Contribution to the National Risk Assessment on the topic of Cybersecurity

Transcription

1 Contribution to the National Risk Assessment on the topic of Cybersecurity 30 June 2014 presented to the Department of the Taoiseach by Contact Jason Ward EMC Director for Ireland, Scotland and UK North T: +353 (1) M: +353 (0) E: A: Blanchardstown Corporate Park, Ballycoolin, Dublin 15

2 Taoiseach, The speed of technological growth and the open, increasingly social nature of it has proved taxing for private companies and government bodies. The explosion of broadband and smart devices has provided cybercriminals numerous new avenues to private, often secret, information. This is not only an issue for individuals, but for national governments, causing hundreds and thousands or millions of euros worth of damage. The omnipresence of internet-enabled technology has also brought to the fore the new threats of cyberwarfare and cyberterrorism, which have the potential to cause major disruption on a national scale. EMC, particularly its security division, RSA, whom I both represent at an international level, has extensive experience and wide-ranging expertise of cybersecurity. The following document outlines, in detail, the threats posed by cybercrime, cyberterrorism and cyberwarfare to the Republic of Ireland and the means to combat both through initial recommendations for a revised National Risk Assessment. On behalf of the managing board of EMC in Ireland, I hope that this document will assist your department in its drafting of a new National Risk Assessment. Jason Ward EMC Director for Ireland, Scotland and UK North

3 The cost of cyberattacks The ubiquity of the internet and mobile devices has brought people closer than ever before, promoting social sharing, building new business and encouraging innovation. This interconnectedness is a triumph, and the currently unfolding technological revolution will undoubtedly be the great legacy we leave to our children. But, to an unscrupulous hacker, the syncing together of mobile and desktop devices, of social media and accounts, presents a well-labelled roadmap to valuable data, private and governmental. Simply put, the extremely fast pace of technological advancement is constantly introducing new variables into the domain of cybersecurity to such an extent that traditional security measures cannot keep apace. Cybercrime has already had a damaging effect on the Irish economy: the Deloitte 2013 Irish Information Security and Cybercrime survey, in association with EMC, found that 40% of Irish companies experienced at least one security breach in that year with an average cost of 135,000. In terms of the remediation and clean-up costs associated with security incidents and cybercrime, the survey showed that the average cost of a large security incident stood at 29,954. Recent instances of a lapse in cybersecurity, reported extensively in the media, show that even one weak link in a network, or a chain of networks, can lead to a massive data breach, affecting millions of individuals, with financial and psychological consequences. The cybercriminal s arsenal As technology becomes increasingly sophisticated and economies of scale reduce cost barriers to it, hackers can employ more elaborate methods of disruption. Given the openness of today s technology, and society s now instinctive, unthinking use of it, targeted attacks are especially hard to prevent. Malware that is to say, programs designed to disrupt, destroy, or gain access to private files comes in a multitude of forms. Some are downloaded from spam s or from suspicious websites, while others are targeted: that is to say, designed and deployed to breach a specific system or network. Often, threats lie dormant in a system or network for days, weeks, or even months before they are activated. New, high-profile viruses like CryptoLocker are especially potent. Once downloaded, the virus encrypts the contents of the user s hard drive, making the device virtually unusable. The decryption password is only provided to the victim if they provide the criminal or criminal organisation with a ransom of several hundred euro, and even then, their compliance is not guaranteed.

4 Furthermore, the prevalence of mobile devices and their accompanying app stores has led to a rise in botnets, networks of interconnected, internet-enabled devices that are used, often without their owner s knowledge, to perpetuate harmful viruses through the initial downloading of a rogue app, malware masquerading as a seemingly legitimate piece of software. On an individual scale, the effects of malware are mostly self-containing. On a national scale, malware designed intentionally to cripple government systems can have rippling, tangible effects on public services. Such grandiose cyberattacks constitute the basis of cyberterrorism and cyberwarfare and can be used by criminal organisations, political groups and foreign powers to cripple national infrastructure for a variety of reasons. There is no reason to assume that the Irish government could not fall foul of such an attack. Methods of defence While mostly adequate for private individuals, for government and businesses, simple anti-virus suites and firewalls are not sufficient enough protection from these advanced threats. Imagine these traditional methods as brick walls: effective at combatting the crassest attempts at a security breach, but otherwise useless against those well-equipped and thoroughly determined to circumvent them. But, our defences are also evolving. Intelligence-driven security measures that proactively assess internal networks using artificial intelligence are the next step in cybersecurity. Bespoke and scalable to an organisation s needs, this type of software looks for unusual patterns in user behaviour (such as attempted log-ins from an unknown location); predicts attacks; and responds with appropriate measures, all by analysing a vast swathe of collated internal and external data that give insight into typical organisation protocol. Though some cyberattacks can be impossible to repel before they cause damage, government can immunise itself from a majority by ensuring personnel employ adequate security hygiene. It should be established practice to update browsers and security software when prompted; to have unique passwords for different accounts, and to change them frequently; and not to open suspicious attachments from those deemed suspicious.

5 How could a cyberattack affect Irish government? Cyberattacks are damaging to all strata of Irish society, and can occur on micro and macro scales. At a government or national level, a cyberattack can constitute a single incident, like the illegal accessing of an elected representative s account or the defacement of a departmental website for nefarious purposes, like blackmail or espionage, by an individual or organisation; or full-scale cyberterrorism or cyberwarfare, like breaching an entire computer infrastructure to jeopardise vital utilities, such as electricity or gas, or bank networks, by an organisation or nation state for political or financial motives, or simply to cause chaos. While the former is a regular occurrence for politicians and governments in Ireland and abroad, the threat of the latter which has the capacity to disable entire systems is a growing reality. Over the last three years in particular, cybersecurity has shot to the top of national defence agendas as countries around the world, including the United States, United Kingdom, Canada, France, Israel and Russia, have faced waves of attacks on government departments, intelligence agencies and other parts of the national infrastructure. Indeed, in 2013, NATO Defence Ministers met for the first time to discuss exclusively the unique problem of cybersecurity. Without a proper cyberdefence strategy in place, the Irish government is flirting with disaster. Unprovoked or unpredicted attacks will easily overcome a security infrastructure ill-equipped to handle anything large scale, and without a central body to contain a breach or warn other stakeholders, the consequences for a government network, or indeed, wider public infrastructure including emergency services and transport would be dire, causing massive financial, political, and psychological loss. EMC recommendations for the National Risk Assessment EMC is an international technology company that specialises in data storage, cloud computing, and through its security division, RSA, intelligence-driven security solutions. It employs over 3,000 people in Ireland, many highly skilled engineers. The company s Cork-based Centre of Excellence is a major research and innovation hub, and forms the basis of EMC s EMEA headquarters.

6 Through RSA, EMC has worked with a number of major clients, including intelligence agencies, to deliver scalable cybersecurity solutions that combat new and existing threats while working within established organisation parameters. Following extensive consultation, we propose three key items for the cybersecurity section of the revised National Risk Assessment and the basis of a National Cyberdefence Initiative: 1) Ensure that government and its associated computer networks are protected by intelligent security solutions that proactively target threats using artificial intelligence. 2) Form a Cyberdefence First Response Team, an organisation responsible for rapidly assessing and eliminating emerging threats to national security; disseminating vital cybersecurity information to the government and public; and coordinating cyberdefence operations within Ireland and abroad. 3) Hold monthly, or regular, meetings between key government stakeholders and a panel of appointed cybersecurity experts to review existing infrastructure and emerging or current threats. Conclusion While cybercrime and cyberwarfare are alarming and unprecedented adversaries, the Irish government now has the means and the expertise to mount an appropriate, sophisticated defence against them. EMC believes that the first step in establishing this defence will be a revised National Risk Assessment that looks more intensely at the problem of cybersecurity; and the ultimate formation of a National Cyberdefence Initiative to protect Irish computers and networks at a state and individual level.