Mr. Jiménez, during this year, about 150 countries have been affected by cyberattacks. How could it have been so easy?
Cybersecurity awareness is still quite low in companies and organisations and, even more so in end users, who are too often connected to the devices and resources of their organization without being aware of the risks they are incurring. Numerous vulnerabilities have been published this year (deficiencies and weaknesses in software and hardware that affect their security and can be used or operated) that have greatly facilitated the attackers' work.
On the other hand, we continue to find that the installation of security updates or stopgaps of the different technologies that are there to remedy vulnerabilities is still quite slow. Thus, in two of the most well-known crises of this year (Apache Struts web application creation tool and the ransomware Wannacry), two months have passed since the vulnerability became known until the first attacks occurred. In the time available, systems could have been updated and therefore made invulnerable to them. Unfortunately, we operated in crisis mode only when the attack was under way. These preventive measures should be priority processes in both the public and private sectorss.
How should governments deal with these events?
Governments should promote the implementation of preventive measures for the public sector and audit their compliance through audits. This is, identify, itemise and describe vulnerabilities of the organization's networks and communications to establish preventive measures for reinforcement or correction. Different regulations that complement existing national regulations are being grown by the European Union, which will oblige organisations to report incidents and implement security measures. We urgently need that this regulation be fully implemented. In addition, collaboration tools between public and private sectors security teams should be developed.
Do we have enough tools to deal with these types of attacks?
In my opinion, the existing set of defensive tools available is sufficient. However, we have a problem of lack of security personnel in the public and private sectors, as well as resources allocated to cybersecurity, which in many cases prevents the acquisition of products and the creation of projects to achieve significant improvement.
Is Spain vulnerable, considering that it is the third most attacked country?
Spain is not more vulnerable than other countries in the European Union. Incident tracking systems are quite fragmented and there is no single estimate. Comparing numbers between countries are therefore not relevant. What Spain does the same as other countries is to have common detection systems that allow us to act when faced with these attacks.
Can cyberattacks be avoided?
Attacks can be avoided to the extent that we have preventive, detection and response measures.
With these sets of measures, we try to be difficult targets to attack and thus achieve two things:
Know when, how and why we are being attacked
Deter the attacker enough so that they go for easier targets
Who is behind these attacks?
There is a wide range of attackers based on their motivation, and they employ different methods of attack. I invite you to read the Trends and Threats Executive Report (issue 2017) developed by the Incident Response Team (CCN-CERT) of the Spanish National Cryptological Centre. This report details the most active threat agents, including:
https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/2221-ccn-cert-ia-16-17-ciberamenzas-y-tendencias-edicion-2017-executive-research -1/file.html
Among the attackers are:
States, which carry out cyberspying activities (economic, political or strategic) and cybersabotage.
Organized crime or other agents that use the Internet as a means to obtain an economic benefit. They rely on professional hacking services and on what has been called cybercrime as a service. This model is repeated in other agents.
Cyberactivism or groups that justify their actions as being ideologically motivated. Its purpose is to give visibility to cause or make claims (an example is Anonymous).
Terrorist groups that use the Internet to fund themselves, radicalize their community, deliver propaganda or coordinate the actions of their attack groups. However, attack activities against essential services using cyberspace are currently few and far between.
States that use cyberattacks as a tool of destabilization in the context of conflicts or wars with other countries.
Researchers and individuals who take discovering vulnerabilities as a challenge or fun.
