
The End of Cyber Innocence

Tommi Rasila, Jetico

Years ago in Finland, people used to put a broom in front of their door so that passers-by would know that no one was home and wouldn’t waste their time looking for someone inside. There were no locks, as these would have been expensive, and there was little to steal in most houses. And even if there was, the thief would soon have been caught, because everything was easily identifiable before the age of mass production.

Many of us still carry the values of that time. What is owned by another person is his or her property and doesn’t need to be put behind a lock. So every time a toy is stolen from one’s backyard, or a phone that was accidentally left in a restaurant isn’t there anymore the next day, people are surprised. Our world has changed too: a thief takes what is loosely attached, and a more dedicated thief also takes what is tightly attached.

The same goes for cybersecurity. In Finland as well as other parts of the world, we have traditionally trusted that information or systems that seem to have no monetary value are safe from criminals.

Only tabloids would care about medical records, and they would only care about the records of celebrities. Control systems of power plants and traffic lights do not interest anyone. Except that they do, now.

Medical records can be sold, their becoming publicly available would be a scandal, and their destruction would be a disaster – and the people delivering ransomware know this. Power plants or traffic lights can be used as part of a hybrid operation, or they can be used in a botnet – the biggest known DDoS attack of 2016 was executed using millions of IoT devices like security cameras, lamps and thermostats.

Some attackers don’t even want to gain anything; they just want to cause harm. Even in the physical world you protect yourself and your property from thieves, spies and vandals in different ways. You should do the same in the cyberworld: Stuxnet was an attack by governments to harm Iran’s nuclear program, while hacktivists may want to harm companies they see as enemies. Sadly, a very common type of attack is ransomware, which harms your files unless you pay the ransom. A criminal doesn’t care about your lost files, just the lost ransom.

In our hands, we have the end of innocence in cybersecurity. Nowadays every door in the countryside has a lock. Similarly, we should properly secure every part of our computer systems that someone can get their hands on. When I say properly secure, I mean that we must think about the ways someone could attack the system and the ways someone could gain from attacking it, and use this information to secure our systems. We cannot isolate our systems, and even if we could, it wouldn’t work: even systems that are isolated from the internet are regularly attacked successfully.

We still hold trust in high regard in Finland, and that can help us turn threats into opportunities. Finland is one of the least corrupt, most politically stable and most transparent countries, with a high quality of life. Our cybersecurity laws don’t require companies to build backdoors into their products, and my appreciation of Finland as a constitutional state grows the more I follow current events around the world.

We trust, and we are trusted. Let’s put this trust into our products, and make sure that Finnish products are secure. A “made in Finland” mark on an elevator, a machine or a cybersecurity program should be a sign, like a broom in front of a door: Do not bother, there is nothing for you inside.

The writer is the founder and chairman of Jetico Oy, and a member of the FISC board.