Cyber attacks sound like the stuff of dystopian nightmares, something from a novel of the future. But they’ve been a very real part of the security landscape for many years, and the attacks have ranged from malevolent pranks to embarrass businesses to the sustained series of assaults on Estonia’s infrastructure in 2007.
The attacks on Estonia began on April 27, 2007, mostly taking the form of a distributed denial of service (DDoS) assault that swamped the country’s infrastructure: parliament, banks, government departments and the media’s websites. The attacks lasted for three weeks, and while they were technically a fairly unsophisticated and blunt assault, the country’s infrastructure was hit hard.
The attack brought cyber security to the top of the agenda for government officials everywhere, says Robert Pszczel, director of the NATO information office in Russia and a scheduled speaker at DLD Moscow. “When you have a major attack like that, then it becomes a national security issue,” he says. “It makes people realize that we have to look at cyber space as a security issue.”
Russia is widely thought to have been behind the attack on Estonia, at a time when relations between it and its former Soviet satellite state were at a parlous low following a decision to move a war memorial from the center of the capital, Tallinn, which sparked protests from Moscow and riots among Estonia’s ethnic Russian community.
Nation states have been both the victims of and the aggressors in subsequent cyber attacks. More recently, in June 2010, Iran’s nuclear infrastructure was targeted by a very highly engineered worm, dubbed Stuxnet, which unusually for such a piece of malware, infected computers running Microsoft’s Windows operating systems via USB keys rather than via the Internet. The worm reprogrammed software that instructed industrial machinery made by Siemens, potentially causing havoc in industrial and nuclear equipment that depends on finely-calibrated machinery. While it was never proven, Israel and the U.S. were suspected of being behind that attack.
It’s not just nation states that face constant threats via the Internet on their infrastructures – businesses too have to remain constantly vigilant. An attack might be a swoop by an activist group such as the one carried out by Lulzsec last year on Sony, when thousands of user passwords were stolen and published online; or it might be the theft of commercial intelligence by anyone from a disgruntled employee to a nation – or both.
Dongfan Chung, an engineer with Boeing who worked on projects including the space shuttle was sentenced to 15 years in prison in 2009 for economic espionage on behalf of the Chinese aviation industry. Sentencing him in Santa Ana, California, the judge, Cormac J Carney, said: “The trust Boeing placed in Mr Chung to safeguard its proprietary and trade secret information obviously meant very little to Mr Chung. He cast it aside to serve the PRC [People’s Republic of China], which he proudly proclaimed as his motherland.”
As with the attack on Estonia, hacking and breaching security can be politically motivated. Most recently, in March it was reported that China was behind attempts to disrupt pro-Tibet campaigners by compromising their computers with a Trojan that includes the ability to steal documents from an infected PC.
Looking at the incidences of data security breaches of even one country gives an idea of the scale of the threat businesses, and hence society, face from cyber attackers. An April 2012 survey of UK businesses conducted by Infosecurity Europe and analyzed by accountancy firm PwC, found that 93% of large organizations responding to the survey had experienced a breach last year. Of those, 15% were hit by a DDoS attack – the same kind of attack that crippled Estonia’s infrastructure for three weeks in 2007. And 15% said that hackers had penetrated their networks last year.
Infosecurity Europe and PwC estimated the cost of security breaches in the UK alone to be “billions” in the past year. Says Pszczel: “There is a very significant cost that comes from not doing the right thing. The cost is tens — if not more — of billions.”
He points out that in tough economic times it is more difficult to co-ordinate preparedness and protocols to deal with attacks, but, he adds: “You can’t have it both ways. Cyber security is the fabric of society. The Internet has become part of our daily life – if it is under threat, society is under threat.”
“It doesn’t matter where the threat comes from, says Pszczel. “It can be from individuals, terrorists or governments. The point is that we need to be ahead of the bad guys, whoever they may be.”
As he observes, any system is only as secure as its weakest link, which is where an umbrella body like NATO has a big role to play, both for its expertise and for its ability to bring allies with a common interest together. “NATO has been in the avant garde of technology for many years,” says Pszczel. “The protection of secure communications is no longer just the province of the military, as it was many years ago. Our focus is still on protecting our allies, but we all need a common secure system of communication of information.”
European Commission Vice-President Neelie Kroes agrees there is a need for a more comprehensive approach to cyber security. In an April 24th speech, given via video to the annual InfoSecurity conference in London, she insisted, “Internet security cannot be left to the traditional instruments of national security – as if cyberspace was just another military theater.”
Kroes is proposing “a European strategy for Internet security” that involves shared responsibility by all stakeholders, including governments, businesses, and consumers. Among other things, the proposal would require EU member states toestablish “competent authorities” that centralize information and share it with partners. A new “European Forum” would ensure the authorities and the private sector cooperate as required.The proposal would also requiremandatory safeguards and prompt reporting of security breaches among private sector organizations that own, operate and service Internet infrastructure.
With a fairly small budget of around 2 billion euros a year, NATO is already leading initiatives to encourage governments as well as infrastructure providers like banks to prepare for the worst. “We have to devise the best possible systems at NATO to try to look ahead – we are a center of excellence in cyber defence,” Pszczel says.
“Whether it’s a country engaged in espionage or whether it’s crime, the point is, if you have a good system, you will dramatically increase the chances that you can deal with it,” he says.
Links to businesses are an important part of this strategy, Pszczel stresses. “Co-operating with other countries is very important and co-operating with the private sector is very important.”
It used to be the case that NATO focused on military technology, but now it focuses on the well-being of society through its role as a co-ordinator and umbrella organization for a number of nations. “We look at long-term policy,” he says. “We treat both the closed systems of the military and the open system of the Internet as threats to our security.” It’s a simple strategy: “You need to be ahead of the bad guys all the time, whoever they are,” he says.
Cyber security is a big business for both criminals and tech companies. The global cyber crime market is worth about $380 billion, according to Kroes. As demand for increased protection increases, technology companies are making acquisitions to shore up their expertise in this space (see chart).
Demand for such technology is expected to skyrocket as more governments and businesses realize that preparedness is key. Hard lessons were learned in the wake of the attacks on Estonia in 2007, by NATO, by nation states and by business. Says Pszczel: “One can say we now have a proper set of guidelines and specific resources. We have a significant number of people who are experts from NATO countries – it’s a kind of cyber fire brigade that can be sent in at short notice to help.”
Which is reassuring, because if there’s one thing that’s certain in the arena of cyber security, it’s that the next attack is just around the corner.