International Policy Digest

Tech /05 Aug 2020

Cybersecurity from Governments to SME: Can You Validate your Security State?

Recently I had the opportunity to sit down with my colleague Alessandro Scarafile to discuss cybersecurity.

You were the Operations Manager for Hacking Team. What exactly does Hacking Team do?

Between 2004 and 2019, Hacking Team developed unique tools for offensive cyber investigations, exclusively available to law enforcement, government, military, and intelligence agencies. The company was the first to create and use the term “offensive security.”

What were your responsibilities in that position?

As Head of Operations, I was in charge of all technical activities deployed by Hacking Team for law enforcement agencies or LEAs worldwide. Activities included technologies introduction, demonstrations, systems delivery, training and knowledge sharing, and on-site support. This empowered governments to engage in cyber interceptions for counter-terrorism, the fight against drugs, and organized crime.

What are you doing now?

Today I cover the role of VP Cyber Security & Operations for Syneto, an international company focused on data protection and operating with branches in Italy, Romania, Belgium, and Spain.

How would you describe hacking?

The definition of a hacker is often misused. We are talking about people passionate about understanding. It is developing an understanding of the real functioning of technological systems of any usage, shape, and size.

Almost all people just want things to work – without worrying about the way they work. Hackers use the opposite approach – based on understanding first, rather than using.

Over time, these people acquire very specific approaches to learning and problem solving, and some of them may inevitably decide to use these skills for bad purposes. However, as you know we live in a world where bad news attracts more attention and can be sold much better than positive news.

Hackers who act for bad purposes – black hats – will always have more visibility than those who work for useful and good purposes – white hats.

Is it true that one of the primary tools available to governments is implementing an algorithm that searches for keywords or topics on a wide range of applications, not only emails, telephone calls, text messages, and social media, but even on such unlikely apps such as Kindle, Internet searches, YouTube videos viewed, and even the dark web?

This is certainly one of the most used practices. Many governments can obtain such “statistics directly from providers and technology operators to ensure international security and stability.

What exactly is an algorithm?

The academic definition of an algorithm is “a program that solves a number of problems.” Computer science would not exist without using algorithms. Algorithms are used everywhere: to turn on a computer, to operate a microwave oven, to make a phone call, to brake a car, to fly planes and to keep satellites in orbit.

Can a law enforcement agency (LEA) or an intelligence agency develop an algorithm to detect emails, phone calls, and other salient information as to potential and, sometimes, even catastrophic problems?

Absolutely yes. That’s exactly what computer experts do. Human behavior is the maximum expression of the functioning of an algorithm, being capable of repeating operations to achieve goals, in a more or less constant way, or in any case following patterns. Having the capacity to predict these patterns allows LEAs to intercept damaging behaviors before they can reach performance.

Is all of the hype about personal privacy exaggerated?

My professional opinion is that privacy concerns are exaggerated and wrong. The world we have decided to create is an information-based world and this information contains the keys to minimally preserve people’s safety and peace of mind. It is simply impossible to have the maximum level of privacy and the maximum level of security at the same time: the blanket is always the same, if you pull it to one side…the other side turns out.

Would you disagree with Edward Snowden that the NSA’s algorithm program required disclosure because it was harming Americans?

This question is particularly relevant to me, considering that there are thousands of my emails on WikiLeaks. Making the population aware of certain facts is one thing; publishing private documents and state secrets is another.

Do intelligence agencies in other countries share information with other countries to protect against terrorism or to track down terrorists?

It is supposed to be. And is.

Is it safe to assume that there have been terrorist attacks quietly thwarted based on this sort of noninvasive surveillance without the pubic ever knowing?

Absolutely yes. I would add that the less the public knows, the more effective the execution of covert operations to thwart these types of operations.

It is my understanding that some or all European countries are legally unable to engage in widespread surveillance of their own citizens, but that the United States can engage in monitoring abroad because it is not bound by their privacy laws. Is this correct?

This is partially true. The “formal” truth is that Europe knows well that it’s slowed down by its own laws, and for this reason, we are witnessing important internal discussions on the subject. The “real” truth is that when a country is forced to act for national security reasons…it acts anyway.

Is this why I often hear on the news that someone was arrested based on information from American intelligence?

American intelligence is known to be present almost everywhere, or at least to want to be.

There are formal methods of sharing intelligence. For instance, there is the “Five Eyes” group – the United States, New Zealand, Australia, the United Kingdom, and Canada. What is the Five Eyes group?

Five Eyes is an international alliance composed today of five countries and is based on intelligence collaboration, or what was originally called “signals intelligence.”

I know that adverse cyber activities cost the United States up to $109 billion in 2016. Have global costs risen since then?

Costs vary widely from country to country and in the public sphere – often – the data is not always clear. To understand the seriousness of the situation, we can consider some recently released data. For instance, in the global SME panorama, in 2019 there was an average of one attack every 39 seconds. In June 2020, Australia confirmed expenses of $15 billion over ten years, to protect from state-sponsored cyber attacks

What is ransomware?

It is similar to a virus, but very insidious due to its ability to replicate itself and encrypt, thereby making all of the data encountered illegible.

I read that ransomware experienced a phenomenal 21% increase from 2017 to 2018. What is the situation today?

The ransomware costs of 2019 have been higher than they ever have been, and they are expected to rise even further in 2020. However, it’s difficult to know exactly how much ransomware attacks cost annually.

Emsisoft estimated that the 2019 costs easily exceeded $7.5 billion. Among the countries Emisoft examined, only Italy came within 50% of the U.S. in the cost of ransomware demands for 2020. More globally, for 10 countries measured by Emisoft, ransomware cost victims from $6 billion on the low-end to $25 billion at the high end.

Keeping in mind that downtime is experienced whether or not a ransom is paid. When the average downtime period is added to the cost of a ransomware attack, the totals rise significantly, ranging widely from $42.4 billion to $169.8 billion worldwide.

Are large scale attacks typically undertaken by state actors, such as China, Russia, Iran, and North Korea?

Nowadays, victimized nations consider state actor security breaches as an act of cyberwar.

When malicious activity is conducted by a state actor is that cyberwarfare?

It is appropriate to call it “cyberwar” when critical infrastructures are targeted. In all other cases, the right domain needs to be correctly identified. Terrorism is one of them.

Up to 85% of U.S. infrastructure relies on private companies. Is the situation the same in Europe and elsewhere?

Private companies will always have an important role in the field of infrastructure, regardless of whether it is critical or not and their massive involvement is almost a constant in modern organized countries. Europe is no different.

What are the most critical private-sector infrastructures requiring protection?

Each country is different and must act with priorities based on the current social and economic context, as well as any ongoing critical events. Given the increasing connections between the public and private sectors, I would highlight healthcare and energy as priorities, followed by transportation and telecommunication.

What is the CIA triad?

Confidentiality, integrity, availability. Three principles that any organization’s security infrastructure should consider as the primary focus.

Based on your experience, what is the greatest risk confronting critical infrastructures?

There are multiple potential vulnerabilities in critical infrastructures, some of them strictly related to their “legacy” way of operating.

What is legacy software?

Legacy software is a lack of modern authentication mechanisms, lack of encryption, unaudited connections, the risk of code/commands injections, and so on.

Is this related to a distributed denial-of-service DDoS attack?

Here we are more in the field of networking, rather than software. But this is the definition: A DDoS attack aims to prevent the use of a network’s resources, such as a website. When many systems participate in the attack – often in the order of tens of thousands – we speak of a distributed DoS attack.

These types of attacks are serious since they can seriously block an entire IT infrastructure and, sadly there are surprisingly few organizations prepared to deal with DDoS attacks.

What happens when legacy software is connected with up-to-date software?

This operation requires an “alignment” by the legacy software, which on a side allows benefiting from a modernized use environment, but on the other side exposes it to potential vulnerabilities.

Hospitals, pharmaceutical companies, and related health care industries are critical infrastructures. For health care industries what is the worst-case scenario?

The healthcare industry is and will remain a major target for hackers. Healthcare facilities host a multitude of valuable and highly marketable information relating to patients and professionals.

For example, with the current COVID-19 pandemic, the World Health Organization has released information that it has experienced a dramatic increase in the number of cyber-attacks, directed at its staff via e-mail.

I think readers are familiar with the concept of the Internet of Things. If a hacker obtained hospital records, could they hack into a pacemaker or other life-preserving device that is either in a hospital or being monitored by a hospital? For some state actors, I assume the interest is elevated if there is a high ranking private or public official involved.

Absolutely. The security of IoT devices is now the center of great attention.

Could other things such as a thermostat, fire sprinkler system, or an HVAC system be hacked?

Yes. We are can include innumerable devices that fill our work and home environments, even games played by our children.

If I was in a position to interview companies to protect my company from cybercrime, what is the first question I should ask?

What is your level of experience in preventing, intercepting, and responding to cybercrime?

It has been my experience that once employees understand the reason for a rule, they are more likely to follow it. Concerning hacking, how important is employee education?

Training is the key to safety. You can’t protect yourself from something you don’t understand. The Ponemon Institute reported that most identity theft is preventable through employee safety awareness training.

Organizations of all types must have a robust security awareness and training program, and all members of the organization must participate in training, including board members and management.

When using social media, such as LinkedIn, which includes a messaging option, should employees publish their professional email address?

Sharing professional email addresses on web platforms like LinkedIn is becoming fashionable. It increases chances of risk; however, even without direct sharing, corporate emails can be identified very quickly by experienced attackers.

Does this relate to spear phishing? What is that?

Spear phishing is an email spoofing attack that targets a specific organization or individual. These kinds of attempts usually are not initiated by random hackers but are more likely to be started by perpetrators out for financial gain, trade/company secrets, intellectual property, or military and classified information.

If one person’s phone in the room is already hacked, does this give the hacker access to all of the other devices that show up via Wi-Fi or Bluetooth? I ask because several years back former Russian Prime Minister Dmitri Medvedev attended an event in London during which time his phone was hacked.

Network hacking and device hacking, whether mobile, desktop, or IoT, follow different paths.

On one side, we have a communication system that could be protected with several HW+SW levels: firewalls, IDS, etc. On the other side, we need to get into a specific device model, scouting for possible local vulnerabilities that are allowed to execute arbitrary code and to obtain “root access.”

This said, even if having a single fully compromised device allows an attacker to use that device in a pretty complete way, including accessing the local network or any other short-range communication channels, like Bluetooth, to spot possible targets. Then, the hacking process on those devices is possible.

Never underestimate the possibility – from the first hacked device – to retrieve or more precisely “to sniff” all not-encrypted information transmitted on the same network. Incredibly, there is still a lot of unencrypted information shared.

Are you protected if you turn your phone off before entering a meeting or conference?

Generally yes. Lately, there have been course experiments – some already deemed successful – that go further.

Just a few final questions. Is using complex passwords, such as a mixed 16-character password, a valid safety precaution?

I would like to be able to say that a complex password is sufficient – lowercase and uppercase letters, numbers, special characters – but this is no longer the truth. The truth is that the more complex a password is, the more likely that a user will store it elsewhere because it is impossible to remember. This increases the risk level. A secure password is a complex password that is changed very often.

What is multi-factor authentication and is it important?

MFA stands for Multi-Factor Authentication. It is one of the most effective mechanisms by which companies can use to protect their digital assets. This mechanism makes a single password no longer enough to obtain access to a resource, forcing the user to insert further evidence to prove that access is required by an authorized person. Companies should implement MFA on all critical systems.

Where to go for Help

If you live in the United States and you believe you’ve been the victim of cybercrime, please refer to the FBI website.

If you live in Europe, for more general information, you can visit Europol’s website.