Gearing for cyber attacks - Defence Secretary
Text of the speech by Defence Secretary
Gotabhaya Rajapaksa at the inauguration of the Fifth Annual National
Conference on Cyber Security held in Colombo recently
[Photo caption] Defence Secretary Gotabhaya Rajapaksa delivering the keynote address at the inauguration of the Fifth Annual National Conference on Cyber Security.
The theme chosen for this conference is 'Strategize, Plan, Act: A
Recipe for Effective Security'. In today's highly inter-connected
environment, in which Information Communications Technology is rapidly
becoming an integral part of our lives, this theme is most appropriate.
Ensuring cyber security is important because the number of cyber threats
to governments, organisations and society at large is constantly
increasing.
I am personally aware of the many difficulties that can be caused by
hacking and other threats to computer systems. For about a decade, I was
a UNIX system administrator at a leading university in California. My
responsibilities included administering different kinds of systems,
including the University's mail servers, web servers, mailing list
servers and the main student system, which was on an Oracle database.
There were constant attempts by hackers to infiltrate these systems,
and on some occasions, their attempts were successful. The downtime that
resulted from these attacks caused great difficulties to the students,
faculty members and the university staff. The system administrators had
an even worse time: whenever the system was compromised, the operating
system and all the applications had to be reinstalled. The cost to the
university as a result of these attacks was enormous. This illustrates
the importance of strong cyber security.
Need to optimize ICT benefits
Even though Sri Lanka is a developing country, it is clear that many
aspects of our society have become highly dependent on ICT. ICT has been
identified as a key driver of growth for the national economy and our
software development and Business Process Outsourcing industries are
mature and well respected on the global stage. The automation of our
power distribution infrastructure, water supply and traffic control
systems is constantly increasing. More and more state institutions are
providing information and services to the people using ICT as a delivery
mechanism.
The government is also making a conscious effort to increase access
to and awareness of ICT among students at the secondary and tertiary
education levels. As Sri Lanka develops further, our reliance on ICT for
service delivery, as well as the impetus that ICT will provide for
future economic growth will only become more significant. It is
therefore critical that we strategise to maximise the benefits provided
by ICT whilst minimising potential harms.
Security threats to ICT can be broadly grouped into two categories:
internal and external. Internal threats can include unintentional
threats such as the disruption of services or accidental release of
sensitive information due to faulty equipment or software errors. They
can also include threats posed by unhappy or lax employees who bypass
security controls in IT systems and leave them vulnerable.
For example, the measures they may quite innocently use to bypass
existing controls to block social network sites may open a gateway into
the IT system for those who wish to harm it. External cyber threats are
diverse and dynamic, and can be carried out by states and non-state
actors, which can even include teenagers who engage in hacking for fun.
Cyber attacks can be used to steal vital information and funds, scam
unsuspecting victims into fraudulent schemes or even completely destroy
ICT infrastructure.
Potential threats
Private citizens are particularly vulnerable to cyber crimes because
they are mostly ignorant about the nature of these activities and the
potential threats that exist. As a result of this lack of understanding,
people can often give up vital information to phishing operations, or
accidentally fall victim to online scams that promise them various
rewards. Individuals also engage in bad practices, such as using the
same password across a number of online services.
This can leave them vulnerable to a cyber criminal who can scam them
into signing on to a fake service, thereby gaining access to the user's
password and potentially even his or her bank account. We have already
seen an increase in financial services crimes, with criminals using
skimming devices at ATMs or even at stores to obtain the credit and
debit card information of customers. In time, it is likely that
criminals will use more sophisticated methods, particularly online, to
obtain such sensitive data.
For individuals, cyber security is about increasing awareness,
education and greater vigilance. Software, including the web browser,
operating system and virus guards, must be kept up to date so that they
can be protected against malware and unintended systemic
vulnerabilities. The public must also be educated about the need to be
careful in giving out personal information online. Through these very
simple remedies, it will be possible to greatly decrease the
vulnerability of the individual citizens to cyber crimes. It is an
important task of organisations such as the ICTA and SL CERT to educate
the general public in this regard.
Ensuring corporate cyber security
Ensuring cyber security at the enterprise and government level is a
more complex challenge. The ICT systems and platforms at this level can
be very large, with many computers being interlinked and access to
systems being shared across a large number of people. With this
increased complexity, the risk of there being serious security
vulnerabilities also increases.
These vulnerabilities can be exploited by hackers, organised
criminals and even terrorist organisations and foreign states, and used
to gain access to critical information or cause harm to the ICT systems
and infrastructure.
Unfortunately, it has to be acknowledged that the attention paid to
cyber security at this level is insufficient. Officers responsible for
ICT systems and administration find it difficult to make compelling
business cases for their institutions to invest in proper security
systems and conduct frequent system audits.
Most decision makers at private companies as well as the
administration of large organisations including state entities are
reluctant to invest in these because of their high cost. However, it is
important for them to be educated so that they are aware of the risks of
not having proper ICT security. These risks can vary from institution to
institution and from application to application, but they are tangible
and serious risks that it is unwise to ignore.
For example, the student information systems at universities can be
vulnerable to student hackers. There have been instances of hackers
changing the marks of students and exposing sensitive data, which has
caused a lot of problems. Ordinary businesses that rely on ICT systems
for critical functions can be gravely affected by cyber threats. The
damage that can be caused by cyber attacks on financial institutions can
be significantly more dangerous. By exposing credit card information,
altering transaction data or causing systems to malfunction, hackers and
organised criminals can cause losses that may even threaten the
stability of the financial system. In all instances, the money that is
saved by not investing in proper ICT security is inconsequential when
compared to the loss of revenue, work and damage to an institution’s
reputation that can be caused by cyber attacks and other cyber security
threats.
At the organisation level, particularly in organisations that have
significant ICT systems, it is critical that there are separate officers
who are specialised in security who constantly monitor the systems for
weaknesses and possible attacks. They need to be constantly updated
about emerging threats, and keep up with the latest research and
international best practices with regard to cyber security. It is no
longer sufficient to react to attacks as they occur. What is important
is to be proactive and guard against all likely threats. ICT is a field
that is changing very fast, and what is true today will no longer be
entirely true tomorrow. Therefore it is very important to remain focused
on continuing education about cyber security, and to implement proper
safeguards against all significant risks.
Need of national standards for cyber security
At the national level, it is important to develop cyber strategies
that hold true across the state sector as well as the private sector.
The protection of critical national information infrastructure such as
the Lanka Government Network through the implementation of proper
policies, procedures and best practices is very important. National
standards for cyber security need to be established. These must be
aligned with international standards but adapted to suit the local
context. Government departments, state enterprises, financial
institutions, private sector companies, universities and all other
institutions that rely on ICT should practise safe security techniques
in line with the national standard in order to maintain system integrity
and minimise the incidence of successful cyber attacks. The certification
of the cyber security readiness of such entities by a national body would
no doubt be an encouraging step in this regard.
As Sri Lanka embarks on a rapid economic transformation based on its
present platform of peace and stability, it is important that we make
maximum use of ICT. I have every confidence that with the country’s
highly educated and highly skilled professionals in the ICT industry, we
will be able to maximise the benefits that ICT can provide whilst
simultaneously safeguarding against the threats that it can face. In
concluding, I wish all of the participants at this conference an
informative and educational day, and wish you every success.