As the Internet evolved rapidly with accelerated adoption, cybersecurity became increasingly a challenge to grapple with. While commercial Internet became available in 1996, it was not until 2006 when nation-state sponsored "cyberterrorism" became a reality, with countries ranging from highly developed nations to emerging nations developing both offensive and defensive capabilities.
When it gets political
The origins of cybersecurity was all about securing nodes and devices. Today, it is much more nuanced and sophisticated, where the perimeter, nodes and devices are the baseline for cybersecurity.
For commercial Internet usage, sabotage and espionage tend to be the primary threats, resulting in denial of service (DoS) and financial payouts to the bad actors at large.
However, nation-state sponsored threats can include sabotage and espionage, but also the spreading of propaganda, disrupting infrastructures and economies, especially putting a dampener on societal and economic progress, and sometimes even bringing down the painstakingly built national brand.
In July 2018, Singapore sprung onto the world stage, with 1.5 million SingHealth patients' personal data stolen. Just about a year later in March 2019, 808,000 blood donors had their personal information breached in a breach of a Health Sciences Authority (HSA) database.
A few years ago, in April 2016, the website of the Philippines Commission on Elections (Comelec) was breached by "Anonymous Philippines" and defaced, exposing the personally identifiable information of about 55 million people online.
Cyberattacks get more sophisticated
Hackers today are no longer lone wolves targeting easy commercial targets for quick money. There are now sophisticated hacker groups that target large and small businesses, and even nation states. Some of these groups may even be state-sponsored groups.
While disruptions and economic gains seem to still be the key motivators for hackers, cyberattacks can have grave or even deadly consequences. Hypothetically, what if the electricity or water supply to a city gets cut off? Businesses would not be able to function; hospital patients and vulnerable people may perish. A large-scale attack on the banking system may paralyze the financial markets and cause businesses or even economies to fail. And attacks that disrupt transportation systems such as air-traffic control or mass rapid transit (MRT) or subways may have equally dire consequences.
What can national governments do to protect their citizens and infrastructure?
The current state of national cyber-security
It's important to remember that cyber risks to nations don't just come from individual hackers, hacktivists and cybercrime groups, but may also be state-sponsored organizations, all using sophisticated tools, including using state-sponsored cyber-weapons, which have leaked into the public domain; that was the case of the global WannaCry ransomware attack (and the subsequent NotPetya attack), which grabbed headlines in 2017.
It's no wonder the World Economic Forum's 2018 Global Risks Report placed cyberattacks high on both its likelihood and its impact indices. Thus, most nation states have already shifted from viewing cyber threats as "only" about financial, data or privacy losses to genuine threats to physical safety and life.
Many governments now take a three-pronged approach to cyber defense.
- First, they tend to build cyber defenses, developing committees and administrations which focus on exploring the best strategy, legislation and approach to dealing with cyber threats.
- Second, governments focus on programs of education and awareness, to at least attempt to close the global shortage in cyber security professionals, which is estimated to be of about 3.5 million.
- Third, they establish at least one civil national CERT (Computer Emergency Response Team), with the aim of confronting cyber threats and attacks.
Countries typically separate their military cyber defense from their civil defenses; for civil defense they may have a single centralized CERT, or few CERTs which focus on specific sectors. However, as their name suggests, CERTs are, by definition, reactive rather than proactive. They typically take action only after a major cyber incident has already started, or has taken place. Some CERTs are moving towards proactive capabilities - they collect intelligence and try to alert about new, emerging risks or predicted attacks, but the effectiveness of these measures is limited, since the overall cycle of detection, analysis, publishing and implementation may take weeks rather than seconds or minutes.
The majority of CERTs lack the legal, as well as the technical capability to proactively protect national interests in real or a near real-time manner. And this is where things need to change; today, even if a CERT is informed hours before a mega-attack, it has no means to proactively block the attack and defend major industries, utilities, hospitals, airports and other critical facilities.
Building effective national cybersecurity
Let us use a security model we are familiar with. In a military scenario, in addition to defending the borders of a country, national security defenses use tools such as radar to scan the skies for impending missile attacks against the country's cities and interior. This gives the ability to analyze enemy actions and make intelligent decisions on whether to send citizens to shelters, or launch anti-missile strikes.
A similar approach can be adopted for nationwide cyber defenses. Both perimeter and internal protections are needed, to protect against a range of threats, from large-scale DDoS (distributed denial of service) attempts to stealthy, damaging malware. The major access points into the country's critical infrastructures should all be proactively monitored, with threat intelligence feeds into an operations center to proactively identify, analyze and determine the correct response to incoming threats. This can be combined with real-time threat prevention to trap new, evasive malware threats before they can spread laterally at scale.
This overarching visibility and threat analysis layer should be an "umbrella" over organizations' own cyber defenses and intelligence feeds, securing the overall nationwide cyber resilience. Those protections need to be as automated as possible, to ensure an immediate response, with minimal need for human intervention, to match the speed at which today's threats can propagate. The protections should be driven by real-time intelligence and situational awareness to ensure they can defend against even new, never-before-seen threats.
The Internet has revolutionized every aspect of society - including international diplomacy and warfare. To defend against new generations of threats, the only valid approach is to take a holistic approach to national cyber defense, which can identify the earliest signs of attacks and contain them automatically, before they can cause widespread disruption.