Cyberterrorism: Governments, not tech companies, must lead the defense

Along with deadly Russian military operations, Ukraine continues to experience cyberattacks, which officials warn could spread to U.S. and European targets as well. So far, private tech companies have played a key role in revealing suspected Russian-backed threats, most notably with Microsoft informing the White House and Ukrainian officials about new Russian malware just hours before Russian military units entered the country. While private companies’ sharing this information is necessary and should indeed continue, it is the public sector that needs to take the lead here. This is especially important as national security and the safety of civilians could be at stake.

In addition to government- and military-related targets, the alleged Russian attacks have also targeted the websites of banks, which clearly affect civilians and cause fear, panic and disruption. In fact, this is cyberterrorism, an emerging phenomenon that will continue to grow as life becomes increasingly digitized and technology — and technological weapons — continue to advance. Cyberterrorism is no less dangerous than traditional physical terrorism and requires just as much effort and investment from the government to fight.

It has become clear over the last year that cyber attacks can kill. And many say they already have. For example, in September, an Alabama mother filed a lawsuit blaming the death of her infant daughter, who was born with complications, on the hospital, which, she claims, failed to provide adequate care due to some of its computer systems being down in a ransomware attack. While that attack has been blamed on a criminal gang out to make money rather than on a state-backed or political group, it nevertheless shows that interrupting networks and data — as Russia has allegedly done in Ukraine — can kill. Israel also experienced a close call with a potentially life-threatening cyberterrorist attack in 2020 when hackers allegedly backed by Iran attempted to drastically increase chlorine levels in the drinking water supply, which could have poisoned people or caused a fail-safe to kick in, shutting down the system and leaving people without water. Cybersecurity systems detected the attack and stopped it, but there is no guarantee they will catch the next attempt.

Cyberterrorism is still in its early days, with the tools still rather basic; in fact, the most common type of cyberattack Ukraine is experiencing now — known as a distributed denial-of-service attack, in which hackers flood servers to shut down websites — is of the same type that Russia used against Estonia in 2007, which shut down the websites of banks, government services, newspapers, businesses, and other sites that civilians relied on for online services and information.

We cannot assume that these tools will stay the same; they will likely get more advanced both in their capabilities and execution — a scary prospect indeed. But even more scary is that most governments around the world remain incapable of stopping even these known methods and tools of state-backed cyber attacks, much less the zero-day scenarios and future kinds of attacks. This needs to change; more advanced and coordinated action by governments is the only way to prevent the threat of cyberterrorism from turning into the equivalent of a 9/11. 

Increasingly, cyberterrorists, backed by states, are targeting banks, hospitals, food manufacturers and other businesses that may well be private, but that the public very much depends on for essential services. Civilian lives, entire economies, and the feeling of security present in democracies are all at stake here. Relying on private companies and their cybersecurity efforts as the main line of defense against attacks that are growing in number and severity is no longer sufficient or appropriate.

Governments everywhere, but especially those Western democracies increasingly threatened by advanced cyber players like Russia and China, need to step up — and with more than regulations. Even though financial services, critical infrastructure, and other sectors do need to adhere to cybersecurity regulations, the government needs to provide funding and training to lighten the burden on them. Governments that have invested heavily in recent years in cybersecurity departments also need to be more willing to set up systems to share information with the private sector, and to go on the offensive against cyberterrorists when needed. After all, governments are the only ones allowed to buy offensive cyberattack tools; the private sector is forbidden from buying and using them even when they could, potentially, be needed to stop attacks and save lives. 

In Israel, we are seeing the beginnings of increased state involvement in fighting cyberterrorism, with the establishment of a National Cyber Directorate in 2017. The directorate not only meets regularly with other government and military cybersecurity units but also collaborates with a number of private companies on disclosing vulnerabilities and engages in threat hunting on behalf of the private sector. As co-founder of a cybersecurity unit in the Israel Defense Forces and after more than a decade of experience now in the private sector, I can say that finding and mitigating state-backed threats requires professionals with government and military cybersecurity experience, something lacking in most private companies.

There should also be more cyber aid to vulnerable countries that lack resources. Perhaps one of the reasons the attacks on Ukraine have not caused such extensive damage, at least until this point, is the increased cyber help NATO announced last month that it would provide. While such help can be fragile because countries are careful about guarding their knowledge and capabilities even from allies, it is becoming more essential. It will no doubt begin to emerge more from its traditional place behind the scenes and play a more obvious role in diplomacy, especially since cybersecurity is now key to stability and protecting civilian lives.

But there is a long way to go if we want to avoid a scenario in which civilians are left without access to money, healthcare, or drinking water — or worse, if attempts at seeking medical care at hospitals under attack or filling a glass with water from a tap result in death. Governments can’t wait to play defense in the cyberwar; they must dictate the terms of how to fight it now. They must go on the offensive.

Reuven Aronashvili is Founder and CEO of CYE.

Originally appeared on: TheSpuzz