Is it too late to put Genie back in the bottle or simply prepare for inevitable? Is cyberwar reality or only scary fiction?
Cybercrime is here to stay!
The enemies are anonymous, their reach is global. As internet connections multiply so do threats. There are about 15 billion microprocessors attached to the Internet. That means 15 billion possible points of attack, and potential targets are everywhere: national critical infrastructure (e.g. electricity grid, water supply, telecommunications), organisations of all kinds (private, public, community-based), our homes, cars and even individuals.
We have, in recent years, learned to live with cybercrime such as denial of services, identity theft, stolen credit cards details, hacking and stealing personal information. Unfortunately, we are now facing much more frightening and destructive threats: cyber-attacks on critical infrastructure that can cause damages just as though it was attacked by the kinetic weapon. In fact, it is increasingly believed that kinetic weapons might be impotent against cyber-attack. In contrast to physical weapon attack that needs considerable preparation, cyber weapons can be anonymous and instantaneous.
Cybersecurity weapons were already unleashed before 2010 when allegedly the US and Israeli cyber commands attacked Iranian nuclear facilities with the infamous “Stuxnet” computer worm. This worm attacked uranium enrichment centrifuges and destroyed at least 60% of these machines. In retaliation, in 2012 Iran allegedly launched a destructive attack on Saudi Arabia’s Aramco, erasing data on three-quarters of the company’s computers: documents, emails, spreadsheets and other files- and replacing it with an image of a burning American flag.
Unfortunately, the worm went out of control infecting thousands of computers all over the world. It was needed many months to contain and eliminate this danger.
The document, leaked in recent years by Wikileaks and the former US National Security Agency (NSA) contractor Edward Snowden, show that the most powerful nation-states are aware of emerging danger and are preparing for cyberwar. Cyberspace is declared as the world’s largest crime and war zone. National security agencies, as Edward Snowden testified, became a “hacking agencies” for spying on everyone: other nation states, organisations, individuals and even its own citizens.
Moreover, agencies such as NSA are developing offensive cyber weapons for launching cyber attacks on perceived adversaries. “China continues to have success in cyber espionage against the U.S. government, our allies, and U.S. companies. Beijing also selectively uses cyber attacks against targets it believes threaten Chinese domestic stability or regime legitimacy” said James R. Clapper, the Director of the US National Intelligence. Cyberwar is happening!
The United States has a Cyber Command, Russian Federation established Kiber Voyska (Cyber Army), Israel has intelligent Cyber Unit 8200, People’s Liberation Army has a cyber unit deploying up to 100,000 individuals, the UK has National Cybersecurity Centre, and many other countries have established specifically dedicated cyber protection units or agencies. This clearly shows that cyberwar is not fiction but harsh and dangerous reality!
It seems that it would be impossible to put the genie back in the bottle. Instead, we must prepare for this war.
So let us get ready for the cyberwar
In order to coordinate national cybersecurity activities and establish coordination between all spheres of governments, the private sector, and civil society, the South African government adopted National Cyber Security Policy Framework in 2012, including policy considerations regarding cybercrime, national security threats in cyberspace, addressing cyber warfare and laws.
In 2013 South Africa also founded the National Cyber Security Advisory Council with the mandate to advise the government on cybersecurity issues. The National Integrated ICT Policy White Paper from 2016 also addresses some aspects of cybersecurity as well as the Protection of Personal Information Act, No 4 of 2013 (POPI Act). Recently, the second draft of the South African Cyber Bill has been tabled in Parliament and is in a process of being enacted.
In order to provide immediate assistance in the wake of an offence the Cyber Bill provides for the establishment of a point of contact to be available on a 24 hour, 7 days a week basis. This includes the following teams that should be able to assist and facilitate with enforcement and compliance issues: Cyber Response Committee, Cyber Security Centre, Government Security Incident Response Teams, National Cybercrime Centre, Cyber Command, Cyber Security Hub, and Private Sector Security Incident Response Teams.
Among other prescriptions, the Bill requires from electronic communications service providers to (i) take reasonable steps to inform clients of cybercrime trends which can affect them; (ii) establish procedures for clients to report cybercrime; and (iii) inform clients of measures to take to protect themselves against cybercrime.
National Cybersecurity Hub is, for example, mandated with the task to be the central point of collaboration for cybersecurity incidents and serves the South African cyber community through the following actions:
• Provide information and assistance in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents.
• Respond to computer security incidents when they occur and therefore to build confidence in the South African ICT environment.
There are, however, some concerns regarding the SA Cyber Bill. Handing over control of the Internet to the Department of State Security, increasing the state’s invasive surveillance powers or giving the state security structures the power to effectively declare ‘national key points’ of the internet and potentially grants backdoor access to any network are some of the concerns expressed by the Right to Know campaign. This suggests that there would always be trade-offs between privacy and security.
Are we really ready?
Are we ready for cyber warfare as a nation? At this moment, it does not seem so. Our recent survey indicated that many employees from private and public sector organisations as well as vast majority citizens in the Western Cape are not aware of serious cybercrime or cyberwar related risks and possible adverse impact on organisations, communities, individuals and the entire nation. Although there is an active Cybersecurity Hub, people are still insufficiently aware of its existence and function, hence they lack information whom to report and ask for help in case of serious cybercrime or cyberwar attacks.
Since the problem is already considerable and will, by all predictions, become even greater and more serious, it is urgently required by all relevant stakeholders (government, education institutions, private sector and civil society) to organise cybersecurity and cyberwar awareness and advocacy campaigns as well as to educate employees, learners and citizens about essential cybersecurity practices.