Scores of water companies, hundreds of food and basic goods factories, pharmaceuticals manufacturers and distributors, and important financial institutions must take major steps to protect their computer systems against cyber attacks, Institute for National Security Studies (INSS) cyber warfare program director Dr. Gabi Siboni told "Globes".
Siboni's remarks are based on comprehensive staff work which he is heading on the subject. The study's main points will be submitted as recommendations to the relevant government ministries and to the Israel National Cyber Bureau at the Prime Minister's Office, which is drawing up an optimal defense concept against cyber threats in the civilian arena.
"Cyber defense in the civilian arena is not being dealt with, in contrast to the defense sector, including defense industries, and scores of critical national infrastructures, because they receive regular guidelines on the issue from government departments," says Siboni. "But telecommunications carriers, including Internet service providers and other entities with systems which, if attacked, are liable to substantially disrupt service to a large clientele, are not defined by the government as critical infrastructures, and there is no authority which directs them how to prepare against a possible cyber attack. While dozens of critical national infrastructures are protected, someone deciding on an attack will prefer to focus his efforts on the soft underbelly, against those who are unprotected. The target could be the water company of a large city. Today, water companies and critical entities in the economy are not prepared for such a situation, because no one demands that they should prepare."
Start with the financial world
Siboni will present the main points of his plan at an INSS conference next week on the financial industry's preparedness for a cyber attack. He says, however, that his position is not representative of all his colleagues on the forum which is discussing the issue. He proposes that the solution to the gap between the ever increasing threat of cyber attacks and the scale of preparedness by the civilian arena against them should lie with the regulators of the different entities, who will receive guidelines from an umbrella organization responsible for cyber defense in the civilian arena.
"When a business of any kind goes to the authorities to obtain a license for its activity, it has to meet many requirements in the areas of environmental quality, the handling of hazardous wastes, sanitation, the electricity system, approval from the fire department, etc. No one dictates to the relevant business-owner threshold conditions for cyber defense," says Siboni.
Siboni says that civilian enterprises and organizatons should be ranked according to their how critical they are to the economy in an emergency, and that on this basis they should be assigned to one of 4-5 categories. For each category, there will be threshold conditions which these entities will be required to meet for protecting information systems and various operating systems, and they will submit a detailed review which will examine the survivability of the organization's systems in the face of a cyber attack.
"We should avoid a situation of establishing another regulator in the country. It will be possible to implement these regulations through the existing system: the Water Authority, which is the regulator of the municipal water companies, will also supervise their cyber preparedness; and the same will apply to other sectors. The regulator will be given the authority, the criteria, and regular updates on network attacks from the central organization that will be set up, and this will be binding regulation on the entities in its sector," says Siboni.
As for the huge damage and disruption to day-to-day life from a targeted cyber attack, the Siboni-led forum believes that fairly simple and inexpensive measures can foil them. "All in all, it is necessary to invest thought in the authorization of access to the computer systems of every organization, to ensure that there are command and control systems, and to isolate systems that are critical for day-to-day operations from other systems, establishing separate defense systems. This is not too expensive, but definitely requires alertness," he says.
"I identify the financial world as the best place to begin providing a good response to the emerging cyber threat. Everywhere in the world, cyber attacks are used for online fraud, and crime in this area is huge. Since the common denominator of all financial institutions in the world is money, they represent an excellent platform for developing for developing an appropriate response to the cyber threat in the civilian arena."
Published by Globes [online], Israel business news - www.globes-online.com - on July 3, 2013
© Copyright of Globes Publisher Itonut (1983) Ltd. 2013