You Cannot Avoid Cyber Attacks, You Can Only Be Prepared

2020 was an exceptional year. In cyberspace, however, it was business as usual, with opportunistic attacks, wide attack surfaces and resilience being key in response. Liisa Past, Cybernetica’s Head of Cyber Security Business Development, writes about what we can learn from last year for 2021.

The speedy transition to remote work in spring 2020 brought with it a radical change in everyday life for office workers in all sectors and students across the world. Organisations, including governments and essential service providers, had to review their work processes as well as information security. The uncontrollable circumstances of home offices without a secure connection can lead to disaster if your security culture relies only on four strong walls and strict monitoring of the network perimeter. Therefore, the global pandemic also placed more responsibility for proper cyber hygiene and security on people and households.

Shifting to Remote Work Is Easier in an Already Connected Society

The communications infrastructure in Estonia is rather well-developed, so access to the internet did not become a bottleneck. The accessibility of digital services - especially the government-backed secure digital identity - and the fact that people are used to using these services online, meant that shifting to remote work was also somewhat easier than in most of the rest of the world.

Coming from a country where nearly half the votes in the last general election were cast online, it was surreal to see reports of people queuing up for hours in kilometre-long lines in front of polling stations in the US last November. Perhaps this best illustrates the differences in culture, politics and technology between these two societies.

Attackers Did Not Take Time Off in the Pandemic

Of course, there is nothing ordinary about the pandemic. At the same time, it was close to business as usual for most things digital, with little dramatic change. Attempts by undemocratic countries to redesign the global digital space to fit their agenda continued. Bad actors tried to use the pandemic for phishing, also posing as government institutions. Attacks against medical information systems increased, attempting to gain access to research on developing vaccines.

All of these were familiar attack methods implemented in a new field. There were almost no radically new attack types, nor were there massive attempts to corrupt life-saving medical equipment. Generally, attack behaviour was opportunistic, as expected, trying to exploit the pandemic.

It was recently revealed that a number of US government institutions and businesses were breached due to a weakness in Orion, the widely used network software by SolarWinds. The victims included the US Treasury, the Department of Homeland Security, institutions under the Department of Commerce, and even cyber security experts like FireEye. SolarWinds’ clients like NATO, the European Parliament, the UK Home Office, the Ministry of Defence and the National Health Service are still trying to figure out the full impact.

The attackers had placed a piece of code in a legitimate software update that allowed remote access and basically gave them super-administrator-like rights on networks and servers: the access to download data, monitor traffic, and so on. CISA, the agency responsible for cyber security in the US under the Department of Homeland Security, distributed a clear alert: all affected devices must be shut down, unplugged and disconnected from networks immediately.

This Is the New Era of Asserting Power

This behavioural pattern of patiently lining up the elements of an attack is consistent with state-backed actors. The list of targets would suggest the same.

A few days before Christmas, the outgoing US Attorney General William Barr said that the Russian Federation is behind this attack. Specifically, it is believed to have been the unit of the foreign intelligence service (SVR) known as APT29 or Cozy Bear.

This kind of sniper attack on the digital lifestyle shows that the spy schemes of the Cold War have been updated with bits and bytes, while the governments’ desire to assert power in all domains has not changed. The attack surface in cyberspace is incredibly wide, including the supply chain of devices and software, not to mention the end users.

No System Is 100% Secure All the Time, That’s a Fact

The only way to eliminate possibilities of attack is to take a step back from the comfort and convenience of electronic services and digital communications. A device that is disconnected from the internet and buried in concrete on the ocean floor is well-protected from electronic attacks. However, its accessibility and usability leave a lot to be desired.

To protect ourselves, governments, businesses, and citizens must, first and foremost, keep in mind that attacks cannot be avoided and no system is 100% secure 100% of the time. You can only change your behaviour and the level of preparation, especially by acknowledging your most vulnerable areas. That means that awareness – both in terms of the risk exposure and attack surface as well as the situation inside of networks and systems – is key to resilience. Without knowing what is being protected, defensive steps become useless.

Written by Liisa Past

Originally published in Postimees.