Cyberspace: ‘Everyone can attack everyone else’
Cyberattacks are nothing new. But they are becoming more sophisticated, and more frequent. This year alone, hundreds of thousands of Ukrainians were left in the dark after a power plant’s operations were sabotaged; a chain of hospitals was paralyzed by ransomware; and electronic voting systems in two U.S. states were apparently hacked. Most recently, a highly sophisticated virus designed to give hackers open access to, and control over, a victim’s phone was sourced to an Israeli firm.
On Tuesday, Eviatar Matania, the head of Israel’s National Cyber Bureau, spoke to several dozen attendees at the first public event hosted by the Cyber Security Project, at Harvard’s Belfer Center. The main topic: What strategies should governments adopt to defend themselves in cyberspace?
Despite its small size, Israel is regarded as a first-rate cyber power. It is the second-biggest exporter of cybersecurity products and services in the world, and Israel has been suspected of carrying out some of the most sophisticated cyberattacks the world has seen. “We are very small,” said Matania, but “cyberspace is where we can go to be much stronger and greater than our ratio in physical domain and population.”
‘The third revolution’
Matania began by asserting that cyberspace is “the third revolution,” after the industrial and agricultural revolutions, and that it “is going to totally change the way that we live.” But, he cautioned, “we won’t be able to use it [cyberspace] effectively if it is not secure.”
Unlike the traditional domains of land, sea, and air, cyberspace lacks borders and distance. “Everyone is connected to everyone, and everyone can attack everyone else,” Matania noted – meaning that businesses and other organizations, rather than a country’s government or military, can easily find themselves on the front lines of a cyber-offensive. “We [Israel] used to live with our interesting neighbors in the Middle East,” he said. But in the cyber realm, “suddenly you have a border with everyone in the world!”
As a result of this “distance-less” world, any effective governmental response to cyber threats must involve significant information-sharing with the private sector – which, Matania observes, is “unprecedented” in the national security world. Such coordination is difficult: it’s time-consuming, for one, and businesses may be reluctant to share sensitive information with one another. And while big companies may have the resources to deal with cyber threats, smaller firms may need assistance.
The importance of ‘cyber-hygiene’
Matania proposes viewing cyberdefense as a three-layer framework, which he calls robustness, resilience, and national defense.
The first layer emphasizes the importance of keeping potential targets in robust “health.” “Attacks and vulnerabilities may be mitigated through the right mechanisms, methods, doctrines, and technologies,” Matania said – which he compared to washing one’s hands regularly to keep germs off. (Health is perhaps the most common analogy used when discussing cybersecurity; the use of the term “virus” is the most obvious example.) According to Matania, more than 80% of cyberattacks can be prevented at this layer. For instance, cyberattacks like phishing – in which users are deceived into clicking on a link which then runs malicious software – are avoidable if users are knowledgeable and alert.
The second layer, resilience, focuses on speedily restoring to health computer systems affected by cyberattacks. “Once you are sick, we go to the doctor,” Matania said. “Once we know about a specific attack … we have procedures on what to do. Then we need to share information immediately … to contain the attack.”
Finally, at the national defense layer, national security organizations focus on thwarting the most sophisticated types of cyberattacks – and, if need be, to retaliate against those who launch them.
The cyber threat to critical infrastructure
Much has been written on the threat posed by hackers to “critical infrastructure,” like power plants, the electricity grid, and water and energy pipelines. Yet to date, only a few cyberattacks have succeeded in causing damage in the physical domain – the most famous being Stuxnet, believed to have been developed by the United States and Israel, which sabotaged centrifuges in an Iranian uranium enrichment facility.
Why do such attacks remain so rare?
“I think it’s a matter of evolution,” said Matania, explaining that the main motives behind most cyberattacks today are espionage and stealing money. However, he added, “I think that you will see in the future more and more attacks on what we call SCADA systems,” referring to systems that control industrial infrastructure. “I’m not sure we will see immediately the physical effects [from cyberattacks] … but I can tell you that terror organizations and states are building their ability. They’re simply not using it immediately.”