Gearing for cyber attacks - Defence Secretary

Text of the speech by Defence Secretary Gotabhaya Rajapaksa at the inauguration of the Fifth Annual National Conference on Cyber Security held in Colombo recently

The theme chosen for this conference is 'Strategize, Plan, Act: A Recipe for Effective Security'. In today's highly inter-connected environment, in which Information Communications Technology is rapidly becoming an integral part of our lives, this theme is most appropriate. Ensuring cyber security is important because the number of cyber threats to governments, organisations and society at large are constantly increasing.

I am personally aware of the many difficulties that can be caused by hacking and other threats to computer systems. For about a decade, I was a UNIX system administrator at a leading university in California. My responsibilities included administering different kinds of systems, including the University's mail servers, web servers, mailing list servers and the main student system, which was on an Oracle database.

There were constant attempts by hackers to infiltrate these systems, and on some occasions, their attempts were successful. The downtime that resulted from these attacks caused great difficulties to the students, faculty members and the university staff. The system administrators had an even worse time: whenever the system was compromised, the operating system and all the applications had to be reinstalled. The cost to the university as a result of these attacks was enormous. This illustrates the importance of strong cyber security.

Need to optimize ICT benefits

Even though Sri Lanka is a developing country, it is clear that many aspects of our society have become highly dependent on ICT. ICT has been identified as a key driver of growth for the national economy and our software development and Business Process Outsourcing industries are mature and well respected on the global stage. The automation of our power distribution infrastructure, water supply and traffic control systems is constantly increasing. More and more state institutions are providing information and services to the people using ICT as a delivery mechanism.

The government is also making a conscious effort to increase access to and awareness of ICT among students at the secondary and tertiary education levels. As Sri Lanka develops further, our reliance on ICT for service delivery, as well as the impetus that ICT will provide for future economic growth will only become more significant. It is therefore critical that we strategise to maximise the benefits provided by ICT whilst minimising potential harms.

Security threats to ICT can be broadly grouped into two categories: internal and external. Internal threats can include unintentional threats such as the disruption of services or accidental release of sensitive information due to faulty equipment or software errors. They can also include threats posed by unhappy or lax employees who bypass security controls in IT systems and leave them vulnerable.

For example, the measures they may quite innocently use to bypass existing controls to block social network sites may open a gateway into the IT system for those who wish to harm it. External cyber threats are diverse and dynamic, and can be carried out by states and non-state actors, which can even include teenagers who engage in hacking for fun. Cyber attacks can be used to steal vital information and funds, scam unsuspecting victims into fraudulent schemes or even completely destroy ICT infrastructure.

Potential threats

Private citizens are particularly vulnerable to cyber crimes because they are mostly ignorant about the nature of these activities and the potential threats that exist. As a result of this lack of understanding, people can often give up vital information to phishing operations, or accidentally fall victim to online scams that promise them various rewards. Individuals also engage in bad practices, such as using the same password across a number of online services.

This can leave them vulnerable to a cyber criminal who can scam them into signing on to a fake service, thereby gaining access to the user's password and potentially even his or her bank account. We have already seen an increase in financial services crimes, with criminals use skimming devices at ATM machines or even at stores to obtain credit and debit card information of customers. In time, it is likely that criminals will use more sophisticated methods, particularly online, to obtain such sensitive data.

For individuals, cyber security is about increasing awareness, education and greater vigilance. Software, including the web browser, operating system and virus guards, must be kept up to date so that they can be protected against malware and unintended systemic vulnerabilities. The public must also be educated about the need to be careful in giving out personal information online. Through these very simple remedies, it will be possible to greatly decrease the vulnerability of the individual citizens to cyber crimes. It is an important task of organisations such as the ICTA and SL CERT to educate the general public in this regard.

Ensuring corporate cyber security

Ensuring cyber security at the enterprise and government level is a more complex challenge. The ICT systems and platforms at this level can be very large, with many computers being interlinked and access to systems being shared across a large number of people. With this increased complexity, the risk of there being serious security vulnerabilities also increases.

These vulnerabilities can be exploited by hackers, organised criminals and even terrorist organisations and foreign states, and used to gain access to critical information or cause harm to the ICT systems and infrastructure.

Unfortunately, it has to be acknowledged that the attention paid to cyber security at this level is insufficient. Officers responsible for ICT systems and administration find it difficult to make compelling business cases to for their institutions to invest in proper security systems and conduct frequent system audits.

Most decision makers at private companies as well as the administration of large organisations including state entities are reluctant to invest in these because of their high cost. However, it is important for them to be educated so that they are aware of the risks of not having proper ICT security. These risks can vary from institution to institution and from application to application, but they are tangible and serious risks that it is unwise to ignore.

For example, the student information systems at universities can be vulnerable to student hackers. There have been instances of hackers changing the marks of students and exposing sensitive data, which has caused a lot of problems. Ordinary businesses that rely on ICT systems for critical functions can be gravely affected by cyber threats. The damage that can be caused by cyber attacks on financial institutions can be significantly more dangerous. By exposing credit card information, altering transaction data or causing systems to malfunction, hackers and organised criminals can cause losses that may even threaten the stability of the financial system. In all instances, the money that is saved by not investing in proper ICT security is inconsequential when compared to the loss of revenue, work and damage to an institution’s reputation that can be caused by cyber attacks and other cyber security threats.

At the organisation level, particularly in organisations that have significant ICT systems, it is critical that there are separate officers who are specialised in security who constantly monitor the systems for weaknesses and possible attacks. They need to be constantly updated about emerging threats, and keep up with the latest research and international best practices with regard to cyber security. It is no longer sufficient to react to attacks as they occur. What is important is to be proactive and guard against all likely threats. ICT is a field that is changing very fast, and what is true today will no longer be entirely true tomorrow. Therefore it is very important to remain focused on continuing education about cyber security, and to implement proper safeguards against all significant risks.

Need of national standards for cyber security

At the national level, it is important to develop cyber strategies that hold true across the state sector as well as the private sector. The protection of critical national information infrastructure such as the Lanka Government Network through the implementation of proper policies, procedures and best practices is very important. National standards for cyber security need to be established. These must be aligned with international standards but adapted to suit the local context. Government departments, state enterprises, financial institutions, private sector companies, universities and all other institutions that rely on ICT should practice safe security techniques in line with the national standard in order to maintain system integrity and minimise incidence of successful cyber attacks. The certification of the cyber security readiness of such entities by a national body would no doubt be an encouraging step in this regard.

As Sri Lanka embarks on a rapid economic transformation based on its present platform of peace and stability, it is important that we make maximum use of ICT. I have every confidence that with the country’s highly educated and highly skilled professionals in the ICT industry, we will be able to maximise the benefits that ICT can provide whilst simultaneously safeguarding against the threats that it can face. In concluding, I wish all of the participants at this conference an informative and educational day, and wish you every success.