eolas magazine Cyber Security report Sep 2021


HSE ransomware attack: Government’s cybersecurity policy priorities

Following the ransomware attack on the HSE and amid a growing threat to Ireland’s critical national infrastructure, the Government has sought to strengthen the capacity of the National Cyber Security Centre (NCSC). Minister of State with responsibility for Public Procurement and eGovernment, Ossian Smyth TD writes.

The recent cybersecurity incidents in the Health Service Executive (HSE) and the Department of Health are the most serious cyberattacks we have ever faced in Ireland. These attacks, which were likely carried out by an international cybercriminal gang, caused major damage to IT systems that continues to impact on the delivery of services throughout the country.


This heinous attack on our health services in the midst of a global pandemic shocked the world but is just the latest in a series of major ransomware attacks which have targeted critical industries such as health, energy and agriculture. The whole-of-government response to the HSE incident was led by the NCSC, a division within my department which plays an important role in defending Ireland from the global threat of cyberattacks. The NCSC was established by government decision in 2011, with a very broad remit covering government ICT and critical national infrastructure. The role of the NCSC is to monitor and respond to cybersecurity incidents in the State, to manage and share intelligence relating to threats to network and information security in the State including during incidents, and to lead efforts to improve the resilience and preparedness of the State in cybersecurity terms, including government, critical national infrastructure, and business.

Recognising that cyber threats present a significant threat to life and livelihoods, in 2016 the European Union (EU) adopted the Network and Information Security Directive. The Directive sought to ensure member states are prepared to respond to cybersecurity incidents and to develop a culture of cybersecurity in the delivery of services essential to human life, or in key social or economic functions. In accordance with the Directive, the NCSC works closely with stakeholders in five critical sectors – digital infrastructure, energy, healthcare, transport, and drinking water – while the Central Bank of Ireland oversees cybersecurity in the banking and financial services sectors. NCSC staff engage on a regular basis with designated operators of essential services to support them to improve their cybersecurity.

Within the NCSC, the Government has established a dedicated incident response unit called the Computer Security Incident Response Team (CSIRT). Ireland’s CSIRT is internationally accredited and engages with its counterparts in the EU and globally to share information on vulnerabilities and threats. The CSIRT team led the initial response to the incidents in the HSE and the Department of Health and continues to support these bodies in recovering their systems. I have been very impressed by the knowledge and technical skills of the CSIRT team, but moreover their hard work and commitment in the face of a major crisis for the health service.

In common with similar bodies in other EU member states, the NCSC has also developed a more proactive approach to cybersecurity within the State. The NCSC engages with a broad range of stakeholders in both the public and private sectors, for instance sharing information on vulnerabilities and threats by way of advisory notices. In the days after the HSE incident, the NCSC engaged with all of its constituents to share information on the malware deployed by the cybercriminals to reduce the risk of successful attacks on other vital services. In the weeks since then, the NCSC staff have had extensive engagement with organisations across the public sector to provide advice and support to enhance their cybersecurity and resilience.

The nature of the digital transformation in our lives is such that no country or organisation can be 100 per cent protected from the threat of a significant cyberattack. As the digital landscape evolves so too does the level of threat from cyber attackers. So far this year, Ireland has been affected by the SolarWinds supply chain attack, the malicious exploitation of Microsoft Exchange Server vulnerabilities and the destructive ransomware attack on the health sector, as well as many other localised cyber incidents. This trend is reflected across the globe with high profile ransomware attacks such as the Colonial Pipeline, JBS and most recently Kaseya, which all had severe impact on individuals and businesses.

Cybersecurity is a global challenge which can only be addressed through collective action. I was heartened by the significant assistance the NCSC received from partners in the EU, the UK, and the US in response to the HSE incident, for which we are very appreciative. I also welcome that the European Council has condemned the recent malicious cyber activities against member states including Ireland.

Against the backdrop of a growing threat, the Government has recently agreed to an expansion of the NCSC from 25 to 45 staff over the next 18 months, and to 70 within five years. A significant package of other measures to further strengthen the capacity of the NCSC to respond to the growing threat from cyber criminals was also agreed by government, including the development of legislation to establish the NCSC on a statutory basis with a set of formal powers and a legal mandate. A five-year technology strategy for the NCSC that scopes its internal requirements and its relationship with academia and industry will also be developed.

Ireland also spoke recently at the UN Security Council about the damaging impact of malicious cyber activities which can threaten international peace and security. Ireland is working closely and proactively at UN level to promote a secure, safe, open, and free internet, firmly grounded in the application of international law in cyber space and norms of responsible state behaviour. It is also important that States take appropriate actions against actors conducting such activities from their territory.

In addition to the recruitment of 20 additional full-time roles, a cybersecurity graduate training programme will be initiated by the NCSC in 2021, with four computer science graduates recruited each year on contracts of three years’ duration. Staff in my department are already progressing these measures and will work closely with the departments of Defence, Foreign Affairs and Justice, the Office of the Government Chief Information Officer, An Garda Síochána and the Defence Forces, and with all relevant partners to further enhance cybersecurity and resilience in the public sector.

The Government is also working with EU partners on the timely review of the Network and Information Security Directive, recognising that the threat landscape has evolved considerably since 2016, to ensure an appropriate regulatory framework is in place across the EU to safeguard essential services and digital platforms from cyber threats. This reflects Ireland’s long-standing support for the EU vision of cyberspace grounded in the rule of law, human rights, fundamental freedoms, and democratic values. International cooperation between states, with international organisations and involving industry is essential to keeping cyberspace global, open, stable, and secure.


Ransomware: To pay or not to pay? Legal or illegal?

Advertorial

Caught between a rock and a hard place, many ransomware victims cave in to extortion demands. But should they? Why are companies paying and what will it take for them to stop?

It may just be, or at least initially seem, more cost effective to pay than not to pay. The current precedent to pay likely dates back to the ethically brave organisations who refused to pay. When WannaCryptor (a.k.a. WannaCry) inflicted its malicious payload on the world in 2017, the United Kingdom’s National Health Service bore a significant hit on its infrastructure. The reasons why they were hit so hard are well documented, as are the costs of rebuilding: an estimated US$120 million. This is without considering the human costs due to the 19,000+ cancelled appointments, including oncology.

With examples of publicly recorded incidents showing the cost to rebuild is significantly more than the ransom, the dilemma of whether to pay or not may be one of cost rather than ethics. But there is no guarantee that a decryptor will be forthcoming or that, if provided, it will even work. Indeed, a recent survey by Cybereason found that almost half of businesses that paid ransoms didn’t regain access to all of their critical data after receiving their decryption keys. Why pay the demand, then?

Well, the business of ransomware became more commercialised and sophisticated on both sides: the cybercriminals understood the value of the data involved in their crime, due to the rebuild costs being disclosed publicly, and a whole new industry segment of ransomware negotiators and cyber-insurance emerged on the other. A new business segment was born: companies and individuals began profiting from facilitating the payment of extortion demands.

It’s also important to remember the devastating effects that ransomware can have on a smaller business that is less likely to have access to expert resources. Paying the demand may be the difference between the business surviving to fight another day and closing the doors for good, as happened to The Heritage Company, causing 300 people to lose their jobs. In countries with privacy legislation, paying may also remove the need to inform the regulator.

Are negotiators and cyber-insurance causing or solving the problem?

The current trend of paying the ransom and an attitude that it’s ‘just a cost associated with doing business’ is not healthy. The question at the boardroom table should be focused on making the organisation as cybersecure as possible, taking every possible precaution. With insurance there is likely to be an element of complacency, minimally meeting the need to comply with the requirements set out by the insurer and then carrying on with ‘business as usual’, knowing that if an unfortunate incident happens, the company can step aside and push the insurer to the front line. The two incidents that affected the cities of Riviera Beach and Lake City were both covered by insurers, as was a payment by the University of Utah of $475,000, and reportedly Colonial Pipeline was also partially covered by cyber-insurance, although at this stage it is unclear if it has claimed.

While cyber-insurance may fund the ransom payment and conduct the negotiation that results in a cushioned impact, there are of course many other costs involved, as previously discussed. The insurers of Norsk Hydro paid US$20.2 million when the company suffered an attack in 2019, with the overall cost being estimated at between US$58 million and US$70 million; some of the additional amount may also have been covered by insurance. If Norsk Hydro, or any other company that has fallen victim, had its time again, it might decide to spend some of the estimated US$38 million to US$50 million it then spent above the insurance payout on cybersecurity as a prevention, rather than on post-attack expenses to recover from an attack.

A cybercriminal’s first task could be to work out who has cyber-insurance, to narrow the list of targets to those that are highly likely to pay; it’s not their money, so why wouldn’t they? Cyber-insurance is probably here to stay, but the conditions the insurance should require from a cybersecurity perspective – a resilience and recovery plan – should define extremely high standards, thus reducing the possibility of any claim ever being made. The insurance must not be allowed to become the fallback option. ‘Attacked? It’s a nuisance but that’s okay, we are insured.’

Is it time to ban ransomware payments?

The ransomware attack in May by the Conti ransomware group on the Irish health service could highlight a reason not to ban paying the cybercriminal for a decryptor, while banning payments made to stop them publishing the data they have exfiltrated. As could the attack on Colonial Pipeline: no government wants to see lines forming at the gas pumps, and if not paying means providing no or limited service to citizens, this could be politically damaging. There is a moral dilemma caused by an attack on infrastructure, and paying while knowing the funds are used to resource future cyberattacks is difficult, especially when you consider healthcare.

Paying the ransomware demand also seems to create a second chance opportunity for cybercriminals: according to the survey by Cybereason mentioned earlier, 80 per cent of businesses that pay the ransom subsequently suffer another attack, and 46 per cent of companies believe this to be the same attacker. If the data shows that payment of a demand causes additional attacks, then banning the first payment would significantly change the opportunity for cybercriminals to make money. Government selection, via the sanctions list, of which cybercriminals can be paid and which cannot, does not seem to be the right course of action.

Conclusion

Paying ransom demands shows a complete disregard for decent behaviour and for the principle of not funding cybercrime; it creates an attitude that funding criminal activity is acceptable. It’s not. The right thing to do is to make funding cybercriminals illegal, and legislators should be stepping up to the plate and going to bat to stop the payments from being made. There may be a first-mover advantage for countries that do pass legislation forbidding payments: cybercriminals that are behind these high-value attacks are focused, funded, resourced, and driven. If a country or region passed legislation that prohibited any company or organisation from paying a ransomware demand, then the cybercriminals will adapt their business and focus their campaigns on the countries that are yet to act. If a cyber-incident regulator existed, to which incidents had to be reported, we would better understand the scale of the problem, as one agency would have vision on all incidents. The regulator would also be a central repository for decryptors, knowing who is on the sanctions list, engaging the relevant law enforcement agencies, notifying privacy regulators, and it would know the extent and result of previous negotiations. In short, make paying the ransom illegal, or at least limit the insurance market’s role and force companies to disclose incidents to a cyber-incident regulator, and regulate cryptocurrency to remove the pseudo right to anonymity. All of these could make a significant difference in the fight against cybercriminals.

T: 053 914 6600 E: hello@eset.ie W: www.eset.ie


Garda National Cyber Crime Bureau: “Most crime has a digital footprint”

Ciarán Galway sits down with the Garda National Cyber Crime Bureau’s Detective Chief Superintendent, Paul Cleary, to discuss his Bureau’s role and expansion, as well as cybersecurity trends.

Headquartered at Harcourt Square, the newest bureau within the Organised and Serious Crime (OSC) section of An Garda Síochána, the Garda National Cyber Crime Bureau (GNCCB) is tasked with providing top tier digital forensics on behalf of the Garda organisation. Established in 1991, the GNCCB was previously a section of the Garda National Economic Crime Bureau and was known as the Cyber Crime Investigation Unit. As a result of the proliferation in cybercrime worldwide, and following recommendations in the Commission on the Future of Policing in Ireland report, An Garda Síochána was tasked with greatly increasing its capacity and capability in the area of cybercrime. The Bureau was subsequently re-established in its current configuration in 2017. Since June 2020, GNCCB has been led by Detective Chief Superintendent Paul Cleary, who has been entrusted with its expansion. “This gives an indication of how seriously the organisation is taking this particular type of crime,” Cleary asserts.


Cybercrime can be separated into two components: cyber-enabled crime and cyber-dependent crime. Cyber-enabled crime is traditional crime, such as theft, harassment, child exploitation or fraud, that can be committed without a computer but is enabled by a computer in certain circumstances. Cyber-dependent crime includes hacking, ransomware, DDoS attacks and malware. As such, the GNCCB head affirms: “Today, most crime has a digital footprint, whether in the commission of the crime, the preparation beforehand or in the cover up afterwards.” While cyber-enabled crime is generally investigated by colleagues across An Garda Síochána, the GNCCB is entrusted with digital forensic examination of computer media seized as part of investigations, including phones, laptops, desktop computers, SD cards, memory sticks and hard drives. Meanwhile, cyber-dependent crime falls under the GNCCB’s proactive investigations, and different sections within the Bureau ensure that it has the capacity and capability to investigate all types of cybercrime.

Structure and expansion

Overall, the GNCCB comprises two top tier digital forensics units known as Computer Forensics 1 (CFE1) and Computer Forensics 2 (CFE2); the Cybercrime Investigations Unit; the Cyber Intelligence Unit; the Cyber Security Unit; and the Cyber Safety Unit.

Discussing the Bureau’s expansion, the Detective Chief Superintendent highlights the recruitment of 25 new members of An Garda Síochána to the GNCCB in April 2021. A further 34 members are expected to be allocated in the coming months. This is in addition to the decision to recruit 20 Engineer Technician Grade III Garda staff, the first time that civilian staff have been recruited at this grade and at this scale. While not sworn members of An Garda Síochána, having been initially assigned to CFE1 and CFE2, they will effectively be undertaking the exact same role as GNCCB detectives.

“Initially, they will be in the Computer Forensics Section,” Cleary indicates, adding: “That is where our biggest backlog is. We are anxiously awaiting the competition for the 20 civilian staff members to be advertised because we could do with that additional manpower here.”

Simultaneously, in recent months, four satellite GNCCB hubs have been established in Galway, Cork, Mullingar and Wexford. Although geographically disparate, these hubs fall under the governance and oversight of the GNCCB. In addition, as part of its expansion, in conjunction with its partners in UCD, the GNCCB has trained almost 200 digital first responders across every district in the country. Whereas the GNCCB and its satellite hubs provide top tier digital forensics, the digital first responders are trained to assess, triage and preserve evidence on devices that they examine. “Issued with specialist equipment, they are attached to district detective units around the country. We have them trained to a level whereby they can be brought on searches by detectives. If they come across devices, they can have a look and analyse them to determine whether they contain data of evidential value. They are a very important component of the GNCCB’s expansion plan,” Cleary maintains.

Acknowledging that talent retention can be a challenge for An Garda Síochána, given the competitive salaries available in the private sector, the GNCCB head argues that job satisfaction and the ability to “make a difference” matter more. “Policing and law enforcement will always be attractive to those people who have public service values and who want to pull on the green jersey and assist in their communities.

“Working here in the GNCCB, undertaking the type of work that we do, people can absolutely make a difference. Plus, the type of experience that individuals get with the law enforcement grade toolsets that we use here is invaluable,” he says.

Cybercrime

In recent times, instances of cyber-enabled crime, including phishing, smishing, vishing and scam calls, have increased exponentially. Simultaneously, cyber-dependent crime attacks are increasing greatly in number and sophistication. Organised crime gangs are being increasingly attracted to cybercrime due to its potentially lucrative profits and limited risk of detection. If they are prosecuted, the Detective Chief Superintendent suggests, they know that very often the perceived white-collar crime can result in low sentences. “We are all aware of the rapidly progressing digitalisation of society and business and the endless new opportunity this presents for criminals to steal data, cause disruption, and gain very lucrative financial rewards with limited risk. Over the last year, we have observed first-hand how the Covid-19 pandemic and the increased prevalence of remote working on unsecured devices have enabled cybercriminals to adapt their scams to profit from unsuspecting people and unprepared businesses.

“One of the biggest trends that we see in the cyber-dependent crime sphere is a lack of reporting by companies affected. We are very aware of the commercial agenda and potential reputational effects of a known data breach, but we would always ask companies and victims to report to the gardaí; even if they do not want to follow through with official attribution, we can still learn from the cyberattack and hopefully warn others,” Cleary reflects.

Ransomware

Ransomware is a form of malicious software or malware that infects a computer or network by encrypting its essential system files, preventing it from starting up. Other ransomware encrypts an owner’s files, leaving them inaccessible to the user. Infections can be downloaded or injected into the system from emails that appear to come from trusted contacts. They can also be embedded in attachments that appear important or have filenames that suggest they are worth opening, or they can be downloaded from infected or insecure websites or personal devices. Once the malware has been opened or downloaded, it can reside in a device’s memory until triggered or it can immediately begin encrypting documents, spreadsheets, or other files. The files are scrambled using a mathematical algorithm, and a decryption key, known only to the attacker, is required to unlock them. Often, a message is displayed on screen, telling the user that their content is locked and that they must pay a ransom to regain access. In some cases, the attacker may claim that they are from a law enforcement agency and that the victim must pay a fine for accessing illegal material online.

Worldwide, the law enforcement community believes that ransomware has reached a tipping point, with many countries having elements of their critical national infrastructure crippled due to such attacks. INTERPOL advises that the projected worldwide financial loss to cybercrime for 2021 is valued at $6 trillion, twice as much as in 2015. “We need a coherent effort to tackle this because if we are all working in isolation, it can become complicated by interjurisdictional issues. Cybercrime does not respect national borders; therefore, we need to get to a point where we can tackle it worldwide,” Cleary maintains. The advice from An Garda Síochána and the GNCCB is that ransom demands to recover data should never be paid. There is no guarantee that the data will be released once a ransom is paid, and it is likely that more demands may be made following the first payment. As such, acquiescence encourages further ransomware attacks, creating more victims around the world.

HSE attack

While describing the recent ransomware attack on the Health Service Executive (HSE) as “an eye-opener for all of us”, the GNCCB head insists that the subsequent response was effective. Initially, the NCSC took the lead, and its priority was to restore the HSE systems safely, limiting the damage. Once that was complete, the GNCCB then moved in and began its investigation. “There have been a lot of lessons learned through this attack which will only make us more prepared in the future,” Cleary observes, adding: “There was some level of preparedness there already, the response was good. It was great to be able to demonstrate how we can immediately come together to act and make tangible progress.”

The organised cybercriminals behind the attack utilise Conti ransomware and are known as the ‘Conti Ransomware Gang’. “To date, our investigation over the last 14 weeks has made great progress. We have a very good insight into how these cybercriminals conduct their business. We have seen the modus operandi that they use and know that they are financially motivated, as well as seeking to cause as much disruption as possible to their targets in an effort to encourage them to pay,” the Detective Chief Superintendent outlines.

Despite the challenges, including pursuing cybercriminals across multiple borders, Cleary believes there is a realistic prospect of justice being served. “We always have to be optimistic because yes, while it does present challenges, I know from my experience that criminals will always make mistakes somewhere along the line and we will always be there to capitalise on those mistakes. They only have to make a mistake once.

“We are collaborating with INTERPOL and EUROPOL on a concerted effort to use our combined law enforcement skills and resources to mutually beneficial aims. If you consider how we are already doing this with drug trafficking and importation and human trafficking investigations, you will see the same standard being applied to cybercrime investigation as is assigned to those other investigations. Yes, it is difficult. Yes, there are some areas of the world which are not as receptive to our inquiries as others, however, we keep going.

“Sanctions do not always come in the form of putting handcuffs on someone, there are a number of alternatives that can be attributed to these cybercriminals. I am cautiously optimistic that we will see attribution and sanction against those involved in these cybercriminal gangs.”

Child exploitation

On a personal level, for Cleary, the greatest successes of the Bureau to date have been in the area of child exploitation. “The exploitation of children and the proliferation of child abuse material is one of the most heinous crimes that the GNCCB investigates. This crime targets the most vulnerable in society and there is a victim in every case,” he notes. A significant amount of GNCCB time is willingly spent on identifying the perpetrators of these crimes and their victims. The Bureau uses recognised tools and techniques to ensure its examinations can locate and identify the best evidence to prove the guilt or the innocence of the suspects involved. “We also draw on the investigative skills that examiners have built up over their experience as gardaí in regular and specialist policing roles,” the GNCCB head says, elaborating: “This is essential to their work, which does not just involve the examination of computers, but must also involve an interpretation of the evidence, based on experience and what their investigative head tells them.”

Consequently, the work of investigators and examiners at GNCCB can be emotionally and psychologically demanding, especially in cases involving physical or sexual assaults on children. The wellbeing of his colleagues is at the centre of Cleary’s work, and he identifies staff welfare as a primary priority. “Our teams are encouraged to use the supports that exist within the organisation, including mandatory supports, enhanced counselling, the employee assistance service and the peer support network, while also looking out for each other.

“I take staff welfare very seriously and it is a priority for me that we do have the supports in place to assist the members when they are tasked with this challenging and demanding work,” Cleary concludes.

Detective Chief Superintendent Paul Cleary A native of Ronanstown in Dublin West, Paul Cleary has 28 years of policing experience. Starting off in the north innercity, he spent three years in the North Central Divisional Drugs Unit, two years in the Special Detective Unit and another five years as a district detective in Store Street Station. Cleary then spent several years as a detective sergeant in the Operational Intelligence Section as a CHIS handler, three years as detective inspector in Kevin Street Station, investigating serious and organised crime, including gangland murders. He then worked as the Dublin Regional Detective Superintendent in charge of CHIS and as a detective superintendent for west Dublin, based in Blanchardstown. After promotion to Chief Superintendent, he spent a year-and-a-half in the Garda National Roads Policing Bureau at Garda Headquarters. Since July 2021, Cleary has been assigned Head of Bureau as Detective Chief Superintendent in charge of the GNCCB. He also has additional responsibility of two other OSC bureaus, they are the Garda National Technical Bureau, and the Garda Operational Support Services.


European cybersecurity strategy published

In December 2020, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented the new EU Cybersecurity Strategy. Among its most notable measures are plans to establish a new Joint Cyber Unit to combat cyberattacks across the EU.

The 2020s have been dubbed the Digital Decade by the European Union, and the publication of the EU Cybersecurity Strategy will play a key part in the Shaping Europe's Digital Future strategy, the Recovery Plan for Europe, and the EU Security Union Strategy. The Strategy aims to “bolster Europe's collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools”. Speaking upon the presentation of the strategy, Margrethe Vestager, Executive Vice-President for A Europe Fit for the Digital Age, said: “Europe is committed to the digital transformation of our society and economy. So, we need to support it with unprecedented levels of investment. The digital transformation is accelerating but can only succeed if people and businesses can trust that the connected products and services on which they rely are secure.”

The strategy proposes action in three separate areas to put “trust and security at the heart of the EU Digital Decade”. The second of these, “building operational capacity to prevent, deter and respond”, contains within it plans for the creation of the Joint Cyber Unit. The Joint Cyber Unit is being designed “to strengthen cooperation between EU bodies and member state authorities responsible for preventing, deterring, and responding to cyber-attacks, including civilian, law enforcement, diplomatic and cyber defence communities”.

The High Representative has also put forward proposals to strengthen the EU Cyber Diplomacy Toolbox to “prevent, discourage, deter and respond effectively against malicious cyber activities, notably those affecting our critical infrastructure, supply chains, democratic institutions and processes”. The EU has stated its aim to further enhance cyber defence cooperation and develop state-of-the-art cyber defence capabilities, aiming to build on the work of the European Defence Agency and encourage member states to make full use of the Permanent Structured Cooperation and the European Defence Fund.

In the first of the three areas, “resilience, technological sovereignty and leadership”, the Commission has proposed a revised Network and Information Security Directive, NIS 2, which “will cover medium and large entities from more sectors based on their criticality for the economy and society”. It strengthens the security requirements imposed on companies, addresses the security of supply chains and supplier relationships, streamlines reporting obligations, introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims to harmonise sanctions regimes across member states. The Commission has also proposed the launch of a network of security operations centres across the EU. These centres would be powered by artificial intelligence (AI) and will constitute “a real ‘cybersecurity shield’ for the EU”, intended to detect signs of a cyberattack early enough to enact preventative actions before damage occurs. Additional measures will include dedicated support to small and medium-sized businesses (SMEs), under the Digital Innovation Hubs, as well as “increased efforts to upskill the workforce, attract and retain the best cybersecurity talent and invest in research and innovation that is open, competitive, and based on excellence”.

The third area in which the Commission is focusing its efforts is “advancing a global and open cyberspace through increased cooperation”, where the EU pledges to increase its level of work with international partners “to strengthen the rules-based global order, promote international security and stability in cyberspace, and protect human rights and fundamental freedoms online”. These measures will “advance international norms and standards that reflect these EU core values, by working with its international partners in the United Nations and other relevant fora”.

Competence Centre and Network of

Part of these measures will be the EU’s strengthening of its EU Cyber Diplomacy Toolbox and increasing its cyber capacity-building efforts to third countries by developing an EU External Cyber Capacity Building Agenda. Cyber dialogues with third countries, regional and international organisations as well as the multi-stakeholder community will be “intensified”, the Commission says. An EU Cyber Diplomacy Network will also be formed around the world in order to promote the union’s vision of cyberspace.

both the scope and depth of the 2008

cybersecurity report

proposes the reform of rules on the security of network and information systems, under a Directive aimed at establishing a high common standard of cybersecurity across the EU (NIS 2), in order to “increase the level of cyber resilience of critical public and private sectors: hospitals, energy grids, railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, as well as other critical infrastructure and services”. These infrastructure, equipment and services, the Commission says, “must remain impermeable, in an increasingly fast-moving and complex threat environment”.

Coordination Centres, and to ensure that a major portion gets to SMEs”. The proposed Critical Entities Resilience (CER) Directive will expand European Critical Infrastructure directive. Ten sectors are now covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. Under the proposed directive, member states will each adopt their own national strategies and carry out regular risk assessments. It now falls to the European Parliament

The EU plans to support the new strategy with “an unprecedented level of investment in the EU's digital transition over the next seven years”. This funding will be arrived at through the next long-term EU budget, the Digital Europe Programme and Horizon Europe, as well as the Recovery Plan for Europe. Member states have also been encouraged to use their Recovery and Resilience Facility funding to boost their cybersecurity measures and match EU levels of funding. The stated objective is “to reach up to €4.5 billion of combined investment from the EU, the member states and the industry, notably under the Cybersecurity

and the Council to examine and adopt the proposed NIS 2 Directive and the Critical Entities Resilience Directive, processes which have progressed in 2021 since the December 2020 presentation date of the strategy. Once the proposals are agreed and consequently adopted, member states will be required to transpose them into law within 18 months of their entry into force. The Commission will periodically review NIS 2 and report for the first time on the review 54 months after its entry into force.


Ransomware attacks: case studies

Ransomware attacks have been to the forefront of Irish cybersecurity concerns since the May 2021 attack on the Health Service Executive.

Department of Health and HSE ransomware attack, May 2021

In May 2021, the Irish Department of Health was hit by a ransomware attack, with the HSE hit by the same perpetrators the following day. The attack caused significant numbers of outpatient appointments to be cancelled, with the numbers of appointments dropped in some areas reaching up to 80 per cent. With the health service using 2,000 systems and over 4,500 servers, the attack was described by HSE National Clinical Advisor Vida Hamilton as a “major disaster” that was “affecting every aspect of patient care”. Reports of patient records being shared online were deemed to be “credible” by Minister for the Environment, Climate and Communications Eamon Ryan TD, with the Financial Times reporting that it had seen files and screenshots from the hack. One file was said to have included the details of a man in palliative care, the authenticity of which was verified by the paper by matching it with a death notice. With a criminal investigation being led by the Garda National Cyber Crime Bureau, working with the National Cyber Security Centre and the HSE, a spokesperson for the Department of the Environment, Climate and Communications, which includes the National Cyber Security Centre, said there was a risk “that the medical and other data of patients will be abused, either for fraud or by means of public release”. The ransomware used was reported to have been Conti, a ransomware that has been observed since 2020 and which affects all versions of Microsoft Windows. The cybercrime group known to use the Conti ransomware is Wizard Spider, based in St Petersburg, Russia, and known for its prior use of the Ryuk ransomware.
Conti uses its own implementation of AES-256 that runs up to 32 logical threads in parallel, making it much faster than most ransomware, although its method of delivery is not clear. Once on a system, the ransomware attempts to delete volume shadow copies and terminates a number of services using the Windows Restart Manager, so that it can encrypt files those services hold open. It also disables real-time monitoring and uninstalls the Windows Defender application. Its default behaviour is to encrypt all files on local drives and on networked Server Message Block (SMB) shares, skipping files with .dll, .exe, .sys and .lnk extensions; it can also be directed at specific drives or at individual IP addresses. Despite demanding a ransom of almost €17 million, the group eventually provided a decryption key to the Government free of charge, with Minister for Health Stephen Donnelly TD stressing that no ransom had been paid or would be paid. Despite the provision of the key, the group still threatened the mass leaking of health records unless the ransom was paid, saying the Government “should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation”.
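The pre-encryption steps the paragraph lists (shadow copy deletion, service shutdown through Restart Manager, Windows Defender real-time monitoring switched off, then a burst of rewrites that skips .dll, .exe, .sys and .lnk files) are exactly what an endpoint detection rule can key on. The following is an added example written for this report, not code from the eolas article or from any vendor: it scores constructed endpoint telemetry for those behaviours per host. The record format, field names, hostnames, paths and the write threshold are assumptions made for the illustration.

```python
"""Behavioural scoring of constructed endpoint telemetry for the Conti
pre-encryption sequence. Added example; record format, field names, hosts and
thresholds are assumptions, not any product's real schema."""
import os
from collections import defaultdict

# Extensions the article says Conti leaves alone; rewrites of these are not
# counted as encryption activity (payloads and loaders tend to live in them).
SKIPPED_EXTENSIONS = {".dll", ".exe", ".sys", ".lnk"}
MASS_WRITE_THRESHOLD = 3  # constructed; tune against a real per-process baseline

# Constructed telemetry: one "key=value|key=value" record per line (assumed format).
SAMPLE_EVENTS = r"""
host=ws01|type=process|pid=1200|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin delete shadows /all /quiet
host=ws01|type=process|pid=1201|image=C:\Users\a\AppData\Local\Temp\x.exe|cmd=x.exe -m local
host=ws01|type=defender|setting=DisableRealtimeMonitoring|value=1
host=ws01|type=rstrtmgr|pid=1201|api=RmShutdown|count=14
host=ws01|type=file_write|pid=1201|path=C:\Users\a\Documents\q1.xlsx
host=ws01|type=file_write|pid=1201|path=C:\Users\a\Documents\q2.docx
host=ws01|type=file_write|pid=1201|path=\\fs01\share\plan.pdf
host=ws01|type=file_write|pid=1201|path=C:\Windows\System32\kernel32.dll
host=ws02|type=process|pid=330|image=C:\Program Files\Backup\agent.exe|cmd=agent.exe --snapshot
host=ws02|type=file_write|pid=330|path=D:\Backups\2021-05-13.bak
"""


def parse_event(line):
    """Turn 'k=v|k=v' into a dict; only the first '=' in each field separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_encryption_target(path):
    """True for files Conti would encrypt, False for the extensions it skips."""
    return os.path.splitext(path)[1].lower() not in SKIPPED_EXTENSIONS


def summarise(text):
    """Return {host: {"indicators": [...], "score": n}} for hosts showing any indicator."""
    indicators = defaultdict(set)
    writes = defaultdict(int)  # (host, pid) -> candidate files rewritten
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host, kind = ev.get("host", "?"), ev.get("type")
        if kind == "process":
            image, cmd = ev.get("image", "").lower(), ev.get("cmd", "").lower()
            if (image.endswith("vssadmin.exe") and "delete shadows" in cmd) or "shadowcopy delete" in cmd:
                indicators[host].add("shadow_copy_deletion")
        elif kind == "defender" and ev.get("setting") == "DisableRealtimeMonitoring" and ev.get("value") == "1":
            indicators[host].add("defender_realtime_disabled")
        elif kind == "rstrtmgr" and ev.get("api") == "RmShutdown":
            indicators[host].add("restart_manager_shutdown")
        elif kind == "file_write" and is_encryption_target(ev.get("path", "")):
            writes[(host, ev.get("pid"))] += 1
    for (host, _pid), count in writes.items():
        if count >= MASS_WRITE_THRESHOLD:
            indicators[host].add("mass_file_rewrite")
    return {h: {"indicators": sorted(i), "score": len(i)} for h, i in indicators.items()}


if __name__ == "__main__":
    for host, result in summarise(SAMPLE_EVENTS).items():
        print(host, result["score"], ", ".join(result["indicators"]))
```

On the constructed input, ws01 collects all four indicators while the backup agent on ws02 raises none, because a single rewrite of a .bak file stays under the threshold and no defensive control was touched. In a real deployment the shadow-copy and Defender indicators are worth alerting on alone; the write burst is the noisy one and needs a baseline.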



WannaCry attack, May 2017

In May 2017, the WannaCry ransomware attack afflicted over 200,000 computers in over 150 countries. The attack would end up costing the UK Government £92 million and run up global costs of £6 billion. Britain’s NHS was brought to a standstill for several days due to the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland. Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and, much like the HSE attack after it, resulted in the cancellation of thousands of appointments and operations. Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones. WannaCry exposed a specific Microsoft Windows vulnerability, with most of the NHS devices infected with the ransomware found to have been running the supported, but unpatched, Microsoft Windows 7 operating system. The ransomware also spread via the internet, including through the N3 network, the broadband network connecting all NHS sites in England. The attack used EternalBlue, an exploit for a vulnerability in Microsoft’s Windows operating system, and targeted Microsoft’s Server Message Block 1.0 (SMBv1) protocol. The attack was stopped by an accidental kill switch discovered by a computer security researcher, who registered a domain that the ransomware was programmed to check.

SamSam attacks, 2018

SamSam ransomware was identified in late 2015, but it was in 2018 that it gained much more prominence after infecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego, all in the US, abruptly stopping the services of those affected. In the same year, two Iranian hackers were accused of using SamSam against more than 200 organisations and companies in the US and Canada, including hospitals, municipalities and public institutions. A loss of $30 million is estimated as a result of the attacks. The city of Atlanta was reported to have spent more than $2 million to repair the damage wrought by the SamSam attacks. The Indiana hospital Hancock Health paid its ransom of $55,000. To spread, this type of ransomware often exploits vulnerabilities in Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP) services. Once the SamSam attackers gained a foothold within their targeted network, they used a variety of grey-hat and systems administrator tools to escalate their own privileges with the goal of obtaining domain administrator rights. As soon as they had the domain administrator password, the SamSam attackers would take control of the domain controller and leverage it to distribute the ransomware to every machine on the network, after performing tests to ensure that the domain controller had write privileges to the machines under its bailiwick.
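Each stage of the SamSam pattern described above leaves a trace in ordinary Windows security logging: repeated failed RDP logons from one address before a success, a new member in the Domain Admins group, and one account installing the same service on many hosts at once, which is what distribution from a compromised domain controller looks like. The block below is an added example written for this report, not code from the eolas article or any product; it runs those three checks over constructed JSON-per-line events. The hostnames, accounts, the 203.0.113.7 address and the two thresholds are constructed; the event IDs (4625, 4624, 4728, 4732, 7045) are the standard Windows ones.

```python
"""Identity-centric detections for the SamSam intrusion pattern, run over
constructed Windows-style security events. Added example; field names, hosts,
accounts and thresholds are assumptions for the illustration."""
import json
from collections import defaultdict

RDP_LOGON_TYPE = "10"   # Windows logon type 10 = RemoteInteractive (RDP)
GUESS_THRESHOLD = 4     # constructed: failures from one source before a success
FAN_OUT_THRESHOLD = 3   # constructed: hosts on which one account installs services

# Constructed log: one JSON object per line, normalised from Security/System logs (assumed schema).
SAMPLE_LOG = r"""
{"id": 4625, "host": "rdp-gw", "src": "203.0.113.7", "user": "admin", "logon_type": "10"}
{"id": 4625, "host": "rdp-gw", "src": "203.0.113.7", "user": "administrator", "logon_type": "10"}
{"id": 4625, "host": "rdp-gw", "src": "203.0.113.7", "user": "backup", "logon_type": "10"}
{"id": 4625, "host": "rdp-gw", "src": "203.0.113.7", "user": "svc_backup", "logon_type": "10"}
{"id": 4624, "host": "rdp-gw", "src": "203.0.113.7", "user": "svc_backup", "logon_type": "10"}
{"id": 4728, "host": "dc01", "subject": "svc_backup", "member": "svc_backup", "group": "Domain Admins"}
{"id": 7045, "host": "ws01", "subject": "svc_backup", "service": "sync", "image": "C:\\ProgramData\\sync.exe"}
{"id": 7045, "host": "ws02", "subject": "svc_backup", "service": "sync", "image": "C:\\ProgramData\\sync.exe"}
{"id": 7045, "host": "ws03", "subject": "svc_backup", "service": "sync", "image": "C:\\ProgramData\\sync.exe"}
{"id": 7045, "host": "ws04", "subject": "SYSTEM", "service": "printhelper", "image": "C:\\Windows\\System32\\spoolsv.exe"}
{"id": 4624, "host": "ws05", "src": "10.0.0.8", "user": "jdoe", "logon_type": "10"}
"""


def load_events(text):
    """Parse the JSON-per-line log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of findings, each a dict with a 'rule' key and supporting fields."""
    findings = []
    failures = defaultdict(int)    # source address -> failed RDP logons seen so far
    successes = defaultdict(set)   # source address -> accounts that then logged on
    fan_out = defaultdict(set)     # installing account -> hosts where a service appeared
    for ev in events:
        eid = ev.get("id")
        if eid == 4625 and ev.get("logon_type") == RDP_LOGON_TYPE:
            failures[ev["src"]] += 1
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            # A success only matters after a burst of failures from the same address.
            if failures[ev["src"]] >= GUESS_THRESHOLD:
                successes[ev["src"]].add(ev["user"])
        elif eid in (4728, 4732) and ev.get("group") == "Domain Admins":
            findings.append({"rule": "domain_admins_change", "host": ev["host"],
                             "member": ev["member"], "by": ev["subject"]})
        elif eid == 7045:
            fan_out[ev["subject"]].add(ev["host"])
    for src, users in successes.items():
        findings.append({"rule": "rdp_password_guessing", "src": src,
                         "failures": failures[src], "users": sorted(users)})
    for subject, hosts in fan_out.items():
        if len(hosts) >= FAN_OUT_THRESHOLD:
            findings.append({"rule": "service_fan_out", "subject": subject, "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in detect(load_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

The three rules are deliberately independent so that each fires on its own evidence; correlating them by account (here svc_backup appears in all three) is what turns three medium-severity alerts into one high-confidence incident. The SYSTEM service install on ws04 and the ordinary RDP logon from 10.0.0.8 stay below both thresholds and produce nothing.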



[Infographic: 41% of organisations’ security teams are understaffed; 5% are significantly understaffed; 19% of organisations take six months or more to fill a cyber security role; 43% of cybersecurity hires are from outside of Ireland]

Skills gap and shortages threaten Irish cybersecurity

A skills gap in cybersecurity within Ireland has long been a source of warning from industry professionals. As incidents such as this year’s HSE attack emphasise the need to close such a gap, moves are being made to address these shortfalls. The Cyber Security Skills Report 2021 published by Cyber Ireland found Ireland to have both a serious skills shortage and a skills gap in the cybersecurity sector. Cybersecurity teams were found to be understaffed in a male-dominated industry afflicted by a “serious” skills gap, albeit one that is now investing heavily in upskilling and training. 42 per cent of respondents to the report’s survey stated that they were understaffed, defined as “the cyber security function in that business does not have sufficient staff to carry out those day-to-day tasks required for the organisation to be cyber protected”, with five per cent said to be “significantly understaffed”. 43 per cent of organisations were found to be staffed to an appropriate level. One possible explanation for such understaffing is an inability to recruit suitable candidates within these organisations. 49 per cent of the survey’s respondents stated that they had unfilled positions within their organisations at the time of asking. Security engineer was found to be the most difficult role to fill, with 28 per cent of organisations naming it as their hardest role to fill. Security analyst, architect and consultant were all found to be next with 24 per cent each. Respondents noted that the primary reasons they found these roles so difficult to fill were “candidates lacking the desired attitude, skills, qualifications or experience” (49 per cent of respondents), “too much competition from other employers” (42 per cent), a general lack of candidates (39 per cent), “candidates lack the required attitude, motivation or personality” (37 per cent) and a lack of the desired technical skills (34 per cent).
77 per cent of the unfilled positions were found to be technical cybersecurity positions. 77 per cent of unfilled positions being of the technical variety and 34 per cent of respondents stating that a lack of desired technical skills is their main difficulty with regard to recruiting point to what has long been known in the Irish cybersecurity sector: that a significant skills gap exists and must be addressed. This became a common talking point in the late 2010s as cybersecurity job openings skyrocketed in Ireland. From 2017 to 2019, cybersecurity vacancies increased by 40 per cent, only for it to be found that there was little domestic ability to fill the vacancies.

[Infographic: 77% of the open cybersecurity roles are technical cyber security positions]

Ireland’s skills gap and shortages are happening within a context of international gaps and shortages, with a global shortfall of between 1.8 and 3.5 million security professionals estimated within five years by EY and Cybersecurity Ventures. Multiple international reports paint a global picture similar to that of Ireland’s cybersecurity sector, with organisations experiencing skills shortages and gaps and struggling to access talent. EY’s Global Information Security Survey 2018-19 reported that 30 per cent of organisations struggled with cybersecurity skills shortages, which they deemed to be more pressing than budgetary constraints, cited by 25 per cent in comparison. ISC2’s 2018 Cybersecurity Workforce Study saw 63 per cent of organisations reporting skills shortages, with one-third of these categorising their shortages as significant. Stott and May’s 2020 report Cyber Security in Focus found that 76 per cent of respondents perceived a shortage of cybersecurity skills within their own companies, citing no improvement on 2019 levels. A 10-year study carried out by the Enterprise Strategy Group and the Information Systems Security Association, published in 2020, revealed that the cybersecurity skills situation had continued to deteriorate for the fourth year in a row, with over 70 per cent of organisations affected. The technology sector is also said to be male dominated, both in Ireland and internationally, with reports estimating the share of women within the cybersecurity industry worldwide to now be 24 per cent, an increase on previous years, although it is believed that the percentage of women in actual cybersecurity roles within those industry positions is lower. In Ireland, 27 per cent of organisations have all-male cybersecurity teams and 42 per cent have “significantly” more men than women.
27 per cent of organisations state that they have difficulties retaining women as part of their cybersecurity teams, with 30 per cent of turnover due to “family situation changes (e.g., children, marriage)”. There are plans afoot within the industry to address these skills shortages and gaps, with 72 per cent having conducted an analysis of their cyber skills needs and 52 per cent now having a formal cybersecurity training programme, although 32 per cent were said to be dissatisfied or unsure of the effectiveness of their training programme. 93 per cent of organisations stated that they support their employees in pursuing further cybersecurity education.


In response, initiatives such as the Cybersecurity Skills Initiative (CSI) were launched. Founded in 2018, the CSI’s plan was to train 5,000 people in cybersecurity skills and help 4,000 companies to tackle the cybersecurity skills shortage over the course of three years. In 2020, 14 new cybersecurity courses in Higher Education Institutes (HEIs) were funded by government under the Human Capital Initiative (HCI) Pillar 1 and Springboard to address industry skill needs, and under HCI Pillar 3 the CYBERSKILLS project received €8.1 million in funding. The project is led by Munster Technological University and will be coordinated nationally along with the University of Limerick, Technological University Dublin, University College Dublin and Cyber Ireland.

[Infographic: 34% cite a lack of technical skills as the primary reason for open roles not being filled; 65% of organisations have increased staff training; 30% have increased their reliance on artificial intelligence or automation; 25% increased their reliance on certification to attest to actual skill mastery]


Protecting energy infrastructure from cyberattack

Stuart Madnick, Professor of Engineering Systems at Massachusetts Institute of Technology and Founding Director of Cybersecurity at MIT Sloan, speaks to eolas about how to protect energy infrastructure from cyberattack.

“There’s a lot of overlap between the issues the IT people and the operational technology people face, but there are important differences,” Madnick says. “Some of the key differences I want to stress are that in a cyberattack on an energy or industrial control system, real physical damage can occur. Also, a lot of the safety mechanisms that we normally rely upon are increasingly being controlled by software, so a cyberattack that takes control of your system can also take control of your safety mechanisms.”

Referencing a spate of recent high-profile cyberattacks such as the Turkish pipeline explosion, attacks on a German steel mill and separate attacks on both the US and Ukrainian power grids, Madnick paints a picture of the typical cyberattack on energy systems, which usually involves the shutting down of relays, is remedied by manual intervention and avoids physical infrastructure damage. The industry fear is now that these attacks could create physical damage. “The good news is the good guys are in fact getting better,” he says. “We’re developing new techniques, better firewalls, all kinds of great ways to make our systems better protected. Unfortunately, the bad guys are getting even badder faster. By some estimates this gap is growing.”

One of the ways of combatting this growing improvement on the side of hackers that Madnick mentions is the use of the White House/National Institute of Science and Technology framework, which breaks down into five key areas: identify, where the organisation develops an understanding of cybersecurity risk; protect, where it develops appropriate safeguards; detect, where it develops activities to identify the occurrence of a cybersecurity event; respond, where it takes action on a detected event; and recover, where it develops plans to restore capabilities following an event.

“We’re doing about 25 or so different projects at MIT Sloan,” Madnick explains. “Although a lot of energy has been going into IT systems, a small amount has been going into OT systems, our energy, water, infrastructure. Improving hardware and software is very important, but it’s the people and the management of those people that increasingly is the major facet.”

In one of their projects, MIT Sloan treats a cyber incident as a type of industrial accident and uses prior research into such accidents to identify, understand and mitigate cyber hazards, using examples such as Stuxnet and TJX. The three key concepts that are central to this approach are top-down understanding, the understanding of process models and the understanding of process as hierarchical. “Almost always you find that the failures are at the managerial level, as well as the technical level,” Madnick says.

Concluding, Madnick simultaneously sounds notes of caution and optimism: “There’s a whole new Internet of Things, and we are moving to automated energy systems, which have many great benefits, but they also introduce many new attack surfaces and many things we have never had to deal with. I hate to say it, but my view is that, in the near term at least, the worst is yet to come.

“It’s very important for all of us to develop a deep organisational understanding of our cyber risks. If you don’t understand your risks, you won’t take the appropriate actions. We believe, very importantly, that management at all levels needs to take the lead.”

