A real cyber war is something we must consider in the future. Cybersecurity specialist at DNS Belgium, Kristof Tuyteleers explains what the possible consequences are and how you can arm yourself as a citizen or as a company against a large-scale cyber-attack.
As ordinary citizens, can we protect ourselves against the consequences of a cyber war?
Kristof Tuyteleers: "As with a traditional warfare, a cyberwar is waged over the heads of ordinary citizens. In a physical war you can flee the war zone. That is not possible in a cyberwar. Our world is digital, and nearly everything is connected to the internet.
We see that in cyberwarfare, utilities and public infrastructure are often targeted to destabilise a society or a country. That’s something you can’t arm yourself against as an individual. Manipulation of democratic elections by foreign governments is also popular when it comes to cyberwarfare.
The European Union launched legislative initiatives such as NIS, NIS2 and the Cyber Security Resilience Act. This is done to encourage companies and governments to secure everything the best they can and to make our digital society cyber resilient.
You can count on all critical providers to do everything possible to make their services sufficiently resilient, to withstand cyber-attacks and to quickly bring the underlying infrastructure back online if attacked."
"Depending on your goal, you choose a different weapon. You also use a different weapon to knock out a tank than to bring down an aeroplane. It is the same with cyber warfare."
Can cyberwar also be waged in the living room by, for example, blocking connected devices or spying on citizens via those devices?
"That depends on what you want to achieve and how visible you would like such an attack to be. For cyber espionage you want to stay under the radar, so hacking user devices on a large scale isn’t that smart. If it is mainly about flexing your muscles and posing a threat, it is more important to show that you have these (cyber) weapons at your disposal than to actually deploy them. The deterrent effect takes precedence.
If the aim is indeed to disrupt society, then IoT (Internet of Things) devices such as home routers are remarkably interesting devices to hack. They are still too often delivered with unsafe settings and are not always easy to update. As a result, security problems are not or barely solved. The user is often unaware that the device has been compromised.
But if you want to disrupt a society, you need a lot of digital firepower. The more devices with an internet connection, the bigger the attack can be. If you want to cripple an internet service provider for example, a DDOS attack is an effective strategy. Then the goal is really to disrupt the ISP's service and not to steal data.
So, depending on your goal, you choose a different weapon. You also use a different weapon to knock out a tank than to bring down an aeroplane. It is the same with cyber warfare."
So, what should we do if a cyberwar breaks out? Delete our accounts and withdraw as much money as possible from the ATM?
"A bank run does not seem very sensible to me. When a nation sponsors a cyber-attack, it is often to disrupt the (digital) society. So, by removing all your money from the bank, you play into the hands of the attackers. The only thing you can do as a citizen is to sit out the cyberstorm. Incidents are now happening but they’re not widely communicated. Because action is taken in time, diplomats intervene behind the scenes, the impact is limited or because the attacks are simply not detected.
There are all kinds of doomsday scenarios imaginable in which civilians are also in physical danger. For example, cyber-attacks that cause a nuclear reactor to melt down or a dam to overflow in a densely populated area. In the scenario where the internet is completely lost, it is mainly safe to stay at home and go offline."
"As a citizen, you should trust that the developed contingency plans and the necessary government agencies will do their job."
That sounds pretty catastrophic. Is there any reason to panic?
"As a citizen, you should trust that the developed contingency plans and the necessary government agencies will do their job. For example, our government set up the National Crisis Centre and the Centre for Cybersecurity in Belgium (CCB). These organisations developed an emergency plan, together with our country's energy suppliers.
The operation and maturity of necessary services, such as DNS Belgium, must inspire confidence. There is more and more legislation that affects this. Companies must comply with many security rules. These are both general control measures, such as the ISO 27001 standard or the NIST cybersecurity framework, and sector-specific security configurations for products and services. The government oversees this with audits that check the cyber security of essential services. Think of transport, utilities, the financial sector and many more."
Can you give a few tips for companies to better protect themselves against the threat of a cyber war?
"As a company, there is no other way to arm yourself against a cyberwar than against cybercriminals. But the challenge is getting bigger. There are regimes that offer hackers almost unlimited financial and technical resources to carry out targeted attacks on another nation. They work closely with cybercriminals or have a whole army of state hackers on the payroll themselves. They are also highly active in zero-day exploits trade. These are bugs in software that have not yet been reported or for which no patch is available. If you are the target of such a regime, you are fighting with unequal weapons.
Realistically, you can hardly avoid being compromised sooner or later. But that does not mean that you should not do everything possible to minimise the chances that it happens, and the impact when it does.
Everything starts with basic security. You must keep systems and software up to date, monitor everything, know what the normal and unusual patterns are. The disaster recovery and continuity plans you make, must be aimed at getting critical data and services back online within a timeframe that is acceptable to the company.
Within a sector, companies need to join forces to be smarter and more efficient when it comes to cyber security. It is beneficial to work out security standards and procedures together and to exchange information.
Finally, it is important to draw up a good crisis plan and to check annually whether it is still adequate. Companies often forget to secure proof (log files and forensic copies). Getting services or production up and running as quickly as possible is a top priority, but what if that comes at the cost of destroying all traces of the digital intrusion?"
Who can companies turn to if they are the victim of an attack?
"It is best to start looking preventively for an external partner with relevant expertise and skills. Perhaps your sector has a security working group, a cyber emergency response team (CERT) or another knowledge centre you can fall back on.
Sectoral regulators and CCB/CERT.be are also important when an incident occurs. Government agencies can often help with information about the threat and with practical guidelines based on previous incidents they have investigated. As a company, you are not alone. But make sure you already know who you can turn to."
What should cybersecurity specialists focus on?
"First of all, identifying and understanding the threat. Know what the company's crown jewels are, what the biggest cyber risks are and who the main attackers might be. The profile of an attacker varies: cybercriminals, hacktivists, script kiddies, state hackers and so on. With all that information, you can do a thorough risk analysis and implement appropriate cyber security measures.
Cybersecurity evolves so fast that as a cybersecurity specialist, you can never keep up on your own. There are many people in the security community willing to share their experience and knowledge, so make use of it. DNS Belgium participates actively in national initiatives by the Cyber Security Coalition and Beltug. They hold theme meetings and publish very useful information on cybersecurity for their members. The CCB also publishes useful documents with guidelines for companies. I think you should make use of this wealth of knowledge. That way, you will have more time to focus on the specific measures that will better secure your company's infrastructure and data."
What is your conclusion?
"Cybersecurity is a kind of continuous arms race between hackers and security. It is a battle that will continue for some time. Extra legislation and good cooperation between the government and the business world will hopefully ensure that we will eventually win."