What can we learn from the recent global cyberattack?

Interestingly, Ukraine was the country hit hardest by the latest cyberattack. Infrastructure, banks, even the Chernobyl nuclear plant were hit. It is perhaps also interesting because Ukraine is in a state of conflict with Russia, so whatever the attackers' intentions, we see a country in a state of war, albeit a low-intensity one, hit by a massive cyberattack. Is it possible to learn some lessons from it in terms of “hard” defense, that is, how to better protect critical civil infrastructure in case of a real “cyberwar” attack? Read a few comments.

Tobias Eggendorfer, Professor of IT Security, Hochschule Ravensburg-Weingarten

To put it briefly first: The only appropriate “hard” defense is to get rid of the Windows mono-culture and have a broad spectrum of serviceable, stable, tested, potentially verified and hardened operating systems.

The key issue remains: Software quality assurance and measures to avoid security-related issues aren’t up to the standards we know from other industries. As long as this does not change, these issues won’t go away.

So it’s either a regulatory approach by enforcing quality assurance and damage compensation on software companies, or by switching away from known unsafe environments. Both will have the same result: Money will teach the companies how to do it properly.

I still can’t see them obeying regulation alone: Windows 10 and Office 365 do not comply with German privacy rules. One would expect the government would not buy these systems then. However, they do. There is no reason for Microsoft to provide privacy-compliant systems, nor is there any reason to provide secure systems.

As soon as we stop using Windows just because everyone does, and require Microsoft to provide a secure system if they would like to stay in the market, they will learn.

I do know that by switching to Linux, systems won’t become safe and sound; Android is a quite unfortunate example. But since its source code is available, governments were able to modify it and patch it if there are issues; they do not need to stick with odd update cycles, they weren’t forced to upgrade systems that cannot be upgraded, and could go on supporting “legacy” systems, which were the systems that were hacked in Ukraine.

We also need to understand that IoT has its specific risks, and should consider not having all devices connected to a network. Miele recently got their professional dishwashers hacked. Why does a dishwasher need Internet in the first place? A display on the device showing the remaining time and/or any error messages would do, and would massively reduce the effects of being hacked.

The Internet is great, and we are now able to integrate it with everything. And it’s really cool to do so. However, “cool” and “safe” don’t often go too well together.

Personally, I’m waiting for the first pacemaker patient being wirelessly hacked and killed. It will happen.

I do agree with the German Chaos Computer Club’s statement: Governments should not want to try to infiltrate their citizens’ computers. Providing back doors for governments has never worked out well; it has always left open gates for hackers. The recent FREAK attack is a good example of the long-term side effects of odd regulations.

I do know terrorists organize themselves using encrypted communication, and I understand the wish to be able to listen in. However, it is stupid to assume a terrorist would use “off the shelf” software that’s not trustworthy. They have very high security and privacy requirements. Therefore all systems the government is able to spy on will be those of “lower class criminals”, tax offenders etc., but hardly ever those they claim to catch.

Myriam Dunn Cavelty, Deputy for Research and Teaching, Center for Security Studies (CSS), Senior Lecturer for Security Politics, ETH Zürich – Eidgenössische Technische Hochschule Zürich

This is mainly an IT-security issue. As long as system operators do not update their machines (and as long as old platforms do not get security updates anymore), we will always see these kinds of attacks. It’s too easy!

Attribution remains very tricky and some of the explanations do not make sense. Why is Ukraine hit badly? It seems to me that it is a combination of being the country with a high vulnerability (many unprotected computers) and potentially being one of the “first” to be hit. It could or could not be because the real perpetrators (clearly criminals) sit in Ukraine or somewhere close by.

How to protect critical infrastructures? A) make sure they (esp. the critical services) are not easily manipulated from the outside. B) invest in IT-security.

Tim Stevens, Lecturer in Global Security, King’s College London

If this incident is partly the result of poor information security practices, i.e. not applying available patches, then improving basic information security will prevent many forms of malware from being successful against both private and public systems, critical and non-critical. I really can’t say anything else yet.

 

 
