Governments must prioritize people to win the cyber war
It is only a matter of weeks since the WannaCry assault was widely declared the “biggest ransomware” offensive in history. It appears to have been eclipsed already by the Petya attack. It is still unclear how far Petya spread, but it clearly caused mass turmoil throughout the world. What is clear, is that Petya is yet another huge wake-up call to governments that cyber warfare is now part of the everyday security landscape. Cyber warfare has become mainstream warfare and as such it must be tackled with the same resolve. In doing so, governments must realise that it is not primarily a battle between technology and know-how, but a conflict in which people play the most important role.
The impact of Petya has been felt far and wide. In addition to Ukraine and Russia, it also infiltrated Poland, Italy, Germany, France, UK and the United States. Petya also infected multiple sectors and infrastructure. Ukraine’s airport, power grid and banks were disrupted. Even the Chernobyl power plant was forced to monitor radiation levels manually. Other victims include Danish shipping company Maersk, Spanish food giant Mondelez, US pharmaceutical manufacturer Merck and Russia’s biggest oil producer Rosneft.
If ever proof were needed that cyber warfare knows no borders or boundaries, then this is it. National affiliations and industrial variations matter little to the digital criminals whose simple goal is to make money or instil chaos, fear and disruption to daily life. Governments must understand that because we are all digitally connected, an attack which breaches one government department, one company, one institution, can reach all. In today’s world, nobody is immune to cyber attacks. Cyber enemies are constantly successfully finding new ways to reach new victims. Their assaults will only increase in sophistication and frequency.
Just as the hackers are expanding their ambitions and methods of attack, the time has come for governments to step up their game. No doubt the wave of serious attacks over the past few weeks — WannaCry, the UK Parliament and of course Petya — will prompt some kind of reaction from global leaders. However, it would be a huge mistake if their response is simply to think that the answer lies solely in ever-more advanced and expensive technology. Of course, the right tools must be applied, but this is never a solution in and of itself. Technology quickly becomes outdated and invariably outflanked by hackers. In terms of national cyber security, it is the equivalent of expecting a band aid to heal the entire body.
Crucially, if technology is to provide solutions, it must be understood and operated effectively by people. The Petya tool itself has been available for over a year, while the vulnerabilities it exploited were also well known. Meanwhile, many of the Petya victims could have protected themselves had they used a technological patch which was issued after the WannaCry attack.
In short, the technological capability to stop Petya was available. People were simply ignorant or chose not to use them. That is precisely why the Petya hackers used a phishing technique to breach systems, which relies on human error. When it comes to cyber security, the problem is invariably not with the technology, but with people. Or more specifically, the problem lies in the lack of proper procedures and processes which would equip people with the ability to combat cyber assaults effectively.
Rectifying the situation starts at the very top. If governments truly want to protect their infrastructure, utilities, financial institutions and other key national assets, then they must adopt a holistic, comprehensive strategy, which can assess needs and put the correct systems in place across public and private sectors. They must operate and manage in light of this strategy. This will allow for the kind of coordinated approach necessary in order for all strategic national assets to accurately identify vulnerabilities and then respond correctly.
A technology-led approach is nothing more than a piecemeal approach to cyber security. It will inevitably leave gaps in national defences for intruders to expose. Only governments can organise, educate and train the right people to deliver a truly nationwide cyber solution. In military terms, new and costly cyber tools will equip a few battalions, pushing in different directions. A comprehensive, strategic approach will enable an entire army to achieve a coordinated cyber goal. Anything else will mean that the next WannaCry or Petya is just a click away.