Francesca Bosco, UNICRI Programme Officer, United Nations Interregional Crime and Justice Research Institute, talks about cyberattacks, information systems and networks, iot, cybersecuirity risks, threats and vulnerabilities.
CYBERATTACKS and CYBERSECURITY
A cyber-attack is a criminal behavior that is directed to damage, to disrupt, or even to destroy information systems and networks. Part of these information systems and networks are for example our PC's, our laptops, our smartphones. And more so, since we are living in extremely and even more interconnected world for example IOT devices that are part of the ecosystem that we have to consider when we think about the risk of cyber-attacks are for example also critical infrastructures and which are basically all the critical sectors, vital sectors that are running our economy and our society. When we think about cyber security on the other hand, that is basically we have to think about cyber security more as a sort of like a convergence of people, process, and technology. Therefore cyber security are not just the security measures, technical measures, but it's really about educating to have a sort of like a cyber security mindset included in our life: both in our personal life but also in our professional life at all stages. For example institutions, private sector companies, clearly in our personal life but also in academia, civil society organization, everything. Every subject, let’s say every actor of our society needs to have a cyber security approach. Clearly there are some let’s say basic concepts of cyber security so confidentiality, integrity, and availability of data and systems. But integral part of cyber security is to be able to put in place a set of attitudes, a set of approaches and behaviors including technical measures to keep our system secure. When we think about cyber security we have to consider different aspects. We have to understand what we have to secure so basically the asset. We need to understand which are the possible vulnerabilities of the asset. What does it mean? It means that everything that we use and also that we create might have some vulnerabilities, meaning gaps and weaknesses. If you think for example about systems and networks there might be mistakes for example in the line of code that are building our system. This is open vulnerability. It's like thinking about a door that might be opened by criminals or by people that might have a sort of illicit interest. So, a vulnerability is a weakness on one hand. On the other hand we have possible threats that are used to exploit this vulnerability. Threats therefore are either threat agents, so for example different criminal actors that might be interested in exploiting the vulnerabilities or with the threats we also intend for example the techniques that are used for exploiting this vulnerability. On the other hand we have a risk, which is basically let's say the adding up of threats and vulnerabilities which is the risk that we are running when we have to consider information systems and networks. There might be risks that are natural things, for example natural disasters that might shut down for example servers. This is an example of unwanted risk. On the other hand, we have risk that might be more intentional and also more clearly technically related. As we said before since an integral part of cyber security is the human element also related to the human nature for example exploiting social engineering techniques.
When we think about the current world that we live in that is extremely interconnected we have to think that not everything that is currently connected to the internet, for example critical infrastructures, were created when the internet exists. What it means is that we have a super advanced and highly technically designed devices, and on the other hand we have also structures and infrastructure that were created in an age when the internet was not so widespread. But they are living now in the same ecosystem as we are and we are using both of them. So this is one of the first problems that we have to consider. The underestimation, I think we're getting better in terms of underestimation especially from a member state point of view and especially in the European Union thanks to the extremely well-articulated work of the European Commission towards for example strategic framework regarding cyber security and a cyber security agenda. I think all the member states are getting more knowledge and aware when it comes to cyber security. Still there is a sort of underestimation which is an inner aspect of cybercrime. Why? First of all because we don't have an internationally agreed definition of cybercrime. We have a good understanding of the concept and we set up a common language for understanding each other when we talk state to state but on the other hand, we still don't have a more widely accepted definition. Second problem is the underreporting aspect because there are some forms of cybercrime that are considered either less dangerous or on the other hand because there's not enough awareness also from a citizen point of view that you should report cybercrime. This is extremely important to understand numbers let's say the numbers of cybercrime and on the other hand also for member states to set up priorities based on these numbers. This is one of the problems why there is still this sort of a misconception or a not full understanding of the extent of cybercrime. There are some very good initiatives the work of the European Union that is producing every year. The threat landscape report is extremely important. Europol as well with the EC3, the dedicated agency for cybercrime is producing an extremely interesting report the IOCTA: the internet organized crime time assessment that is giving not precisely data but is at least trying to give trends and to give us some sort of priorities. Also for policymakers to understand how important it is to work on this: to work to fight on one hand and also to prevent cybercrime. When I think about for example on the estimation of risk in terms of for example private companies one of the increasing risks are for example insider threats. Insider threats are an extremely tricky point because it's very difficult to manage and also to sort of act in a preventative way towards the insider threats. On the other hand one of the risks that is currently receiving some attention from the European Union and especially dedicated to the private sector companies but as well as institutions and, if I think about it, also for example universities and academia, is the concept of intellectual property. Why? Because at the very beginning cybercriminals started being interested in money. But once you spend the money the money is gone. Then the second step was understanding the extreme benefit that you can have stealing data because data you can reuse them, you can create fake profiles, you can sell them for example in the dark markets and so on and so forth. Then another step is intellectual property. So the know-how that we have for example in our companies, start-ups, that we have in our universities, this is extremely interesting. And that's how also why for us as individuals it is extremely important to take care of our data on one hand. So sensitive data, personal data, but also data regarding for example our family, our work, our social life but also on the other hand think about again which is the asset that we want to protect. That's how I think we are a little bit underestimating the risk that we are running in our society, because we are not let's say managing properly data also from a personal point of view not only from an organizational and I would say private sector point of view.
A THREAT TO THE PHYSICAL WORLD
2017 has been considered to be the worst year in terms of cybercrime. I guess that it has happened in the past, it might happen in the future. One of the main points, especially I would say in the last couple of years, has been the rising ransomware attacks. The critical aspect of ransomware attacks is that when the first time we were seeing attacks of ransomware attacking mostly I would say end users or on the other hand for example private sector companies, specific businesses, I mean clearly banks and financial institutes where some or most of the attacks as well as also some institutions for example at medium and higher level so for example at the city level but also at the state level. The dangerous aspect is then that they started attacking what they call cyber physical systems. What are cyber physical systems? More and more since everything is interconnected, we are seeing the connection of for example critical systems so for example in industrial settings. All those technical systems that are helping the automation, for example in the industrial production or on the other also safety controls that are managed at industrial level. Other examples of cyber physical systems will be more and more for example IOT devices or robotics also because they will have big hardware that will have an impact in our physical world but on the other hand they will be say connected to the internet and they will be given orders let's say by using connections. Therefore they will be unsecure and this is something that we have to deal with and we had a sort of a wakeup call a couple of years ago with a big botnet called Mirai. And the interesting aspect of Mirai is that what ends up in the newspaper was that it attacked Deutsche Telecom. When they started the investigation they discovered that the first let's say weaknesses and vulnerabilities that they tried to exploit were for example toasters and baby monitors. Why? Because most of the IOT devices that we have in our societies and in our markets they do not have the adequate level of security that is needed thinking that they might be interconnected to the widest internet. And that's a problem that we're facing because clearly criminals might exploit less secure devices to attack even bigger infrastructure. Another good example is the fact that this specific botnet Mirai also attacked an important DNS system called DYN and this brought down a lot of quite important or quite a well-known web services, for example the NY Times, Reuters. So, the problem is that in that case it was a side effect meaning that this botnet propagated in such a fast way and in such an uncontrolled way because it was exploiting all vulnerabilities and all the weaknesses. This is another step of cyber security. Not only we have to put on the market devices that are secure, but we have to patch old vulnerabilities. This is another challenge that we have because a lot of the devices and a lot of the infrastructures that that we're currently using and that they are as mentioned before critical and vital for our economies, might have old vulnerabilities that still need to be patched. Therefore that's why attacks against cyber physical systems, attacks that are let's say stemming from the virtual world but that are having more and more a practical effect let’s say in the real world are extremely worrying. A very good example is also last year’s attack of wannacry where among others, one of the main targets was the UK health service and specifically a good example is the attack against a hospital. For example, they had to reschedule or the visit. They had to pay attention to reschedule for example the time schedule of the ambulances. They had also to take care of some patients that were connected to some machines that were connected to the whole system. That's why it is the first time that we're seeing some virtual attacks that have also quite a concrete impact on the physical world.
GDPR is absolutely I think a game changer. It's absolutely a game changer for a couple of reasons. First of all because it's including two aspects that for a long time have been considered in a separate way: privacy and security. Putting together privacy security really means raising up the level of knowledge and awareness and understanding that we really need to boost the cyber security attitude that we need in our economy because clearly GDPR has a very a strong focus on private sector companies and also on institutions so but clearly more the economic aspects but on the other hand it's also including not only measures regarding the data protection, even if the name is general the protection regulation, but on the other hand also some aspects of understanding which are the risks that you're running, when you're running a company when you're running a service, regarding the data that you're collecting that you are managing and that you are storing. This is extremely important and I think it's clearly not the end point of the process from a legislative point of view but is also a milestone that we have reached at the EU level and also with relationship with that what they're called third world countries that will for sure raise the knowledge. I also give some practical and personal example also of people that are not directly affected by the regulation but that have started receiving alerts that regarding the fact that due to the entering force of GDPR they will be informed about how their data are collected and stored by certain services. I think it had an extremely good effect in raising the awareness also for the normal citizen, the average user in understanding how important are our data and the fact that we need to treat them with respect.