All current and future EU members are slowly working towards a better understanding of cybersecurity as one of the most important things in modern life. If we back up just a little bit, the Directive on security of network and information systems (also known as the NIS Directive) was adopted by the European Parliament on 6 July 2016. Member States had to transpose the Directive into their national laws by 9 May 2018.
In general terms, the NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU.
And last year, on 17 May 2019, the EU Council established a framework (the so-called cyber diplomacy toolbox) which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states. Cyber-attacks falling within the scope of sanctions are those which have a significant impact and originate or are carried out from outside the EU.
Finally, on 30 July 2020, the European Union, for the first time ever, imposed sanctions in response to cyber-attacks. The sanctions imposed included a travel ban and an asset freeze; in addition, anybody in the EU (persons or entities) is forbidden from making funds available to those listed. On the receiving end of the sanctions were six individuals (two Chinese and four Russian nationals) and three entities (one Chinese, one North Korean, one Russian); you can find more on those here.
That’s good, right?
It is great, but in the end, if you get hacked, you’re still on your own. And that is peculiar to hacking, because other crimes are not taken so lightly!
Since Infigo IS, among other things, makes Fraud Monitoring (Infigo FM) and Anti-Money Laundering (Infigo AML) software for financial institutions, we know how it is in that department. If somebody is laundering money, you can be sure the financial institution will react. Somebody will pay: probably the money launderer, and if the financial institution in question knows what is going on and does nothing, they will pay a hefty fine, plus somebody could end up in prison. So, financial institutions must have AML software.
Fraud is a little bit different: nobody is forcing them to implement FM, but it is good practice; if nobody trusts you, nobody will do business with you. And in the end, if you don’t self-regulate, somebody else will, and it will be far worse.
So, why is hacking different?
Because big hacks often come from state-sponsored groups or states themselves. The problem is, hacking is hard to prove; you can prove you’ve been hacked, but by whom is something quite different.
Nobody will go to war over hacking, even if you’re almost certain who is on the other side.
Moonlight Maze, discovered in 1999, was the first real APT (Advanced Persistent Threat): starting in 1996, Russian hackers hacked NASA, the Pentagon, the Department of Energy and numerous government agencies; it is a long list. And nothing really happened. Some people from the US government went to Moscow, the hacking stopped, then it started again.
When Brigadier General John “Soup” Campbell was briefed about that first APT, he asked: “Are you saying that we’re under attack? Should we declare war?”
But other than that, nothing came of it. There are many military cyber units around the world, and no matter what they say, they are not purely defensive. Every now and then the tools used in offensive operations leak, and a whole range of criminal elements will jump on them. And the people who made those tools will not be held accountable. The last big leak was in April 2017, when the hacking group the Shadow Brokers leaked EternalBlue, an exploit developed at the NSA (National Security Agency). It took less than a month for the world to be hit with the WannaCry ransomware, which used the exploit to attack unpatched systems. And it was used again just a few months later when NotPetya hit.
It is a cold, hard truth, but when you get hacked as a company, there is a big chance, a great chance, that nobody will answer for it. The Internet is a big place, and there isn’t a police force that could go around the world and catch cybercriminals. We have to rely on diplomacy and cooperation between governments, and that usually doesn’t produce results in a desirable timeframe.
So, what can you do? You do all the work yourself! Nothing in the world is unhackable, but you’re not aiming for unhackable. You are aiming for hard enough that the people on the other side give up.
You do that by employing people like us at Infigo. You get consultants to go through your network and advise you on how to set up all your processes and practices. You get vulnerability tests to comb through your network and try to find vulnerabilities. And then you get pen tests to try to pick at your critical areas. And when all that is done, you do it again after a while. And then you implement a whole slew of technologies, from endpoint security to SIEM, just to give yourself a fighting chance.
Yes, that is a lot of steps, but they are necessary in this day and age. If you get hacked, and it would probably be better to say when you get hacked, the best-case scenario is that you lose man-hours getting all the backups up and going over your system to see if the hackers left anything behind. The worst-case scenario is what you see in a lot of public companies: Garmin paying 10 million in ransom just a few weeks ago. Or losing your data, your reputation, your livelihood.
We are not saying that to scare you. We are just stating how things work. The government won’t help you. The police won’t help you. They can’t help you. You are alone. Maybe one day we will live in a world where criminally minded hackers can be exposed and caught, but we are not there yet. So, get up and fight!
Goran Racic, Infigo IS, Head of corporate communications
Infigo IS | Your data. Our responsibility.