It has become clear: we are no longer (only) targets in cyber space – we are weapons used to attack others.
At the end of June 2017 several large companies – Maersk, DHL, Mondelez and others – almost ceased to exist due to the intrusion of a virus known as ‘notPetya’. The source of the ‘digital infection’ was a small Ukrainian company for production of accounting software – the virus was inserted into their servers by politically motivated attackers with a clever strategy to distribute it to the local offices of large companies that were their clients. It has become clear: we are no longer (only) targets in cyber space – we are weapons used to attack others.
COVID has put us into digitalisation on steroids. Every segment of our lives has become digital: our whole life, our memories and secrets, but also contacts, knowledge and business – fit into a small device in a dinner jacket pocket. We’ve also learned another lesson: there is no longer a cyber space – the two spaces have completely mixed.
Soon came a third lesson: everything that is digital, ‘smart’ and connected can be hacked. The famous example of breaking into a protected casino network by hacking an unprotected “smart” aquarium was soon replaced by much more painful ones: power plants (Ukraine, 2015), hospitals (Germany, 2020), gas pipelines (America, 2021) and even entire state systems. (Costa Rica, 2022) shot down with the help of a virus, at a distance; and the attacker can be anywhere on the globe.
The trouble does not end there: it is increasingly difficult to deal with seriously armed organized groups of cyber-criminals – and the borders they easily cross (still) present a big obstacle for cooperation between law enforcement agencies of various countries. The paradigm shift occurred with the entry of security services and state armies into this arena: they have almost unlimited resources for attacks at their disposal (and there are more and more commercially available highly sophisticated tools for breaking into systems and cyber-espionage, like the famous Israeli Pegasus system); neither one of the strongest cyber fortresses – the American company FireEye – nor the systems of the American administration have managed to defend themselves against these attacks (SolarWinds case, 2020). Mapping shows that over 50 countries have offensive cyber capabilities – and the number is growing.
Can we be saved? As always – it’s up to us.
Let’s start from the individual level. Let’s forget about ‘why would anyone attack me’ and realize that through us an attacker can break into devices and systems of our acquaintances and contacts. Similar to preventing the spread of covid, let’s do everything we can to be safer so that those around us stay safe. As a minimum: ‘update’ systems, programs and antivirus systems; install only verified apps; strengthen passwords; don’t fall for messages that sound too good to be true (‘some money was deposited into your account, unplanned and unexpected’) and don’t open suspicious links and documents…
Let’s protect organizations, companies and institutions. Again: protect yourself, because 90% of cyber-attacks are based on human error and social engineering. As leaders, let’s form a cybersecurity team (no, it’s not the same as an IT department) and invest resources in risk analysis, people and tools. As innovators, we invest in the safety of our technological solutions (safety standards and safety integrated in the design), so that our product does not have the fate of the infection source from the beginning of the story.
At the level of state policies, let’s support public-private partnerships – the state, academia, private and non-governmental sectors – which would create multidisciplinary educational programs to create more of currently highly deficient personnel in the field of cyber-security (which, at the same time, can also create a large export potential of technological solutions). Let’s use these partnerships to help the country shape digital policies – national strategy, legal framework, soft policies and action plan. Equally important: only a multi-actor approach can enable the implementation of those policies as well as an effective response to cyber incidents, because no one – not even the state – can defend itself in cyberspace. An excellent example of this kind of partnership in Serbia is the Cyber Security Network (also known as the ‘Petnička Group’).
Finally and indispensably: international cooperation. Cyber-attacks – like cyberspace itself – know no borders. Defense requires the international cooperation of cyber-incident response centers (better known as CERTs or CIRTs), and fight against crime the effective cooperation of law enforcement agencies. The global “rules of the game” in cyberspace are also being shaped: in the United Nations, a possible international convention to combat cybercrime is being negotiated in parallel, as well as rules for the (non)use of cyberattacks by states and some kind of control over cyberweapons. Serbia, as well as the Balkans, unfortunately, are not really present or have structures for cyber-diplomacy (as opposed to many countries that have cyber-ambassadors with larger teams behind them).
The famous student question is: ‘When is this due?’. Painful answer: it was due yesterday. New technologies are already arriving, we still don’t understand them properly, and as soon as tomorrow the world of our children will hang on that thread.
Vladimir Radunović, lecturer and director of educational programs in the field of Internet management, cyber-security and e-diplomacy at the Diplo Foundation