infrastructure from other countries too. The target were the safety systems which were protecting different installations- in Saudi Arabia were, of course, the oil rigs ones - the loses were huge and have affected the national security of some states wherein were produced such attacks.

Aware that the cyber attacks are not simply attacks against some people, not only against some companies and corporations, or against some economic infrastructures’ elements, but they affecting the security of an entire country, the security strategies must be quickly adopted and implemented. This must be done as cyber attacks are endangering the national GDP, social security, stability and also the national sovereignty.

This is what led to unseen decisions like it was, for example, the elaboration and publication, in April 2018, of a Technical Common Alert, made by the US and Great Britain, wherein it is confirmed that the national infrastructure of both countries was attacked, and the attacks came from Russia. The alert aims to be a warning signal for institutions and corporations, to make them aware over the responsibility to prevent the cyber vulnerabilities and immediately report to specialized structures in the area: U.S. Department of Homeland Security (DHS), Federal Bureau of Investigation (FBI), as well as to National Cyber Security Centre (NCSC), any suspect incident or behavior of the used softs and programs.

Defence and Security Monitor will be presenting you, in the following period, the way this alert is implemented, as well as some interesting elements from the national cyber strategies, recently and very recently adopted in US, Europe and a series of other states.