Special media of strategic cyber security magazine
CYBER AND ARTIFICIAL INTELLIGENCE — TECHNOLOGICAL TRENDS AND NATIONAL CHALLENGES
QUARTERLY REVIEW Q3 2020
The development of quantum technology is accelerating – cyber security must keep up
2020/3
Contents 2020/3

Editorial (Aapo Cederberg)
Cyberwatch Quarterly review
Can you entrust your OT/ICS Security to your SOC-as-a-Service?
More “Muumimamma”, please
6 Global cyberpolitics – in your living room
7 The development of quantum technology is accelerating – cyber security must keep up
10 Cyber and Artificial Intelligence — Technological Trends and National Challenges
40 Cyber sovereignty – Anarchical dream meets Westphalian necessities
42 Improve Cyber Security with Deep Learning and Semantic Analysis
44 The U.S. and China Tech Rivalry Escalates Further
50 New opportunities emerge when east-west integrate within radiological safety
52 Excellence of Cyber security in an Electricity Organization
55 Cyberwatch Energy Sector: strategic review

Special media of strategic cyber security
Publisher: Cyberwatch Finland, Tietokuja 2, 00330 Helsinki, Finland, www.cyberwatchfinland.fi
Producer and commercial cooperation: Cyberwatch Finland team, office@cyberwatchfinland.fi
Layout: Atte Kalke, Vitale, atte@vitale.fi
ISSN 2490-0753 (print), ISSN 2490-0761 (web)
Print house: Scanseri, Finland
Cover and content pictures: Shutterstock
Editorial
Every Day is Cyber Security Day!

The challenges of the cyber world are universal, hence building reliable situational awareness is all the more demanding. From a global point of view, hackers attack every 39 seconds, an average of 2,244 times a day. It is estimated that in 2021, companies will be subjected to ransomware attacks every 11 seconds and the cost of the attacks will rise to 20 billion USD. Cybercrime is estimated to cost 11.4 million USD per minute in 2021. The cost of online payment fraud is estimated at 32,343 USD per minute. According to the latest research, 40-45% of cyber threats can be combated with technological solutions. The question arises as to how to prevent the remaining 55-60% of cyber attacks.

The cyber world and its challenges have become significant, which is why cyber security has also moved up two places on the EU’s 6-point priority list (the 6 priorities of the EU Commission in 2019-24), and for the first time cyber security has also been classified as critical infrastructure. In October, we celebrate the eighth anniversary of Cyber Security Month in Europe. The campaign has been organised by the EU’s network and information security agency ENISA and the European Commission together with the Member States. The purpose of Cyber Security Month is to raise public awareness of digital and network security and to promote the safe use of the Internet. In addition to ordinary citizens, the target group is small and medium-sized enterprises. The campaign highlights a variety of cyber security themes and includes seminars, events and campaigns taking place in 25 different countries. The slogan of the campaign is “think before you click” (ThinkB4UClick).

Hopefully as many people as possible have already responded to the Digital and Population Data Services Agency’s Digibarometer in Finland. Researched information is needed, since there have been several digital leaps, both good and bad, and because the change in the digital operating environment should work universally, put people first, and open up new opportunities for business.

Development is evolving. Spoofy is an entertaining educational game that introduces children to cyber security vocabulary and phenomena. Among other things, the game teaches them how to identify and avoid online dangers. The player is an everyday cyber hero who saves people from danger and solves their problems in the cyber world. The game has been developed in collaboration with Traficom’s Cyber Security Centre, the state development company Vake, the National Board of Education, Nordea and the cities of Espoo, Turku and Jyväskylä, and is provided by CGI, which is also the main sponsor of the project. The topics are explored in four different places that are familiar to children:
- home, where hardware and software security skills are reviewed;
- school, where they are reminded of online codes of conduct;
- their grandparents’ house, where they learn whom and what they can trust;
- the city, where they learn to protect their own and others’ privacy.
The idea of the game is ingenious: each of us is the “cyber hero” or “anti-hero” of our own lives, depending on our level of digital know-how.

The corona crisis has reminded us of the vulnerability of society and the impact crises have on society as a whole, and thus on each of us on a personal level as well. Citizen responsibility is emphasised. We are responsible for our own safety and also for the safety of our fellow human beings. This principle is also applicable to the cyber world, especially now that many of us are working remotely from home. Our workplace and our home have become one and part of the same digital ecosystem, with vulnerabilities and security insufficiencies that could harm all actors.

The majority of cyber attacks, an estimated 90 percent, occur through humans, either because of intentional or unintentional blunders. This is also the case in the world of corona. If we don’t wash our hands or use hand sanitiser, or cover our mouth when we sneeze, the virus will spread uncontrollably. Taking care of our hygiene is important, as is our cyber hygiene. But what is digital “hand washing”? In practice, it is the mastery and knowledge of the basics, in other words, the essential digital skills of a citizen. The better the level of citizens’ digital skills, the better the conditions for us to succeed and improve our national competitiveness. Authorities and voluntary organisations of companies should work together and develop common learning pathways for digital security and cyber security. In this way, we will be able to make better use of the opportunities offered by constantly evolving technology. Finland could be at the forefront of developing a digital security authorization to verify the digital skills of every citizen. This requires new thinking and a record-breaking digital leap, thus creating a virtually new digital culture and cyber culture, where digitalisation and cyber security go hand in hand. Finland, as a superpower of education, has good preconditions for this. This requires decision-makers, at every level, to have a better strategic understanding of the cyber world; in the words of President Paasikivi, ”The acknowledging of facts is the beginning of all wisdom.”

AAPO CEDERBERG
Managing Director and Founder of Cyberwatch Finland
Chairman of Cyber Security Committee of World UAV Federation (WUAVF)
MORE “MUUMIMAMMA”, PLEASE
text: Professor BUCK ROGERS MSc

Professor Buck Rogers MSc has had a long career in cyber, covering military, government and private business. A confirmed Moomin fan with a tattoo to prove it, and a lover of all things Finnish with another tattoo to prove it.

So, before I get accused of cultural misappropriation, I need to be honest: I am not Finnish; however, as a Brit I am a Finnophile. My love for Finland started over 18 years ago on a visit to Oulu University, which is also where I attended my first midsummer party, and later that year a post-sauna roll in the snow; after all, being cold is only a state of mind (sisu). I would consider Northern Finland (Utsjoki) my spiritual home, and I have travelled to Lapland more than once (and not just to see Father Christmas). However, and more importantly for this article, I have been to the home of all that’s good in the world: Muumimaailma, Naantali! So when I had the chance to write an article for this magazine, from a country I love, there clearly could only be one subject, Moomins and cybersecurity (I was surprised it had not been done before)! Moomin Valley, like the cyber world, contains lots of different characters; an understanding of, and use of, Moomin characters to articulate threats and opportunities can enhance the user awareness experience and make cyber/info security more approachable and relevant. After all, no one wants to be the Groke! To quote Moomin Papa in Moominpappa at Sea:

“But one needs a change sometimes. We take everything too much for granted, including each other.”

So let’s get started.
MOOMINTROLL (MUUMIPEIKKO)
The good - An agreeable user, keen to learn, sees the world of technology as exciting, something to be used and investigated. Feels safe behind the endpoint controls, loves keeping in touch with family and friends by social media. Confident that there is nothing the CISO can’t sort out. Will always do the right thing.
The bad - Prone to phishing attacks, especially if it’s an appeal for help. Total faith in security and believes they will catch any bad stuff, which could lead to clicking without thinking. Shares too much on social media with friends and family, a potential social engineering target.
Solution - A good induction process; keep education and training updated and relevant to him/her. Monitor the effectiveness of the training, whilst developing a proactive cyber reporting structure. Do not stigmatise mistakes, but investigate concerns (backed up by a well-understood discipline process). Make sure the Moomintroll user knows he is the first line of defence!

LITTLE MY (PIKKU MYY)
The good - Honest, action-focused, brave and fearless, will defend the organisation and is not easily fooled; observant, so will notice even small changes in software or functions. Very reliable, at home in most environments, will adapt quickly to using new technology - prepared for anything.
The bad - Likes to find out others’ secrets (but never shares them), small things annoy her, action-focused (does stuff immediately), very aggressive, brash and abrasive personality. Messy and untidy, can hide well!
Solution - All the skills needed for a red team member; train and develop them for your own internal testing team - a perfect pen-tester.

SNIFF (NIPSU)
The good - Timid, so won’t do anything risky with his technology; cares for the equipment issued to him, happy for others to tell him what to do. Not malicious or mean-spirited.
The bad - Greedy, immature, no responsibility, cowardly. Unlikely to own up to making mistakes or to report them (clicking a link, giving away a password). Would risk corporate information for gain. Easily bored, so unlikely to read or make an effort to understand corporate security policies.
Solution - A good data loss prevention programme with employee monitoring. Principle-based cybersecurity policy, regular training and testing based on real-world events.

THE GROKE (MÖRKÖ)
The good - None. Groke types turn up uninvited, spread their cold fear and gain wealth/information from others. Acts like a hostile nation-state.
The bad - Where they turn up, destruction follows. Silent until you notice the temperature change. Unlikable and threatening until they get what they want, will then silently disappear.
Solution - Nation-state threats and APTs are always the hardest to defend against. Having a detection and response capability which is tested, backed up with a good cyber intelligence capability on emerging threats, will help - target 1-10-60: 1 minute to detect, 10 to identify and 60 to remove.

THE HATTIFATTENERS (HATTIVATTI)
The good - None. Act in groups, lack free thought, follow direction unquestioningly. Similar to an intellectual property theft APT.
The bad - Silent and covert, never stop moving, only interested in the next target; once it is reached they move on to the next. Faceless, they can sense even the smallest vulnerability - very serious and zealous.
Solution - As for the Groke; however, good cyber hygiene will make it difficult for them, and they are easier to move on than the Groke if you are a hardened target.
And finally the CISO: every organisation needs a good CISO or “Muumimamma”, calm and collected, never letting things get on their nerves, providing a safe work environment (so people can be at their best). Keeps secrets, will intervene if someone is wronged and is happy to learn from mistakes. Thanks to Muumimamma everything runs smoothly; a constant and calming presence, respected by peers and seniors alike, who will always share learnings and knowledge. The best countermeasure against the Groke and Hattifatteners.

“Now, I’m only saying all this because - well - because I like you.” Moominpappa, from the book Moominpappa at Sea.
GLOBAL CYBERPOLITICS – IN YOUR LIVING ROOM
text: MIRVA SALMINEN, Researcher, Arctic Centre, University of Lapland

The idea of the neutrality of technology in the face of global power struggles has been questioned for some time. Nonetheless, the ordinariness of cyberpolitics remains less understood. Yes, it involves high-profile cyber-attacks on critical infrastructure, online terrorist recruitment and fiery exchanges of words between world leaders on Twitter, but also your everyday interactions on social media, your ability to use digital services when needed and your choice of technology and its manufacturers. Global cyberpolitics takes place in your living room, but did you notice?

As digitalisation intrudes ever deeper into the structures of society, the criticality of information and communication technologies for the functioning of society has been recognised. Cyberspace has been securitised as an object of state-level security decisions, policies and administrative arrangements. It has become internationally accepted that the digital actions of a state’s opponents may justify recourse to exceptional measures to restore the balance of power. At the same time, global cyberpolitics has generally come to be understood as relations between states and their representatives. While the United States and China dispute over particular corporations and each other’s actions, and Russia questions the effective principles of internet governance, the news articles your friend shared on social media about Covid-19 only infecting particular ethnic groups may easily pass as an apolitical fact. The existence of fake news, deepfakes, troll factories and intensifying strategic influence are known facts, but may not feel like an everyday issue. However, political influence targeting everyone in cyberspace is not restricted to election times, but shapes our perceptions and actions on a daily basis.

For a long time, technology corporations denied their role in cyberpolitics in the name of the neutrality of technology and/or freedom of speech. It was stated that technology in itself was not good or bad; what mattered was what people chose to do with it. Yet, by deciding not to intervene in hate speech, the dissemination of disinformation or the denial of historical facts, global social media giants took a political decision for which they are gradually being held accountable. Freedom of speech is not an absolute right but needs to be balanced against the realisation of other human rights. Similarly, non-governmental organisations and consumers are gradually picking up the questions of corporate social and environmental responsibility related to the extraction of raw materials for ICT and the use of developing countries as disposal sites for electronics. Consumer decisions are political decisions alike.

At the supranational level, and alongside becoming a cybersecurity actor, the European Union is creating room for itself in cyberpolitics as a regulator of the single market, a facilitator of responsible digital innovations, as well as a patron of privacy and other fundamental rights. However, it also reaffirms the contract as the primary means of constituting the relationship between a consumer and a service provider, with particular legal effects. Thus, it cannot affect what you choose to share, opt in for or opt out from. At the international level, the United Nations has been investigating digitalisation and cybersecurity for over two decades, but only last year did corporations and civil society representatives enter the discussion in the General Assembly’s First Committee and highlight the importance of the human aspects of cybersecurity.

The human aspects entail political influence, both top-down and bottom-up. The #MeToo and Black Lives Matter movements serve as prime examples of the latter. Pressing the like button may not have much instant influence, but channelling support through a number of channels at best empowers actors to act against injustice in the long run. In global cyberpolitics, you are not merely an object whose perceptions and opinions can be affected through information campaigns or whose ability to act can be restricted through a denial-of-service attack or ransomware. You are a political actor and influencer alongside states, corporations, NGOs and other actors – whether you recognise this role or not. The intensifying responsibilisation of individuals for cybersecurity, for example in the discourse on digital skills as civic skills, highlights the importance of acknowledging this role. Sharing a video clip online may seem harmless, but may still lead to liability if it causes a detriment.
THE DEVELOPMENT OF QUANTUM TECHNOLOGY IS ACCELERATING – CYBER SECURITY MUST KEEP UP
text: ANTTI VASARA, President & CEO, VTT Technical Research Centre of Finland Ltd, @ahavasara

The development of quantum technology may change the future of humanity and, at the same time, bring new, sustainable growth to Finland. Cyber security must be developed at the same pace as quantum technology.

The major changes in different industrial sectors over recent decades can be largely attributed to digitalisation and the improved power of computers. The development of quantum technology accelerates this change and increases computing power to a higher level than we can currently imagine, opening totally new opportunities for, e.g., modelling, complex simulations and machine learning. In the future, the enormous computing power of quantum computers can be harnessed for solving major global problems, accelerating the development of medicines and vaccines, or effectively finding new ways to overcome climate change, for example. This future is getting closer: quantum technologies are already breaking out of research laboratories into wider use. In the coming decades, their use will expand to different industrial sectors and open new application areas. By the 2040s at the latest, quantum computers will already be used for doing such amazing things that it is impossible to forecast them today. Exponential computing power can lead to an exponential leap in productivity, which would allow the Earth’s resources to be adapted to the well-being needs of a growing humanity.

OPPORTUNITY WORTH BILLIONS OF EUROS

For Finland, the development of quantum technology offers opportunities for sustainable economic growth. If we gain a foothold in quantum technology, this could generate a new, significant branch of technology industry for us. The first steps have already been taken: VTT Technical Research Centre of Finland Ltd and Aalto University are currently in the process of acquiring the first quantum computer in Finland. Over the next few years, investments will be made in its development and use. Finland has a lot of expertise in superconducting circuits, complex radio systems and sensors created in quantum and cold physics laboratories. We also have quantum technology companies already in operation. The starting point is good, but we need to enhance our competence in all areas of quantum technology. We must also invest in state-of-the-art manufacturing and research infrastructure and launch a national research, development and innovation programme in quantum technology. With such measures, Finland may even become one of the world’s leading countries in selected fields of quantum technology in the future.

NEED FOR QUANTUM-SAFE METHODS

The huge potential of quantum technology also poses threats to cyber security. It has long been known that a powerful quantum computer would be able to break the existing encryption methods. As technology develops, this has become a significant risk in recent years. Cryptography must be developed at the same pace as quantum technology, and the existing data networks must be protected using quantum-safe security methods. The project coordinated by VTT examines the possibilities provided by existing methods and develops new ones, thus building quantum-safe cryptography. One of the key issues is the standardisation of new encryption methods and algorithms. Once a standard has been drawn up, its adoption will take at least several years. When it comes to development, we must look decades ahead to ensure that information to be kept confidential in the long term remains secure. The US standardisation organisation, the National Institute of Standards and Technology, has launched a competition to seek new algorithms for future standards and for introduction into extensive use. In Finland, work aimed at standardisation is carried out, for example, in the extensive Post Quantum Cryptography project coordinated by Business Finland. Today’s quantum computers cannot yet break encryption, and forecasts about machines capable of doing so vary greatly. However, we must be prepared for the development to advance rapidly.

QUANTUM TECHNOLOGY FOR THE USE OF CYBER SECURITY

Quantum computers are often seen exclusively as a threat to cyber security, and the development and standardisation of quantum-safe encryption methods as the key effort. But in addition to threats, quantum technology also provides opportunities for cyber security. There are areas in cyber security that require a lot of computing, machine learning and modelling. Perhaps the computing power of quantum computers lends itself to improving cyber security much earlier than to breaking encryption. The development of quantum-safe encryption methods may also accelerate the generation of innovations based on digital trust. Ensuring cyber security in our current information networks in the era of quantum technology is one issue to solve. Another future issue relates to how to guarantee the security of the quantum computers themselves. At the moment, the focus is on the implementation of quantum computers and not on their security aspects. However, we should also be thinking about this within the next few years in order to avoid repeating the pitfalls of traditional computers in quantum machines.
CYBER AND ARTIFICIAL INTELLIGENCE — TECHNOLOGICAL TRENDS AND NATIONAL CHALLENGES
text: LIRAN ANTEBI and GIL BARAM

Liran Antebi is a research fellow at INSS, where she directs the research field on advanced technology. She lectures at Ben Gurion University and advises in the field of advanced technologies. Gil Baram is the head of research at the Yuval Ne’eman Workshop for Science, Technology and Security and a research fellow in the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University.

Keywords: Artificial intelligence, cyber warfare, national security, arms race

Autonomous systems based on artificial intelligence are playing an increasingly meaningful role in everyday life in a variety of fields, including industry, medicine, the economy, and security. Because they are computerized, these systems are exposed to coding errors, which may lead to incorrect decision making and the execution of unwanted actions. In addition, they are vulnerable to cyberattacks that may harm or completely suspend their activity. This article examines the risks posed to autonomous systems as a component of the arms race among the powers and discusses policy steps to contend with these threats at the national level.

INTRODUCTION

“Artificial intelligence is the future, not only for Russia, but for all humankind . . . It comes with colossal opportunities, but also threats that are difficult to predict. Whoever becomes the leader in this sphere will become the ruler of the world.” These were the words of Russia’s President Vladimir Putin in a September 2017 lecture.1 And indeed it seems that autonomous systems based on artificial intelligence (AI) are becoming increasingly ubiquitous in a variety of fields, including industry, medicine, the economy, and security. As computerized systems, they are vulnerable to coding errors, which may lead to incorrect decision making and the execution of unwanted actions. Additionally, they are vulnerable to cyberattacks that may harm or completely suspend their activity. At the same time, systems with some autonomous abilities are increasingly being used; these systems do require some human involvement in decision making for their operation, but both their calculation and recommendation processes are autonomous and generally not explainable.

This article examines the risks to autonomous systems and ways to contend with them at the national level. The first part surveys the uses of AI in the security realm. It describes the arms race taking place in this field, its influence on the international arena, and the incentives for carrying out a cyberattack on these systems. The second part describes potential cyberattacks on AI-based systems—the attacks and manipulations that are unique to cyber systems—and reviews possible uses of AI for both defensive and offensive purposes in cyber warfare. Finally, the article suggests policy steps aimed at reducing the risks that are increasing as the use of autonomous systems expands and human dependence upon them grows.

ARTIFICIAL INTELLIGENCE AND AUTONOMOUS SYSTEMS — DEVELOPMENT AND KEY USES
AI is a subdivision of computer science research that has existed since the 1950s. One of the simplest and most widespread definitions of AI is “the science of making machines do things that would require intelligence if done by men.”2 Over the past decade, significant advances have been made in the field of AI, partly due to advances in computer science research, the development of advanced hardware and software in the fields of computing and communications, and the development of cloud computing and big data. Within this framework, subsets such as machine learning and deep neural networks have also evolved, enabling various advanced applications in different fields. These include image analysis applications, which are used in the medical world to help analyze various tests; speech recognition applications, which enable the operation of “smart assistants,” such as Siri and Alexa; and many predictive algorithms, which offer people online products or services similar to those they have previously purchased or in which they have shown interest.

The Defense Advanced Research Projects Agency (DARPA) at the US Department of Defense defines AI as “programmed ability to process information.”3 Despite this definition, it is important to clarify that not all computing systems use AI. AI algorithms are designed to make decisions and typically do so using real-time data. These are not passive machines capable only of mechanical or predetermined responses—to which we have become accustomed in the age of automation—such as automatic doors. Rather, they are machines capable of integrating information from different sources, including sensors, digital data and even remote inputs, analyzing this information immediately and acting in accordance with conclusions derived from this data. This allows the processing of data at levels of sophistication and speed that did not previously exist.4

The most common uses of AI today are in the subset known as machine learning. This subset uses statistical algorithms to imitate human cognitive tasks, by inferring rules about these tasks based on analysis of large quantities of data on a given subject. In practice, the algorithm is “trained” on existing data, and through this process creates a statistical model of its own, which will later be able to carry out the same task using new data it had not previously encountered.5

The use of AI technology is increasing, and many countries, companies, and security agencies now rely on these systems for various purposes. Civilian uses of AI include services such as navigation apps, algorithms offering targeted goods or services, banking and financial commerce, maintenance and logistics systems, and more. As already mentioned, AI-based systems are used in the following national security fields:

1. Intelligence: AI has many uses in the field of intelligence. Today, machine learning and other algorithms are commonly used for image and text analysis. Algorithms are also used for language translation, video and audio analysis, and more. One of the best-known projects in this field is the Maven project, which was a collaboration between Google and the US Department of Defense; it used AI to analyze UAV photography.6 China and other countries are also working on creating systems for the optimal categorizing of intelligence content and merging information from different systems in order to produce civil and military intelligence, using AI capabilities.7

2. Logistics: There are AI applications for military logistical use just as there are for civilian use. The US military has been using such systems since the 1990s; one AI system was used to plan and optimize troop movements during the first Gulf War, which enabled savings and a return of thirty years of investments in AI research.8 Among the most innovative systems are those that assist in system maintenance in ways that were not previously possible, such as by reporting in advance about future wear-and-tear of parts and making it possible to replace them on an individual basis rather than on the basis of generalized statistical information as in the past. This makes it possible to save significantly while increasing safety.9

3. Command and control: Command and control systems will make increasing use of AI, including as advisory frameworks that assist in decision making, while being subject to and in cooperation with human operators.

4. Autonomous vehicles: Autonomous driving is commonly associated with driverless vehicles, archetypes now seen on the roads in various places around the world. This was, in fact, one of the central issues that DARPA dealt with over the past decade, enabling significant progress in this field.10 In civilian life, the primary use of autonomous vehicles is on the ground. In the past several decades, unmanned vehicles used for security purposes and with a variety of autonomous capacities have been developed for air, sea, and land. These vehicles play a significant role on the battlefield, and they can enhance or replace human presence in dangerous areas; however, most of these vehicles rely primarily on human operation and intervention, despite their autonomous capacities.

5. Autonomous military systems: This is one of the most widespread fields of AI. Many countries, led by the United States, Israel, the United Kingdom, and France, have identified the security potential of unmanned systems over the past few decades and have taken steps to purchase and independently develop their own autonomous military systems. Autonomous military systems include a sub-group of autonomous weapons systems that can search for, identify, and attack targets independently without human input.11 These are game-changing systems, because they can cause fatal damage without human involvement. These systems are the subject of widespread public debate, and in the United Nations there is already a discussion regarding possible limitations on their use; nevertheless, they are being developed at an accelerated pace today, to the point that some fear that we are on the brink of a new arms race in this field,12 or even at its peak. Although this field is still in its infancy, multiple countries have already acquired battlefield experience with these systems. These include air defense systems, such as the American Patriot system and Israel’s Iron Dome. These systems are capable of being highly autonomous and can even operate completely autonomously; however, due to decisions of the countries that operate them, these systems are still dependent upon human operators who are a part of their operation cycle.13 In addition to air defense systems, there are also loitering munitions such as Harop. This is an airborne system that is capable of flying, hovering, locating, tracking, and attacking targets by means of homing via radar signal.14 Current research indicates that fully autonomous vehicles will become technologically possible within twenty years, and it is highly likely that they will become more significant in the activity of modern militaries.15

6. Cyber warfare: This is one of the leading fields in the use of AI. In this field, “first-generation” AI is still in use,16 while later-generation capabilities are being developed. Algorithms assist in preventing cyberattacks, or in locating attacks on various computerized systems. At the same time, cyberattackers use AI capabilities in various ways, as discussed further below.
THE ARTIFICIAL INTELLIGENCE ARMS RACE
In recent years, many countries have identified the potential impact of AI on their economies and on national security.17 The United States is considered the leader in this field and is working to formulate a comprehensive strategy on the matter. Its national defense strategy includes a commitment by the US Department of Defense to invest in military implementation of autonomous technologies, AI, and machine learning, while also using groundbreaking commercial technologies, with the aim of maintaining the US military’s competitive advantage in this field.18 In early 2019, the White House updated the national research and development strategy for AI technologies that the Obama administration had published in 2016.19
The updated strategy calls for developing effective methods for human-AI collaboration and ensuring that AI systems are well protected. The United States invests large sums in this area and is working to lay out a broad strategy for promoting and defending AI technologies on a national level, via collaboration between the government, the private sector, academia, the public, and international partnerships.20 In July 2019, the Joint Artificial Intelligence Center (JAIC) called on private companies to submit ideas and proposals for AI technologies for cyber defense, which would include automatically correcting weaknesses in military network security, collecting cyber intelligence about those active on the dark web, and more.21 Despite all its efforts, the United States’ main challenge is the increased competition with China, given its aspirations to become the leader in AI within the next decade. As a serious competitor in AI, China has already proven it can make rapid progress on advanced technological projects, such as by becoming a major manufacturer and exporter of unmanned aerial vehicles (UAVs) within a decade. The total sum China has invested in AI research and development is unknown to the public, but it is estimated at billions of dollars at a minimum. Some estimates say that planned future investments will reach $150 billion.22 This investment is partly due to one of China’s prominent advantages in this field: the almost total lack of distinction or boundaries between civilian and military uses, given that its civilian life is also subject to strict government supervision. Another prominent Chinese advantage stems from its nonadherence to Western norms of democracy, individual rights, and privacy; it has thus collected and coded information about its citizens for many years. This process has rendered China an enormous mine of big data, leading companies and entities from around the world to work with it in order to get access to this information.
China notably also collects information about citizens of other countries by perpetrating cyberattacks and theft of vast information reserves, as well as through Chinese-made systems and applications used by citizens of other countries. Legislation also allows Chinese government agencies to insert “backdoors” at the assembly line of all Chinese manufacturers. This same legislation obligates Chinese tech manufacturers to give the government their technologies’ source code.23 Some have assessed that China will become the most dominant country in the field of AI in the future. In November 2017, Eric Schmidt, then the chairman of Google, stated that China would equal the United States in its AI capabilities by 2020 and would surpass it by 2025.24 Current assessments support Schmidt’s prediction. In terms of research, Chinese researchers are expected to publish an equal number of academic papers on AI to that of their American peers, indicating the growing significance of the subject in China.25

In addition to China and the United States, Russia is also running AI programs, and in 2019 it formulated a national AI strategy.26 Russia, however, lags behind both the United States and China: in addition to low investment in this field relative to its principal competitors, it also suffers from problems in its tech ecosystem.27 Due to these conditions, analysts believe that Russia will only emerge as the leader in certain narrow sub-fields of AI and not in the field as a whole.28

Israel, known as a worldwide tech leader, particularly in cyber and unmanned aerial vehicles, is one of many other countries competing in AI. Israel does not currently have a defined strategy for AI, although a commission appointed by the prime minister is carrying out comprehensive research on the issue, and its conclusions and recommendations will be used to formulate strategy and policy. An AI headquarters may also be established.29 Israel has a significant advantage in its unique ecosystem, which includes close connections between the government, academia, industry, and the military, as well as the ability to respond rapidly to changes in the arena. Israel also has the advantage of significant knowledge transmission between the military and civilian companies in the industry, as a result of its unique model of mandatory military service and reserve duty. This model creates the opportunity for some workers to acquire and transmit knowledge between security agencies and the tech industry in an ongoing and productive manner.30 Many companies in Israel are working in AI. AI is at the heart of some of these companies, and it is an enabling technology or a force multiplier for others.
International companies, including Amazon, Intel, Microsoft, and Nvidia, have established R&D centers in Israel that focus on AI.31 Israel has also developed leading AI companies, which develop both software and hardware.32 In the security field, Israel also develops AI technology in the framework of the Ministry of Defense, the Directorate of Arms and Infrastructure Development, and various technological military units, as well as in its security industries. The international AI arms race, the increasing presence of these systems, and our reliance on them in different areas necessitate discussing the threats posed to AI systems and ways of locating, identifying, and preventing or thwarting these threats.

CYBERATTACKS AND AI SYSTEM MANIPULATION
The increase in cyber threats over the past few years also threatens AI systems. At the same time, it raises fears that AI technology will be exploited in order to carry out cyberattacks on a much wider scale than previously possible. The risk is even greater for security systems that are not completely disconnected from the network, and it grows with the increasing military use of AI technology. Although AI technology is considered inseparable from the possibility of cyberattacks, it can also be an effective tool for managing cyberattacks, such as by using deep learning techniques that are capable of tracking suspicious activity and classifying different viruses. At the same time, AI systems are vulnerable to cyberattacks against them and are likely to be subject to different manipulations. Autonomous and AI systems are computerized systems and therefore are exposed, like other systems, to the kind of cyberattacks with which we are familiar on regular computerized systems. Due to their unique nature, however, autonomous and AI systems are also vulnerable to unique attacks, for the following reasons:

1. The desire to allow them to function autonomously, without human involvement, due to considerations of efficiency, accuracy, and speed, may leave them vulnerable to cyberattacks. However, it can be surmised that these systems will inform their operator of any anomalies or attacks that they identify.

2. Some AI-based systems operate today in ways that we do not know how to explain or analyze retroactively. This is referred to as the “explainability challenge” or the “black box” challenge. This leaves an opening for attacks, which in some cases would be difficult to identify, because it is not clear whether a given behavior is an attack or the proper functioning of the system.

3. The training processes of AI systems, which are carried out using an enormous quantity of data, make it possible to introduce data that could deliberately “infect” the process and lead to incorrect or undesired results.

A few recent examples illustrate these threats. In April 2019, Col. Stoney Trent, the head of the Operations Department of the JAIC in the US Department of Defense, said that the problems with assessing cyber threats against AI technologies stem from a lack of awareness among decision makers and from a dearth of tools and methods for examining the immunity of AI systems to hacking.
According to Trent, one of the JAIC’s tasks is to encourage the development of these tools, which civilian and commercial developers do not perceive as worthwhile.33 According to Frederick Chang, former research director at the National Security Agency (NSA), the race to develop military technologies based on AI will significantly increase the scope of the attack surface, but governments are still not aware of most of the vulnerabilities of these systems. Chang warned that attackers may mislead a system’s identification mechanism by using adversarial inputs, poison the data from which the system learns, or infiltrate it in order to understand how it operates and to thwart its functioning.34 In addition, the combination of cyber warfare and AI technology may lead to the development of new kinds of malware. For example, IBM researchers developed DeepLocker, an AI-based malware, in order to understand how multiple existing AI models could be combined into a new and more effective form of malware that has not yet been encountered. This malware disguises its aim until it reaches its target, which it identifies using voice or facial recognition. This kind of malware is considered especially effective because it may infect millions of systems without being discovered, unlike cyberattacks that are widespread and noisy, using a “spray and pray” approach. Given that autonomous systems are meant to function without human input or with minimal human intervention, an effective manipulation or attack may not be discovered for a long time. In contrast to existing malware, malware that incorporates AI will require significant expertise and advanced forensic tools in order to identify it. DeepLocker changed the rules of the game by hiding its activity in common applications, such as videoconferencing software. Its use of AI is almost impossible to detect or to reverse-engineer in order to discover its code. DeepLocker only begins to function once its deep neural network model identifies its chosen target, that is, once the model receives a specific input.35 Researchers estimate that AI systems will allow humans to carry out cyberattacks that were not possible prior to the use of these systems. They will also be able to identify new sources for attacks on AI systems by identifying new weak points. For example, a study published in 2017 showed that researchers used AI tools in order to decipher the passwords of LinkedIn users.
In a sample set of 43 million user profiles, researchers successfully figured out 27 percent of the passwords.36 Attacks on the systems responsible for autonomous tools are another possible scenario and would likely create widespread disruption affecting multiple tools.37 Three major categories of attack on AI systems can be distinguished: (1) inputting false data into a system, so that it will generate false conclusions; (2) minor alterations to photographs or other inputs that the system processes, whether by inserting visible items or by changing the pixels of a photograph, so that the item will be classified incorrectly; (3) disrupting the assessment of information by internally damaging the system’s sorting mechanism, instead of focusing on the particular data that was fed into the system.38 The following are several types of unique attacks against AI systems:

Adversarial attacks: This is a technique for misleading the machine learning classifier of an AI system by exploiting its sensitivity to manipulation of the data it is fed and from which it learns. The attacker crafts an input that looks legitimate but carries a misleading classification, thereby “interrupting” the information fed into the system in order to cause misclassification. The changes are almost invisible to the human eye. One study found that deep neural networks can easily be fooled by the input of false data.39

Data poisoning: This is a technique in which the attacker inputs false data and systematically disrupts the data inputs used for training the system. To accomplish this, the attacker must have access to the data used to train the model. This data may be disrupted in order to benefit the attackers or to harm other groups, for example in models that calculate insurance premiums or grant loans.40

Evasion attacks: These are attacks in which the attacker manipulates a model’s classification ability with the aim of evading detection. This type of attack is intended to evade spam filters, malicious password detectors, network traffic monitors, and anomaly detectors.41

Model extraction: These are attacks in which the attacker sends samples of data to the system model and analyzes its output in order to reconstruct the model independently.42

Attacks on watermark tags: Here the attacker adds specific pixels to a picture in order to cause a model to react in a certain way.43 An effective attack of this kind on an intelligence or weapons system could be very problematic.
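The data poisoning attack on a loan-approval model described above, together with the data sanitization defense the article discusses next, as an added example that is not part of the original article: a toy nearest-centroid classifier is trained on constructed applicant records, an attacker who has write access to the training set (the precondition the article names) inserts low-score records falsely labelled “approve”, and a per-label median-distance filter removes them before retraining. The label names, cluster positions, the target applicant and the 3× median-distance rule are assumptions of this example.

```python
"""Toy data-poisoning attack and data-sanitization defense on a nearest-centroid
classifier. Added example on constructed data; labels, cluster positions and
thresholds are illustrative assumptions, not taken from the article."""
import math
import random
from statistics import median

REJECT, APPROVE = 0, 1  # loan decision labels (assumed for this example)


def make_clean_data(n_per_class=200, seed=7):
    """Constructed applicant records: two well-separated clusters in a 2-D
    feature space (think normalised income and repayment-history scores)."""
    rng = random.Random(seed)
    data = []
    for label, centre in ((REJECT, (-2.0, -2.0)), (APPROVE, (2.0, 2.0))):
        for _ in range(n_per_class):
            x = (centre[0] + rng.gauss(0, 0.5), centre[1] + rng.gauss(0, 0.5))
            data.append((x, label))
    return data


def poison(data, n_poison=100, seed=11):
    """Attacker with write access to the training set inserts low-score records
    falsely labelled APPROVE, dragging the APPROVE centroid toward the region
    where a chosen risky applicant lives."""
    rng = random.Random(seed)
    poisoned = list(data)
    for _ in range(n_poison):
        x = (-4.0 + rng.gauss(0, 0.3), -4.0 + rng.gauss(0, 0.3))
        poisoned.append((x, APPROVE))
    return poisoned


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def centroid(points):
    return (sum(p[0] for p in points) / len(points),
            sum(p[1] for p in points) / len(points))


def train(data):
    """Nearest-centroid classifier: one mean vector per label."""
    return {lbl: centroid([x for x, l in data if l == lbl]) for lbl in (REJECT, APPROVE)}


def predict(model, x):
    return min(model, key=lambda lbl: dist(x, model[lbl]))


def accuracy(model, data):
    return sum(predict(model, x) == l for x, l in data) / len(data)


def sanitize(data, k=3.0):
    """Data sanitization: per label, drop records whose distance to that
    label's coordinate-wise median exceeds k times the median distance.
    A simple robust-statistics heuristic assumed for this example; poisoned
    records sit far from the genuine APPROVE cluster and fail the check."""
    kept = []
    for lbl in (REJECT, APPROVE):
        pts = [x for x, l in data if l == lbl]
        med = (median(p[0] for p in pts), median(p[1] for p in pts))
        dists = [dist(p, med) for p in pts]
        limit = k * median(dists)
        kept.extend((p, lbl) for p, d in zip(pts, dists) if d <= limit)
    return kept


def run_experiment():
    """Compare clean, poisoned and sanitized models on held-out clean data and
    on the attacker's chosen target applicant."""
    clean = make_clean_data()
    test = make_clean_data(seed=99)
    target = (-0.8, -0.8)  # risky applicant the attacker wants approved (assumed)
    clean_model = train(clean)
    poisoned_model = train(poison(clean))
    sanitized_model = train(sanitize(poison(clean)))
    return {
        "clean_acc": accuracy(clean_model, test),
        "poisoned_acc": accuracy(poisoned_model, test),
        "sanitized_acc": accuracy(sanitized_model, test),
        "target_clean": predict(clean_model, target),
        "target_poisoned": predict(poisoned_model, target),
        "target_sanitized": predict(sanitized_model, target),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:18s} {value}")
```

The poisoned model still scores near-perfectly on clean test data while approving the attacker's target, which is why accuracy monitoring alone does not reveal this class of attack and a check on the training data itself is needed.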
Systems based on machine learning, such as facial recognition systems, sometimes contain sensitive information and can be the target of a cyberattack in which attackers extract information about the people identified by the system. These attacks can be carried out in two different stages of the development process of the system: in the system training stage, and in the stage of testing and drawing conclusions from system operation. However, there are also various methods of defense in this field, which can be built for both stages.44 During the training stage, a data poisoning attack can be carried out, which would include inputting false information into the system and changing the labels of the data. Methods to protect data at this stage include filtering false data that enters the system (data sanitization), acting on potential attack scenarios in order to learn about likely actions by the opponent (adversarial training), refining methods of defense (defense distillation), combining methods (ensemble methods), and strengthening privacy by different means (differential privacy).

Different types of attacks can also be carried out during the testing stage. The first is evasion, which uses attack methods capable of evading detection by the system. A second method is impersonation, which allows hostile entities to imitate legitimate ones in order to enter the system and disrupt its data. A third method is inversion, which allows the theft of sensitive data from the system. The system can be defended from these kinds of attacks by using noise, as a kind of smokescreen protecting the data, or through the random use of protective measures during training (differential privacy).45

As shown above, various attacks on autonomous systems and AI systems are possible, some of which are unique to these systems and differ from “regular” attacks on computerized systems. It is important to distinguish between the types of cyberattacks relevant to computer systems in general and those unique to AI and autonomous systems, as we have sought to demonstrate in this article. The risk from cyberattacks on AI systems is significantly greater, because it is usually impossible for any person to detect the problem within a short time frame, due to the system’s characteristics. The “black box” or “explainability challenge” already mentioned is another risk factor. This challenge relates to the fact that in spite of the successful results of different system actions
of machine learning or deep learning, it is currently impossible to explain the way that a system arrives at its result.46 The lack of transparency makes it hard to verify system activities in general. This, together with the enormous quantity of data and the pace at which these systems process it, means that human oversight of these systems is likely to be merely for show. Experts and military figures say that humans should be held accountable for the actions of AI systems, but this claim requires additional discussion, given that humans cannot locate and identify all risks and vulnerabilities present in these systems.47 Attention and effort should be invested in this issue from the research and development stage onward, in order to try to build effective human oversight mechanisms. Efforts to solve the “explainability challenge” have been going on for some time,48 but until an adequate technological solution is found for this matter, regulatory and legal mechanisms are needed for managing the lack of transparency. This is particularly important for strategic systems, or those whose outcome may harm human beings.

CONCLUSION AND RECOMMENDATIONS
The use of AI systems, including systems based on machine learning and deep learning, is becoming increasingly common in many fields, including security. These systems work at a quick pace, often making human oversight difficult. In addition, enabling these systems to run autonomously in order to reduce the necessary human involvement is desired for a variety of reasons. It is important to understand the potential of cyberattacks on these systems and to develop means of thwarting them. The unique attacks to which these types of systems are vulnerable must also be understood, in order to develop effective oversight and defense mechanisms that will allow proper functioning of these systems and trust in them. In order to achieve all of this, action should be taken in a few policy directions. Israel, which is a power in the field of cyber and one of the world’s leaders in AI,49 could potentially become a leader in the field of cyber research and defense as it relates to AI and autonomous systems. Thus, several policy recommendations for Israel are listed below, which may be relevant for other countries as well:

1. Standards should be defined for the field of AI-based systems. In this framework, these systems should have embedded means of oversight or methods of verifying that they have not been attacked or manipulated. The standards defined must apply not only to security systems but also to critical civilian systems (and ideally also to non-critical systems, which assist in maintaining routine). Likewise, the government should fund system defense in fields in which there is a market failure and no commercial incentive for solving a given issue.

2. The relevant agencies in the defense system must invest in research for the ongoing mapping and locating of fields with high vulnerability potential and the risk of attacks that specifically target autonomous systems. Investment in developing specific solutions for this field is also imperative.

3. Relevant state bodies must define procedures for supervising AI-based cyber operations, in order to avoid unwanted consequences of such operations. These procedures must be backed up by effective means of enforcement.50

4. Joint exercises should be conducted with allies, in which the defense capabilities of AI systems are tested. The exercises will expose weaknesses that should be corrected and give these systems information from which they can learn.

5. The international discourse on this issue should be expanded, in order to create collaborations between like-minded countries that are AI powers and share common interests. The aim is to influence the entire international arena, given the difficulty of rapidly influencing international institutions such as the United Nations. An international charter should also be formulated for this field. The importance of this issue becomes clearer when cultural differences among countries are taken into account, as well as the potential impact on both the design of AI in other countries and on the definition of decision-making ethics in this field.
The implementation of these policy recommendations and any additional ones formulated as the problem becomes better understood can assist in preventing potentially harmful attacks. This potential rises with the increased use of AI-based systems and their responsibility for various critical functions. Appropriate actions ahead of time may help prevent destructive outcomes on the national and international levels.
Sources:

1 “‘Whoever Leads in AI Will Rule the World’: Putin to Russian Children on Knowledge Day,” RT World News, September 1, 2017, https://www.rt.com/news/401731-ai-rule-world-putin.
2 Edward Geist and Andrew Lohn, How Might Artificial Intelligence Affect the Risk of Nuclear War? (Santa Monica: RAND Corporation, 2018), 9.
3 John Launchbury, “A DARPA Perspective on Artificial Intelligence,” TechnicaCuriosa, 2017, https://machinelearning.technicacuriosa.com/2017/03/19/a-darpa-perspective-on-artificial-intelligence.
4 Darrell M. West and John R. Allen, “How Artificial Intelligence Is Transforming the World,” Brookings, 2018, https://www.brookings.edu/research/how-artificial-intelligence-is-transforming-the-world.
5 Kelley M. Sayler and Daniel S. Hoadley, Artificial Intelligence and National Security (Congressional Research Service, 2019), 2.
6 Samuel Gibbs, “Google’s AI Is Being Used by US Military Drone Programme,” The Guardian, May 7, 2018, https://www.theguardian.com/technology/2018/mar/07/google-ai-us-department-of-defense-military-drone-project-maven-tensorflow. It should be noted that this project generated opposition among Google employees, due to fears that the knowledge it created would not only be used for analyzing intelligence material but also for creating autonomous weapons systems that would be able to attack without human involvement.
7 For more on this topic, see Stephen Chen, “Inside the AI Revolution that’s Reshaping Chinese Society,” South China Morning Post, June 29, 2017, https://www.scmp.com/news/china/society/article/2100427/chinas-ai-revolution-and-how-its-rivalling-us.
8 Nurit Cohen-Inger and Gal Kaminka, “And the Forecast: The IDF on the Way to an Intelligent Military—A Road Map for Adopting Artificial Intelligence Technologies in the IDF,” Bein Haktavim 18 (2018): 95 [Hebrew].
9 Sayler and Hoadley, Artificial Intelligence and National Security, 9.
10 “The Grand Challenge for Autonomous Vehicles,” DARPA, 2019, https://www.darpa.mil/about-us/timeline/-grand-challenge-for-autonomous-vehicles.
11 “Autonomous Weapon Systems—Q & A,” International Committee of the Red Cross, November 12, 2014, https://www.icrc.org/en/document/autonomous-weapon-systems-challenge-human-control-over-use-force.
12 Billy Perrigo, “A Global Arms Race for Killer Robots Is Transforming the Battlefield,” Time, April 9, 2018, http://time.com/5230567/killer-robots.
13 Human Rights Watch, Losing Humanity: The Case Against Killer Robots (November 2012), 11–12, http://www.hrw.org/sites/default/files/reports/arms1112ForUpload_0_0.pdf.
14 Dan Gettinger and Arthur Holland Michel, Loitering Munitions (Center for the Study of the Drone at Bard College, 2017), http://dronecenter.bard.edu/files/2017/02/CSD-Loitering-Munitions.pdf.
15 Yoav Zacks and Liran Antebi, eds., The Use of Unmanned Military Vehicles in 2033: National Policy Recommendations Based on Technology Forecasting—Expert Assessments, Memorandum no. 145 (Tel Aviv: INSS, December 2014) [Hebrew]; Paul Scharre, Robotics on the Battlefield Part I: Range, Persistence and Daring (Washington DC: Center for a New American Security, May 2014), https://s3.amazonaws.com/files.cnas.org/documents/CNAS_RoboticsOnTheBattlefield_Scharre.pdf?mtime=20160906081925; Launchbury, “A DARPA Perspective on Artificial Intelligence.”
16 Launchbury, “A DARPA Perspective on Artificial Intelligence.”
17 At the time of this writing, a type of arms race is taking place among the powers in developing advanced AI capabilities. In parallel, some are claiming that the discussion should be about combining competition and collaboration, and not about the “arms race,” which has a negative connotation, and instead call upon the United States and China to commence a dialogue that would lead to collaboration in developing AI. See Tim Hwang and Alex Pascal, “Artificial Intelligence Isn’t an Arms Race,” Foreign Policy, December 11, 2019, https://foreignpolicy.com/2019/12/11/artificial-intelligence-ai-not-arms-race-china-united.
18 Department of Defense, Summary of 2018 National Defense Strategy of The United States of America (Washington DC, 2018), 5.
19 Aaron Boyd, “White House Updates National Artificial Intelligence Strategy,” Defense One, June 22, 2019, http://bit.ly/2ZYY2U4.
20 White House and Office of Science and Technology Policy, “Artificial Intelligence for the American People,” The White House, 2019, https://www.whitehouse.gov/ai/executive-order-ai.
21 “DoD’s JAIC to Call for Private Sector Cyber Tech Pitches,” MeriTalk, July 8, 2019, https://www.meritalk.com/articles/dods-jaic-to-call-for-private-sector-cyber-tech-pitches/.
22 “DoD’s JAIC to Call for Private Sector Cyber Tech Pitches.”
23 The authors wish to thank Dr. Harel Minshari, the director of cyber studies at the Holon Institute of Technology, for his helpful comments on this issue.
24 Sam Shead, “Eric Schmidt on AI: ‘Trust Me, These Chinese People Are Good,’” Business Insider, November 1, 2017, https://www.businessinsider.com/eric-schmidt-on-artificial-intelligence-china-2017-11.
25 Tom Simonite, “China is Catching up to the US in AI Research—FAST,” Wired, March 13, 2019, https://www.wired.com/story/china-catching-up-us-in-ai-research/.
26 Samuel Bendett, “Putin Orders Up a National AI Strategy,” Defense One, 2019, https://www.defenseone.com/technology/2019/01/putin-orders-national-ai-strategy/154555/.
27 Bendett, “Putin Orders Up a National AI Strategy.”
28 Andrew P. Hunter and others, Artificial Intelligence and National Security: The Importance of an AI Ecosystem (Washington, DC: CSIS, 2018), 48, https://www.csis.org/analysis/artificial-intelligence-and-national-security-importance-ai-ecosystem.
29 “The Science Committee: First Discussion on Government Readiness in the AI Field,” Knesset News, The Knesset, June 4, 2018, https://m.knesset.gov.il/News/PressReleases/pages/press04.06.18ec.aspx [Hebrew].
30 Dafna Gatz and others, Artificial Intelligence, Data Science and Smart Robotics, First Report (Shmuel Neeman Institute for National Security Research, 2018) [Hebrew].
31 Amir Mizroch, “In Israel, A Stand Out Year for Artificial Intelligence Technologies,” Forbes, March 11, 2019, https://www.forbes.com/sites/startupnationcentral/2019/03/11/in-israel-a-stand-out-year-for-artificial-intelligence-technologies/#13acbc7530a8.
32 For example, see the Israeli companies Mellanox and Habana Labs, which were sold to international companies for billions of dollars. For more on this topic, see Sagi Cohen, “Exit Warning: Tech Giants Fight over the Future of Computerization,” TheMarker, December 18, 2019, https://www.themarker.com/technation/.premium-1.8285726 [Hebrew].
33 Theresa Hitchens, “Rush to Military AI Raises Cyber Threats,” Breaking Defense, April 25, 2019, https://breakingdefense.com/2019/04/rush-to-military-ai-raises-cyber-threats.
34 Hitchens, “Rush to Military AI Raises Cyber Threats.”
35 Marc P. Stoecklin, “DeepLocker: How AI Can Power a Stealthy New Breed of Malware,” SecurityIntelligence, August 8, 2018, https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/.
36 Matthew Hutson, “Artificial Intelligence Just Made Guessing Your Password a Whole Lot Easier,” Science, September 15, 2017, https://www.sciencemag.org/news/2017/09/artificial-intelligence-just-made-guessing-your-password-whole-lot-easier.
37 Allan Dafoe, AI Governance: A Research Agenda (Future of Humanity Institute and University of Oxford, 2017), 5, https://www.fhi.ox.ac.uk/wp-content/uploads/GovAIAgenda.pdf; Miles Brundage and others, The Malicious Use of Artificial Intelligence: Forecasting, Prevention and Mitigation (Future of Humanity Institute and University of Oxford, 2018), 20, https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/MaliciousUseofAI.pdf?ver=1553030594217.
38 Jian-hua Li, “Cyber Security Meets Artificial Intelligence: A Survey,” Frontiers of Information Technology and Electronic Engineering 19, no. 12 (2018): 1462–1474, https://doi.org/10.1631/FITEE.1800573.
39 Mesut Ozdag, “Adversarial Attacks and Defenses against Deep Neural Networks: A Survey,” Procedia Computer Science 140 (2018): 152–161, https://doi.org/10.1016/j.procs.2018.10.315.
40 Jacob Steinhardt, Pang Wei Koh, and Percy Liang, “Certified Defenses for Data Poisoning Attacks,” Advances in Neural Information Processing Systems (December 2017): 3518–3530; Patrick Hall, “Proposals for Model Vulnerability and Security,” O’Reilly Media, 2019, https://www.oreilly.com/ideas/proposals-for-model-vulnerability-and-security.
41 Battista Biggio and others, “Evasion Attacks against Machine Learning at Test Time,” Lecture Notes in Computer Science, part 3 (2013): 387–402, https://doi.org/10.1007/978-3-642-40994-3_25; Erwin Quiring and Konrad Rieck, “Adversarial Machine Learning against Digital Watermarking,” European Signal Processing Conference (September 2018): 519–523, https://doi.org/10.23919/EUSIPCO.2018.8553343.
42 Florian Tramèr and others, “Stealing Machine Learning Models via Prediction APIs” (Cornell University, October 2016), http://arxiv.org/abs/1609.02943.
43 Romain Artru, Alexandre Gouaillard, and Touraj Ebrahimi, “Digital Watermarking of Video Streams: Review of the State-Of-The-Art,” August 2019, https://arxiv.org/abs/1908.02039.
44 Qiang Liu and others, “A Survey on Security Threats and Defensive Techniques of Machine Learning: A Data Driven View,” IEEE Access 6 (2018): 12103–12117, https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8290925.
45 Liu and others, “A Survey on Security Threats and Defensive Techniques of Machine Learning.”
46 Richard Gall, “Machine Learning Explainability vs Interpretability: Two Concepts That Could Help Restore Trust in AI,” KDnuggets, 2018, https://www.kdnuggets.com/2018/12/machine-learning-explainability-interpretability-ai.html.
47 Connor McLemore and Charles Clark, “The Devil You Know: Trust in Military Applications of Artificial Intelligence,” War on the Rocks, September 23, 2019, https://warontherocks.com/2019/09/the-devil-you-know-trust-in-military-applications-of-artificial-intelligence/.
48 Zelros AI, “A Brief History of Machine Learning Models Explainability,” Medium, September 24, 2018, https://medium.com/@Zelros/a-brief-history-of-machine-learning-models-explainability-f1c3301be9dc.
49 Ori Berkovitz, “Investing 2 Billion Nis Per Year in Smart Cities, Agriculture and Academia: How Israel Plans to Become an AI Power,” Globes, November 18, 2019, https://www.globes.co.il/news/article.aspx?did=1001307714 [Hebrew].
50 Mariarosaria Taddeo and Luciano Floridi, “Regulate Artificial Intelligence to Avert Cyber Arms Race,” Nature 556, no. 7701 (April 16, 2018): 296–298, https://doi.org/10.1038/d41586-018-04602-6.
The article was originally published in Cyber, Intelligence, and Security, Volume 4, No. 1, March 2020.
CYBERWATCH FINLAND QUARTERLY REVIEW Q3 2020

Topics:
1. Country Analysis: India
2. The Cyber Capabilities of Extremist Movements
3. Quantum Technology Can Decipher Encryption, but Hope Is Not Lost
4. Cyber Maturity Models Provide a Better Understanding of the Existing Level of Cyber Security
5. Zero Trust Helps Combat Internal Risks More Effectively
This review focuses on five topics. This time India is the subject of the country analysis. Digitisation and its rapid development in India can be regarded as world class by every measure. Although ICT technology and business are developing quickly in India, the same cannot be said of the level of cyber security. In cyberspace, India is under constant pressure from China and Pakistan, which poses an indirect threat to multinational companies that purchase ICT services from Indian subcontractors. The situation is, however, improving rapidly, especially through important partnerships. Extremist movements have focused their cyber capabilities on protecting their own activities and spreading propaganda. Both political extremists and terrorist organisations make effective use of cyberspace to spread their ideology and to shield internal communications from government intelligence. Cyber operations thus play a supporting role to the core activity, and there are currently no observations of significant development of offensive capabilities. Although large-scale cyber terrorism is not likely at present, the possibility cannot be ruled out. Quantum technology will significantly change the playing field of cyber security. Many of the cryptographic algorithms in use today will become unusable in their current form, or at least the confidentiality they provide will be weakened. Hope is not lost, however. Despite recent successful experiments, current quantum computers operate only under laboratory conditions, and their large-scale deployment is estimated to be another 10-15 years away. In addition, new quantum-resistant algorithms are being developed, and over the coming years they will gradually replace the existing ones.
In recent years, alongside traditional security standards, assessment methods focused specifically on cyber security have been developed to measure the state of an organisation's cyber capabilities on a multi-level scale. A comprehensive set of indicators helps identify the weak areas of cyber security, and the indicators take the specific features of the cyber environment into account. Threat intelligence has become an integral part of risk management, and situational awareness plays an important role in anticipating cyber attacks. During the latter part of the year, the Finnish Cyber Security Centre will launch a domestic cyber maturity model based on international frameworks, introducing new assessment methods for domestic organisations. Zero trust is a rising trend in cyber security. Its starting point is the assumption that an outsider may already control the internal network, or that no meaningful boundary between the internal and external network exists. Following the principle "never trust, always verify", controls are applied in small micro-segments instead of large network segments, and every access by a user or device to a piece of information is authenticated and authorised separately. Zero trust is primarily a model of technical controls, but it also seeks to change risk management and the security culture so that internal cyber threats are given stronger consideration.
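As an added illustration, not part of the review, the following Python sketch shows the decision the zero trust paragraph describes: each request is evaluated against identity, session strength, device posture and the target micro-segment, and the source network is deliberately never consulted. A perimeter-style decision is included beside it for contrast. The policy table, user and device names and sample requests are constructed for the example; no product API is involved.

```python
"""Per-request access decision in the zero trust style ("never trust, always verify").

Added example, not code from the Cyberwatch review. All users, devices, segments
and policy rules below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool        # did this session complete strong authentication?
    device_id: str
    device_compliant: bool    # posture check result (patched, disk encrypted, ...)
    source_network: str       # "corp-lan", "vpn", "internet" - never a credential by itself
    resource: str             # micro-segment / application the request targets


# Constructed policy: who may reach which micro-segment, and what each segment
# requires. There is deliberately no rule granting access because a request
# originates from the internal network.
SEGMENT_POLICY = {
    "hr-db":      {"allowed_users": {"alice"},        "require_mfa": True,  "require_compliant_device": True},
    "wiki":       {"allowed_users": {"alice", "bob"}, "require_mfa": False, "require_compliant_device": True},
    "build-farm": {"allowed_users": {"bob"},          "require_mfa": True,  "require_compliant_device": True},
}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Evaluated separately for every request and segment."""
    policy = SEGMENT_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown segment: default deny"
    if req.user not in policy["allowed_users"]:
        return False, "user not entitled to this segment"
    if policy["require_mfa"] and not req.mfa_verified:
        return False, "strong authentication required"
    if policy["require_compliant_device"] and not req.device_compliant:
        return False, "device failed posture check"
    # req.source_network was never consulted: network location is not trust.
    return True, "identity, session and device verified for this segment"


def perimeter_decide(req: Request) -> bool:
    """The model zero trust replaces: anything already inside the LAN is trusted."""
    return req.source_network == "corp-lan"


def evaluate_batch(requests: list[Request]) -> list[tuple[str, str, bool, bool]]:
    """(user, resource, zero-trust decision, perimeter decision) for each request."""
    return [(r.user, r.resource, decide(r)[0], perimeter_decide(r)) for r in requests]


SAMPLE_REQUESTS = [  # constructed
    Request("alice",   True,  "lt-01", True,  "internet", "hr-db"),      # legitimate remote admin
    Request("mallory", True,  "lt-99", True,  "corp-lan", "hr-db"),      # attacker who reached the LAN
    Request("bob",     False, "lt-02", True,  "corp-lan", "build-farm"), # insider without strong auth
    Request("bob",     True,  "lt-02", False, "vpn",      "wiki"),       # compromised laptop
]

if __name__ == "__main__":
    for user, res, zt, perim in evaluate_batch(SAMPLE_REQUESTS):
        print(f"{user:8} -> {res:10} zero-trust={zt!s:5} perimeter={perim}")
```

The second and third sample requests are the ones the paragraph is about: a perimeter model lets them through because they come from the internal network, while the per-request check denies them on entitlement and session strength.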
1. COUNTRY ANALYSIS: INDIA

Key points:
1. India's cyber capabilities are currently limited in relation to the great powers, but they are evolving rapidly through important partnerships.
2. India is in constant cyber conflict with China, North Korea and Pakistan. China's effective cyber espionage poses a serious threat to European companies that outsource IT services to India. Through these subcontracting chains, India has a global impact on the development of digital and cyber security.
3. Numerous projects are under way in India to improve the level of cyber security. India's importance and influence in cyber security will grow rapidly in the coming years.
India wants to develop into a global superpower and is developing its national cyber capabilities with this in mind. The ICT business is an important source of welfare for India, currently generating a turnover of around 200 billion USD. The figure is predicted to grow to 350 billion USD by 2025, by which time ICT would represent 38% of total business in India. Nevertheless, India's cyber capabilities are still limited compared with the other great powers. For example, while the United States, China and Russia have had cyber warfare forces for years, India brought its cyber warfare operations under one organisation only last year. The first tasks of General Mohit Gupta, commander of the Defence Cyber Agency established in autumn 2019, have been to create a cyber warfare doctrine and to combine the separate cyber functions of the army, navy and air force towards a common goal. The service branches of the Indian Armed Forces have traditionally been independent with little cooperation, so joining the cyber forces is a challenge. The Defence Cyber Agency has also struggled with budgetary constraints, and General Gupta opened a political debate on the subject earlier this year by proposing that 10% of the state's IT budget be used to fund cyber operations.

With regard to national security, cyber security is the responsibility of the Ministry of the Interior (Ministry of Home Affairs). Established in 2015, the Cybercrime Coordination Centre initially focused on developing the cyber capabilities of the police. Since then the function has grown from a police unit into a separate division within the ministry. The Cyber and IT Security Division now includes, for example, the CERT function, and it also creates national cyber security practices for the Indian business community. India relies on partners to develop its cyber capabilities. Within the last year, four important cooperation agreements have been announced. In the traditionally strong partnership between the UK and India, cyber security has been raised to a top priority alongside fintech and digitalisation. At the end of last year, India and France signed a cooperation agreement covering, for example, shared cyber intelligence, combating cyber threats related to 5G technology, security certification of software products, and research into artificial intelligence and quantum technology. In June India signed a similar agreement with Australia, and in July one with Israel. Last year the Indian CERT also signed a letter of intent with Traficom on the exchange of cyber security information. With these cooperation projects, India is likely to improve its cyber performance significantly over the next 2-3 years. India's main cyber opponents are Pakistan, North Korea and China. Pakistan's cyber capabilities are at most on India's level, and its role as India's cyber adversary is mainly limited to occasional defacement of government websites and harassment of authorities on social media.
North Korea and China are much more serious opponents. According to the Indian CERT, during the spring and summer both countries carried out DDoS and phishing attacks that caused extensive damage, especially to the IT infrastructure of the Indian government. In addition, in line with its strategy, China has been active in cyber espionage. China has been found to have broken into not only a number of public administration services but also the information systems of multinational companies based in India. China knows that many large global companies have outsourced their IT services to India, which opens up the possibility of spying on those companies as well, since the level of cyber security in this sector has been weak. The same weakness is reflected in the interest and activity of cybercriminals in India. For several years India has ranked among the most vulnerable countries in terms of cyber security. Investment in cyber security has not increased, even though over the past year more than half of large Indian companies, by their own estimate, suffered serious damage from cyber attacks and espionage. Although India is regarded as a superpower of IT services, not enough has been invested in implementing cyber security. Data centres located in India provide services to many Western companies and organisations. Deficiencies in cyber security, and in particular China's cyber espionage against India, therefore also pose a serious threat to Finnish and European companies. Cybercriminals and spies prefer to attack the information systems that are easiest to break into, which increases the likelihood of a so-called third-party risk scenario, in which an organisation is compromised through a supplier rather than directly.

India is one of the fastest digitising countries in the world by almost every available measure. The share of the population using the internet is growing rapidly, the number of devices is growing strongly, and investment in telecommunications infrastructure keeps increasing. The ICT sector employs more than a million people. India has recognised the importance of cyber security as part of digitalisation as a whole, and several government-sponsored projects have been launched over the past year to support cyber security development and education. At least the Ministries of the Interior, Defence and Transport are involved in cyber security projects. In addition, numerous cyber security coordination groups have been set up as collaborations between the private sector and academia. There is thus enough activity, but clarifying the governance model remains a challenge. Training in particular is being strongly increased on many fronts, and as cyber awareness spreads, a clear change in work culture is expected. In Finland it is often noted that cyber security is not addressed enough at the steering-group level of companies. In India there has been positive development: surveys at the beginning of this year showed that about 70% of large Indian companies had a cyber security director sitting on the management team or board. The outlook for cyber security in India has recently turned positive. Developments are still fragmented and governance models unclear, but the direction is right. Given the country's vast resources and knowledge capital in IT, India has the full potential to become one of the great powers of cyber security in the coming years.
Sources:
https://www.indiatoday.in/india/story/china-north-korea-pakistan-cyber-attacks-warfare-india-websites-1693123-2020-06-26
https://www.ey.com/en_in/consulting/ey-global-information-security-survey-2020
https://eucyberdirect.eu/content_research/cyber-resilience-and-diplomacy-in-india/
https://www.dsci.in/sites/default/files/DSCI-Annual-Report-2019-20.pdf
https://www.ibef.org/industry/information-technology-india.aspx
Cyber Resilience and Diplomacy in India, EU Cyber Direct, 2019.
2. CYBER CAPABILITIES OF EXTREMIST MOVEMENTS

Key points:
1. Extremist movements use cyberspace primarily to spread their ideology and gain followers. Communication strategies are carefully planned and often skilfully implemented.
2. Terrorist organisations have the greatest resources of all extremist movements and a higher level of cyber expertise. There are no signs of active development of offensive cyber capabilities.
3. Operational security, or OPSEC, is at the heart of extremist cyber operations. Highly innovative methods can be used to implement it.
4. The most prominent activity of extremist movements is causing physical harm and violence; cyber action plays a supporting role. The likelihood of actual cyber terrorism is low, but it cannot be ruled out.
The motives of extremist movements can be political, religious or otherwise ideological. Extremist movements often oppose, and seek to destabilise, Finland's social system and parliamentary democracy. They can endanger the internal security of the state through illegal activities such as destruction, rioting and political violence. Sometimes extremist movements also target individuals or groups, which is often referred to as hate crime. Extremism also often includes terrorism itself, which is intended to spread fear and panic and to wreak havoc rather than to bring about social change. By contrast, activist movements such as the Anonymous collective are not classified as extremist, because their motivations range from resisting terrorists to disrupting government action. Cyberspace offers excellent opportunities for extremist communication and recruitment. Through public communication, extremist movements reinforce their own motives and, above all, reach potential members among the general public. Their public communication strategy includes building their own communication machinery, creating fear and uncertainty with false information, rejecting any kind of criticism, and amplifying their message through social media. In addition, freedom of speech is readily invoked when public communication approaches hate speech or is otherwise reprehensible. Communication campaigns have often been carried out quite skilfully, taking advantage of current events and the reactions they evoke from the public. Extremist movements' public websites and their use of disinformation sit constantly in a grey area and often cross the line between freedom of speech and hate speech. Their methods of communication also include manifestos in which violent attacks have been announced in advance, for example on social media, just as the attacks are about to take place.
If state-supported hacker groups are excluded from the analysis, the cyber capabilities and resources of extremists are moderate at best. Terrorist organisations have the greatest resources. For example, the United Cyber Caliphate, part of the ISIS organisation, and the Fallaga Team from Tunisia are more tightly organised IT groups supporting terrorist activities, with memberships ranging from a handful to a few dozen. The activities of such groups focus mainly on protecting the actual terrorist activity, publishing propaganda material, and eye-catching but simple cyber attacks such as defacing public administration websites with propaganda. Protecting one's own activities, so-called OPSEC, is one of the core tasks of extremist cyber operations. Communication between members takes place in closed networks that are often also encrypted. The Telegram messaging application has become known as an encrypted communications platform for several terrorist groups and extremists. In addition, the darknet hosts numerous closed forums for extremists, where opinions belonging to their ideology can be exchanged more freely and illegal activities prepared. Ready-made applications and standard solutions are usually used for operational security, but the implementation can also be very innovative. In 2016, US Cyber Command paralysed ISIS's online operations in an operation called Glowing Symphony. During the intelligence phase it was found that ISIS's servers and data were not located on the terrorists' own servers in Iraq, Pakistan or Syria; instead, they had infiltrated the public cloud services of businesses and public administration. ISIS's services could therefore not be taken down by attacking the servers wholesale; the attacks had to be focused very precisely on the right targets so as not to harm bystanders. The prominent activities of extremist movements focus on physical harm and violent attacks. Cyber operations play a supporting role in OPSEC and communication, and there is no sign of extremist movements investing in enhancing offensive cyber operations.
There is currently no extensive evidence of serious cyber attacks by extremist movements. Apart from occasional website defacements and data breaches, there is no current offensive cyber activity. One reason for this is the development of cyber defence in public administration and companies. Cyber defence is most often strengthened against state actors and cybercriminals, who are usually a more serious threat than extremist movements. For extremist movements to be able to cause serious harm to overall cyber security, they would have to invest far more in developing their cyber capabilities.
With their current resources, extremist movements do not pose a serious threat to overall cyber security. However, the possibility of a serious and unexpected cyber attack cannot be ruled out. Extremist movements, and terrorist organisations in particular, have in the past been able to upset social order with completely unpredictable actions.
Sources:
http://visionofhumanity.org/terrorism/hydra-the-evolving-anatomy-of-extremism/
https://intermin.fi/en/police/cybercrime
https://www.supo.fi/fi
https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis?t=1597644504237
Ministry of the Interior (Sisäministeriö). Situation Review of Violent Extremism 2020 (Väkivaltaisen ekstremismin tilannekatsaus 2020).
https://www.researchgate.net/publication/315212548_Cyber-Extremism_Isis_and_the_Power_of_Social_Media
International Institute for Counter-Terrorism. The Virus of Hate: Far-Right Terrorism in Cyberspace. 3/2020.
https://icct.nl/wp-content/uploads/2019/11/Right-Wing-Extremists-Persistent-Online-Presence.pdf
https://www.rms.com/blog/2019/11/13/cyberterrorism-a-risk-assessment
3. QUANTUM TECHNOLOGY CAN DECIPHER ENCRYPTION, BUT HOPE IS NOT LOST

Key points:
1. The development of quantum technology will break most of today's public-key cryptographic systems within the next 10-15 years. The same applies to the digital signature in its current form, which will no longer be an indisputable method of authentication.
2. Quantum technology is not only a threat to cyber security. Quantum-resistant cryptographic systems are under development, and the protection they provide can take cyber security to a new level.
3. An organisation's security requirements determine how it should prepare for quantum technology. High-security organisations need to evaluate today's practices critically in light of it. Software vendors are adding post-quantum algorithms to their current products, which will be sufficient for most users.
Quantum technology and its theoretical impact on computing performance has been talked about for a long time, but the debate gained new impetus in October last year when Google announced that its Sycamore quantum processor had completed a benchmark computation in 200 seconds that, by Google's estimate, would have taken the world's fastest known supercomputer about 10,000 years. A classical computer works on bits that hold either 0 or 1, so an exhaustive search has to test the candidate values one at a time. A quantum computer works on qubits, which can be in a superposition of 0 and 1, so a register of qubits can represent and process many candidate values at once; for certain problems this yields algorithms that are fundamentally faster than any known classical one. The experiment is a significant achievement, but quantum computers are still far from the requirements of real-world use. Qubits are fragile and error-prone, and so far they can only be operated under laboratory conditions. It is estimated that quantum computers will be usable for everyday tasks, at the earliest, in 10-15 years.
Quantum computing affects symmetric and asymmetric cryptographic algorithms differently, so understanding the implications requires at least the basics of cryptography. Asymmetric algorithms such as RSA, and likewise the Diffie-Hellman and elliptic-curve schemes, are expected to break outright, because Shor's algorithm factors integers and computes discrete logarithms in polynomial time; this is a structural attack that no increase in key length can fix, not merely a gain in raw computing power. As a result, digital signatures in their current form (RSA, DSA, ECDSA) will become unusable, because a forger could recover the private key from the public one. The effect on symmetric encryption is weaker. Grover's algorithm speeds up exhaustive key search quadratically, which roughly halves the effective key length: a 128-bit key would offer only about 64 bits of security, whereas a 256-bit key (for example AES-256) keeps about 128 bits and is considered resistant to quantum brute-force attacks. The overall effect, once further quantum algorithms are taken into account, is complex and difficult to predict, so no precise estimate can be made yet. In any case, the protection that current encryption methods provide for the confidentiality, integrity and non-repudiation of data is significantly weakened by quantum technology. Quantum technology is not only a threat to cyber security. New cryptographic algorithms designed to withstand attack by quantum computers are being developed at a rapid pace, and the cryptographic systems built on them can take the security of information systems to a new level. These new solutions are commonly referred to as post-quantum cryptography. Note that they run on ordinary computers; quantum key distribution, which uses quantum physics itself to exchange keys, is a separate technology. The goal is to develop solutions that can directly replace implementations based on, for example, the RSA algorithm. Quantum-resistant cryptography is expected to benefit most those applications where security is weak by current standards. For example, many IoT environments have been criticised as insecure: more and more devices are connected to the Internet, and cyber security has not always been implemented in the best possible way.
Indeed, numerous development projects are under way in which new cryptographic solutions are applied to the reliable identification of devices in IoT environments and to the encryption of their communications. The United States is at the forefront of quantum technology development, both in the private sector and in state-funded projects. In the United States, scientific research and the development of quantum-related standards is led by NIST (National Institute of Standards and Technology), whose post-quantum cryptography standardisation process is selecting the algorithms intended to replace RSA and elliptic-curve schemes. The United States is followed by Japan, China, South Korea and Canada. Both the EU and individual European countries, including Finland, have launched their own research projects. Quantum technology is one of China's spearheads in building its status as a technological superpower, and China has invested by far the most in state-funded projects in recent years: its funding of ten billion euros for 2017-2020 is more than five times that of the United States. However, given the pace of technological development in the United States and its strong private sector, China is not yet the world leader in quantum technology even with this investment. Preparations for quantum technology and the threat it poses to cyber security are already under way. Post-quantum cryptographic solutions and their rapid development look promising, at least in theory. New encryption solutions will most likely be incorporated by software companies into everyday applications: Internet browsers, messaging applications, e-mail, cloud services and so on. How much quantum technology needs to be taken into account in today's operations depends on the organisation's security requirements. For companies whose business is not security-critical, it will suffice to follow developments and to adopt post-quantum algorithms as vendors ship them in software and firmware updates. Organisations handling high-security information should already take a critical look at, for example, how archived information is protected. Data that is encrypted today may be harvested now and decrypted quickly in 20 years, once quantum computers are available. In that case one must consider moving long-lived data to 256-bit symmetric keys or protecting it by means of physical security. A practical first step for any organisation is an inventory of where RSA, Diffie-Hellman and elliptic-curve cryptography are used and for how long the protected data must remain confidential. The practical application of quantum technology is still a long way off, according to general estimates perhaps 10-15 years.
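The triage described in the two paragraphs above (Shor breaks public-key algorithms outright, Grover halves symmetric strength, and long-lived data is exposed to harvest-now-decrypt-later) can be written down as a small inventory script. This is an added example and not code from the review or from NIST; the inventory entries, the 2035 horizon (the review's 10-15 years counted from 2020) and the 128-bit target are assumptions made for the example.

```python
"""Triage a cryptographic inventory against the quantum threat.

Added example; not code from the Cyberwatch review or from NIST. It encodes:
  * Shor's algorithm breaks RSA, DH/ECDH and DSA/ECDSA outright, whatever the key size.
  * Grover's algorithm roughly halves the effective strength of symmetric keys and of
    hash preimage resistance, so AES-128 keeps ~64 bits while AES-256 keeps ~128.
  * Data that must stay protected beyond the assumed arrival of a large quantum
    computer is exposed to "harvest now, decrypt later".
The horizon year, the target strength and the inventory below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

QUANTUM_HORIZON_YEAR = 2035   # assumption: review's 10-15 years counted from 2020
MIN_POST_QUANTUM_BITS = 128   # assumption: security level we want to retain

SHOR_BROKEN = {"RSA", "DH", "ECDH", "DSA", "ECDSA"}
GROVER_WEAKENED = {"AES", "ChaCha20", "SHA-256", "SHA-3"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    key_bits: int          # key size, or digest size for a hash
    purpose: str           # "key-exchange", "signature", "encryption", "hash"
    protect_until: int     # year until which the data or signature must stay trustworthy


def effective_bits(algorithm: str, key_bits: int) -> int:
    """Security strength left once a cryptographically relevant quantum computer exists."""
    if algorithm in SHOR_BROKEN:
        return 0                  # polynomial-time break; a longer key does not help
    if algorithm in GROVER_WEAKENED:
        return key_bits // 2      # quadratic speed-up on exhaustive search
    return key_bits               # no known quantum attack assumed (e.g. a PQC candidate)


def triage(asset: Asset) -> dict:
    bits = effective_bits(asset.algorithm, asset.key_bits)
    # Exposure outlives the horizon: for encrypted data this is harvest-now-decrypt-later;
    # for signatures it means forgeries become possible while the signature is still relied on.
    outlives_horizon = asset.protect_until > QUANTUM_HORIZON_YEAR and bits < MIN_POST_QUANTUM_BITS
    if bits == 0:
        action = "replace with post-quantum algorithm (Shor-broken)"
    elif bits < MIN_POST_QUANTUM_BITS:
        action = "move to a 256-bit key (Grover-weakened)"
    else:
        action = "monitor; adequate under current assumptions"
    if outlives_horizon:
        action += "; long-lived data: re-protect or isolate physically before the horizon"
    return {"name": asset.name, "purpose": asset.purpose, "effective_bits": bits,
            "outlives_horizon": outlives_horizon, "action": action}


def triage_inventory(assets: list[Asset]) -> list[dict]:
    """Worst findings first, so the output reads as a priority list."""
    return sorted((triage(a) for a in assets),
                  key=lambda r: (r["effective_bits"], not r["outlives_horizon"]))


INVENTORY = [  # constructed sample inventory; protect_until is the data's life, not the cert's
    Asset("tls-frontend",   "ECDH",    256,  "key-exchange", 2022),
    Asset("code-signing",   "RSA",     3072, "signature",    2040),
    Asset("backup-archive", "AES",     128,  "encryption",   2045),
    Asset("sealed-vault",   "AES",     256,  "encryption",   2045),
    Asset("audit-hashes",   "SHA-256", 256,  "hash",         2040),
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(f"{row['name']:15} {row['effective_bits']:4} bits  "
              f"outlives_horizon={row['outlives_horizon']!s:5}  {row['action']}")
```

The ordering is the point: the RSA signing key whose signatures must be trusted until 2040 and the 128-bit archive that must stay confidential until 2045 come out ahead of the TLS front end, whose traffic is assumed to lose its value long before the horizon, even though all three use algorithms that quantum computers affect.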
It is possible, perhaps even probable, that quantum technology is already being used in the intelligence systems of the great powers today. History offers a precedent from the 1970s, when mathematicians at the British signals intelligence agency GCHQ developed a public key encryption method in secret, about five years before the RSA algorithm was published.

Sources:
https://www.livescience.com/google-hits-quantum-supremacy.html
Barker et al. (2020). Getting Ready for Post-Quantum Cryptography. NIST Cybersecurity White Paper.
https://thequantumdaily.com/2020/04/30/is-aes-256-quantum-resistant/
European Commission. Digital Economy and Society Index (DESI) 2020.
https://www.thalesgroup.com/en/germany/magazine/quantum-computing-and-cybersecurity
https://www.etla.fi/en/latest/quantum-computing-is-coming-will-cybersecurity-be-compromised/
https://ec.europa.eu/digital-single-market/en/news/future-quantum-eu-countries-plan-ultra-secure-communication-network
4. CYBER MATURITY MODELS PROVIDE A BETTER UNDERSTANDING OF THE EXISTING LEVEL OF CYBER SECURITY

Key points:
1. Cyber security maturity models are better suited to assessing the current state of cyber security and improving performance than traditional security standards.
2. Maturity models take better account of the specificities of the cyber environment. They expand risk management through threat intelligence and emphasise the importance of situational awareness in preparedness.
3. Maturity models are well suited especially to critical infrastructure operators, but also to all organisations whose business depends on the operation of information systems and networks.
Traditional security standards such as ISO 27001 and the Finnish national security assessment criteria Katakri are commonly used for assessing and developing information security and cyber security within organisations. Alongside these core standards there is a wide range of industry-specific standards and regulations that emphasise the information and cyber security components relevant to that industry. The main purpose of these standards is to ensure the confidentiality, integrity and availability of information throughout its lifecycle, in accordance with the basic pillars of information security. Cyber security is largely based on the same principles as information security, but it places more emphasis on information networks and systems and their smooth operation. In addition, more emphasis must be placed than in traditional security models on identifying threats in the cyber environment, protecting against them, maintaining an up-to-date situational picture, and recovering from cyber attacks. In the United States, critical infrastructure operators, the energy sector first among them, noticed the lack of cyber security-focused assessment criteria in the early 2010s. The US Department of Energy released the Cybersecurity Capability Maturity Model (C2M2), originally for the energy sector, in 2012. The model divides cyber security into ten domains: risk management; asset, change and configuration management; identity and access management; threat and vulnerability management; situational awareness; information sharing and communications; event and incident response and continuity of operations; supply chain and external dependencies management; workforce management; and cyber security programme management. The US standards body NIST then published its own model, the Cybersecurity Framework (CSF), whose version 1.0 appeared in 2014; it looks at cyber security through five core functions: Identify, Protect, Detect, Respond and Recover. In Europe, the UK and Germany have also released their own cyber maturity models. During the current year a national model called Kybermittari (Finnish for "cyber meter") has been developed in Finland under the auspices of the Cyber Security Centre, which is largely
based on the above-mentioned and other international models. Kybermittari includes a self-assessment tool that allows an organisation to assess, on its own or with the assistance of an expert partner, its cyber security fitness at four levels of maturity. The model includes comprehensive cyber security elements in accordance with international models. Based on the evaluation, the indicator produces a numerical rating of the organisation’s level of maturity, as well as the necessary reports for management and other stakeholders. Sectoral comparisons are possible as long as a sufficient number of organisations have made the assessment and industryspecific statistics can be compiled. Developing cyber security is difficult if the current state and the areas for development are not known. Measuring the level of security using security standards is often a yes or no assessment, in other words, either this requirement is met or not met. Some standards are based on the organisation’s own risk analysis and the goals set for their information security are based on it. Cyber security maturity models can be used to assess cyber security at several levels, making it possible to form a more realistic picture and to identify areas for development that can be influenced by a sensible investment. In addition to more accurate measurements, cyber security maturity meters both expand and enhance risk management planning and implementation. Risk management seeks to identify precise risks and threats related to the cyber environment. Maturity meters also include cyber threat intelligence, which has long been an upward trend in cyber security. Not only is the threat sought to be identified, but the motivation, methods and the ability to implement the threat should be assessed for each one, thus forming an overall assessment of the probability and effectiveness of the threat. In addition, the results of threat intelligence should be used more
efficiently as a starting point for both tactical and strategic preparedness. Creating and maintaining a situational picture is another aspect of cyber security that maturity models approach from a new perspective. Log systems generate the raw data for the situational picture, but external data sources should also be included where possible. At higher maturity levels, the situational picture is generated automatically and kept up to date, and it is accompanied by threat intelligence and the predictions of probable threats, both short-term and long-term, that threat intelligence produces. Using a maturity meter, like any measurement, should not be a one-off but should be repeated regularly. In this way the impact of the measures taken on the overall situation can be assessed. At their best, meters can be used to analyse the interdependencies of technology, people and processes: if results improve or deteriorate in one of these areas, is that due to positive or negative developments in another area, and what are the reasons behind it? To get the most out of maturity meters, they must be used regularly, and the results and their effects must be analysed comprehensively. Cyber security maturity meters bring many improvements to the assessment, measurement and development of an organisation's level of cyber security. Maturity meters have highlighted cyber security-related elements that are not sufficiently addressed in the more general information security frameworks. However, the principles of information security are the same in different operating environments, so the meters are more about a stronger emphasis on the cyber environment and on ensuring the operational reliability of systems. Maturity meters are especially well suited to critical infrastructure actors, but also to other cyber-intensive organisations where information systems and networks play a critical role.
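The difference between a yes-or-no compliance verdict and a multi-level maturity rating, as an added example that is not Kybermittari's or C2M2's own scoring code. The rule that a domain reaches a level only when every practice at that level and below is implemented is an assumption modelled on C2M2's maturity indicator levels; the four-level scale follows the article, and the domains, practices and answers are constructed sample data.

```python
"""Multi-level maturity scoring versus yes/no compliance (added example).

The scoring rule is a simplification modelled on C2M2's maturity indicator
levels, not the actual Kybermittari or C2M2 tooling: a domain reaches level
n only when every practice at levels 1..n is fully implemented.  Partial
credit is reported separately so that near-misses stay visible to
management.  Domain names and statuses below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List

NOT_IMPLEMENTED, PARTIAL, IMPLEMENTED = 0, 1, 2   # self-assessment answers
MAX_LEVEL = 4                                      # four maturity levels, as in Kybermittari

@dataclass
class Practice:
    level: int     # maturity level the practice belongs to (1..MAX_LEVEL)
    status: int    # NOT_IMPLEMENTED / PARTIAL / IMPLEMENTED

@dataclass
class Domain:
    name: str
    practices: List[Practice] = field(default_factory=list)

def compliance_check(domain: Domain) -> bool:
    """Standard-style verdict: every requirement met, or not."""
    return all(p.status == IMPLEMENTED for p in domain.practices)

def maturity_level(domain: Domain) -> int:
    """Highest n such that all practices at levels 1..n are IMPLEMENTED.

    Advanced practices do not count until the levels beneath them are
    complete: a gap at level 2 caps the domain at level 1 no matter what
    is implemented at levels 3 and 4.
    """
    achieved = 0
    for level in range(1, MAX_LEVEL + 1):
        at_level = [p for p in domain.practices if p.level == level]
        if at_level and all(p.status == IMPLEMENTED for p in at_level):
            achieved = level
        else:
            break
    return achieved

def completion_ratio(domain: Domain) -> float:
    """Share of practice points earned, 0.0..1.0 (partial counts half)."""
    total = IMPLEMENTED * len(domain.practices)
    return sum(p.status for p in domain.practices) / total if total else 0.0

def assess(domains: List[Domain]) -> dict:
    """Per-domain figures for a management report plus the overall level.

    The overall level is the weakest domain: an organisation is only as
    mature as its least mature area.
    """
    report = {}
    for d in domains:
        report[d.name] = {
            "compliant": compliance_check(d),
            "maturity_level": maturity_level(d),
            "completion": round(completion_ratio(d), 2),
        }
    report["overall_level"] = min(maturity_level(d) for d in domains) if domains else 0
    return report

# Constructed sample self-assessment (illustrative values, not real data).
SAMPLE = [
    Domain("Access rights", [
        Practice(1, IMPLEMENTED), Practice(1, IMPLEMENTED), Practice(2, IMPLEMENTED),
        Practice(3, PARTIAL), Practice(4, NOT_IMPLEMENTED),
    ]),
    Domain("Situational picture", [
        Practice(1, IMPLEMENTED), Practice(2, NOT_IMPLEMENTED),
        Practice(3, IMPLEMENTED), Practice(4, IMPLEMENTED),
    ]),
]

if __name__ == "__main__":
    for name, row in assess(SAMPLE).items():
        print(name, row)
```

Both sample domains fail the yes-or-no check, which is all a standard-style audit would report. The maturity rating separates them: "Access rights" reaches level 2 with a partial at level 3, while "Situational picture" is capped at level 1 because of the level 2 gap even though its advanced practices are in place, which is exactly the kind of misdirected investment a multi-level meter is meant to expose.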
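How a situational picture can be built from log data and enriched with an external threat intelligence source, as an added example that is not part of the original article. The log format, the indicator list standing in for an external feed, and the scoring weights are all constructed for illustration; the only real technique shown is per-host correlation of internal events with external indicators.

```python
"""Situational picture from logs and external threat intelligence (added example).

Log lines are the internal raw data; a small IOC list stands in for an
external feed.  Events are correlated per internal host so that the
picture says what is happening and how serious it is, rather than
listing raw lines.  Log format, IOC feed and scoring weights are all
constructed for this illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log lines (syslog-like, documentation IP ranges; not real data).
LOGS = """\
2020-09-29T08:01:10Z fw01 allow src=10.20.1.15 dst=203.0.113.77 dport=443
2020-09-29T08:01:12Z auth01 login_failed user=jsmith src=10.20.1.15
2020-09-29T08:01:14Z auth01 login_failed user=jsmith src=10.20.1.15
2020-09-29T08:01:16Z auth01 login_failed user=jsmith src=10.20.1.15
2020-09-29T08:02:00Z auth01 login_ok user=jsmith src=10.20.1.15
2020-09-29T08:03:30Z fw01 allow src=10.20.1.15 dst=198.51.100.9 dport=4444
2020-09-29T08:05:00Z fw01 allow src=10.20.2.40 dst=192.0.2.10 dport=443
"""

# External threat intelligence: indicator -> (threat name, capability 1..5).
# Constructed for the example; a real feed would come from a provider or ISAC.
IOCS = {
    "198.51.100.9": ("example C2 server", 5),
    "203.0.113.77": ("known scanner", 2),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse_line(line: str) -> dict:
    """One log line -> dict of fields; key=value pairs are flattened in."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec

def build_picture(log_text: str, iocs: dict, fail_threshold: int = 3) -> Dict[str, dict]:
    """Correlate events per internal source address and enrich with IOC hits.

    Scoring (assumed weights): +capability per IOC contact, +3 for a
    successful login right after a burst of failures, +2 for the burst itself.
    """
    picture = defaultdict(lambda: {"failed_logins": 0, "suspicious_login": False,
                                   "ioc_hits": [], "score": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "src" not in rec:
            continue
        entry = picture[rec["src"]]
        if rec["event"] == "login_failed":
            entry["failed_logins"] += 1
        elif rec["event"] == "login_ok" and entry["failed_logins"] >= fail_threshold:
            entry["suspicious_login"] = True       # possible brute-forced account
            entry["score"] += 3
        dst = rec.get("dst")
        if dst in iocs:
            name, capability = iocs[dst]
            entry["ioc_hits"].append((dst, name, rec.get("dport")))
            entry["score"] += capability
    for entry in picture.values():
        if entry["failed_logins"] >= fail_threshold:
            entry["score"] += 2
    return dict(picture)

def prioritised(picture: Dict[str, dict]) -> List[str]:
    """Internal hosts ordered by score, highest first: the SOC's worklist."""
    return sorted(picture, key=lambda ip: picture[ip]["score"], reverse=True)

if __name__ == "__main__":
    pic = build_picture(LOGS, IOCS)
    for ip in prioritised(pic):
        print(ip, pic[ip])
```

Without the external indicators, 10.20.1.15 would show only a login burst followed by a success. With them, the same host is also seen talking to a known command-and-control address on an unusual port, and the picture changes from "possible password guessing" to "probably compromised workstation", which is the kind of prediction the article expects at higher maturity levels.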
Sources: https://www.nist.gov/cyberframework https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-0 https://www.kyberturvallisuuskeskus.fi/fi/kybermittari https://www.cmmcab.org/
5. ZERO TRUST HELPS COMBAT INTERNAL RISKS MORE EFFECTIVELY

1. According to the zero trust model, the starting point for network security is a situation where the security controls between the internal and external network have been bypassed and the attacker operates inside the organisation. In the worst case, the attacker has also gained admin rights.

2. Zero trust can also make the use of ICT resources more efficient, as the need for organisation-level security controls decreases. For example, a remote worker can be routed directly to a cloud service without a VPN tunnel passing through the organisation, provided that security is implemented in accordance with the zero trust model.

3. Zero trust's technical solutions are becoming part of the feature set of off-the-shelf software. Introducing zero trust will nevertheless require technical changes to the existing infrastructure and, above all, a change in risk management priorities and security culture.

4. Zero trust can be implemented at different levels in different environments. For security-critical organisations, zero trust brings tangible benefits to the level of cyber security. However, overkill should be avoided: a careful risk analysis should determine at what level the zero trust model is worth implementing in your organisation.

Over the past year, zero trust thinking has become a prominent theme in cyber security. Zero trust is also referred to as an architecture (Zero Trust Architecture), but in practice it is a loosely defined model that emphasises the security of the internal network. The starting point of this way of thinking is a situation where an external party has already invaded the network, or a compromised user, device or application is operating on it. According to zero trust, access rights on the internal network can be managed better, for example, by segmenting the network into small entities, by encrypting the data stored in the network and the connections that carry it, and by strong user authentication. In the zero trust model, the actors on the internal network, i.e. users, devices and applications, are not trusted on the basis of predefined access rights; instead, the right to access network data and resources is checked case by case. The key principle of zero trust is "never trust, always verify". This prevents situations in which, for example, a person with admin rights could operate freely on the network or access all the information it contains, or in which malware that has entered the internal network could spread to other parts of it. The security principles of the zero trust model should also be extended to resources outside the organisation's own network, such as cloud services. When security controls are enforced closer to the resource and in smaller units, organisation-level security controls are no longer needed to the same extent. Many organisations today always connect to ICT services through a VPN, even when the data or application in question has been moved to the cloud. With the zero trust model, such services could be routed directly to the user, provided that security is implemented in accordance with zero trust principles.

Traditionally, it has been found that most security threats come from within the organisation. Nevertheless, security implementation has focused on the boundary between the internal and external network. Email filtering, anti-malware and network-based intrusion detection are centralised at that boundary and enforced with firewalls and DMZ zones. Full implementation of the zero trust model requires redesigning and segmenting the network, which is neither cheap nor simple. The zero trust model can also be implemented in part with software solutions from vendors such as Cisco, Check Point, Symantec and Microsoft.

Zero trust has a big impact on current security thinking. In risk management, the internal threat factor must be taken into better account. Each organisation should concretely assess the impact of a situation where, for example, network admin credentials have been revealed to an outsider or are misused by an employee. Most data leaks happen this way. The most prominent example is Snowden's leak: he had been granted extensive rights to the NSA network, so gaining access to secret documents was possible without anyone noticing. In practice, the situation can be improved by tightening access control. Extensive rights are granted only on very good grounds, and their necessity and currency are reviewed regularly and frequently. The most critical operations should follow the so-called four-eyes principle, i.e. the change is carried out by two operators (administrators), or at least in such a way that another person regularly reviews the changes made by the administrator.

At the moment, cyber security is primarily implemented to prepare for cyber attacks. An integral part of attack detection is the situational picture maintained by log management and SIEM systems. Detected threats are responded to either by in-house staff or by an outsourced SOC service, which blocks the attack and initiates recovery if necessary. Zero trust thinking brings new challenges to this operating model. In addition to external threats, traffic on the internal network and the connections between users and devices should be monitored with the same accuracy as external traffic. Similarly, regular vulnerability scans should cover not only the servers visible on the Internet but also the internal network, its servers and workstations, and users' mobile devices. At its best, the zero trust model brings discipline to implementing cyber security and keeping it up to date. Many of the principles of the zero trust model can be implemented with existing technologies and, above all, by introducing a new perspective on risk management that takes better account of internal threats. At its core, zero trust is a very technical model whose aim is to reduce internal risk by segmenting the network into smaller entities and by building technical controls, for example, on data access. This is to prevent harmful user activity, whether intentional or unintentional. Despite the technical emphasis, developing the security culture with the visible support of the organisation's management, and raising users' security awareness, are important factors in detecting and combating internal security threats. The zero trust model can be implemented on many different levels. For critical infrastructure organisations, for example, a more detailed analysis of the model and investment in its implementation may be very necessary. However, it is a good idea to avoid overkill and to evaluate exactly at what level, and with what investment, your zero trust model is worth implementing. The best answer to this comes from a careful and honest risk analysis that takes into account all the factors that affect your own situation and its development.
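A per-request access decision in the spirit of "never trust, always verify", including the four-eyes check for privileged changes, as an added example that is not part of the original article or of any vendor's product. The data model, the policy thresholds (session age, recertification window, which permissions count as privileged) and the scenario data are assumptions made for the illustration.

```python
"""Zero trust access decision, "never trust, always verify" (added example).

Each request is evaluated on its own: is the user strongly authenticated,
is the device in an acceptable state, does the user hold a current,
recertified entitlement to this specific resource, and, for privileged
actions, has a second person approved it (four-eyes principle).  Network
location is logged but carries no trust, so a request from an internal
address is judged exactly like one from the Internet.  Field names,
thresholds and the scenario data are illustrative assumptions, not any
product's API or policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool                          # strong authentication done for this session
    auth_time: datetime
    entitlements: FrozenSet[Tuple[str, str]]    # (segment, permission) grants
    entitlements_reviewed: datetime             # last recertification of those grants

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                               # enrolled and attested by the organisation
    disk_encrypted: bool
    patched: bool

@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    segment: str                                # micro-segment / application hosting the resource
    permission: str                             # "read", "write", "admin", ...
    source_ip: str                              # recorded for the audit log only
    approver: Optional[str] = None              # second person for privileged actions

MAX_SESSION_AGE = timedelta(hours=8)            # assumed policy values
MAX_RECERT_AGE = timedelta(days=90)
PRIVILEGED = {"admin"}

def device_posture_ok(d: Device) -> bool:
    return d.managed and d.disk_encrypted and d.patched

def decide(req: Request, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); re-evaluated from scratch on every request."""
    ident = req.identity
    if not ident.mfa_verified:
        return False, "deny: strong authentication missing"
    if now - ident.auth_time > MAX_SESSION_AGE:
        return False, "deny: session too old, re-authenticate"
    if not device_posture_ok(req.device):
        return False, "deny: device %s fails posture check" % req.device.device_id
    if (req.segment, req.permission) not in ident.entitlements:
        return False, "deny: %s not entitled to %s on %s" % (ident.user, req.permission, req.segment)
    if now - ident.entitlements_reviewed > MAX_RECERT_AGE:
        return False, "deny: entitlement not recertified within policy window"
    if req.permission in PRIVILEGED and (req.approver is None or req.approver == ident.user):
        return False, "deny: privileged action needs a distinct second approver"
    return True, "allow: %s %s %s from %s (%s)" % (
        ident.user, req.permission, req.segment, req.device.device_id, req.source_ip)

# Constructed scenario data (not real users, devices or networks).
NOW = datetime(2020, 9, 30, 12, 0)
GRANTS = frozenset({("hr-db", "read"), ("core-switch", "admin")})
alice = Identity("alice", True, NOW - timedelta(hours=1), GRANTS, NOW - timedelta(days=10))
stale_alice = Identity("alice", True, NOW - timedelta(hours=1), GRANTS, NOW - timedelta(days=120))
laptop = Device("lt-0042", managed=True, disk_encrypted=True, patched=True)
byod = Device("phone-x", managed=False, disk_encrypted=True, patched=False)

def scenario() -> List[bool]:
    """Decisions for the illustrative requests, in order."""
    cases = [
        (Request(alice, laptop, "hr-db", "read", "10.1.2.3"), NOW),                    # internal IP
        (Request(alice, laptop, "hr-db", "read", "203.0.113.5"), NOW),                 # same from outside
        (Request(alice, byod, "hr-db", "read", "10.1.2.3"), NOW),                      # bad device posture
        (Request(alice, laptop, "finance-db", "read", "10.1.2.3"), NOW),               # no entitlement
        (Request(stale_alice, laptop, "hr-db", "read", "10.1.2.3"), NOW),              # grant not recertified
        (Request(alice, laptop, "core-switch", "admin", "10.1.2.3"), NOW),             # no second approver
        (Request(alice, laptop, "core-switch", "admin", "10.1.2.3", "bob"), NOW),      # four eyes satisfied
        (Request(alice, laptop, "core-switch", "admin", "10.1.2.3", "alice"), NOW),    # self-approval
        (Request(alice, laptop, "hr-db", "read", "10.1.2.3"), NOW + timedelta(hours=9)),  # stale session
    ]
    return [decide(req, at)[0] for req, at in cases]

if __name__ == "__main__":
    for allowed in scenario():
        print(allowed)
```

The first two cases are the point of the model: the same user, device and entitlement get the same answer whether the packet arrives from 10.1.2.3 or from the Internet. The admin cases show the four-eyes principle as a technical control rather than a policy statement: an approver must exist and must be someone other than the requester.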
Sources: Defence Innovation Board of the DoD. The Road to Zero Trust. DIB white paper. Armed Forces Communications and Electronics Association (AFCEA). Zero Trust and Identity: How DISA Continues to Protect the Warfighter in Cyberspace. Webinar 16.9.2020. https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture https://www.forbes.com/sites/insights-vmwaresecurity/2019/06/12/zero-trust-the-modern-approach-tocybersecurity/#553fc9094e9d https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Cyberwatch Finland
SHAPING DEPENDABLE CYBER SECURITY WITH A COMPREHENSIVE APPROACH We help our customers to anticipate the risks and to manage the process of cyber security in a coherent and consistent way. At the same time, we are building a safer and more sustainable world together. Cyberwatch Finland provides comprehensive cyber security solutions: cyber security strategies, risk analysis and roadmaps; strategic situational awareness to support management and decision-making; strategic analysis of developments in the cyber world; AI-powered analysis and information services based on our expertise; modern education with e-learning and hybrid-learning methodologies; innovative and unique cyber security technologies. We have a holistic and global view of the cyber security ecosystem and the ability to implement tailored and integrated solutions in all markets. We operate on a network-based model that includes respected Finnish and international cyber security companies and experts. The company is owned by members of the core management team. Our experts are, for example, the authors of the first Finnish Cyber Security Strategy. Our concept is built on academic research of different national cyber security approaches. The Finnish comprehensive security concept and its holistic approach has proven to be the most effective in addressing complex and wide-ranging cyber threats. Our mission is to be our clients' most trusted partner. Therefore we are constantly looking for the best ways to create steady strategic cyber security roadmaps that take your cyber security to the highest possible level.
OUR STRENGTH IS THE UNIQUE COMBINATION OF SECURITY AND CYBER EXPERTISE Unique strategic-level international expertise and understanding, based on an extensive network of experts and the utilisation of new innovations and artificial intelligence-based analysis methods. Our experts have the ability to interpret and present complex cyber world phenomena and developments in an easy-to-understand format, utilising the latest technology, easily adaptable methods and various media formats. Comprehensive strategic management skills, experience and know-how, and the ability to divide them into smaller entities. Easily approachable and understandable entities: we do not mystify or intimidate, but improve our customers' daily lives by increasing awareness. We rely on the model of continuous improvement and boldly look for new business models. We are always one step ahead, taking into account cyber world trends, phenomena, threats and opportunities, and analysing their impact on organisations' operating models at both the strategic and operational levels. Without forgetting the most important thing in society, which is the human being.
STRATEGIES, RISK ANALYSIS AND ROADMAPS
FACILITATION OF CYBER SECURITY LEADERSHIP
INNOVATIVE TECHNOLOGIES
TAILORED REVIEWS AND SPECIAL REPORTS
TRAINING, SEMINARS, GAMES AND WORKSHOPS
OUR SERVICES
BENEFITS FOR CUSTOMERS
COMPETITIVE ADVANTAGE
Cyberwatch Finland offers strategic cyber security services for state-level operations, corporations and organisations, based on a holistic view of the cyber world and hybrid threats. Our expertise is cyber security strategies, risk analysis and roadmaps.
Improved situational awareness is the basis for better decision-making Our clients can establish a holistic cyber security strategy, build situational awareness across the organisation, and take the necessary measures to build cyber resilience.
Our mission is to secure the functions of critical infrastructure as well as protect your organisation's most valuable assets. We guide you to a solid cyber security culture that strengthens your organisation’s resilience to crises and reduces business risks. We provide a holistic understanding of the interdependence of people, practices and technology, and their development opportunities.
Our analysis gives you strategic situational awareness to support your management and decision-making. Additionally, we offer modern education with e- learning and hybrid-learning methodologies.
We provide the comprehensive roadmap for a realistic cyber culture and cyber hygiene for your entire organisation.
Our scope of delivery includes innovative cyber security technologies.
CYBERWATCH FINLAND office@cyberwatchfinland.fi
Tietokuja 2, 00330 Helsinki FINLAND
www.cyberwatchfinland.fi
CYBERWATCH QUARTERLY REVIEW Q3/2020 1. Country analysis: India 2. Cyber capabilities of extremist movements 3. Quantum technology breaks encryption, but hope is not lost 4. Cyber maturity meters give a better understanding of the level of cyber security 5. Zero trust helps combat internal risks more effectively
This quarter's review digs into five interesting topics. The country analysis this time is India. Digitalisation and its progress in India are world-leading by every measure. Although the development of ICT technology and business in India is rapid, the same cannot be said of the level of cyber security. India is under constant pressure from China and Pakistan in cyberspace, which creates an indirect threat to multinational companies that buy ICT services from Indian subcontractors. The situation is, however, developing rapidly for the better, especially with the help of important partnerships. The cyber capabilities of extremist movements are focused on protecting their own operations and promoting propaganda. Both political extremist movements and terrorist organisations use cyberspace effectively to spread their message and to protect their internal communication from intelligence gathering by the authorities. Cyber activity thus plays a role that supports the actual core activity, and there are currently no observations of, for example, significant development of offensive capability. Although the threat of large-scale cyber terrorism is not currently probable, its possibility cannot be ruled out. Quantum technology will change the operating field of cyber security significantly. A large proportion of current encryption algorithms will become unusable in their current form, or at least the protection they offer for the confidentiality of data will weaken. Hope is not lost, however. Despite recent successful tests, current applications of quantum technology work so far only in laboratory conditions, and their large-scale deployment is estimated to take another 10-15 years. In addition, new quantum-safe algorithms are being developed continuously, and over the coming years they will gradually replace the current encryption algorithms.
Alongside traditional information security standards, methods focusing on the assessment of cyber security have been developed in recent years, with which the state of cyber capability can be measured on a multi-level scale. A versatile set of meters makes it possible to identify the weak areas of cyber security better than before. The meters take the special characteristics of cyber security into account better than before: threat intelligence has been made an integral part of risk management, and the situational picture has an important role in anticipating cyber attacks. During the rest of the year, the Cyber Security Centre will launch the domestic Kybermittari, which is based on international frameworks and brings the new assessment methods to domestic organisations as well. Zero trust is a rising trend in cyber security. The starting point of the thinking is a situation in which the internal network is under an outsider's control, or in which no protections between the internal and external network exist. According to the "never trust, always verify" principle, security should be implemented not at the network boundary but in small micro-segments, and by verifying the user's or device's right of access to data separately every time. Zero trust is a model based mainly on technical controls, but at the same time it changes risk management and security culture to take internal cyber security threat factors better into account.
1. COUNTRY ANALYSIS: INDIA 1. India's cyber capability is currently limited by great-power standards, but its performance is developing rapidly with the help of important partnerships.
2. India is in a constant cyber war with China, North Korea and Pakistan. China's effective cyber espionage poses a serious threat to European companies that procure IT services by subcontracting from India. Through cyber security subcontracting chains, India has a global influence on the development of digital and cyber security.
3. Numerous projects are under way in India aimed at improving the level of cyber security. India's importance and influence in the field of cyber security will grow rapidly in the coming years.
India wants to develop into a global great power and develops its national cyber capabilities from this perspective. ICT business is an important source of prosperity for India, currently generating a turnover of about 200 billion USD. The figure is forecast to grow to 350 billion by 2025, at which point ICT business would represent a 38% share of all business by Indian companies. Despite this, India's cyber capabilities are still limited compared with the other great powers. Whereas, for example, the United States, China and Russia have had forces specialising in cyber warfare for years, India only last year managed to organise its cyber warfare functions under a single organisation. Among the first tasks of General Mohit Gupta, commander of the Defence Cyber Agency established in autumn 2019, has been to create a cyber warfare doctrine and to merge the separate cyber functions of the army, navy and air force in pursuit of a common goal. The service branches of the Indian armed forces have traditionally held independent positions with little mutual cooperation, so merging the cyber forces faces challenges. The Defence Cyber Agency has also struggled with budget challenges, and at the beginning of the year General Gupta opened a political debate on the subject by proposing that a 10% share of the state's IT budget be used to finance cyber functions. With regard to national security, cyber security falls under the Ministry of Home Affairs. The Cybercrime Coordination Center, established in 2015, has focused on developing the cyber capability of the police. Since its establishment, the function has been expanded from under the police authority into a division of its own within the ministry. The Cyber and IT Security Division now includes, for example, the CERT function and also creates national practices for the cyber security of Indian business. India relies on partners in developing its cyber capability. Within the last year, four important cooperation agreements have been announced. In the traditionally strong partnership between the UK and India, cyber security has been raised to the top of the cooperation agenda alongside fintech and digitalisation. At the end of last year, India and France concluded a cooperation agreement covering, among other things, the sharing of cyber intelligence, countering cyber threats related to 5G technology, security certification of software products, and research into artificial intelligence and quantum technology. In June India concluded a similar agreement with Australia, and in July with Israel. India's CERT also signed a principle-level letter of intent with Traficom last year on the exchange of information related to cyber security. With these cooperation projects, India will probably improve its performance in cyber functions considerably over the next 2-3 years.

India's most important cyber adversaries are Pakistan, North Korea and China. Pakistan's cyber capability is at most on India's level, and its role as India's cyber enemy is limited mainly to occasional breaches of government websites and harassment of the authorities through social media. North Korea and China are adversaries to be taken much more seriously. According to India's CERT, during the spring and summer both countries directed DDoS and phishing attacks that caused significant harm, especially at the IT infrastructure of Indian public administration. China has in addition been active in cyber espionage, in line with its strategy. China has been observed to have broken into numerous public administration services as well as the information systems of multinational companies located in India. China knows that many global corporations have outsourced their IT services to India, which opens up an opportunity to spy on those corporations too, because the level of cyber security in this sector has been weak. This is also reflected in the interest and activity of cyber criminals in India. For several years India has ranked near the top of the lists of the most vulnerable countries in cyber security. Investments in cyber security have not grown, even though during the last year more than half of large Indian companies had, by their own assessment, suffered serious damage as a result of cyber attacks and espionage. Although India is a great power in IT services, not enough has been invested in implementing cyber security. Data centres located in India provide services for many Western companies and organisations. Shortcomings in cyber security, and in particular China's active cyber espionage against India, form a serious threat factor for Finnish and European companies as well. Cyber criminals and spies prefer to attack information systems where a breach is easiest to carry out, which increases the probability of the so-called third-party risk scenario.

India is one of the fastest-digitalising countries in the world by almost every available measure. The share of internet users in the population is growing rapidly, the number of end-user devices is growing strongly, and investment in telecommunications infrastructure keeps increasing. The ICT sector employs more than a million people. India has recognised the importance of cyber security as part of digitalisation as a whole, and within the last year several state-supported projects have been launched to support the development of cyber security and training. At least the ministries of home affairs, defence and transport are involved in the cyber projects, and in addition numerous cyber security coordination groups have been established in the country as cooperation between the private sector and universities. There is thus plenty of activity, but clarifying the governance model remains a challenge. Training in particular is currently being increased strongly on several fronts, and as cyber awareness spreads, a clear change in working culture is expected.

In Finland it is often said that cyber security matters are not ranked high enough in companies' organisations. In India the development is positive: according to studies from the beginning of this year, in about 70% of large Indian companies the executive responsible for cyber security sat on the company's management team or board. The outlook for the development of cyber security in India has recently shifted clearly in a more positive direction. Development is still fragmented and governance models unclear, but the direction is right. Taking into account the country's huge resources and intellectual capital in the IT field, India has every opportunity to rise among the great powers of cyber security in the coming years.
SOURCES: https://www.indiatoday.in/india/story/china-north-korea-pakistan-cyber-attacks-warfare-india-websites-1693123-2020-06-26 https://www.ey.com/en_in/consulting/ey-global-information-security-survey-2020 https://eucyberdirect.eu/content_research/cyber-resilience-and-diplomacy-in-india/ https://www.dsci.in/sites/default/files/DSCI-Annual-Report-2019-20.pdf https://www.ibef.org/industry/information-technology-india.aspx Cyber Resilience and Diplomacy in India, EU Cyber Direct, 2019.
2. CYBER CAPABILITIES OF EXTREMIST MOVEMENTS 1. Extremist movements use cyberspace mainly to spread their own message and to recruit members. Their communication strategies are carefully planned and often also skilfully executed.
2. Actual terrorist organisations have the largest resources among extremist movements and a higher level of cyber expertise. There are no signs of active development of an offensive cyber capability.
3. Operational security, i.e. OPSEC, is at the centre of extremist movements' cyber activity. Very innovative methods may also be used to implement OPSEC.
4. The main visible activity of extremist movements is most often physical damage and violence, and cyber activity plays a supporting role. The probability of actual cyber terrorism is low, but it cannot be ruled out.
The motives of extremist movements may be political, religious or otherwise based on some ideology. Extremist movements often oppose and seek to undermine Finland's social system and parliamentary democracy. They can endanger the state's internal security through illegal activity, for example sabotage, rioting and political violence. Sometimes the targets of extremist movements may also be individual persons or groups, in which case one often speaks of so-called hate crimes. Actual terrorism is often also counted among extremist movements; its purpose is more to spread fear and terror and to cause destruction than to bring about social change. By contrast, hacktivist movements such as the Anonymous group do not belong among extremist movements, because the motivation of their activity ranges from opposing terrorists to disrupting the activities of the authorities. Cyberspace offers excellent opportunities for the communication and recruitment of extremist movements. Through public communication, extremist movements strengthen their own motivation and, above all, reach potential members among the general public. The public communication strategy of extremist movements includes creating their own communication machinery, generating fear and uncertainty with false information, rejecting all criticism, and amplifying the message with the help of social media. In addition, they readily hide behind freedom of speech when public communication borders on hate speech or other reprehensible communication. Communication campaigns are often implemented quite skilfully, exploiting topical phenomena and the feelings they arouse in a broad audience. The public websites of extremist movements and their use of disinformation move constantly in a grey area and often cross the line between freedom of speech and hate speech. A separate area of communication is the various manifestos in which a violent attack is announced in advance, for example on social media, just before the attack is carried out.

If state-sponsored hacker groups are left outside the analysis, the cyber capabilities and resources of extremist movements are at best medium-level. Terrorist organisations have the largest resources. For example, the United Cyber Caliphate belonging to the ISIS organisation, or the Tunisian Fallaga Team, are more tightly organised IT organisations supporting terrorist activity, with personnel strength ranging from a handful to a few dozen. The activity of such organisations focuses mainly on protecting the actual terrorist activity, publishing propaganda material, and carrying out cyber attacks that are as spectacular as possible but simple to execute, for example hacking government websites and replacing their content with the group's own propaganda. Protecting their own activity, so-called OPSEC, is among the core tasks of extremist movements' cyber activity. Communication between members takes place in closed networks and often in encrypted form. The Telegram messaging application has become famous as the encrypted communication platform of several terrorist groups and extremist movements. In addition, numerous closed forums of extremist movements operate on the darknet, where it is possible to exchange opinions within one's own ideology more freely and to prepare illegal activity.

Ready-made applications and solutions are generally used to protect their own activity, but the implementations can also be very innovative. In 2016, American cyber forces succeeded in paralysing ISIS's cyber activity in their operation Glowing Symphony. After the reconnaissance phase it turned out that ISIS's servers and data were not located on the terrorists' own servers in Iraq, Pakistan or Syria; instead the activity had been embedded in public cloud services, among the services of companies and public administration. ISIS's services could not be paralysed by attacking the servers directly; the attacks had to be targeted very precisely at exactly the right targets so that no harm would be caused to bystanders. The visible activity of extremist movements focuses on carrying out physical damage and violent attacks. Cyber activity plays a role that supports the main activity with regard to OPSEC and communication, and there is no sign of a desire by extremist movements to invest specifically in making their cyber activity more effective. So far there is no broad evidence of serious cyber attacks carried out by extremist movements. Apart from occasional website hacks and data breaches, offensive cyber activity is not active. One reason for this is the development of cyber defence in public administration and companies. Cyber defence is most often strengthened against state actors or cyber criminals, who usually constitute a more serious threat factor than extremist movements. In order for extremist movements to be able to cause serious harm to general cyber security, they would have to invest more than at present in developing their cyber capabilities. With their current resources, extremist movements do not pose a serious threat to general cyber security. The possibility of a serious and unexpected cyber attack cannot, however, be ruled out. Extremist movements, and terrorist organisations in particular, have before been able to produce black swans and shake the social order with completely unforeseeable actions.
SOURCES: http://visionofhumanity.org/terrorism/hydra-the-evolving-anatomy-of-extremism/ https://intermin.fi/en/police/cybercrime https://www.supo.fi/fi https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis?t=1597644504237 Ministry of the Interior (Sisäministeriö). Väkivaltaisen ekstremismin tilannekatsaus 2020 (Situation review of violent extremism 2020). https://www.researchgate.net/publication/315212548_Cyber-Extremism_Isis_and_the_Power_of_Social_Media International Institute for Counter-Terrorism. The Virus of Hate: Far-Right Terrorism in Cyberspace. 3/2020. https://icct.nl/wp-content/uploads/2019/11/Right-Wing-Extremists-Persistent-Online-Presence.pdf https://www.rms.com/blog/2019/11/13/cyberterrorism-a-risk-assessment
3. QUANTUM TECHNOLOGY BREAKS ENCRYPTION, BUT HOPE IS NOT LOST
1. The development of quantum technology will break the majority of current encryption systems within the next 10-15 years. The same will happen to the digital signature in its current form, which in the future can no longer be regarded as a non-repudiable verification method.
2. Quantum technology is not only a threat to cyber security. Development work on encryption systems based on quantum technology is under way, and the protection they offer can raise cyber security to a new level.
3. An organisation's cyber security requirements determine the measures needed to prepare for quantum technology. Organisations with a high protection level should already critically assess today's procedures with quantum technology in mind. Software vendors are developing new quantum-era algorithms into their current products, which offers a solution for the majority of users.
Quantum technology and its theoretical effect on computer performance have been discussed for a long time, but the discussion gained new momentum in October last year, when the Sycamore quantum computer built by Google passed the latest performance tests without errors. In the tests, Sycamore completed in 200 seconds calculations that would have taken the fastest computer known to date about 10,000 years. A normal computer's computation is based on testing the combinations of 0 and 1 values of a bit string one at a time. A quantum computer is able to process several successive combinations of 0 and 1 states simultaneously in so-called qubits. The success of the practical tests is a significant achievement, but the practical functionality of quantum computers is still far from real-world requirements. Handling qubits is complicated and so far succeeds only in laboratory conditions. Everyday use of quantum computers is estimated to be possible at the earliest in 10-15 years.
Quantum computing has a different effect on the weakening or breaking of symmetric and asymmetric encryption algorithms. A more precise understanding of the effects therefore requires at least a knowledge of the basics of encryption technology. Asymmetric algorithms such as RSA are predicted to break quickly, because the so-called Shor algorithm makes finding the prime factors of asymmetric encryption keys more efficient than a mere increase in computing power would. As a result, the digital signature in its current form will be unusable in the future. The effect on symmetric encryption is not as strong. The encryption breaks faster than with current supercomputers, but increasing the key length to 256 bits is thought to protect well against brute force attacks by quantum computers too. The effects, with their new quantum algorithms, are complex and at this stage still difficult to predict, so no precise estimate can yet be formed. In any case, the protection that current encryption methods give to the confidentiality, integrity and non-repudiation of data will suffer significantly with quantum technology.
Quantum technology is not only a threat to cyber security. New algorithms based on quantum technology are already being developed at pace, and the future encryption systems built with them can raise the security of information systems to a whole new level. The new encryption solutions are known collectively as post-quantum cryptography. The aim is to develop encryption solutions that could directly replace implementations based on, for example, the RSA algorithm. The application areas of cyber security expected to benefit most from quantum technology are those whose security is weak by today's standards. For example, many IoT environments have been criticised as insecure. More and more devices are connected to the Internet, and cyber security has not always been implemented in the best possible way. Numerous development projects are therefore under way in which new encryption solutions are applied to reliable authentication between devices in IoT environments and to the encryption of their communications.
The United States leads the development of quantum technology, both in the private sector and in state-funded projects. Scientific research and the development of quantum technology standards in the United States are led by NIST (National Institute of Standards and Technology). The United States is followed by Japan, China, South Korea and Canada. Both the EU and individual European countries, Finland included, have launched their own research projects. Quantum technology is one of China's spearheads in building its position as a technological superpower. China has invested by far the most in state-funded projects in recent years. China's funding of ten billion euros for 2017-2020 is more than five times that of the United States. However, taking into account the United States' technological head start and strong private sector, even with this investment China does not yet rise to become the world's leading nation in quantum technology.
Preparation for quantum technology and its threat effects in the field of cyber security is already under way. Post-quantum encryption solutions and their rapid development look promising, at least in theory. The new encryption solutions will most likely be brought by software companies into everyday applications, in practice Internet browsers, messaging applications, e-mail, cloud services and so on. Taking quantum technology into account in today's operations depends on the organisation's security requirements. For companies whose business is not security-critical, it is enough to follow developments in general and to adopt the new quantum-era algorithms of off-the-shelf software in the future. Organisations that handle highly classified information should already today critically review, for example, the principles for protecting archived information. It is possible that information encrypted today can be decrypted very quickly in 20 years' time. In that case, lengthening symmetric keys or protecting the information by means of physical security should be considered. Practical applications of quantum technology are still far away, according to general estimates perhaps 10-15 years. Behind the public truth, however, it is possible, perhaps even likely, that quantum technology is already used today in the systems of the great powers' intelligence services. History offers a fine example from the 1970s, when mathematicians at the British signals intelligence agency GCHQ developed a public-key encryption method in complete secrecy about five years before the birth of the RSA algorithm.
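The review's advice above amounts to a triage rule: public-key schemes fall to Shor's algorithm outright, symmetric keys only lose half their effective strength to a quantum brute-force search, and the deciding factor is how long the data must stay protected. The script below is an added example written for this article, not code from the review or from NIST; the 15-year horizon, the 128-bit post-quantum target and the asset inventory are assumptions labelled as such in the code.

```python
"""Quantum-readiness triage of a cryptographic inventory.

Added example, not from the article or from NIST. It applies the two facts
the article relies on: Shor's algorithm breaks RSA and the other common
public-key schemes outright, while a quantum brute-force search (Grover's
algorithm) only halves the effective strength of a symmetric key, which is
why a 256-bit key is still considered adequate. The asset list, the 15-year
horizon and the 128-bit target are constructed planning assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}   # efficient quantum attack known
SYMMETRIC = {"AES", "ChaCha20"}                        # only a quadratic (Grover) speedup
QUANTUM_ETA_YEARS = 15          # assumed: the article's upper estimate for usable machines
MIN_POST_QUANTUM_BITS = 128     # assumed: strength we want to keep after Grover's halving


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str
    key_bits: int
    years_needed: int   # how long the data must stay secret, or a signature stay trustworthy


def post_quantum_bits(algorithm: str, key_bits: int) -> int:
    """Effective security bits once a large quantum computer exists."""
    if algorithm in SHOR_BROKEN:
        return 0
    if algorithm in SYMMETRIC:
        return key_bits // 2
    raise ValueError(f"unknown algorithm family: {algorithm}")


def assess(asset: Asset) -> str:
    # Data that must stay protected beyond the quantum horizon is exposed to
    # "store now, decrypt later" collection even though the attack is not possible yet.
    exposed = asset.years_needed > QUANTUM_ETA_YEARS
    if asset.algorithm in SHOR_BROKEN:
        return "MIGRATE_NOW" if exposed else "PLAN_MIGRATION"
    if post_quantum_bits(asset.algorithm, asset.key_bits) >= MIN_POST_QUANTUM_BITS:
        return "OK"
    return "RE_KEY_256" if exposed else "OK_UNTIL_VENDOR_UPGRADE"


def triage(assets: Iterable[Asset]) -> Dict[str, str]:
    """Verdict per asset name, ready to feed a crypto-agility backlog."""
    return {a.name: assess(a) for a in assets}


# Constructed inventory (names and lifetimes are sample values).
INVENTORY = [
    Asset("archive-backups", "AES", 128, 25),
    Asset("tls-record-keys", "AES", 128, 0),
    Asset("vpn-key-exchange", "ECDH", 256, 20),
    Asset("code-signing", "RSA", 3072, 10),
    Asset("classified-archive", "AES", 256, 30),
]

if __name__ == "__main__":
    for name, verdict in triage(INVENTORY).items():
        print(f"{name:20s} {verdict}")
```

The interesting rows are the two that look fine today: 128-bit AES on 25-year backups drops to 64 effective bits, and an ECDH key exchange protecting 20-year secrets is already exposed to recorded-traffic collection, which is the point the article makes about archived data.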
SOURCES:
https://www.livescience.com/google-hits-quantum-supremacy.html
Barker et al. (2020). Getting Ready for Post-Quantum Cryptography. NIST Cybersecurity White Paper.
https://thequantumdaily.com/2020/04/30/is-aes-256-quantum-resistant/
European Commission. Digital Economy and Society Index (DESI) 2020.
https://www.thalesgroup.com/en/germany/magazine/quantum-computing-and-cybersecurity
https://www.etla.fi/en/latest/quantum-computing-is-coming-will-cybersecurity-be-compromised/
https://ec.europa.eu/digital-single-market/en/news/future-quantum-eu-countries-plan-ultra-secure-communication-network
4. CYBER MATURITY METRICS GIVE A BETTER PICTURE OF THE LEVEL OF CYBER SECURITY
1. Cyber security maturity metrics are better suited than traditional information security standards to assessing the current state of cyber security and improving performance.
2. Maturity metrics take the special characteristics of the cyber environment into account better than before. The metrics extend the area of risk management with threat intelligence and emphasise the importance of situational awareness in preparedness.
3. Maturity metrics are particularly well suited to critical infrastructure operators, but with adaptation also to all organisations whose business depends on the functioning of information systems and networks.
Traditional information security standards such as ISO 27001 and the Finnish national security audit criteria Katakri are commonly used methods for assessing and developing organisations' information and cyber security. In addition to these basic standards, a wide range of sector-specific standards and regulations is in use, emphasising the information and cyber security components that matter for the sector in question. The main purpose of these standards is to ensure the confidentiality, integrity and availability of information throughout its life cycle, in accordance with the basic pillars of information security. Cyber security rests largely on the same principles as information security, but in cyber security the emphasis falls more than in information security on information networks and systems and their uninterrupted operation. In addition, identifying threat factors in the cyber environment, protecting against them, maintaining an up-to-date situational picture and recovering from cyber attacks must be taken into account better than in traditional information security models.
In the United States, critical infrastructure operators, the energy sector first among them, woke up in the early 2010s to the lack of assessment criteria focused on cyber security. In 2015 the US Department of Energy published the first cyber security maturity model, C2M2 (Cybersecurity Capability Maturity Model). According to the model, cyber security is divided into the management of ten areas, or domains. These are cyber risks, ICT assets, access rights, cyber threats and vulnerabilities, situational awareness, information sharing and communications, continuity of operations, supply chain and external dependencies, personnel, and cyber strategy. Soon after the C2M2 model, the US standards body NIST completed its own model, the CSF (Cyber Security Framework), which examines the areas of cyber security divided into five core functions: identify, protect, detect, respond and recover. In Europe, the United Kingdom and Germany have also published their own versions of a cyber security maturity metric. In Finland, a national method called Kybermittari has been developed during the current year under the leadership of the National Cyber Security Centre Finland (Kyberturvallisuuskeskus); it is largely based on the models mentioned above and on other international models. Kybermittari includes a self-assessment tool with which an organisation can assess the readiness of its cyber security on four maturity levels, either by itself or with the help of an expert partner. The metric comprehensively covers the areas of cyber security according to the international models. On the basis of the assessment, the metric produces a numerical grade for the organisation's maturity level as well as the necessary reports for management and other stakeholders. Sector-specific comparison is possible once enough organisations have performed the assessment and sector-specific statistics can be compiled.
Developing cyber security is difficult if the current state and its areas for improvement are not known. Measuring the security level with information security standards is often a black-and-white yes/no assessment: the requirement in question is either met or not met. Some standards take the organisation's own risk analysis as the starting point, with information security objectives set on the basis of it. With cyber security maturity metrics, cyber security can be assessed on several levels, which makes it possible to form a more realistic overall picture and to find areas for improvement that can be influenced with a reasonable investment. In addition to more precise measurement, cyber security maturity metrics both broaden and deepen the planning and implementation of risk management. Risk management seeks specifically to find risks and threats related to the cyber environment. Maturity metrics also bring cyber threat intelligence into the assessment, which has long been a rising trend in the field of cyber security. Threats are not only identified; for each threat actor, the actor's motivation, methods and capability to carry out the threat should be assessed, and from these an overall estimate of the likelihood and impact of the threat formed. In addition, the results of threat intelligence should be used better than at present as the basis for both tactical and strategic preparedness. Forming and maintaining a situational picture is another example of an area of cyber security that maturity metrics approach from a new angle.
Log systems produce the raw data for the situational picture, but external data sources should also be linked to the situational picture where possible. At higher maturity levels, the formation of the situational picture is automatic, it is kept continuously up to date, and threat intelligence and the forecast it produces of probable threat factors, both in the short and the long term, should be connected to it. The use of a maturity metric, like any measurement, should not be a one-off exercise; measurement should be done regularly. This makes it possible to assess the effect of the measures taken on the development of the overall situation. At best, the metrics can be used to analyse the interdependencies between technology, people and processes. For example, if results improve or deteriorate in one of these areas, is the cause a positive or negative development in another area, and for what reason? The greatest benefit from maturity metrics is obtained when they are used regularly and the results and their effects are analysed from many angles.
Cyber security maturity metrics bring many improvements to the assessment, measurement and development of organisations' cyber security level. Maturity metrics emphasise cyber security components that are not considered at a sufficiently deep level in more general information security frameworks. The principles of information security are nevertheless the same in different operating environments, so the metrics are more a matter of a stronger emphasis on the cyber environment and on guaranteeing the reliability of systems. Maturity metrics are particularly well suited to critical infrastructure operators, but also to other cyber-intensive organisations for whose operations information systems and networks play a critical role.
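The two passages above describe the mechanics of a maturity metric: several levels per domain instead of a yes/no audit, a numerical grade, and repeated rounds so that regressions and improvements can be traced between domains. The script below is an added example written for this article; it is neither the Kybermittari tool nor C2M2 itself. It takes four of the C2M2 domain names listed above and a 0-3 scale matching the article's four maturity levels, but the scoring rule (a level counts only when every practice at that level and below is in place), the practices and the answers are constructed.

```python
"""Maturity scoring across cyber security domains, with round-over-round comparison.

Added example; it is neither the Kybermittari tool nor C2M2 itself. The
domain names come from the article's list of C2M2 domains and the 0-3 scale
mirrors the article's four maturity levels, but the scoring rule (a level is
achieved only when every practice at that level and below is implemented),
the practices and the answers are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Practice:
    domain: str
    level: int          # maturity level (1-3) this practice belongs to
    implemented: bool   # self-assessment answer


def domain_level(practices: Iterable[Practice]) -> int:
    """Highest level L such that every practice at levels 1..L is implemented."""
    answers: Dict[int, List[bool]] = {}
    for p in practices:
        answers.setdefault(p.level, []).append(p.implemented)
    achieved = 0
    for level in (1, 2, 3):
        if level in answers and all(answers[level]):
            achieved = level
        else:
            break   # a gap at a lower level caps the result, however good higher levels look
    return achieved


def score(assessment: Iterable[Practice]) -> dict:
    """Per-domain levels plus an overall view: the average and the weakest domain."""
    by_domain: Dict[str, List[Practice]] = {}
    for p in assessment:
        by_domain.setdefault(p.domain, []).append(p)
    levels = {d: domain_level(ps) for d, ps in by_domain.items()}
    return {
        "levels": levels,
        "average": round(sum(levels.values()) / len(levels), 2),
        "weakest": min(levels, key=levels.get),
    }


def compare(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Change per domain between two rounds; negative values mean regression."""
    return {d: current[d] - previous[d] for d in current}


# Constructed self-assessment answers for four of the C2M2 domains named in the article.
ROUND_1 = [
    Practice("Cyber risks", 1, True), Practice("Cyber risks", 1, True),
    Practice("Cyber risks", 2, True), Practice("Cyber risks", 2, False),
    Practice("Cyber risks", 3, False),
    Practice("Access rights", 1, True), Practice("Access rights", 2, True),
    Practice("Access rights", 2, True), Practice("Access rights", 3, False),
    Practice("Situational awareness", 1, True), Practice("Situational awareness", 1, False),
    Practice("Situational awareness", 2, False),
    Practice("Continuity of operations", 1, True), Practice("Continuity of operations", 2, True),
    Practice("Continuity of operations", 3, True),
]
# Same organisation a year later: situational awareness fixed, access rights slipped.
ROUND_2 = [
    Practice("Cyber risks", 1, True), Practice("Cyber risks", 1, True),
    Practice("Cyber risks", 2, True), Practice("Cyber risks", 2, False),
    Practice("Cyber risks", 3, False),
    Practice("Access rights", 1, True), Practice("Access rights", 2, True),
    Practice("Access rights", 2, False), Practice("Access rights", 3, False),
    Practice("Situational awareness", 1, True), Practice("Situational awareness", 1, True),
    Practice("Situational awareness", 2, False),
    Practice("Continuity of operations", 1, True), Practice("Continuity of operations", 2, True),
    Practice("Continuity of operations", 3, True),
]

if __name__ == "__main__":
    first, second = score(ROUND_1), score(ROUND_2)
    print(first)
    print(second)
    print(compare(first["levels"], second["levels"]))
```

The average is unchanged between the two rounds (1.5 both times), which is exactly why the article warns against a single number: the per-domain comparison shows one domain fixed and another regressed, and that is the signal a management report needs.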
SOURCES:
https://www.nist.gov/cyberframework
https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-0
https://www.kyberturvallisuuskeskus.fi/fi/kybermittari
https://www.cmmcab.org/
5. ZERO TRUST HELPS COUNTER INTERNAL RISKS BETTER THAN AT PRESENT
1. According to the zero trust model, the starting point for network protection is a situation in which the security controls between the internal and external networks have been bypassed and the attacker is operating inside the organisation. In the worst case, the attacker has also gained admin rights.
2. Zero trust can also make the use of ICT resources more efficient, as the need for organisation-level security controls decreases. For example, a remote worker can be routed directly to a cloud service without a VPN tunnel through the organisation, if security has been implemented according to zero trust.
3. The technical solutions of zero trust are becoming part of the features of off-the-shelf software. Adopting zero trust also requires technical changes to the current infrastructure and, above all, a change in the priorities of risk management and in the security culture.
4. Zero trust can be implemented at different levels in different environments. For security-critical organisations, zero trust brings concrete benefits for improving the level of cyber security. Excesses should nevertheless be avoided, and a careful risk analysis should be used to assess the level to which zero trust is worth taking in one's own organisation.
Zero trust thinking has risen over the past year to become a prominent cyber security theme. Zero trust is also called an architecture, but it is more a loosely defined model that emphasises the security of the internal network. The starting point of the thinking is a situation in which an outside party has intruded into the network, or a compromised user, device or application is operating in the network. According to zero trust, access rights in the internal network can be managed better than at present, for example by segmenting the network into small islands, by encrypting the data stored in the network and the data connections, and by strong authentication of users. In the zero trust model, actors in the internal network, that is users, devices and applications, are not trusted according to pre-defined access rights; instead, rights to the network's data and resources are checked separately case by case, every time. The central principle of zero trust is expressed as "never trust, always verify". The aim is to prevent situations in which, for example, admin rights could be used to operate freely in the network or to gain access to all the data it contains, or in which malware that has entered the internal network could spread to other parts of the network. In the zero trust model, its security principles should also extend to resources outside the internal network, such as cloud services. When security management is focused on a lower level and on smaller units, the use of organisation-level security controls is no longer essential. In many organisations, ICT services are currently always accessed via a VPN connection, even when using, for example, data or applications moved to the cloud. In the zero trust model, these services could be routed directly to the user, provided that security has been implemented according to zero trust principles.
Traditionally it has been observed that most information security threats come from inside one's own organisation. Despite this, security implementation has invested in protection between the internal and external networks. E-mail filtering, malware protection and intrusion detection have been concentrated at the boundary between the internal and external networks and implemented with firewalls and DMZ zones. A full implementation of zero trust requires redesigning and segmenting the network, which is neither a cheap nor a simple exercise. The zero trust model can also be partly implemented with technical solutions from software vendors, offered for example by Cisco, Check Point, Symantec and Microsoft.
Zero trust has a major effect on current security thinking. In risk management, the internal threat factor must be taken into account better than before. Every organisation should concretely assess the effect of a situation in which, for example, the network's admin rights have been exposed to an outsider or an employee misuses them. Most data leaks are carried out in precisely this way. The most visible example is the Snowden leak, in which he had been granted excessively broad rights to the NSA's network and access to secret documents was possible without anyone noticing.
In practice, the situation can be improved by tightening access rights management. Broad rights are granted only on very good grounds, and their necessity and currency are monitored regularly and frequently. For the most critical operations, the so-called four-eyes principle should be used: they are carried out by two administrators, or at the very least so that another person regularly reviews the changes made by the administrator. Cyber security preparedness currently focuses above all on cyber attacks. An essential part of detecting attacks is the situational picture, which is maintained with log management and SIEM systems. Detected alerts are handled either by the organisation's own staff, or an outsourced SOC service repels the detected attacks and initiates recovery when necessary. Zero trust thinking brings new challenges to this operating model too. In addition to external threats, the data traffic of the internal network and the connections between users and devices should also be monitored with the same precision as external traffic. Likewise, regular vulnerability scans should be extended beyond Internet-facing servers to the internal network, its servers and workstations, and users' mobile devices.
At its best, the zero trust model brings discipline to the implementation and upkeep of cyber security. Many of the principles of the zero trust model can be implemented with current technologies and, above all, by adopting a new perspective on risk management that takes internal threats into account better than before. Taken far, zero trust is a highly technical model in which internal risk is reduced by segmenting the network into smaller units and by building technical controls, for example on access to data. The aim is to prevent harmful actions by users, whether intentional or unintentional. Despite the technical perspective, developing the security culture with visible support from the organisation's management, and increasing users' security awareness, are important factors in detecting and countering internal security threats. The zero trust model can be implemented on many different levels. For example, for critical infrastructure organisations, a closer analysis of the model and investment in its implementation may well be necessary. Excesses are nevertheless best avoided, and each organisation should assess for itself the level at which, and with what investment, the zero trust model is worth implementing. The best answer to this is given by a careful and realistic risk analysis that takes into account all the factors affecting the organisation's own situation and its development.
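The model described above, "never trust, always verify" with segmentation, strong authentication and the four-eyes principle for critical changes, can be made concrete as a per-request policy decision. The code below is an added example written for this article, not code from the review or from any of the vendors it names; the resources, segments, users and the 60-minute re-authentication window are constructed sample values, labelled as such in the code. Its point is the worst case the article starts from: valid admin credentials alone are not enough when the device, the segment or the freshness of authentication fails a check.

```python
"""Per-request access decisions in the "never trust, always verify" spirit.

Added example, not code from the article or from any vendor product it
names. Every request is judged on its own: the caller's role, the health of
the device, how fresh the strong authentication is, whether the source
segment may reach the target at all and, for change operations on critical
resources, whether a second administrator approved it (the article's
four-eyes principle). Resources, segments, users and the 60-minute MFA
window are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MAX_MFA_AGE_MINUTES = 60  # assumed policy: re-verify after an hour


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_segments: FrozenSet[str]  # micro-segments that may reach this resource
    required_role: str
    critical: bool = False            # change actions need a second administrator


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    device_compliant: bool   # endpoint health as attested by the device agent
    mfa_age_minutes: int     # minutes since the last strong authentication
    segment: str             # network segment the request arrives from
    action: str              # "read" or "change"
    approver: Optional[str] = None


def decide(req: Request, res: Resource) -> Tuple[bool, List[str]]:
    """Deny by default; collect every failed check so the SOC sees the full picture."""
    reasons = []
    if req.segment not in res.allowed_segments:
        reasons.append(f"segment {req.segment!r} may not reach {res.name}")
    if res.required_role not in req.roles:
        reasons.append(f"missing role {res.required_role!r}")
    if not req.device_compliant:
        reasons.append("device failed compliance check")
    if req.mfa_age_minutes > MAX_MFA_AGE_MINUTES:
        reasons.append("strong authentication is stale")
    if res.critical and req.action == "change" and (req.approver is None or req.approver == req.user):
        reasons.append("four-eyes: a different administrator must approve")
    return (not reasons, reasons)


# Constructed sample resources.
PAYROLL_DB = Resource("payroll-db", frozenset({"finance-vlan", "admin-vlan"}), "finance", critical=True)
INTRANET_WIKI = Resource("intranet-wiki", frozenset({"office-lan", "finance-vlan", "admin-vlan", "vpn"}), "employee")

# Constructed sample requests.
ADMIN_CHANGE_APPROVED = Request("alice", frozenset({"finance", "admin"}), True, 10, "admin-vlan", "change", approver="bob")
ADMIN_CHANGE_SOLO = Request("alice", frozenset({"finance", "admin"}), True, 10, "admin-vlan", "change")
# The article's worst case: valid admin credentials used from an unknown place and device.
ADMIN_CREDS_MISUSED = Request("alice", frozenset({"finance", "admin"}), False, 600, "guest-wifi", "read")
EMPLOYEE_READ = Request("carol", frozenset({"employee"}), True, 30, "vpn", "read")

if __name__ == "__main__":
    for label, req, res in [("approved change", ADMIN_CHANGE_APPROVED, PAYROLL_DB),
                            ("solo change", ADMIN_CHANGE_SOLO, PAYROLL_DB),
                            ("misused creds", ADMIN_CREDS_MISUSED, PAYROLL_DB),
                            ("wiki read", EMPLOYEE_READ, INTRANET_WIKI)]:
        print(label, decide(req, res))
```

Returning every failed reason rather than the first one matters for the monitoring side the article raises: a request that fails three checks at once from a guest segment is an incident, not a typo, and the SIEM rule that watches internal traffic should see all three.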
SOURCES:
Defence Innovation Board of the DoD. The Road to Zero Trust. DIB white paper.
Armed Forces Communications and Electronics Association (AFCEA). Zero Trust and Identity: How DISA Continues to Protect the Warfighter in Cyberspace. Webinar 16.9.2020.
https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
https://www.forbes.com/sites/insights-vmwaresecurity/2019/06/12/zero-trust-the-modern-approach-to-cybersecurity/#553fc9094e9d
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
CYBER SOVEREIGNTY – ANARCHICAL DREAM MEETS WESTPHALIAN NECESSITIES
Text: Juha Kukkola, Doctor of Military Sciences, National Defence University
By 2020 the libertarian or even anarchical dreams for cyberspace have been replaced with fear, honour, and interest – what Thucydides called the prime motives of state behaviour. Cyberspace has become a national security interest for all states. Consequently, issues around state sovereignty will have significant influence on how global cyberspace will develop. National borders, laws, and the state’s monopoly on violence will shape future legitimate use of cyberspace – even though private actors will largely own it. The idea of cyber sovereignty has Russian and Chinese roots. It is based on a fear that the United States controls the Internet and can use this control to its advantage in the eternal competition among great powers. In context of this competition, sovereignty is a recipe for resistance and can possibly be used as an advantage. This novel type of sovereignty includes control of national information space and technological self-sufficiency. From Russian and Chinese perspectives, it makes sense to divide cyberspace into state-controlled segments. These segments help in controlling populations and protect ruling regimes from external and internal threats. Technological independence
provides power through the innovativeness and competitiveness of the national ICT sector. Cyber sovereignty is more complex for less powerful states. For starters, they have limited resources to develop technological independence. Moreover, the idea of cyber sovereignty creates challenges for states that consider their core values to be democracy, market economy, the rule of law, and respect for human rights. These challenges are not insurmountable but must be thought through and openly discussed. Implementing haphazard national policies in a semi-transparent way can undermine the legitimacy of the chosen policies. Definitions are important. It is vital to separate the information environment from cyberspace. The latter is part of the former. Cyber sovereignty is about technology, whereas information sovereignty would include the information content and even the minds and thoughts of people. Cyberspace can be further divided into physical, logical, and cyber-persona layers. If the third layer is included in sovereignty, our Internet accounts etc. should be connected to physical individuals or legal entities. Internet anonymity would become a myth. Conversely, if cyber sovereignty contains everything on the logical layer, then data moving
through networks should have ‘nationality’. This would require a total reconfiguration of the Internet. If cyber sovereignty applies only to the physical layer or systems and networks inside state borders, defining sovereignty becomes easier. However, it is unclear how a state can claim sovereignty over what is mostly privately owned ICT equipment and, in the extreme, their production and supply chains. The concept of critical information infrastructure seems to offer a way out of this dilemma. Public and private actors can catalogue their systems based on the importance of these systems to the nation’s critical services and infrastructure (e.g. electricity, transportation, and healthcare). This catalogue could form the basis of state and private rights and responsibilities concerning critical information infrastructure. The problem here is threefold: what is ‘critical,’ who gets to decide this, and what does responsibility for something ‘critical’ mean? Currently, the discussion about critical information infrastructure revolves around threats. International debate is concentrated on answering what is an armed attack in cyberspace and how states can respond to these attacks. Domestic debates focus on hybrid threats, that is, how critical infrastructure should be made resilient against peacetime interference by hostile states. These debates threaten to militarize the issue of cyber sovereignty. Cyber borders and territory are associated with defence, which seems to suggest that the military should defend critical information infrastructure. This would require the presence of cyber forces in private and civilian networks even during peacetime. To legitimize such a mission would require an open public debate, incentivising the private sector to accept state
interference, drafting new laws, and increasing the resources of the defence forces. The non-great power states cannot and should not shape their national cyberspace into technologically self-sufficient and sovereign segments like, for example, Russia is trying to do. There are several arguments against this. First, these states would not be able to create truly alternative cyber ecosystems. Small states do not have the resources to create competitive full-spectrum national ICT industries and service platforms. Second, these states would lose the benefits of international cooperation and markets. As their critical information infrastructure might be owned by foreign companies and located outside their nation’s borders, ‘nationalizing’ this infrastructure could be quite difficult to achieve. Third, these states would convert national cyber security into cyber defence executed by the military in peacetime. This would ultimately hinder innovation and investment. Moreover, international cyber security cooperation would become difficult for non-allied states. Finally, these states would adopt an authoritarian way of managing cyberspace with high state intervention in markets. Consequently, the non-great power states would not be any more secure on their small ‘cyber islands’ than they are today. State security has become inescapably intertwined with cyberspace. However, before we try to solve the challenges that this state of affairs presents, we should take a hard look at what cyber sovereignty entails. Small states and regional powers represent the majority of the world’s nations. How they define cyber sovereignty will determine what cyberspace will look like in 2048, that is, on the 400th anniversary of the Peace of Westphalia.
IMPROVE CYBER SECURITY WITH DEEP LEARNING AND SEMANTIC ANALYSIS
Text: Pertti Jalasvirta, Partner, Cyberwatch Finland
The challenges in the cyber domain, in terms of security threats and their management, increase day by day. The cyber domain is fraught with state-backed and non-state actors which try to exploit the vulnerabilities and loopholes in the system. It becomes increasingly important to understand and tackle the current threat scenarios so that we can prepare for the future. The way forward, as the industry sees it today, is through the harnessing of terabytes of data and all the digital information that is generated every second across the cyberworld, and eventually preparing automated defense strategies against bad actors. It is impossible to understand and collect such a large amount of data manually. However, artificial
intelligence-based technologies are evolving rapidly and are becoming an important tool for data processing and analysis. Over the last decade or so, the development of artificial intelligence, machine learning and data science, terms that are used almost synonymously, has caused a paradigm shift in the tech industry, and their success has depended on how well they have been able to take advantage of digital information using the computing power available. Among the many different techniques that have become part of the ‘AI toolbox’, deep learning and Natural Language Processing (NLP) appear to be two major success stories. For instance, the use of deep learning and NLP is evident in the efficient detection of anomalies in HTTP requests and responses [Sources: 1]. This application demonstrates how the defense of communication networks can be strengthened against malicious traffic. A similar and practical example comes from Domenic Puzio, who during his career at Capital One developed a system that scaled up regular corporate traffic in real time and sent out alarm signals that can be analysed by cyber security analysts [Sources: 1, 3]. The use of AI in the analysis of cyber threats in smaller capacities has been present for more than a decade. Data from Internet traffic and security logs are usually multidimensional, and for such scenarios dimensionality reduction and clustering have been part of the more traditional AI methods. A technique called Principal Component Analysis (PCA) is used to reduce the effective number of dimensions or facets in the data and provide a parsimonious description. It can be used to efficiently create records of a large number of security incidents and subsequently identify latent or dormant threats. The resulting analysis is able to clump together or categorize similar patterns of attacks [Sources: 3].
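The two ideas in the paragraph above, anomaly detection in HTTP requests and PCA as a dimensionality-reduction step, combine into one classic detector: fit the principal direction of normal traffic, then score each new request by how badly that direction reconstructs it. The script below is an added example written for this article, not code from the article or from the systems it cites. It uses only the standard library (power iteration instead of a linear-algebra package), and every log line in it is constructed sample data; the anomaly is a generic oversized, heavily percent-encoded query, not a specific attack string.

```python
"""PCA-style anomaly scoring of HTTP requests in pure Python.

Added example: this is not code from the article or from the systems it
cites. A single principal component is fitted to a baseline of normal
requests with power iteration on the covariance matrix; new requests are
then scored by their reconstruction error, so traffic that does not follow
the baseline's correlation structure stands out. All log lines are
constructed sample data.
"""
import math
import re

# Constructed baseline of ordinary traffic (Apache-style access log lines).
BASELINE = [
    '10.0.0.5 - - [10/Oct/2020:13:55:36 +0300] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.6 - - [10/Oct/2020:13:55:40 +0300] "GET /products/list?page=2 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Oct/2020:13:55:41 +0300] "GET /products/item?id=42 HTTP/1.1" 200 3870',
    '10.0.0.5 - - [10/Oct/2020:13:55:45 +0300] "POST /account/login HTTP/1.1" 302 512',
    '10.0.0.8 - - [10/Oct/2020:13:55:46 +0300] "GET /static/css/main.css HTTP/1.1" 200 8150',
    '10.0.0.8 - - [10/Oct/2020:13:55:46 +0300] "GET /static/js/app.js HTTP/1.1" 200 15320',
    '10.0.0.9 - - [10/Oct/2020:13:55:50 +0300] "GET /about HTTP/1.1" 200 1980',
    '10.0.0.7 - - [10/Oct/2020:13:55:52 +0300] "GET /products/item?id=17 HTTP/1.1" 200 3902',
    '10.0.0.6 - - [10/Oct/2020:13:55:58 +0300] "GET /search?q=router HTTP/1.1" 200 4410',
    '10.0.0.9 - - [10/Oct/2020:13:56:01 +0300] "GET /contact HTTP/1.1" 200 2105',
]
# Constructed new traffic: two ordinary requests and one oversized,
# heavily percent-encoded query that the server answered with a 500.
NEW = [
    BASELINE[2],
    '10.0.0.13 - - [10/Oct/2020:14:02:11 +0300] "GET /products/item?id=1'
    + "%27%29%3B%3C%3E%28%22" * 6 + ' HTTP/1.1" 500 0',
    BASELINE[9],
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)')
SPECIALS = set("%'\"<>;()=")


def features(line):
    """Numeric view of one request: path length, special characters, depth, response bytes."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    path = m.group("path")
    return [float(len(path)), float(sum(c in SPECIALS for c in path)),
            float(path.count("/")), float(m.group("bytes"))]


def top_component(rows, iterations=200):
    """Dominant eigenvector of the sample covariance matrix, found by power iteration."""
    n, d = len(rows), len(rows[0])
    cov = [[sum(r[i] * r[j] for r in rows) / (n - 1) for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iterations):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    return v


class PcaAnomalyModel:
    def __init__(self, threshold_factor=2.0):
        self.factor = threshold_factor  # assumed: flag at twice the worst baseline residual

    def fit(self, lines):
        rows = [features(line) for line in lines]
        d = len(rows[0])
        self.mean = [sum(r[i] for r in rows) / len(rows) for i in range(d)]
        self.std = [max(math.sqrt(sum((r[i] - self.mean[i]) ** 2 for r in rows) / len(rows)), 1e-9)
                    for i in range(d)]
        z = [self._standardize(r) for r in rows]
        self.component = top_component(z)
        self.threshold = self.factor * max(self._residual(x) for x in z)
        return self

    def _standardize(self, row):
        return [(row[i] - self.mean[i]) / self.std[i] for i in range(len(row))]

    def _residual(self, x):
        """Length of the part of x that the principal component cannot explain."""
        proj = sum(a * b for a, b in zip(x, self.component))
        return math.sqrt(sum((a - proj * b) ** 2 for a, b in zip(x, self.component)))

    def score(self, line):
        return self._residual(self._standardize(features(line)))

    def flag(self, lines):
        return [i for i, line in enumerate(lines) if self.score(line) > self.threshold]


if __name__ == "__main__":
    model = PcaAnomalyModel().fit(BASELINE)
    for i, line in enumerate(NEW):
        print(i, round(model.score(line), 2), "ANOMALY" if i in model.flag(NEW) else "ok")
```

Fitting on a clean baseline and scoring new traffic separately is deliberate: if the outlier were included in the fit, the principal component would bend toward it and its residual would shrink, which is the main practical pitfall of PCA-based detectors. The threshold rule is a placeholder; a production system would pick a quantile of held-out residuals and re-fit as normal traffic drifts.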
The automatic categorization becomes useful in risk management, whereby fast identification of security lapses and threat actors is possible. Interestingly, methods such as PCA can be used simultaneously with sophisticated methods like deep learning, given the high complexity of the data available in practice and the wide variety of input data. However, deep learning algorithms are, by design, expected to work on data that comes with volume, variety and complexity and, in principle, can analyse all the available data and explore the raw data files without being explicitly asked to consider hand-engineered features. For its application in cyber security, deep learning models are able to combine data from a variety of input sources. [Sources: 2]
UNDERSTANDING THE OVERALL THREAT SCENARIO
Apart from the issues related to the classification of threats and detection of anomalous traffic, questions arise relating to the understanding of the overall cyber threat scenario, how that evolves in time and how it is fuelled by different state-sponsored actors. These questions are far from easy to answer and require incorporating complex information on world politics, technological trends, economic and military interests and conflicts. This brings in the need for the processing of textual data, which is precisely what NLP-based methods tackle. The challenge and utility of NLP is to convert textual data into structured numerical data that can be fed to algorithms like deep learning. The approaches in NLP vary between the processing of short- and long-range semantics of written texts, like news pieces or social media posts. A culmination of the above methods can be found in artificial threat intelligence systems in the form of ‘Knowledge Graphs’, where textual data from the cyber domain is converted into a web of entities and their interrelationships. The latter then powers a deep learning algorithm to make predictions about vulnerabilities and attacks. [ref: Mittal S, Joshi A, Finin T. Cyber-all-intel: An AI for security related threat intelligence. arXiv preprint arXiv:1905.02895. 2019 May 7.] Given the many different techniques available to us, it finally becomes an association of AI, digital sources of data, and human analysts that act together to extract valuable knowledge, build predictive models of the future and design defense strategies. While there may not be a real silver bullet, ideally there are tools and models that are robust across diverse domains, and whose predictions can be interpreted via human wisdom. As the amount of data, threats, technology solutions, and alternative tools grows, we should be able to make the right choices.
If we now focus on solving current problems in light of today’s knowledge and skills, would we be able to solve future problems without fear that something was missing?
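The knowledge-graph idea described above can be made concrete with a small toy pipeline. The following Python is an added example, not code from this article or from the Cyber-all-intel paper it cites: it extracts entities from three constructed threat-report sentences using a hypothetical lexicon plus a CVE-identifier pattern, derives labelled relations with simple verb and preposition rules, and then answers a graph query (which actors can reach a given product within two hops). The sentences, the actor, malware and product names, and the CVE numbers are all constructed placeholders.

```python
import re
from collections import defaultdict, deque

# Constructed threat-report sentences (toy data, not from any real feed).
REPORTS = [
    "RedFox exploits CVE-2020-00001 in WidgetOS and deploys Grabber.",
    "Grabber targets WidgetOS hosts and exfiltrates credentials.",
    "BlueWolf uses Grabber against AcmeERP.",
]

# Hypothetical entity lexicon; a real system would use a trained NER model.
LEXICON = {
    "RedFox": "actor", "BlueWolf": "actor",
    "Grabber": "malware",
    "WidgetOS": "product", "AcmeERP": "product",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Verb keywords link the sentence subject to the next entity;
# preposition keywords link the previous entity to the next entity.
VERBS = {"exploits": "exploits", "deploys": "uses", "uses": "uses", "targets": "targets"}
PREPS = {"in": "affects", "against": "targets"}
TOKEN_RE = re.compile(r"CVE-\d{4}-\d{4,}|[A-Za-z]+")


def entity_kind(token):
    """Return the entity type of a token, or None if it is not an entity."""
    if CVE_RE.match(token):
        return "vulnerability"
    return LEXICON.get(token)


def extract_triples(sentence):
    """Rule-based (subject, relation, object) extraction from one sentence.
    Deliberately crude: active voice only, first entity is the subject."""
    triples = []
    subject = prev = pending = None
    for tok in TOKEN_RE.findall(sentence):
        kind = entity_kind(tok)
        if kind:
            if subject is None:
                subject = tok
            elif pending:
                anchor, rel = pending
                triples.append((anchor, rel, tok))
            prev, pending = tok, None
        elif tok.lower() in VERBS and subject:
            pending = (subject, VERBS[tok.lower()])
        elif tok.lower() in PREPS and prev:
            pending = (prev, PREPS[tok.lower()])
    return triples


def build_graph(sentences):
    """Knowledge graph as a node->kind map plus an adjacency list of labelled edges."""
    nodes, edges = {}, defaultdict(list)
    for s in sentences:
        for tok in TOKEN_RE.findall(s):
            kind = entity_kind(tok)
            if kind:
                nodes[tok] = kind
        for subj, rel, obj in extract_triples(s):
            edges[subj].append((rel, obj))
    return nodes, edges


def actors_threatening(nodes, edges, product, max_hops=2):
    """Actors from which `product` is reachable within max_hops edges (reverse BFS)."""
    reverse = defaultdict(list)
    for subj, outs in edges.items():
        for _rel, obj in outs:
            reverse[obj].append(subj)
    seen, frontier, found = {product}, deque([(product, 0)]), set()
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for pred in reverse[node]:
            if pred not in seen:
                seen.add(pred)
                if nodes.get(pred) == "actor":
                    found.add(pred)
                frontier.append((pred, depth + 1))
    return found


if __name__ == "__main__":
    nodes, edges = build_graph(REPORTS)
    for subj, outs in edges.items():
        for rel, obj in outs:
            print(f"{subj} -[{rel}]-> {obj}")
    print("actors threatening AcmeERP:", actors_threatening(nodes, edges, "AcmeERP"))
```

The relation rules are the weak point, as the article's remark about short- and long-range semantics suggests: a passive sentence ("CVE-... was exploited by ...") would be mis-read by this heuristic, which is exactly the kind of gap that trained NLP models close.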
Sources:
0 http://www.lesliesikos.com/data-science-in-cybersecurity-and-cyberthreat-intelligence/
1 https://medium.com/@ursachi/role-and-applications-of-nlp-in-cybersecurity-333d9280c737
2 https://www.deepinstinct.com/2019/11/06/ai-beyond-the-semantics-heres-what-you-need-to-know/
3 https://nsfocusglobal.com/machine-learning-algorithms-power-security-threat-reasoning-and-analysis/
4 https://journalofbigdata.springeropen.com/articles/10.1186/s40537-014-0007-7
THE U.S. AND CHINA TECH RIVALRY ESCALATES FURTHER
text: PASI ERONEN, International security analyst and consultant
In early August, the White House issued an Executive Order that threatened to ban TikTok, a hugely popular social media platform owned by the Chinese company ByteDance Ltd.1 With over 175 million downloads in the U.S. alone, and over a billion downloads globally, the U.S. authorities view TikTok as a national security threat. One of the key concerns is that user data, such as location data and biometric information, may end up in the hands of the Chinese government and allow it to use the data, for example, for espionage purposes. TikTok was also banned by the Indian government together with 58 other Chinese apps following the border clashes and rising tensions with China.2 At the same time as the executive order banning TikTok, the White House issued another executive order targeting WeChat. WeChat, a social media and electronic payment application owned by the Chinese company Tencent, has limited market penetration in the West but a near society-wide adoption rate in China.3

The recent bans issued against Chinese-owned mobile applications are another move in the great game, in which the heating geopolitical rivalry between the U.S. and China is taking a greater role in the technology domain as well. The measures taken against popular mobile applications were preceded by rounds of sanctions levied against the Chinese mobile technology giant Huawei. The sanctions were aimed not only at severely limiting Huawei’s role in the 5G networks in the U.S. and elsewhere, but also at limiting Huawei’s access to core technologies crucial for its business, such as sophisticated chip designs manufactured using U.S. export-licensed technology.4 Other Western powers, such as the United Kingdom and France, have after their own investigations followed the U.S. lead in their efforts to gradually phase out Huawei from their next-generation networks having national security significance.5,6

The tightened sanctions regime is beginning to produce the expected results, as Huawei has reported running out of the in-house designed sophisticated chips used in its smartphones. The depletion of Huawei’s chip stock follows the closure of chip production by its foreign suppliers, such as Taiwanese TSMC, by mid-September in compliance with the U.S. sanctions.7 As could be expected, Huawei and the Chinese government are working hard to limit the sanctions’ effects. According to some reports, Huawei has been trying to poach talent to prop up indigenous production of lithography machines8, and the Chinese government is pushing long-term national industrial policies to boost the semiconductor industries.9 At the same time, news reports are emerging about a long-term hacking campaign by a Chinese threat actor against Taiwanese chip companies. Reportedly, Chinese hackers stole intellectual property, including chip designs.10

The bans and sanctions are part of the broader struggle against questionable Chinese competitive practices, ranging from hacking and intellectual property theft to standards setting11, aimed at gaining an edge against Western companies and countries alike. For example, in the U.S. alone, the FBI reportedly opens a new China-related counterintelligence case every 10 hours.12 To stem and counter the malicious activities, the U.S. authorities have recently, for example, ordered China to close its consulate in Houston for purported intelligence activities13 and issued a proclamation banning Chinese graduate students and researchers with ties to the People’s Liberation Army from entering the U.S.14
KEY FINDINGS

Both the ongoing COVID-19 global pandemic and the tech rivalry between China and the Western powers, the U.S. in particular, have made the vulnerabilities in the global supply and value chains visible. The ownership of intellectual property rights, necessary know-how and tools, and production capacity is scattered around the world across several nation-states and jurisdictions. For example, Huawei’s statement about its inability to source its in-house designed advanced chips for its phones shows that China and Chinese companies may lack some core parts in their value chain. In this case, the lack of indigenous production of sophisticated chips at scale makes their economy and global enterprises vulnerable to carefully targeted sanctions policies.
The overlapping crises burdening the global supply and value chains, combined with the increased political and image risks associated with China-based operations, have already forced global enterprises to re-evaluate their global footprint. This has led some companies to leave China, though not necessarily back to their native countries.15 This development will most probably continue and be encouraged by the political leadership in various countries, as was exemplified recently by Japan.16 This might, in turn, lead to even more aggressive intelligence collection, both in the cyber domain and by other means, by Chinese actors in support of the development of their national capabilities.
It can also be expected that there will be some tit-for-tat retaliation against Western companies, some of which are dangerously exposed to China’s political risks. According to one assessment, these companies include Apple, with a fifth of its total sales of $270 billion from China. Similarly, the U.S. semiconductor giants, such as Qualcomm and Intel, depend heavily on their sales in China.17
The most recent escalatory steps seen in the technological rivalry between the U.S. and China are an outcome of more than a decade of Chinese intellectual property theft, penetration of Western research institutions, suspected use of private and state-owned enterprises to collect data for the benefit of the state and the Chinese Communist Party, and, most recently, a more brazen Chinese geopolitical posture. Taking over the commanding heights of technological development serves as another front in the geopolitical struggle between authoritarian China and the countries upholding the liberal order. Thus, it is highly unlikely that the rivalry in the tech domain will cease to exist in the short to medium term. China making major concessions and policy changes regarding its more aggressive global presence appears improbable.
After decades of enjoying the peace dividend and the seemingly unstoppable onward march of increasingly efficient global supply and value chains, it currently appears that pure economic calculus is about to take a back seat in international politics. Instead, geopolitical and security considerations are being reintroduced as the primary driving force behind the setting of political priorities. Should this be true, it will lead, among other developments, to an even more fragmented internet together with increasingly walled-off information spaces, diverging global technological standards, and increasingly aggressive economic and political maneuvers in geographic areas where spheres of influence overlap. These developments will mean a more risk-laden operational environment for companies engaged in global business, particularly in the areas of high-tech and dual-use technologies and those having an association with national security. Such companies should pay particular attention to improving their resilience and solidifying their security footing, especially in the cyber domain.
Sources:
1 https://www.whitehouse.gov/presidential-actions/executive-order-addressing-threat-posed-tiktok/
2 https://economictimes.indiatimes.com/tech/software/india-bans-59-chinese-apps-including-tiktok-helo-wechat/articleshow/76694814.cms
3 https://www.whitehouse.gov/presidential-actions/executive-order-addressing-threat-posed-wechat/
4 https://www.commerce.gov/news/press-releases/2020/05/commerce-addresses-huaweis-efforts-undermine-entity-list-restricts
5 https://www.reuters.com/article/us-france-huawei-5g-security-exclusive/exclusive-french-limits-on-huawei-5g-equipment-amount-to-defacto-ban-by-2028-idUSKCN24N26R
6 https://www.cfr.org/blog/united-kingdom-bans-huawei-5g-networks-0
7 https://apnews.com/270e93e985733a4d086c06a01375cea0
8 https://www.globaltimes.cn/content/1195696.shtml
9 https://www.cnbc.com/amp/2020/08/11/china-policies-to-boost-chipmakers-as-tensions-with-us-rise.html
10 https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
11 https://www.latimes.com/opinion/story/2020-06-11/china-5g-global-standards-war
12 https://www.fbi.gov/news/speeches/the-threat-posed-by-the-chinese-government-and-the-chinese-communist-party-to-the-economic-and-national-security-of-the-united-states/layout_view
13 https://www.nytimes.com/2020/07/22/world/asia/us-china-houston-consulate.html
14 https://www.whitehouse.gov/presidential-actions/proclamation-suspension-entry-nonimmigrants-certain-students-researchers-peoples-republic-china/
15 https://www.nytimes.com/2020/07/22/business/companies-may-move-supply-chains-out-of-china-but-not-necessarily-to-the-us.html
16 https://www.washingtonpost.com/world/asia_pacific/japan-helps-87-companies-to-exit-china-after-pandemic-exposed-overreliance/2020/07/21/4889abd2-cb2f-11ea-99b0-8426e26d203b_story.html
17 https://amp.ft.com/content/cbb6a75b-2b12-4a21-aed6-41965d3d15d6
CAN YOU ENTRUST YOUR OT/ICS SECURITY TO YOUR SOC-AS-A-SERVICE?
text: FRANCO MONTI
For about five years, specialized service providers have offered to take over companies’ entire security monitoring as a service. At the beginning, only larger companies, sometimes those with international business activities, started to take Security Operations Center (SOC) services on board. In most cases these were typically threat monitoring and vulnerability management. Threat monitoring was used to identify any incident occurring and to immediately alert the monitored company, with enriched data about what happened and how critical the situation is. For vulnerability management, in most cases off-the-shelf products were used and included directly in the SOC service in order to provide detailed information about any security issue caused by unpatched system components or security weaknesses in a customer’s infrastructure.
Figure 1 - Traditional IT-centric SOC Model
FRANCO MONTI – SENIOR PARTNER, MONTI STAMPA FURRER & PARTNERS AG (MSFPARTNERS.COM), SWITZERLAND
Franco Monti is co-owner and co-founder of MSFPartners.com, a Swiss cyber security boutique with offices in Switzerland and Dubai. He can draw on many years of experience in the protection of critical infrastructures (IT & OT/ICS). Over this period, he has accumulated a wealth of expertise in developing cyber security strategies and drawing up complex cyber security programmes. He takes responsibility for Swiss and international projects that focus on setting up security operations centres, introducing incident management and protecting IT and OT infrastructures. Franco graduated in engineering at the Swiss Federal Institute of Technology (ETH) and in business administration at the University of St. Gallen (HSG).
In order to be capable of monitoring a customer, SOC providers usually install a SIEM (Security Information and Event Management) system. The SIEM is a core element of any SOC service, correlating the millions of events that happen in every company in a single month. These events are correlated inside the SIEM and filtered in such a way that all ongoing malicious activities become visible to the SOC and its customer: usually not more than a few dozen per month. Using the SIEM and further subject-matter expertise, SOC organizations map every incident found to known attack patterns. They provide their customer with detailed information, the criticality of the incident, and assistance on what to do next to respond to the incident and how best to recover.

Traditionally, the service portfolio of large national or international SOC providers has focused on the IT of their customers. Over the last years they have gained significant expertise in how to effectively and efficiently protect an IT environment with office automation, corporate networks, firewalls, proxy servers, clients and servers. By collecting log files from all relevant IT infrastructure, they feed this information into the SIEM for correlation.

When it comes to the protection of manufacturing facilities or of critical infrastructure, such as components of the grid or of power plants in utility companies, the classic SOC mechanism no longer works. In this environment, industry-specific control infrastructure has been established. In the past this was used to isolate it from IT and to separately manage dedicated industrial components. Such an environment is called Industrial Control Systems (ICS) in manufacturing or Operational Technology (OT) in the utility industries. ICS/OT infrastructure consists of control systems (SCADA) managing industrial controllers (PLCs), which in turn drive industrial equipment such as robots, production line equipment, turbines, water purification plants or gas pipelines. ICS/OT environments are driven by real-time processes. There, it is no longer possible to easily retrieve security log files from the infrastructure without risking interrupting the industrial processes or putting the controllers out of sync. In cases where industrial controllers stumble because of an unforeseen process intervention, the danger of significant industrial damage or accidents immediately rises. This is why special methodology and care need to be applied to monitor ICS/OT environments against cyber security attacks, and why we consider the establishment of an OT concept as key before any installation of OT monitoring.

Traditional SOC providers have been faced with new requirements to connect ICS/OT infrastructure to their SOC as well and to correlate events happening in the IT environment with those coming from ICS/OT. Given the attack pattern of many well-known industrial cyber-attacks, this makes perfect sense. However, most SOC providers have not yet gained enough experience in how to deal with these classes of industrial events. Therefore, they do not know how best to absorb OT monitoring into their service. All the expertise gained from monitoring typical IT environments cannot be used to understand events, incidents and even vulnerabilities coming from an industrial environment. Today’s SOC provider personnel are IT professionals with excellent skills for protecting their customers’ corporate business IT. When it comes to understanding the dynamics of an industrial process, in many cases their experience is nil. The challenge is huge for SOC providers. In order to understand how to react to an ICS/OT event coming from the OT monitoring, the SOC needs employees who deeply understand industrial processes, networks and all relevant components. Those who understand these events are typically specialized, well-trained industrial engineers who hardly ever change jobs to work for a SOC provider. On the other hand, when connecting the OT monitoring to the SOC service, those ICS/OT engineers in many cases do not recognize a value-add brought by the SOC provider.
They argue that they already have full security transparency using their OT monitoring management console in their control centers and act accordingly when an alert arrives. So, does it then make sense to connect OT monitoring to a SOC, and can you entrust it to keep your ICS/OT safe? Our experience tells us yes, but there need to be some measures in place to benefit from connecting OT monitoring to a SOC.

First of all, in most industrial environments ICS/OT engineers do not monitor cyber security 7x24x365 due to a lack of resources and the cost this would entail. In such a constellation, a SOC could already provide a significant increase in protection by monitoring the ICS/OT infrastructure around the clock. If an incident arrives, say during the weekend, a best-effort incident response process could be initiated by the SOC provider, alarming the plant engineers on duty or trying to contact the customer’s cyber security officers.

Second, most attacks begin in the IT environment of a company before they touch ICS/OT. Example attacks are Ukraine 1 and 2 on Ukraine’s electricity infrastructure, or TRITON, when Safety Instrumented Systems (SIS) were attacked for the first time in history. The usual way to get access to a company is social engineering. Once the attacker lands inside the IT, he or she moves laterally into the ICS/OT network. There, SCADA systems and PLCs are the target equipment which the attacker tries to compromise, using either well-known vulnerabilities or zero-day approaches to, for example, modify the firmware or add malicious code to a controller. A SOC helps to find quicker ways to stop such an attack by providing correlation not only between its log sources but also between IT and ICS/OT. This could become critical to stopping an attack as early as possible in the kill chain.

Third, in our projects we have experienced a huge advantage in establishing ICS/OT-specific scenarios which help the security monitoring personnel in the SOC to understand the technical nature of an ICS/OT incident or vulnerability more quickly and more thoroughly. ICS/OT scenarios are linked with the typical use cases every SOC offers to its customers. A classic use case can have one or several scenarios. These have a significant benefit for the plant engineers, as they gain an additional view from the SOC when malicious activities occur.

Finally, it is fair to say that if a SOC provider and its customer work together in establishing the right ICS/OT scenarios, it becomes very beneficial to connect OT monitoring to the SOC and to establish a company-wide security posture covering not only IT but ICS/OT as well – at least that is what we observe every day in real-life projects protecting ICS/OT environments.
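To illustrate the IT-to-ICS/OT correlation and the scenario approach the article argues for, here is an added example (not the author’s or MSFPartners’ code) of a SOC correlation rule written in Python over constructed, already-normalized events of the kind a SIEM would hold. A remote login from a corporate workstation onto an engineering host, followed within an hour by a PLC program download issued from that host, is raised as an “IT-to-OT pivot” scenario and escalated to critical when it happens outside the assumed maintenance window; a download outside that window with no preceding login is raised at medium severity. The host names, timestamps, event types and the one-hour and weekday-working-hours thresholds are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized events as a SIEM would hold them (not real logs).
# "it" events come from corporate IT log sources, "ot" events from OT monitoring.
EVENTS = [
    {"ts": "2020-09-14T02:14:05", "source": "it", "type": "remote_login",
     "src": "WS-0421", "dst": "ENG-01", "user": "j.doe"},
    {"ts": "2020-09-14T02:31:40", "source": "ot", "type": "plc_program_download",
     "src": "ENG-01", "dst": "PLC-TURBINE-3"},
    {"ts": "2020-09-14T09:05:10", "source": "it", "type": "remote_login",
     "src": "WS-0099", "dst": "ENG-02", "user": "m.engineer"},
    {"ts": "2020-09-14T15:45:00", "source": "ot", "type": "plc_program_download",
     "src": "ENG-02", "dst": "PLC-PUMP-1"},
    {"ts": "2020-09-15T22:10:00", "source": "ot", "type": "plc_program_download",
     "src": "ENG-02", "dst": "PLC-PUMP-1"},
]

# Assumed thresholds: an IT login counts as related to an OT change within this
# window, and controller changes are only expected during weekday working hours.
PIVOT_WINDOW = timedelta(minutes=60)
MAINTENANCE_HOURS = range(8, 17)


def parse(event):
    """Copy an event with its ISO-8601 timestamp turned into a datetime."""
    parsed = dict(event)
    parsed["ts"] = datetime.fromisoformat(event["ts"])
    return parsed


def in_maintenance_window(ts):
    """True on weekdays during the assumed maintenance hours."""
    return ts.weekday() < 5 and ts.hour in MAINTENANCE_HOURS


def correlate(raw_events, window=PIVOT_WINDOW):
    """Return scenario alerts for PLC program downloads, correlated with IT logins."""
    events = sorted((parse(e) for e in raw_events), key=lambda e: e["ts"])
    logins = [e for e in events
              if e["source"] == "it" and e["type"] == "remote_login"]
    alerts = []
    for ot in events:
        if ot["source"] != "ot" or ot["type"] != "plc_program_download":
            continue
        off_hours = not in_maintenance_window(ot["ts"])
        # IT logins onto the engineering host that issued the download, shortly before it.
        preceding = [l for l in logins
                     if l["dst"] == ot["src"]
                     and timedelta(0) <= ot["ts"] - l["ts"] <= window]
        base = {"plc": ot["dst"], "engineering_host": ot["src"], "ot_ts": ot["ts"]}
        if preceding:
            alerts.append({**base, "scenario": "it_to_ot_pivot",
                           "severity": "critical" if off_hours else "high",
                           "it_event": preceding[-1]})
        elif off_hours:
            alerts.append({**base, "scenario": "off_hours_plc_change",
                           "severity": "medium", "it_event": None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        origin = alert["it_event"]["src"] if alert["it_event"] else "-"
        print(f'{alert["severity"]:8} {alert["scenario"]:22} {alert["plc"]} '
              f'via {alert["engineering_host"]} (IT origin: {origin})')
```

Run as-is, the first download (engineering host ENG-01 at 02:31 on a Monday, 17 minutes after a login from WS-0421) is reported as a critical pivot, the afternoon download on ENG-02 is silent because it falls inside the maintenance window and no login sits within the hour, and the Tuesday-night download is a medium off-hours change. The value for the plant engineer is the IT origin attached to the OT alert, which the OT console alone cannot supply.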
Figure 2 - SOC Use Cases have one or several ICS/OT scenarios - Example scenario
It is no use saying, ‘We are doing our best.’ You have got to succeed in doing what is necessary. – Winston Churchill
www.msfpartners.com
About Monti Stampa Furrer & Partners AG (MSFPartners.com), Switzerland
MSFPartners assists our clients in protecting their operational and business activities by developing an integrated cyber security framework and identifying supportive technologies that enable them to identify and prevent cyber-attacks on critical infrastructure and systems, protect data privacy, prevent data leakage and respond systematically when attacked. Based on our IT and OT protection projects with companies in various industries over the past years, MSFPartners has gained a significant reputation in protecting critical infrastructure in both IT and OT, as well as in Smart Metering and IIoT environments. MSFPartners is based in Zürich with several offices in Switzerland and has a subsidiary company in Dubai, UAE.
MSFPartners.com – Offering a broad cyber security service portfolio
© MSFPartners 2020
Our Services | Characteristics

1 Cyber Security IT and OT Strategies
• Deriving the necessary Cyber Security blueprint from business needs
• Formulating Cyber Security roadmaps and programs
• Providing financial cyber security investment planning

2 Maturity Assessment IT and OT
• Assessment of cyber security maturity score and resilience against attacks in both IT and OT

3 Cyber Security Technology Evaluation
• Scouting for new technologies and cyber security methodologies
• Formulation of RFP specifications
• Leading entire RFP processes

4 Red Team and Security Assessments
• Conducting complex penetration tests, assessing cyber security weaknesses and incident response capabilities
• Verifying robustness of VPN access to corporate resources and home-office configurations

5 Cyber Resilience
• Establishing Incident Response Plan and Runbooks
• Emergency cyber response organization
• Cyber contingency and recovery plans (BCM)
• Cyber crisis exercise (C-Level, operational level)

6 Incident Response
• Conducting emergency engineering support in case of severe attacks

7 GDPR/DSGVO
• Auditing GDPR compliance
• Formulating GDPR programs
• Proposing measures to prevent data loss
NEW OPPORTUNITIES EMERGE WHEN EAST-WEST INTEGRATE WITHIN RADIOLOGICAL SAFETY
text: TIMO HELLENBERG, CEO, Hellenberg International Ltd
Symbiosis of terrorism and radiological safety is one of the most challenging new threats. There are more than 840 research reactors worldwide, many of which are located in large cities. These are often not as properly protected as other critical infrastructure (CI) targets of our societies. The handling of sunken nuclear and radiation-hazardous waste in the world’s seas sets an additional challenge. For instance, seven nuclear-hazardous facilities sunken or submerged in Arctic waters are currently known. Submarine B-159 sank in 2003 only about 60 kilometers from Murmansk and presents the greatest hazard to the environment. Submarine K-27, which sank in 1981, contains two reactors with liquid metal coolant containing highly enriched uranium, which could lead to misuse by terrorists and extremists.

European countries building new nuclear energy capacity, such as Finland, Turkey, Hungary and Belarus, are doing so on the basis of nuclear partnerships with Russian technology. The Belarusian NPP “Astravets” will be a 2,400-megawatt-electric (MWe) plant with two VVER-1200 reactors. It is being built by Atomstroyexport, an affiliate of Russia’s state-owned Rosatom. The full launch of the first reactor was recently postponed (RFE/RL, 9.10.20) until 2022. Finland is constructing an analogous nuclear power plant, “Hanhikivi 1”, an AES-2006 design by Rosatom based on the same VVER technology. Turkey signed an agreement in May 2010 that a subsidiary of Rosatom would build, own, and operate a power plant at Akkuyu comprising four 1,200 MW VVER units. Rosatom’s 12.5 billion euro project to build two Russian VVER-1200 reactors in Hungary could come online in 2026 and 2027 respectively. Rosatom’s international strategy, the BOO (Build, Own, Operate) concept, means that Rosatom will build the nuclear power plant, provide the necessary technical know-how and the main funding, continue to lead the construction of the power plant and, ultimately, operate it. As the European Commission states, “Russia is a key competitor in nuclear fuel production and offers integrated packages for investments in the whole nuclear chain. Therefore, particular attention should be paid to investments in new nuclear power plants to be built in the EU using non-EU technology.” (European Commission, 2014). This should also mean that the EU starts building a comprehensive security and safety strategy with the selected service provider, including comprehensive cyber safety.

During 2020, a technically modern, cost-effective, and environmentally friendly radioactive waste management system for disused radioactive sources of ionizing radiation treatment should be completely established. Russia (RADON) has decades of experience in dealing with disused radioactive sources and radioactive waste materials at its facility. Long-term storage of disused radioactive sources in specialized storage containers allows transportation to the final disposal site when necessary.
Specialized containers that do not require extraction of the disused radioactive sources minimize the possibility of losing control of the sources through loss or theft, while providing opportunities for temporary storage and then final disposal of the radioactive waste. This is particularly important as an emerging concern is the prevention of access by terrorists to mobile radioactive sources, lost radioactive materials, and uncontrolled radioactive waste storage facilities.

During past years Europol has reported a steady increase in the number of individuals in concluded court proceedings for CBRN-related terrorism activities. Verdicts for incidents concerning jihadist terrorists, mostly linked to ISIS, are growing rapidly. At the same time the number of disrupted jihadist terrorist plots has increased. These included attempts to produce and deploy CBRN substances, although most have been carried out using knives and firearms, predominantly on civilian targets. All plots relying on explosives have been disrupted. As to the use of CBRN materials, Europol reported for instance plots in Paris to use black powder extracted from pyrotechnics and possibly ricin, in Cologne, and in Sardinia, where the water supply of the Lebanese army would have been poisoned. In addition, two Georgians were detained in 2018 in Kobuleti attempting to sell uranium. Meanwhile there has been a steady increase in CBRN terrorism propaganda and related threats against sports halls, shopping malls and ferries, all of which provide suitable locations for large attacks. As in previous years, intentions to use CBRN materials, mainly by jihadists, have increased. Finally, an ISIS-affiliated group launched a campaign titled Bio-Terror via Telegram promoting the use of biological weapons.

The EU is taking fast steps forward and several projects are now underway, such as the Mall-CBRN Project, aiming at creating prevention, response and consequence management mechanisms and interoperable capabilities, recommendations for equipment for internal security services, as well as algorithms for cooperation with services in cases of CBRN acts in shopping centres, also applicable to other large-scale venues (http://mall-cbrn.uni.lodz.pl/). Intergovernmental and governmental agencies, non-governmental organizations, and individuals that are involved in the handling or protection of nuclear material have a responsibility to contribute to the increasing need for radiological and nuclear safety.
Atomic Energy Agency (IAEA), the Nuclear Safety and Espoo Conventions, the Aarhus and Helsinki Water Conventions, organisations of the European Union and the European Nuclear Safety Organisation (WENRA, ENSREG), the United Nations and other organisations such as the International Civil Defence Organisation (ICDO) and the Baltic Civil Defence Network should be involved. While protecting well-known nuclear storages, national critical nuclear assemblies, and vital functions for radioactive material is very important, terrorists are often a few steps ahead, on the move searching for any type of radiological weapon or material that can cause collective damage or deaths.
EXCELLENCE OF CYBER SECURITY IN AN ELECTRICITY ORGANIZATION
text: JOUNI PÖYHÖNEN, University of Jyväskylä, jouni.a.poyhonen@jyu.fi
The functioning of a modern society is based on the cooperation of several critical infrastructures, whose joint efficiency depends increasingly on a reliable national electric power system. Reliability is based on cyber security and thus on trust in the business processes of the organizations that are part of the power system. Furthermore, reliability is linked to the usability, reliability and integrity of system data in the operating environment, whose cyber security risks are continuously augmented by the threatening scenarios of the digital world. Finland’s electricity system is decentralized in various ways, and its systems and process controls are highly automated and today also networked. In order to put efficient cyber security measures into practice, the leadership of an electricity organization must regard trust-enhancing measures as related to strategic goals, maintain efficient processes and communicate their implementation with a policy that supports the strategy.

Because the electric power system provides a basis for almost all services in society, its operation must be as uninterrupted as possible. Even short power failures are broadly visible as disturbances in other critical services. Therefore, achieving and maintaining a high availability level in the operation of the various processes within the power system is the primary goal of the organizations responsible for them. For this purpose, the continuity of operation must be ensured and recovery from disturbances must be quick. Creating and maintaining situational awareness related to cyber security in individual organizations plays a key role in these activities. Controlling process operations and taking coordinated, situation-specific decisions call for real-time, comprehensive situational awareness regarding the organization’s cyber readiness and the factors that affect it in a dynamic operating environment.

The general networks and working processes involved in the operation of an electricity organization can be illustrated with a logistics framework that comprises a supplier network, a production process, a client network, and the information and material flows that connect them. Information technology (IT) systems are part of an organization’s infrastructure and thus constitute a significant part of the operations that support an organization’s core processes. Corporate-level IT systems are related to administration and to the management of information and material flows in the network. The production level includes industrial automation systems (industrial control systems, ICS). The highest levels of the IT system hierarchy include the general information systems of administration and the enterprise resource planning (ERP) system. The top level of a typical ERP system includes overall process management by, for example, guiding production and supply chain activities. If needed, between the ERP software and the control rooms there may be a manufacturing execution system (MES), which makes it possible to transfer information obtained from the control room to the ERP system.

The ICS systems of production within an electricity organization comprise their own hierarchy levels. The topmost of them is the control room, from which the operation of the entire process is presented to the supervisors in graphic form. Based on this information, process alarms are handled and the operation of the process is monitored and controlled. The next level consists of process stations, which house devices for process control, measuring and regulation. The same level also includes the actions taken to monitor faults and interference in devices. The lowest level comprises the field equipment used to control and monitor process actuators and to gather measurement data.

Almost all companies and other organizations of the electric power system have a variety of high-level technologies in their business processes. This combination of an organization’s IT systems, ICS systems and supply chains forms a complex system-of-systems construction with different kinds of sub-processes. The combination is typical for electricity organizations and rare compared with many other branches of business. According to statistical process control theory (SPC), all processes involve operational variation, which is classified into two types according to its causes: variation due to common causes (or the system itself) and variation due to special causes (i.e. named and assignable causes). Almost without exception, serious cyber security disturbances occurring in the operating process cause blackouts. They do not represent normal process variation but are deviations resulting from special causes; they are not within the normal range of variation.
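As an added illustration (not from this article or from the Pöyhönen & Lehto work it cites) of how the SPC distinction between common-cause and special-cause variation can be applied to a monitored process figure, the Python below derives Shewhart individuals-chart (I-MR) limits from a constructed baseline period and then flags special-cause signals in a later series: both single excursions beyond the 3-sigma limits and a sustained run of eight points on one side of the centre line, which catches a slow drift that never crosses a limit. The series (PLC command messages per minute on a control network) and all its values are constructed.

```python
# Constructed series (not real measurements): PLC command messages per minute seen
# on a control network. The baseline is a period the engineers accept as normal
# operation; the monitored series is what arrives afterwards.
BASELINE = [12, 11, 13, 12, 14, 11, 12, 13, 12, 11]
MONITORED = [12, 13, 38, 12, 0, 11, 13, 13, 14, 13, 14, 13, 13, 14]

D2_N2 = 1.128  # control-chart constant d2 for moving ranges of two consecutive points


def control_limits(baseline):
    """Shewhart individuals (I-MR) chart: centre line and 3-sigma limits from a baseline.
    Sigma is estimated from the average moving range, so a single outlier in the
    baseline does not inflate the limits as much as a plain standard deviation would."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline points")
    mean = sum(baseline) / len(baseline)
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    sigma = (sum(moving_ranges) / len(moving_ranges)) / D2_N2
    return {"mean": mean, "ucl": mean + 3 * sigma, "lcl": mean - 3 * sigma}


def special_causes(series, limits, run_length=8):
    """Flag special-cause signals: points beyond the limits, and a run of
    `run_length` consecutive points on one side of the centre line."""
    signals = []
    run, last_side = 0, 0
    for i, x in enumerate(series):
        if x > limits["ucl"] or x < limits["lcl"]:
            signals.append((i, "beyond_limits"))
        side = (x > limits["mean"]) - (x < limits["mean"])   # +1, -1 or 0 (on the line)
        run = run + 1 if side and side == last_side else (1 if side else 0)
        last_side = side
        if run == run_length:
            signals.append((i, f"run_of_{run_length}"))
    return signals


if __name__ == "__main__":
    limits = control_limits(BASELINE)
    print("centre line %.2f, UCL %.2f, LCL %.2f" % (limits["mean"], limits["ucl"], limits["lcl"]))
    for index, rule in special_causes(MONITORED, limits):
        print(f"special cause at sample {index} (value {MONITORED[index]}): {rule}")
```

Everything inside the limits with no run is common-cause variation and needs no reaction; each flagged point is an assignable event that should be investigated, which is the operational meaning of the article's statement that serious cyber disturbances are special-cause deviations rather than normal variation.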
Taking these special causes into account in planning and proactively implementing security activities reduces the related risks and improves the overall reliability of the organization's operations. Excellence in an organization's cyber security operations is needed to handle complicated technologies and complex system environments. Promoting cyber security most effectively culminates in systems thinking and in the strategic, operational and technical/tactical points of view needed for comprehensive cyber trust. The key words of organizational excellence are leadership, management, capabilities, and continuous improvement measures. Cyber trust is tied to the excellence of the organization. The measures to be taken at all decision levels to increase an organization's cyber trust are summarized in the enclosed figure (Pöyhönen J. & Lehto M. 2020. Cyber security: Trust based architecture in the management of an organization security.)

Building an organization's cyber security measures begins at the level of vision and strategy work. The visions created by leadership to enhance cyber trust are translated into strategic goals, operational-level actions, guidelines and a policy. The practical measures derived from the strategy are realized at the technological-tactical level, and organizational capability factors enable the success of these measures. Establishing measures that increase security and trust in the cyber world is primarily the responsibility of corporate leadership. Integrating the necessary measures with the idea of ensured business activities increases their significance and benefits through better processes for the entire organization, its interest groups and society.

The continuous improvement of cyber security activities enhances the organization's capability to proactively prevent disturbances and to tolerate potential changes in its operational processes. Competence, and the opportunities it opens up to exert influence throughout the organization, develops the overall operations of the organization. The continuous development of activities and staff competence supports the measures taken at the strategic, operational and technological-tactical levels. Cyber security excellence, built on the systems thinking principles of leadership, management, processes and measures, supports trust being enhanced and maintained at all levels of business activity. A comprehensive attitude to increasing cyber trust, together with the development of cyber-related capabilities, also improves a company's competitive edge.
[Figure: CyberTrust, system level views: strategic, operational and technical/tactical]
Your employees can stop 99% of all online attacks. Make them your strongest link. https://hygiene.badrap.io/watch/
CYBERWATCH ENERGY SECTOR: STRATEGIC REVIEW
THE DISPUTE OVER THE GRAND ETHIOPIAN RENAISSANCE DAM TURNS INTO DEFACEMENTS OF ETHIOPIAN WEBSITES
Hackers allegedly originating from Egypt took over a number of Ethiopian government websites in June. They defaced the websites by leaving threatening messages suggesting that lowering water levels on the Nile river would lead to military action against Ethiopia. So far, no connection has been made between the hacking group, Cyber_Horus Group, and the Egyptian authorities.18,19 The defacements have been connected with the nearing final stages of the Grand Ethiopian Renaissance Dam, a massive 6,000 MW hydroelectric project on the Nile. The project, which started in 2011, has caused friction between Ethiopia and its neighboring states Egypt and Sudan, which see the dam as a threat to their water supply.20 The multi-billion-euro project has been backed indirectly by China.
ISRAEL AND IRAN CONTINUE EXCHANGING CYBERSTRIKES
During the past months, numerous mysterious explosions have rocked Iran. The explosions have had Iran's nuclear and other armaments programs in their crosshairs. One of the explosions took place on July 2 at Natanz, known as an Iranian uranium-enrichment site. According to some sources, the blast destroyed some of the more advanced nuclear centrifuges that Iran had in place for its nuclear program.21 According to some Iranian sources, the explosion at Natanz was caused by a cyber strike.22,23 Experts have assessed that the explosions may have set the Iranian nuclear program back by up to two years. In mid-July, it was reported that two separate cyberattacks were launched against Israeli water infrastructure, but the attacks caused little damage.24
TAIWANESE STATE-OWNED OIL AND GAS COMPANY CPC CORP HIT BY CHINESE HACKERS
On the eve of the inauguration of Taiwan's President Tsai Ing-wen on May 19, the Taiwanese state-owned oil and gas company CPC Corp was penetrated by Chinese hackers.25 There had been warnings about the upcoming attacks, as there was an uptick in attacks in the weeks leading up to the inauguration.26 The same company has been targeted by Chinese hackers earlier, most recently with a ransomware attack that forced the company to rebuild some of its IT infrastructure.27 According to some news sources, the cyberattack that took place on the eve of the inauguration was successfully repelled by cooperative actions conducted by national authorities and private sector representatives. The United States has supported Taiwan's development of cyber defense capabilities. A recent example of co-operation is the joint cyber exercise that took place last November.28
KEY TAKEAWAYS
Nation-states, and in some cases also non-state actors, can take advantage of cyber means in support of their political agenda. Cyber means can be deployed to signal dissatisfaction with the target's decisions, build political pressure on perceived opponents, and cause actual real-world damage to the enemy. Cyber means can also be used as a retaliatory tool or as a show of force across physical distance. It is a reminder to the adversary that they and their societies are also vulnerable.
Major infrastructure construction projects, particularly those with geographically widespread impacts that cause broad dissatisfaction, serve as lucrative targets for cyber-attacks. They may also serve as a spark for cyberattacks against other, often symbolic targets, such as government offices or other significant organizations associated with the target or the host country.
Such attacks may have second- and third-order effects, particularly if global superpowers have a vested interest in the projects and parties involved. Effects could include increased cyber defense co-operation and deeper entanglement of the actors whose project was under direct or indirect attack. Should competing powers become involved, a regional issue could become an arena for proxy fighting, particularly in the cyber domain.
Recent allegations from Iran suggest that cyber means have again been applied to create kinetic effects supporting a larger campaign. Regardless of whether the allegations are true this time, they serve as another reminder of the potential of cyberattacks to cause real-world effects. Secondly, even if direct kinetic effects were not caused, cyber means can be used to support sabotage operations. This could take place, for example, by manipulating physical access control systems to grant access to premises, or by taking over surveillance system sensors and thus effectively diminishing the adversary's ability to maintain accurate situational awareness at its critical locations.
While not as potentially dangerous as the earlier ones, the renewed attacks against civilian water infrastructure in Israel still showed the inherent vulnerabilities of civilian critical infrastructure sitting exposed in the cyber domain. In addition to the apparent need to better protect critical infrastructure from cyber-attacks, there is a continuous need for careful cost-benefit analysis before engaging in offensive cyber operations that may invite retaliatory action from the adversary. Offensive cyber operations may also require better coordination between the parties responsible for the protection of civilian society and those planning and conducting the offensive actions, so that civilian society's defensive posture is at the level needed while bracing for the expected retaliation.
The experiences reported by CPC, the Taiwanese state-owned oil and gas company, show that national champions may serve as convenient targets for using cyber means to send a political message of dissatisfaction. Even though it has been disputed, some sources alleged that the cyberattacks targeting CPC were repelled in tight co-operation between national authorities and private sector resources and know-how. If that is what happened, it would serve as a good example of how a coordinated and most probably well-rehearsed counteraction by the combined forces of the public and private sector proved effective against a resource-rich perpetrator. Taiwan's experiences of attacks attributed to Chinese threat actors, like the experiences collected in Georgia and Ukraine of attacks attributed to Russian threat actors, offer a treasure trove of lessons learned for international partners interested in gathering more information about the threat actors they are also facing. The collected information may include details about the tools deployed, operational patterns, resources available, and capabilities exhibited.
The White House issued on May 1, 2020, an Executive Order on Securing the United States Bulk-Power System.29 The executive order states that the cyber threats against the bulk-power system30, and the supply chain risks associated with foreign-designed and foreign-manufactured equipment procured and installed as part of the bulk-power system, constitute a risk significant enough to necessitate the declaration of a national emergency. Among other things, the executive order gives the US Department of Energy a mandate to prepare lists of pre-qualified equipment and manufacturers and to identify prohibited equipment already in use for later isolation and removal.31

Setting the newly released executive order into its wider context: understanding the cyber threats targeting the power grid, acknowledging the vulnerabilities residing in the wider bulk-power system and the electric equipment it contains, and presenting the potentially catastrophic aftermath of an attack on the grid and the wider critical energy infrastructure have been frequently visited topics in recent years. Some of the most recent examples include the latest publicly available 'Worldwide Threat Assessment of the US Intelligence Community', in which nation-states such as Russia and China are publicly identified as having cyber capabilities to cause disruptive effects on electrical distribution networks and natural gas pipelines.32 The former White House cybersecurity czar, Richard A. Clarke, dedicated a whole chapter of his latest book, 'The Fifth Domain', to the disruptive potential of cyber-attacks against the US power grid. He suggested that the US power grid has already been penetrated by Russians and that they have managed to gain access to the air-gapped control systems.33 Lastly, Dragos, an American cybersecurity company specialized in industrial control systems, released a report in January 2020 listing 11 different activity groups targeting electric utilities not only in North America but also in Europe, the Middle East, Africa, Asia and the Asia-Pacific region.34

Dragos's findings are in line with news from Europe, where the European Network of Transmission System Operators for Electricity (ENTSO-E) released a statement in March 2020 stating that its office network had been successfully penetrated.35 While ENTSO-E plays a coordinating role in the European electricity markets and has limited impact on the operational side of transmission system operators (TSOs), the successful penetration of ENTSO-E could be seen as an intelligence collection effort to gain information on the TSOs and their operations, and as a stepping stone for further intrusions into the operators' networks.

Looking at the energy sector outside the electric grid, the executive order signed by President Trump to protect the bulk-power system comes roughly six months after a disruptive cyber-attack hit another part of the broader energy network. A ransomware attack using 'Ryuk' malware against a natural gas compression facility caused a controlled shutdown of the processes and two days of downtime at the facility and the pipeline it serves.36

The language used in the executive order, particularly the term 'foreign adversary' and the references to malicious activities targeting US critical infrastructure, suggests that the key goal of the executive order is to rid the US bulk-power system of components originating from China, Chinese companies, or companies in which Chinese interests play a key role. The secondary element is to support the growth of local manufacturing and to further implement the Trump administration's 'America First' policy. Depending on its implementation, the executive order could also have a limited impact on European producers of power system components, which might end up losing some American market share over a longer timeframe.
KEY FINDINGS
After years of continued warnings about the vulnerability of the electric grid and the energy sector, and supported by increasing geopolitical tensions, the US has finally made a major political move to protect its bulk-power system from malicious foreign actions. According to some comments, the principal target of this executive order appears to be China, and Huawei in particular.37
Aiming to remove potentially malicious foreign components from energy infrastructure can be seen as a natural continuation of the work started earlier in the telecommunications sector. It remains to be seen whether other countries will follow suit now that the United States has opened the game.
Should manufacturers from countries considered friendly towards the US and its interests be greatly impacted by this executive order, it might lead to further tit-for-tat protective actions. For example, the European Union could issue protective measures against critical infrastructure components designed and manufactured in the US, or by American companies.
As the decoupling of markets and the establishment of protective market barriers continue, the locale of manufacturing and ownership plays a more significant role than before. This development, together with growing distrust in fragile just-in-time global supply chains, will move more production of various kinds of critical components closer to their locale of use and operation.
The European Union and its member states are forced to make painful choices between the historically important transatlantic connection and China. The new emerging world may not prove to be China-centric, but the Western world, in particular, will be increasingly alienated from China because of China's more aggressive geopolitical posture.
Apart from the supply chain protection measures, the US government and private sector findings concerning the foothold that Russia and other countries may have successfully built within the US bulk-power system give rise to an uncomfortable question. What is the current situation with the bulk-power systems in Finland, the other Nordic countries, and the wider European Union?
Sources:
18 https://qz.com/africa/1874343/egypt-cyber-attack-on-ethiopia-is-strike-over-the-grand-dam/
19 https://www.al-monitor.com/pulse/originals/2020/06/egypt-cyber-attack-ethiopia-nile-dam-dispute.html
20 https://www.bloomberg.com/news/articles/2020-07-15/rising-water-level-in-ethiopian-nile-dam-brings-unease-to-region
21 https://www.timesofisrael.com/israels-alleged-natanz-strike-as-complex-as-stuxnet-a-major-blow-to-iran/
22 https://www.reuters.com/article/us-iran-nuclear-natanz/iran-threatens-retaliation-after-what-it-calls-possible-cyber-attack-onnuclear-site-idUSKBN2441VY
23 https://www.nytimes.com/2020/07/10/world/middleeast/iran-nuclear-trump.html
24 https://www.timesofisrael.com/cyber-attacks-again-hit-israels-water-system-shutting-agricultural-pumps/amp/
25 https://www.taiwannews.com.tw/en/news/3959608
26 https://www.taipeitimes.com/News/taiwan/archives/2020/05/07/2003735983
27 https://www.cyberscoop.com/cpc-ransomware-winnti-taiwan-china/
28 https://www.bbc.com/news/technology-50289974
29 https://www.whitehouse.gov/presidential-actions/executive-order-securing-united-states-bulk-power-system/
30 The bulk-power system is defined in the executive order as follows: "The term 'bulk-power system' means (i) facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and (ii) electric energy from generation facilities needed to maintain transmission reliability."
31 https://www.energy.gov/articles/president-trump-signs-executive-order-securing-united-states-bulk-power-system
32 https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
33 Clarke, Richard A. and Knake, Robert K. (2019) The Fifth Domain. Penguin Press, New York, NY, United States. Pp 155-166.
34 https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf
35 https://www.entsoe.eu/news/2020/03/09/entso-e-has-recently-found-evidence-of-a-successful-cyber-intrusion-into-its-office-network/ & https://www.cyberscoop.com/european-entso-breach-fingrid/
36 https://thehill.com/policy/cybersecurity/483711-dhs-warns-of-cyber-threats-to-critical-systems-after-attack-on-pipeline & https://dragos.com/blog/industry-news/assessment-of-ransomware-event-at-u-s-pipeline-operator/
37 https://www.bloomberg.com/news/articles/2020-05-01/trump-looks-to-secure-u-s-power-grid-from-foreign-attacks
38 https://www.bloomberg.com/news/articles/2020-05-01/trump-looks-to-secure-u-s-power-grid-from-foreign-attacks
FOR SECURE AND RESILIENT COMMUNICATION
PRIVE communication solutions provide secure and resilient mobile devices and independent networks for all core communication applications including voice, video and data transfer. The PRIVE platform secures operating capability in all circumstances, even when public networks are not available.
Privecomms Oy | sales@privecomms.com | www.privecomms.com
YOUR STRATEGIC CYBER SECURITY PARTNER AND ADVISER
Shaping Dependable Cyber Security with a Comprehensive Approach
When looking for an experienced partner to aid in the development of situational awareness in the prevention of cyber attacks, we are the answer. We will strengthen your organisation's ability to recover from possible crisis situations, and guide you in acquiring a comprehensive approach to cyber security. Our mission is to secure the functions and services of critical infrastructure as well as protect your organisation's most valuable assets. We will guide you to a strong cyber security culture which will strengthen your organisation's resilience to a cyber crisis and reduce your business risks. We provide a holistic understanding of the interdependences of people, practices and technologies, and recommend steps to improve this whole ecosystem. Cyberwatch Finland is a strong and dependable partner, helping you respond to the challenges posed by cyber space.
WELCOME TO OUR NEW STUDIO-OFFICE Tietokuja 2 00330 Helsinki FINLAND
A Passion for a Cyber Safe World
CYBERWATCH FINLAND www.cyberwatchfinland.fi