România post-pandemică și antidotul digital

Dan Tofan: What does COVID-19 mean for cybersecurity?

An empirical analysis on how COVID-19 influenced cybersecurity globally, accompanied by a case study for Romania.   

You’ve all heard about COVID-19, an infectious disease caused by the severe acute respiratory syndrome coronavirus (SARS-CoV-2). When writing these lines, we have around 8 mil. infected people worldwide and 436,000 deaths. More than the actual medical impact, COVID-19 had a much broader global economic effect, with many businesses being heavily impacted, especially in tourism and travel. The World Bank mentions that around 71 mil. people will be pushed into extreme poverty and that the global economy will contract by around 8%.

There’s a lot of data on the topic if you’re interested, but we’re not going to dive too deep into it. The purpose of this article is to analyze how the COVID-19 crisis impacted cybersecurity globally, with a case study on Romania.

The global dimension

Several cyber-related trends have been identified on a global scale since the beginning of the pandemic. We’re going to take a deep dive into each one of them.

First of all, many reported an increased number of COVID-19 related attacks (malware/ransomware, phishing campaigns, scams).

If you were thinking that during such a crisis hackers would act compassionately and spare us some trouble so that we could take care of the real challenges raised by the pandemic, you were wrong. The most malicious among us have amplified their efforts to get your money. Not only did COVID-19 related attacks start rising fast (source), but attackers also started heavily targeting the healthcare system (source). The Red Cross call for global unity against healthcare cyber-attacks during COVID-19 did not carry much weight.

Many hospitals were confronted with ransomware attacks that paralyzed their activities, endangering the lives of those in need. Many security companies reported an exponential increase in the number of threats, incidents and other malicious activities, indicating extensive exploitation of the situation by malicious actors. An Interpol report mentions that during March, 2,022 malicious and 40,261 high-risk newly registered domains containing the keywords Covid/Corona were discovered. Most probably they were all intended to be used for malicious activities.

On the bright side of this unfortunate trend, many security companies worldwide hurried to provide free services for hospitals. This is rather noble; nevertheless, I could not find figures out there referring to the real added value brought by this offering. In general, onboarding any type of new software within an organization cannot be done in a couple of days. Hospitals might not have had the necessary time to take care of this, given the situation.

Secondly, the isolation brought a tremendous increase in the use of videoconferencing solutions. A notable story that happened during the first 2 months of the pandemic is the wide adoption of videoconferencing solutions such as Zoom.

Many companies owning such solutions have updated their policies so that more features and capabilities are offered to users during the pandemic. You could have easily and at no cost organized video conferences of more than an hour and with more than 100 users, through many vendors. For some reason, one particular solution got everybody’s attention.

During the first 100 days of the pandemic, Zoom recorded a 2000% increase in the number of users, from 10 mil. (December 2019) to 200 mil. (March this year), according to this source. Currently (September 2020), Zoom has around 300 mil. users. That was a tremendous increase, and it caught them on the wrong foot from a security point of view. Besides the ridiculous Zoom-bombing attack (an uninvited outsider joining a Zoom meeting), Zoom has encountered at least three major issues: privacy concerns related to the app’s conduct and privacy policy (Zoom was found sending analytics to Facebook even if the user didn’t have a linked Facebook account, and had the possibility to collect extensive data about users and share it with third parties), a vulnerability that allowed malicious actors to access users’ webcams, and a failure to provide end-to-end encryption in all cases.

Nevertheless, Zoom has made tremendous efforts to address all the issues reported. They bought the secure messaging and file sharing service Keybase to address the encryption problem, and they hired Alex Stamos, the renowned ex-Facebook CISO, as a consultant to take care of their security. As a result, we didn’t see any more serious complaints as of May.

Anyway, the bottom line here is that the broad adoption of Zoom put the spotlight on its vulnerabilities. Hackers and security advocates will always turn their attention to popular products/services (follow the money). Zoom might not have been the best option to discuss commercial or trade secrets during the pandemic, but it was surely OK for schools.

Thirdly, the workforce migrated towards remote work. Working from home (WFH) has become the norm during the last several months, especially in the IT industry. We should feel very lucky, as other job families were not so fortunate. Anyway, while WFH has increased enormously, several issues have emerged.

Foremost, companies had to grant access to employees working from outside their trusted network. Remote access became a necessity, so you had better have had a VPN in place, Multi-Factor Authentication (MFA), encryption at rest and in transit, cloud adopted on a large scale, or some of the newer technologies such as Software Defined Perimeter (SDP). There is a funny meme that went viral online with the question “Who drives the digital transformation within your organization?”, with possible answers such as CIO, CISO or COVID. It is hilarious, but also very true. Many companies were forced to adapt to the new trend and deploy new types of security measures or technologies. A recent report mentions that around 33% of the respondents were not sufficiently prepared to adopt WFH. The percentage might be much bigger in reality, as the respondents were “over 400 IT security decision-makers, practitioners, and companies of varying sizes across multiple industries”. We might say the study is biased towards security professionals.

Additionally, employees often had to use personal equipment, such as laptops and wi-fi routers, to fulfil their duties. Suddenly, companies ended up approving access for many more devices than usual. They also had to take care of their sensitive data, which was now stored on unmanaged devices. Not being ready for this type of policy surely created a lot of issues. Not everybody can afford to provide laptops to all employees in such a short period of time.

The bottom line on the global dimension of COVID’s impact is that remote work has become the new norm in the industry, forcing a rethink of access control policies. Zero trust architecture and software defined perimeter are now on everybody’s lips.

The local dimension, a case study for Romania

As I am writing these lines, I come to realize that there’s not too much data available out there to produce a trustworthy, evidence-based assessment of how COVID-19 influenced the national cybersecurity landscape.

The local press simply took over international trends and applied them nationally, assuming that we might be at least at the same level.

It is supposed that the isolation had an impact in the areas described above, which automatically created the need for more security. But the truth is, I don’t think we know how much cybersecurity we actually have in Romania currently.

On a personal note, I started working for CERT-RO in early 2011, almost ten years ago. As the national responsible authority, we quickly realized the magnitude of the issue, meaning how we lacked even the basic measures nationwide. In a report published by CERT-RO for the year 2017, they concluded that more than 30% of the IPs allocated to Romanian ISPs were involved in at least one cyber incident reported to them. That could(!) translate into 30% of the whole country being hacked or vulnerable. That’s rather huge! I imagine that this percentage did not change too much in more recent years. But CERT-RO never got the chance to go deeper into those areas and really identify the root causes of this mess. Could it be the lack of awareness and proper measures, could it be that Romania still has a 59% rate of unlicensed software (source), or could it just be the economic situation that prevents organizations from implementing the proper measures? It’s like we don’t know if Romanians don’t want to pay for security, don’t have the money to pay, or just don’t think they need to?!

On top of that, the real value of the cybersecurity market in Romania remains unknown. Nowhere have I seen figures about how much is spent on cybersecurity, what kind of solutions are being bought, or the average size of security budgets nationwide. Given that, you cannot really draw a conclusion on whether the increase in the use of technology also brought an increase in security spending.

Paraphrasing Sun Tzu and “The Art of War”, winning a cyber battle requires knowing both yourself and the enemy (“if you know the enemy and know yourself, you need not fear the result of a hundred battles.”). Knowing just yourself still gives you roughly a 50% chance of winning. Knowing just the enemy (like we try to do) is a strategy not taken into account by the author. It seems to me that, to a certain extent, in the last 10 years Romania has focused too much on knowing the enemy without knowing itself. The broad majority of national publications and news items cite international sources rather than internal ones. Maybe because there are no valuable internal sources to mention.

Nevertheless, on a regulatory level, it seems we’re doing just fine. We have successfully transposed most of the relevant international regulatory packages (NIS Directive, GDPR, Cyber Crime Convention etc.), but that’s just on paper. In reality, our authorities are slow, rigid and lack the necessary resources to do what is needed. They need more agility, vision and entrepreneurial skills. We need to get the job done, not just write papers on how to do the job!

A certain change in our mindset needs to happen rather fast. We are a country where the IT industry is growing fast (6% of GDP), and we had better have a strategy for the near future (cybersecurity included) that is not based entirely on big players outsourcing work to us. Nowadays, a rather large number of security experts are working in Romania for global companies. The biggest national cybersecurity event counted 2000 participants last year, in Bucharest. We already have the workforce, but it is working for others. As far as I am aware, in Romania outsourcing is the prevalent business model in cybersecurity as well.

The cybersecurity focus should go on building a national strategy with the private sector and the population at its center.

As a final note, not all is lost, but we could use a fresh start! What we need is to get to know ourselves better and a plan on how to approach the enemy (a practical strategy).

P.S. Here’s what happened in Romania, during the first 100 days of COVID-19, as depicted by the local and international press:

  • In a blog post published by Bitdefender, Romania was among the top 10 countries in Europe targeted by COVID related malware in March. Bitdefender also reported that one Romanian hospital got infected with ransomware and was forced to pay the ransom.
  • The international news publications hummed about the Romanian police busting hackers allegedly plotting ransomware attacks on hospitals [1] [2] [3]. The hackers were apparently preparing ransomware attacks in Romania and Moldova.
  • Usually, springtime (as well as autumn) is a time full of conferences and events where you can accumulate knowledge and identify business opportunities for the rest of the year. Many cybersecurity-related events migrated online. In general, the number of participants dropped, but I guess the ones that were really interested remained.
  • One of the economic areas seriously disrupted by COVID-19 in Romania was schools. From an approach totally based on physical contact and paper materials, the schools were suddenly forced to find a quick online alternative. There are roughly 3.2 mil. pupils and students in Romania, and they all had to find an alternative for learning. If there were a Zoom-like story for Romania, it would probably be Kinderpedia, though of course at another scale. Before the pandemic, Kinderpedia, a management solution for schools, was used by roughly 150 schools and 17,000 accounts (source). Once the isolation came into force, usage grew to 1000 schools and 200,000 users. No security issues were reported, but I would pay close attention there.

Short biography: Dr. Dan Tofan is an experienced cybersecurity manager with more than 10 years of practice, gathered in EU-level institutions, national governmental agencies, and the academic and private sectors. He holds a PhD in computer science as well as a number of international certifications in the areas of cybersecurity and project management. In the last 8 years he has held different cybersecurity-related positions, such as technical director within CERT.RO and responsible for major incident reporting within ENISA; currently he is a security program manager for Secureworks.

This article is part of the project “România post-pandemică și antidotul digital”, an initiative of the C.A.E.S.A.R. Foundation.

The opinions, content and originality of the contribution are attributed exclusively to the author and do not necessarily represent the position of the C.A.E.S.A.R. Foundation or its partners.

Articles written under this project may be republished only on condition that the original source is indicated (a link/reference to the article on the C.A.E.S.A.R. Foundation website, accompanied by the text “This article is part of the project “România post-pandemică și antidotul digital”, an initiative of the C.A.E.S.A.R. Foundation.”). Please also send us an email at the address to let us know that the article has been republished.