Information security has been an issue of concern for many IT professionals for at least a decade, but recent years have seen a dramatic increase in threats and the consequences of suffering a security breach. From a mere nuisance at the start of the century, cybersecurity threats have increasingly become a major problem for all types of organisations, but for public sector entities in the region, the situation has become particularly severe, and there is little sign that the tidal wave of threats is likely to abate.
Time and again, the government sector rates among the top targets for cyber attackers. According to FireEye’s Advanced Threat Report, nearly 20% of all malware recorded by the FireEye Dynamic Threat Intelligence (DTI) cloud in the first half of 2015, and over 15% of advanced persistent threats in EMEA were targeted against government organisations. Malware attacks nearly doubled between January and June 2015 in EMEA. In the GCC region, Government, Education and the Finance sector were the most targeted verticals across the region, accounting for almost 92% of all attacks.
Government is increasingly in the cross-hairs of cyber-attackers for a number of reasons. For one, they are often custodians of financially-sensitive data or identity data that has value. The FireEye study found that the majority of attacks against government are carried out by financially-motivated hackers, who are looking for sensitive data. Central agencies and institutions that maintain citizens’ data, are likely particularly at risk, due to the potentially valuable information stored on their networks.
Another factor is the rise in politically-motivated attacks. While there has been a political aspect to some hacking for a while, such as defacement of government websites, political attacks are becoming more targeted, looking for specific targets or data, in the case of cyberespionage, and are also growing in complexity. They are also increasingly linked to real world conflicts, with attacks launched either for propaganda purposes, or to actually target critical infrastructure as cyber warfare.
Mohammed Abukhater, regional sales director – Government, FireEye, commented: “Without a doubt, the most sophisticated attacks against governments have been sponsored by other nation-states. Cyber wars are very much a reality these days, and have ramped up in intensity in recent times. As per FireEye’s latest Advanced Threat Report, the most targeted sector in the region, after the financial sector, is the government. This is because cyber warfare presents a better alternative to the military option; a well-organised cyberattack can be as damaging — if not more — and involves lesser cost and risk to the attackers.”
The government sector in the region is not blind to the risks of cyberattack. In fact, since a number of high profile attacks on oil and gas companies in the region in 2012, most notably against Saudi Aramco, there has been a sharp rise in the level of security awareness among government organisations.
Nicolai Solling, director of Technology Service at Help AG explained: “In general, government spending on security has been increasing steadily, specifically since the Oil & Gas breaches we saw back in 2012. From 2013 onwards, we have begun to see governments allocate a dedicated information security budget as compared to before when it was mainly coming from the infrastructure departments which didn’t even have an information security department and/or practice in place. The increased emphasis on information security is also apparent from actions such as the UAE government making compliance with information security (ADSIC, ISR, NESA) and business continuity (NCEMA) frameworks mandatory.”
Giampiero Nanni, Government Affairs, EMEA, Symantec, added: “There is so much awareness of cybersecurity [in the UAE], more than many other places, that is a very good sign. The UAE is always mentioned as a high tech [leader], the fact that there is good attention to security is very valuable.”
Awareness of security among government entities can be seen in several areas. Many of the countries in the region have founded Computer Emergency Response Teams (CERTs) which are responsible for promoting information security and managing threats. Organisations such as the UAE’s aeCERT have played an important role in developing the security readiness of government organisations in the region, and increased awareness has also resulted in an increase in security spending. Spending on security has also shifted focus, according to Haytham AlOhali, public sector manager, Cisco Saudi Arabia.
“Needless to say since the Aramco incident, security has been top of mind for many CIOs. It is not only buying security solutions, but making sure that all the solutions they buy are secure as well, for example those who are thinking of rolling out an IP telephony or video conferencing solution, they want to ensure that it is secured and hardened,” AlOhali said.
In general, while government entities have adopted the right tools and procedures for good security, there are still some areas that are posing an obstacle to attaining the highest level of security. Some organisations are struggling with creating end-to-end holistic approaches, and to develop policies to govern all aspects of operation and keep them current. Another major stumbling block is the lack of skilled security personnel.
“It is a worldwide problem,” said AlOhali. “We have talked to our colleagues and customers that have global reach, and it is the number one need.”
According to Gartner, around 40% of all security positions are unfilled at present, predicted to rise to 50-60% within the next few years. Greg Young, Research VP, Gartner said that the issue was not one of spending on security, which continues to increase, but rather that there are simply not enough staff to make effective use of all the security tools and applications:
“One problem we have in security is there is almost too much spending, we have a shortage of people — the same number of people have to use more and more tools, and they can’t deal with it. In some of the biggest attacks we’ve seen, people had a lot of tools, but it was just too much for them,” Young said.
Another area where lack of skills and education is posing a risk is at basic levels of security awareness. Across many organisations, even low level staff have access to sensitive systems or data, but don’t have the basic understanding of security to stay safe. A study by IT industry association CompTIA found that human error makes up more than half of all data breaches. Around half of all business professionals in the US receive no form of training on security best practices.
Mark Plunkett, regional director, Europe and Middle East and Emerging Markets at CompTIA, commented: “Organisations have recognised for some time that the employee using the PC, laptop, tablet or smart phone is the weakest link in an organisation’s security defence. These employees often are responsible for sensitive customer information, intellectual property and other corporate data. Yet they are frequently the least prepared and trained when it comes to cybersecurity vigilance.
“One way to strengthen defences and reduce the risk of becoming a cybercrime victim is to train and certify employees to ensure they have core necessary security knowledge. This means everyone in the organisation — from the receptionist at the front desk to the business owner or agency head in the executive suite,” he added. “It’s critical that we move cybersecurity out of the realm of IT, and make it a responsibility for all knowledge workers. We’re seeing that in some government agencies — they’re requiring that all their employees go through such training.”
The role of government in the security sector does not stop at securing its own systems. As digitisation of business processes means more and more organisations are going online, so there is a growing need for the government to both assist, and to define by law, how companies should protect themselves.
At a basic level, the security awareness that is required for all levels of staff in government needs to be replicated across the wider public. Programs such as ICDL training courses are going some way to addressing this wider public need, but the need for training is becoming more widespread.
“When it comes to digitisation, awareness is more important than ever, when you talk about digitisation, your reach is going up to the users, anyone with a mobile phone, people who are not your common IT industry users,” AlOhali said. “I think it needs direction within the government to raise awareness.”
Gartner’s Young said that government needs to balance legislation on security with practical help and assistance.
“What is clear is that government has a role, but many governments are struggling with it,” he said. “Too often governments want to tell people to secure things, rather than help them understand how to secure them. Governments try to put in rules to say ‘you must meet this standard, you must do this, you must do that’, instead of providing guidance on how to make your web server more secure, for example.”
There are some examples of good guidance and advice programs for IT security for the private sector, such as the US National Institute of Standards and Technology’s (NIST) Computer Security Resource Center.
Paul Nicholas, senior director, Trustworthy Computing, Microsoft, said that the NIST cybersecurity framework provides a flexible baseline of international standards which companies can work from for better security. The direction for policies in this area is still under development, Nicholas said, but government should avoid a prescriptive, compliance-based approach.
“We tend to really like risk-based approaches. Some approaches around the world are very authoritarian, some are very compliance focused — that’s a nice idea but compliance doesn’t equal security. The risk-based approaches are really the strongest ones we have seen. The future is being more resilience-focused, policies that drive readiness and responsiveness, and ultimately re-invention from a security perspective,” he said.
Nicholas said that no one country has a very strong approach to cybersecurity legislation as of yet, but there are some examples that are heading in the right direction: “There is a lot going on in Europe with the Network and Information Security directive, and in some ways there is a lot of positive things from this approach. It is trying to make sure every [EU] country has a strategy, and some sort of capability like a CERT to be able to deal with challenges, and that there is a security baseline that important infrastructures have, and that there is some way of reporting or sharing security related data for that.”
One area where analysts and vendors believe government could take a greater lead is in information sharing as related to threat intelligence. Gartner’s Young commented: “Governments are really good at intelligence gathering, but really bad at sharing it. It is often a hole that a lot of really useful information goes into, that could be used to stop attacks, and it wouldn’t really be a big problem to share it, or to let a company know that it is being targeted.”
Government could learn from organisations in the critical infrastructure and financial sectors, that have developed ‘grass roots’ communities to share threat intelligence, protection information, best practices, and so on, Young noted.
Information sharing programs would definitely be of benefit to the industry, added Nicholas, although the frameworks would operate better as voluntary ones, based on smaller industry groups facilitated by the government rather than groups where organisations were legally obliged to participate.
“We do a lot of work to talk about mandatory vs voluntary information sharing. Mandatory incident reporting is backwards looking, it tells you what happens. Voluntary information sharing where people say they saw indicators of compromise, and compare data with others, that tends to be more forward looking and more useful,” he said.
“If you are really going to deal with risk from a systemic perspective, and think about what you need to collaborate, what government can do is create an environment where sharing is easier for companies. Industry together with government can come up with solutions.”
Possibly the biggest security challenge facing government and the private sector today is the growth of the Internet of Things and smart cities. Governments are discussing the possibilities of connected city systems such as traffic, utilities, emergency services and so on, but the security level of these highly-integrated systems is under question.
Symantec’s Nanni, said that many of the internet-connected devices are not being created with security built-in, leading to potentially vulnerable networks.
“One problem with the IoT is the fact that everyone is pushing out IoT devices, with very little mind for security,” he said. “The surface of attack is going to be so huge, and the defence is going to be so limited, to put out a device with very little mind in security — I would say it is almost irresponsible.”
There are a number of working groups focused on IoT security, such as the International Telecommunications (ITU) working group, but Nanni said that legislation efforts from government will be key.
Harshul Joshi is senior vice president for Cyber Governance, Risk and Compliance at Dark Matter, a trusted advisor company to the UAE Government in the field of smart cities, which is heavily involved with Dubai Smart city. He said that IoT security must be tackled now: “Smart Dubai is in a set up stage and this is the right time to put in security protocols, and procedures, because once it is operational, it is too late,” he said.
With a highly connected environment of interconnected systems and sensors, the attack surface of a smart city becomes significantly larger, Joshi noted, allowing hackers more ways into a system, but in order to leverage the benefits of smart cities, those systems have to interconnect. This creates new demands on security for smart cities.
“One of the key things with smart cities is you have got to connect everything. When you connect things you expose yourself,” he said. “Securing a city is very different to securing an enterprise. You can’t shutdown access to a city, and you cannot change certain factors. Dubai or Abu Dhabi has to deal with water issues or sandstorms, we can’t change that.”
Joshi said that recovery and mitigation of damage in a smart city security incident will become as important as detection and prevention, in part to deal with the knock-on effect of one connected system failure on the wider city ecosystem.
“We have to have to bring security from a whole different standpoint, which is ‘what are the cascading effects if something fails at one entity?’ There was a blackout in New York in 2003, just one transformer failed, but there was a cascading effect that took the whole North East out. When you start adding sensors and connections, then things become connected in a way that you have no idea about.”
Greg Day VP & Chief Security Officer EMEA, Palo Alto Networks, said that the IoT sector at the moment is similar to the BYOD trend of recent years, where devices and systems are being rolled out despite the fact that CIOs don’t have strategies or tools to secure them. Managing the IoT environment will require refinement and automation of security tools to enable security personnel to manage the threat.
“The biggest challenge is typically not technology per se, but that we have so much information that we are drowning in it,” Day said. “We need to take the human out of the equation as much as possible, and we have to be much better in the quality of data we gather.”
Most importantly, government and industry need to be discussing how to secure IoT now, before it is too late, Day said:
“One thing I am proud to see is we have learnt from some of our mistakes, and as government organisations are starting to think about IoT, and put together their plans, they are reaching out to the security sector for best practice and experience, and they are trying to build security in by design. There are some tough challenges when you are still trying to agree what are the protocols and industry standards, but the right way to do that is pull all of the players together and have a joined up discussion.”
