Q&A: Cyber threats
Mohd Noor Amin is the Chairman of IMPACT and heads the world’s largest public-private partnership against cyber threats. In this interview, he discusses the issues associated with combating cyber threats, high profile attacks as well as IMPACT’s work and future endeavors.
What are the critical steps an organization has to take in order to effectively combat cyber threats?
The spectre of cyber threats is starkly different from common internet crimes like identity theft and money fraud. Cyber threats can involve the use of technology to divert or destroy systems and infrastructure, causing injury or death and even undermining economies and institutions.
Even if one is to discount the risk of human casualties, the economic loss that can be caused by a cyber disruption or attack should be reason enough for governments to sit up and take notice. An international consensus is required to close down loopholes, strengthen law and infrastructure and direct resources to where they are most needed to prevent cyber threats from gaining a foothold in any country.
Organizations need to seek consultation from cyber crime cells in order to prevent data theft and guard against cyber threats. Additionally, it is important to conduct periodic cybersecurity audits on all systems in order to ensure information security. Cyber usage guidelines should be created for employees/officials and they should undergo training to facilitate understanding and implementation of these guidelines.
Governments of the world have recognized the need of a good security governance program in order to protect sensitive data. This is achieved by setting up policies based on regulations and framework, and performing compliance monitoring. However, the complexity of ensuring compliance and strong IT governance is compounded due to the variety of security issues that must be monitored, and the need to comply with multiple standards and also the frequency of measuring the IT-based controls, policies and audit results. The obstacles associated with implementing strong IT compliance come from often repeated, time-consuming processes: creating, defining, and distributing policies; tracking exceptions; managing standards; managing entitlements; remediating deviations; and performing both procedural and technical assessments.
There have been a number of high profile cyber attacks in the past few years. Which ones would you single out as the most serious?
Many ICT systems – in both the public and private sector – face daily threats from hackers and their bots – networks of zombie computers millions strong, bombarding scanning and probing their websites with the aim of exploiting the vulnerable ones. For the most part, the probes come from criminal groups’ intent on stealing identities, credit details, passwords and other information they can turn into financial gain. There are also groups called “black hats’ that try to break in simply for the thrill and kudos of breaching multi-million dollar security networks.
But as the coordinated attack on Estonia’s cyber infrastructure in March 2007 showed these same skills can be used for political purposes, to create a breakdown in a country’s social and economic fabric. That attack proved very publicly that cyber terrorism is neither a game, nor a hoax, and that these nightmare scenarios are a very real threat.
By 2007, Estonia was one of the economic success stories arising from the devolution of the old Soviet Union. A tiny country of only 1.3 million inhabitants, it had a GDP of almost US$28bn in 200. Within ten years leading up to 2007, the annual growth rates often exceeded 10%, ranking it amongst the World Bank’s most highly rated investment economies. Its attempts to embrace information technology were similarly bold. Established in 1996, Estonia’s Tiigrih??pe (Tiger’s Leap) program was a far-reaching nationwide effort to educate its population and install cutting edge ICT technology at the heart of the country’s public and private sectors. According to a Business Week report (Estonia Superpower, December 17, 2007), at the time of the 2007 attacks in April and May 2007, over 350 government agencies were linked using a secure server system called X-Road, including integrated health and electronic voting services.
Yet it was these same advances that made Estonia such an ideal test target for cyber terrorists wanting to flex their muscles and determine just how quickly a cyber assault could shut down a country and bring it to its knees. On April 28 Estonians awoke to find that they could no longer access the websites of newspapers and media organizations. Shortly afterwards the credit card system went down, preventing citizens from buying items as basic as petrol and groceries. Government and financial websites effectively went offline as a series of massive and coordinated distributed denial of service (DDoS) attacks targeted the country. On May 2nd the attacks escalated once again and Estonia, a badge of European inter-connectivity, was being forced to isolate itself. Worryingly, rumors on the Internet suggested that the first wave of attacks were merely the probes and feints for a major blitz to take place on May 8.
At 11.00pm on May 8th net traffic in Estonia increased to approximately 200 times its normal level. Estonia’s government later calculated that up to a million computers, from locations as varied as Vietnam and the US, were used in the coordinated overnight offensive, including botnets “rented’ or loaned to the terrorists by cyber crime and hacker groups. According to McAfee’s Virtual Criminology Report 2007, “Each phase [of the attack] was designed to tap deep into the nation’s core infrastructure and seek out the extent to which systems and networks could stand up to relentless cyber assault.” With the rigorous efforts of a hurriedly put together international team of experts the attacks were brought under control and eventually ceased on May 23rd as abruptly as they had started.
In the very recent past, cyber threats have become a grim reality, as these incidents prove. In Japan, some of the 24 million users of DoCoMo’s i-mode mobile phones had their handsets taken over by a malicious programming code delivered by email. The code directed the phone to dial 110 – Japan’s emergency hotline number. The mass numbers of phones dialing the emergency number caused the system to shut down.
In the first quarter of 2009, malware and spam propagators proceeded to exploit legitimate sites to bypass traditional content filtering technologies. Latest tactics include the targeting of ISPs and the borrowing of images from legitimate, well-known hosts to use in e-mail messages. The use of social networking sites (e.g. Facebook, etc) for phishing schemes is another growing trend. By gathering networks of friends, unknowing users have fallen victim to money-making and password stealing schemes.
In your opinion, what countries are most prepared to face a massive cyber attack? What does a country need to do so?
Cyber threats today are no longer confined to the security of the country but also affect the economical well being of the nation. As Estonia’s experience showed, we are all at risk from cyber threats. Even for those of us who have never so much as touched a mouse or keyboard. It could be something as simple as disabling the banking networks, halting ATM withdrawals and credit card payments; or manipulating the stock markets and causing banks and other institutions to fail, taking jobs, pensions and savings with them.
In order for countries to be constantly prepared and on guard for the next massive cyber threats, it is important that the national governments work with all sectors including academia, industry leaders and cybersecurity experts to address the increasing instances of cyber threats.
How does the International Multilateral Partnership Against Cyber Threats (IMPACT) work?
IMPACT is the first and only global public-private partnership that advises and enables governments to play a global leadership role in the interest of national and global cybersecurity.
IMPACT works closely with national governments, industry leaders, academia and cybersecurity experts to evangelize borderless effort on cybersecurity. At a primary level, IMPACT provides analysis, monitoring and alerts to partner countries so that they can internally manage and act against rising and predicted cyber threats. This is done through our Global Response Centre, leveraging Network Early Warning Systems (NEWS) and Electronically Secure Collaborative Application Platform for Experts (ESCAPE).
What innovations can we expect from IMPACT in the future?
Our roadmap is clear. As the surging cyber threat of online breaches, scams, dangers and exploits escalate, cybersecurity will become an critical topic for governments across the globe, in an increasingly connected world. As the need for cybersecurity becomes instrumental in the prevention of potential system meltdowns, we see an uptake in cyber threat prevention initiatives and services on a national, regional and global level.
It is clear what hackers and malicious Internet users are capable of. In 2007, hackers caused a nationwide meltdown Estonia, where online attacks paralysed networks of the Estonian government, police, ministries, banks and media. As a result, Estonia was forced to disconnect from the internet, causing large scale disruptions to its economy. If there is one lesson to learn from that, is that cyber threats are borderless and targeted; in many cases, these attacks are coordinated for broader detriment.
At IMPACT, we are working with governments in partner countries to prevent similar occurrences from repeating themselves. To this end, we are leveraging partners in the academia, private and public sectors, to ensure the protection and security of government’s cyber territories and critical ICT infrastructures.
There is a huge need to create more information security professionals globally. IMPACT through its collaboration with world recognized international information security certification bodies & information security experts aims to increase the number of security professionals globally through its Centre for Training & Skills Development. IMPACT also aims to train more information security practitioners to build their skills through its highly specialized information security programs.
Enhancing governments of the world’s readiness through its Centre of Security Assurance. IMPACT and ITU will help developing nations build its national Computer Incident Response Teams under ITU’s Global Cybersecurity Agenda (GCA). This will enhance nations capacity and readiness in combating global cyber threats.
Through IMPACT’s collaboration with (ISC)2, it aims to provide awareness to schools and organizations through (ISC)2 65,000 security professional globally. This is in line with ITU’s Child Online Protection agenda in raising awareness among children in using the internet safely and positively. Developing cybersecurity related policies and harmonization of national cyber laws in collaboration with ITU and other United Nation agencies.