It is no exaggeration to say that hacking and cyber security have become as much of an integral part of state sponsored warfare as the development of new weaponry. The escalating geo-political conflicts and tensions between different nations has made it essential to develop cyber-defences in response to increasing cyber risk and an equilibrium is reached. The increasingly hostile cyber climate is making security a lot more challenging and expensive for governments and organisations around the world.
According to an estimate by Frank Downs from the ISACA, the global damages due to cybercrime are expected to reach $6 trillion by 2021. Only last year, more than 445 million cyber-attacks were reported; the majority of them were related to financial incentives and almost 15% related to espionage. Personal citizen information, governmental operations, police activity and sensitive military data are a few of the things that are often subject to cybercrime.
Everyday occurrence of ransomware incidents, hacking of classified information and financial data from around the world show that cyber threats are a dangerous and menacing reality for all governments. They are becoming increasingly sophisticated and the consequences are expensive. For example, on 22nd January, cyber criminals released thousands of digital files belonging to Scottish environment agency Sepa because they refused to pay the ransom to unlock these files. Similarly, California University had to pay $1.14M as a result of a ransomware attack. Aadhaar in India, had the data of 1 billion subscribers stolen and sold online by hackers and a malware planted in the Ukrainian government offices reached the UK, Germany, France and the US, causing almost $10 billion of damage. According to BBC, ransomware is a scourge that is costing organisations billions of pounds and every time a victim pays, it fuels further attacks.
State and non-state actors operate from around the globe and on average 30,000 websites are hacked daily. The top 3 industries hit by the hackers include the government, retail and technology sectors.
Because of Covid-19, there has been greater implementation of technology than ever before. More people and organisations are therefore being exposed to the increased risk of cyber-attacks and this has become a major drive for establishments around the world to reinforce security. Every government needs to develop strategies to combat cyber risk. Some are more vulnerable than others due to poor cyber governance and lack of relevant legislation, training and security infrastructure in place.
A report by McKinsey & Company identifies 5 elements of successful national strategy to mitigate the damage of cyber-attacks, protect citizens, businesses and protect critical national infrastructure. These 5 elements may be summarised as follows:
To set up a dedicated national level cybersecurity agency along the lines of NSA in the US and the NCSC in the UK. Usually, such an organisation is setup in the style of intelligence agencies, having a defence wing and a public facing interface. This organisation would drive the national cyber strategy involving critical national infrastructure, which may include national communication infrastructure, nuclear assets, defence and energy.
To setup a “National Critical Infrastructure Protection” program. NCI’s are the most attractive target for state actors. Disruption to energy or telecommunications can cause serious damage to the economy, business confidence and national security. In Ukraine, hackers got into the system of an energy company leading to a failure for electricity to reach 225,000 households. The virus was delivered through an e-mail which simply highlights the caution necessary for those with access to sensitive and critical systems. The national organisation would collaborate with the regulator of each sector to prepare and protect them from potential cyberattacks. It is important to follow the best practices and cybersecurity standards to protect the national assets. There should be a robust governance system in place to coordinate between various stakeholders. National cyber security standards should be introduced, which must be followed by all the government departments.
A national incident response and recovery plan should be in place. Clearly defined reporting procedures should be implemented and active monitoring of cyberthreats should be carried out rather than passively waiting for something to happen. This monitoring can mitigate a lot of challenges and even offset them before the challenges arise. Threat intelligence should be shared between government and private sector so that preventive measures can be put in place at all levels. A severity assessment index should be used to identify the level of each threat, what measures could be taken to avoid it and this risk matrix may dictate the design of an incident response plan.
There should be clearly defined laws pertaining to all cybercrimes. One recommendation would be to adapt the guidelines laid out in the Budapest Convention, an international treaty agreed by 60 countries covering the cyber laws. The treaty outlines two types of cyber laws, substantive laws which could cover online fraud, pornography and violations of network security etc and the procedural laws defining the authority and responsibilities each country must keep in mind while implementing the laws. Both types of laws and regulations should be updated on regular basis.
A vibrant cybersecurity ecosystem should be created where an environment of cooperation and information sharing is developed. A good example of this is the NCSC in the UK which provides guidelines to various stakeholders in the UK, including the general public, most organisations, the public sector and for cybersecurity professionals. The NCSC even promotes education at the school level, keeps the nation informed about any cyberthreats and promotes a culture of awareness and good governance.
Keeping in view the scale and impact of the cyber threats, it is also important for the governments to ensure the availability of a competent workforce to protect its national interests. In this aspect, globally there would be an estimated shortage of 1.8 million cybersecurity professionals. In a time of increased cyber risk in such a hostile environment, every government must ensure there is available manpower and infrastructure to secure its public and national assets.
Ajaz Ali, holds an MBA from the University of Birmingham and doctorate in computer science from University of Sunderland. Aside from his role as academic head of computing at Ravensbourne University London, he occasionally writes about education, technology and business. You can reach him on Twitter @DrAjazUK