An “out of service” notice is displayed on the screen of an ATM at a bank infected by the Petya ransomware computer virus in Kiev in late June. The cyberattack, similar to WannaCry, began in Ukraine, infecting computer networks and demanding US$300 in cryptocurrency to unlock their systems before spreading to different parts of the world. Photo: Bloomberg
Governments and business must work together to patch cybersecurity holes
Daniel Wagner says that defending against cyberattacks is an unending cat-and-mouse game, and public-private partnerships would help in communicating risks and options for addressing them
Though cyberattacks now occur with greater frequency and intensity worldwide, many either go unreported or under-reported, leaving the public with a false sense of security. While governments, businesses and individuals are all targeted, infrastructure has become the choice for both individual and state-sponsored attackers, who target security systems previously seen as impenetrable. This shows the vulnerability of cities, states and countries and the importance of global risk agility.
The US now blames Russia for cyberattacks on energy, aviation and other sectors in recent years. Moscow planted malware, conducted spear phishing and gained remote access to sensitive areas of America’s infrastructure networks. They did this with surprising ease; for example, using false résumés to apply for jobs and installing malware once tainted emails were opened.
This modus operandi is not new to Russia or others intent on planting malware and gaining entry into sensitive companies and sectors. Russia planted the malware leading to the Petya attacksof 2017 by entering a Ukrainian tax and accounting firm servicing 80 per cent of Ukraine’s businesses, then gaining access to those businesses. This quickly infected computers around the world.
It is shockingly easy to enter otherwise secure computer systems and companies. Up to 95 per cent of the time this is because of the risk between keyboard and chair – employees who click infected links.
Cyberattacks are difficult to prevent, given the relative ease with which hackers can find a single system vulnerability, and the impossibility of plugging all security holes. Cybersecurity professionals play an endless game of cat and mouse, where would-be attackers attempt to enter a system while security professionals attempt to defend it by applying continuous patches. The adversary then quickly moves to another vulnerability. That is why many computer security programs produce patches numerous times per day.
High-profile cyberattacks are increasingly the norm, giving nations of all sizes, degrees of wealth and resources a seat at the table with world leaders in overt and covert cyberattacks. Iran and North Korea are prominent members of this club. All this has prompted the Trump administration to declare that it equates cyberattacks against critical infrastructure as acts of war, potentially resulting in a nuclear response.
International treaties to address the problem have limited impact because of the inability to hold signatories accountable and the difficulty of accurately determining those responsible. Enhanced information sharing and a mandate to swiftly release information on attacks provides a foundation to address future attacks, yet few governments routinely do so.
Governments, businesses and individuals must devote more resources to becoming cyber-vigilant. Apart from raising awareness, increasing resources and making counter-cyberattacks compulsory, nations must take a more holistic approach by thinking about how to address vulnerabilities, implementing routine cybersecurity audits and creating teams devoted to solving the problem.
Former US president Barack Obama issued the first executive order to establish a voluntary risk-based cybersecurity framework between the private and public sectors. Photo: EPA
Governments and businesses should engage in more public-private partnerships to address the issue. Former US president Barack Obama issued the first executive order to establish a voluntary risk-based cybersecurity framework between the private and public sectors, allowing all US government agencies to apply the best risk-management practices. This framework allows all those who participate to communicate and understand the risks, a vital step towards a functioning national and international cybersecurity network.
The European Union implemented the Directive on Security of Network and Information Systems forcing member states to adopt more rigid cybersecurity standards and allowing EU members and the operators of services like energy, transport and health care to communicate effectively. While other nations are in the process of acting accordingly, no nation allocates sufficient resources to adequately respond to the threats against critical infrastructure, nor does any nation have a truly comprehensive plan to prevent or meaningfully react to such attacks. Local and state governments must work together with national counterparts to produce and implement plans to address future attacks. They are coming.
Daniel Wagner is CEO of Country Risk Solutions and author of Virtual Terror
