Hagai Katz, head of Government Sector at Check Point explores how nation states can and should prevent cyberattacks against their critical assets and citizens.
In the spring of 2007, Estonia became the first nation state in the world to fall victim to a massive, targeted cyberattack. An enormous distributed denial of service (DDoS) attack paralysed government and other critical websites, as well as systems such as banking infrastructure, across what was at the time one of the world’s most connected countries – forcing the country to disconnect itself from the Internet to allow services to recover.
Since then, large-scale attacks against national interests aimed at damaging critical infrastructure and destabilising countries have only increased. Consider, for example, the infamous Stuxnet worm, which was detected in June 2010, targeted ‘high value’ infrastructure in Iran and was almost certainly state-sponsored. Or consider the joint statement issued by the US and UK in April 2018 on malicious cyber activity, supposedly perpetrated by the Russian government.
There are many potential consequences of large-scale, nation-state targeted cyberattacks, ranging from disruptive to deadly. For example, what if the electricity or water supplies to a city were cut off, even just for 36 hours? Businesses would not be able to function; hospital patients and vulnerable people could die. A large-scale attack on the banking system could paralyse the financial markets and cause businesses – even economies – to fail. And attacks that disrupt transportation systems such as air-traffic control could have obvious consequences.
Cyber warfare by one nation state against another has become a real and present danger. The question is – what can national governments do to protect their citizens and infrastructure?
The current state of national cyber-security
It’s important to remember that cyber risks to nations don’t just come from other nations. Cybercrime organisations, terrorists, hacktivists and others are using sophisticated tools, as well as reusing state-sponsored cyber-weapons that have leaked into the public domain; that was the case with the global WannaCry ransomware attack (and the subsequent NotPetya attack), which grabbed headlines in 2017. No wonder the World Economic Forum’s 2018 Global Risks Report placed cyberattacks high on both its likelihood and its impact indices. Thus, most nation states have already shifted from viewing cyber threats as “only” a matter of financial, data or privacy losses to treating them as genuine threats to physical safety and life.
As such, most national governments now take a three-pronged approach to cyber defence. First, they tend to build dedicated cyber arms of government – that is, committees and administrations which focus on exploring the best strategy, legislation and approach to dealing with cyber threats.
Second, governments focus on programmes of education and awareness. Mostly, they try to close the global shortage of cyber security professionals, which is estimated at about 3.5 million.
Third, they establish at least one civil national CERT (Computer Emergency Response Team), with the aim of confronting cyber threats and attacks. Countries typically separate their military cyber defence from their civil defences; for civil defence they may have a single centralised CERT, or a few CERTs which each focus on a specific sector. However, as their name suggests, CERTs are, by definition, reactive rather than proactive. They typically take action only after a major cyber incident has already started, or has taken place. Some CERTs are moving towards proactive capabilities – they collect intelligence and try to issue alerts about new, emerging risks or predicted attacks – but the effectiveness of these measures is limited, since the overall cycle of detection, analysis, publishing and implementation may take weeks rather than seconds or minutes.
In any case, the majority of CERTs lack both the legal mandate and the technical capability to protect their national interests proactively, in real time or near real time. And this is where things need to change: today, even if a CERT is informed hours before a mega-attack, it has no means to proactively block the attack and defend major industries, utilities, hospitals, airports and other critical facilities.
Building effective cyber homeland security
Let’s examine a security model we’re more familiar with. In addition to defending the borders of a country, homeland security defences use tools such as radar to scan the skies for impending missile attacks against the country’s cities and interior. This gives the ability to analyse enemy actions and make intelligent decisions on whether to send citizens to shelters, or launch anti-missile strikes.
A similar approach should be adopted for nationwide cyber defences. Both perimeter and internal protections are needed, to protect against a range of threats, from large-scale DDoS attempts to stealthy, damaging malware. The major access points into the country’s critical infrastructures should all be proactively monitored, with threat intelligence feeding into an operations centre that identifies, analyses and determines the correct response to incoming threats. This can be combined with real-time threat prevention to trap new, evasive malware before it can spread laterally at scale.
This overarching visibility and threat analysis layer should be an ‘umbrella’ over organisations’ own cyber defences and intelligence feeds, securing overall nationwide cyber resilience. Those protections need to be as automated as possible, to ensure an immediate response with minimal need for human intervention, matching the speed at which today’s threats can propagate. The protections should be driven by real-time intelligence and situational awareness to ensure they can defend against even new, never-before-seen threats.
The Internet has revolutionised every aspect of society – including international diplomacy and warfare. To defend against new generations of threats, the only valid approach is a holistic one to national cyber defence, which can identify the earliest signs of attacks and contain them automatically, before they can cause widespread disruption.