Public services increasingly vulnerable to cyber attacks
The vulnerability of companies providing public services to cyber attacks highlights the gap between declarations of intent and the reality of existing government structures to address the danger. Can we trust the nascent National Cybersecurity Agency?
Carlo GALLI ZUGARO June 15, 2021
On Wednesday, June 16, 2021 in Geneva, Presidents Putin and Biden will talk about the possibility of collaboration to reduce cybercriminal attacks on key sectors of their respective countries. It is no coincidence that news of a hacker attack against Sol Oriens, a nuclear weapons contractor, is circulating again just today. The attack took place in May and was launched by the REvil group, which is supposed to be operating from Russia.
During the G7 that just ended, cybersecurity was at the forefront of the agenda along with climate change. In Italy, the announcement of the National Cybersecurity Agency has already elevated the nascent structure to the role of guarantor of the implementation and safeguard of the PNRR (National Recovery and Resilience Plan).
While these reports bear witness to the importance that governments attach to cyber security, the most recent attacks, and warnings that have gone unheeded for more than 20 years, do not bode well.
The problem is not only Italian. Even the United States, perceived as an example in terms of structures, organization and operational efficiency, has its own problems of coordination, duplication of effort and waste of resources.
An article in thenationalnews.com by the Bloomberg Group analyzes the reasons behind the growing vulnerability of water and electricity distribution companies, the backlog of measures never put in place and the importance of protecting strategic infrastructure.
For decades, even at the highest level, the American government has considered the security of computer networks to be of paramount importance. In 1998, the Clinton administration classified 14 private sectors as “critical infrastructure”, including chemical industries, defense, energy, and financial services suppliers. But various factors have held back the change. The first is the cost of modernizing or even replacing the technology so that the hardware can run sophisticated cybersecurity tools. The second is simply the gap between saying and doing: policy statements were not followed by operational support to deal with threats, leaving private operators to fend for themselves, even those providing public services.
A striking example is that of One Gas in Tulsa, Oklahoma, which in January 2020 managed to successfully deal with a hacker attack. Richard Robinson of the company Cynalytica (which deals with prevention and protection systems for cyber attacks) collected data on corrupted files and “fingerprints” found in the hacker code and presented them to the FBI, to the Department of Homeland Security (created after the attacks of September 11 to protect Americans from terrorism), and to the Energy and Defence Departments, asking them to check suspicions that a nation-state operator was behind the attacks to jeopardize the supply of natural gas. To this day he has not received an answer.
In 2018, a group of “good” hackers paid by the city to enter the Los Angeles water and electricity system found 10 new vulnerabilities and highlighted 23 problems already identified in 2008. The city security team asked them to minimize the situation and declare the mishaps resolved. The mayor fired the hacking consultants and the matter was buried.
American digital security experts do not hold back their “j’accuse” and denounce the inadequacy of the digital security of the computer networks that control the production and distribution of water and electricity. The low level of priority that the US government has given to the IT security of infrastructure to date constitutes a national threat and an increasing vulnerability.
“If we had a new world war tomorrow and had to worry about protecting infrastructure from a cyber attack from Russia or China… I don’t think we’d be where we’d like to be,” said Andrea Carcano, co-founder of Nozomi Networks, a security control system company.
Nor does it require a formal declaration of war to realize the dangers. When war was fought with traditional armaments and the critical points of infrastructure in each country were geographically identifiable, the priority was to protect structures such as bridges, major roads and TV stations, and the military was the main focus. Now the scenario has completely changed. Infrastructure is also managed by software and remotely, and the geographical location of both the target and the initiator of the attack is less important. The war is no longer called such and continues over time; the distinction between a period or state of war and a period or state of peace is lost.
The interdependence between private and public is accentuated in a system where consultants, contractors, service companies and individual users are part of an interconnected chain and subject to violation even in peacetime. The war is hidden between the folds of an apparent commercial competition between companies and between countries.
In this context, hackers raise the stakes. Until recently, ransomware hackers (those who ask for a payment from affected companies to unlock and make their computer system usable again) focused on universities, banks and local governments, but now they have raised their sights and hit energy companies, meat packaging plants and utilities.
Even in a moment of apparent calm, hackers can move undisturbed within computer systems. In its 2020 cybersecurity report, cybersecurity firm Dragos stated that 90% of its new customers “had extremely limited or no visibility” within their industrial control systems. This means that once inside, hackers have the freedom to collect sensitive data, investigate system configurations and choose the right time to launch an attack.
To date, a cyber attack on Italian users seems to have been averted, but while we’re waiting for the National Cybersecurity Agency to become operational, we wonder whether the declarations of intent will really be translated, with urgency, into structures whose methodologies and instruments are agile, efficient, quickly operational and not in conflict with existing structures.
The planned staffing of the ACN does not seem to go in the right direction. Many Italian cybersecurity experts believe that no more than 100 professionals in Italy are ready to assume operational and executive roles in the ACN from the beginning, while the institutional hypothesis is a structure that will start with 300 employees to reach 800. If the mantra of those who work in the sector is “the weak link in safety is the person”, the elephantine structure of the ACN becomes a risk for the very agency that should protect the country.
An agile structure is also needed because success will be measured in terms of attack capacity and not just defense. After the May attack on the Colonial Pipeline, which had to close 5500 miles of pipelines carrying 45% of the East Coast’s gasoline, diesel and kerosene needs, major American energy companies gathered to take stock of the support they need from the government. Tom Fanning, CEO of Southern (electricity and gas distributor), said “If the bad guys are hunting us, there must be an eye for an eye, or rather… We have to make sure that the bad guys understand that there will be consequences”.