The director general of the Estonian State Information System Authority (RIA) recently said Estonia was very vulnerable to cyber attacks because of the country’s heavy reliance on e-services. The official, Taimar Peterkop, said that the greatest threat for ordinary computer users was cyber criminals, while the state was most at risk from cyber espionage. Indeed, the world has plenty of examples of, as Peterkop put it, “state secrets being stolen by very simple means.”
That is exactly what happened recently to allies from Europe and North America. It was probably Russia’s special services that breached the German Bundestag’s information system recently, sending infected email from Chancellor Angela Merkel’s account to members of parliament. They were able to gain access to the contents of MPs’ computers, including their e-mail correspondence. Due to security considerations, it hasn’t been divulged how much and what type of sensitive information was compromised. Meanwhile, in June the US announced that personal data of likely all federal employees, former employees and many subcontractors (estimated at 4 to 14 million people all told), including dates of birth, addresses and social security numbers, had been stolen, likely by China. The data could potentially be used for identity theft, taking loans or defrauding other people. The data go back to 1985.
Even worse, security clearance forms with detailed personal information were likely taken as well. The information on the forms could potentially be used to compromise the friends and close family members of people cleared for state secrets, and, it is believed, to identify undercover agents. If the data should fall into the hands of cyber criminals, the victims could sustain major financial losses. The state could face lawsuits from millions of people for failing to protect their personal data.
The situation is so serious that the representatives of the US were recently summoned to testify before the Senate (the leaks also involve data on congressional staffers) and US President Obama has stood by the relevant personnel management official after she was grilled by a House committee. The questions from American politicians as to why databases so important for national security were not sufficiently protected come after an audit conducted last year showed that security measures were insufficient (a lack of multi-factor personal identity authentication was cited). These and many earlier incidents in Europe and elsewhere show that often both government agencies and private contractors only learn of intrusions much later (the average detection time is more than 200 days).
Cyber experts are agreed that total cyber security is not possible. The goal of the protection is to increase the resistance or resilience of information systems. . Considering intruders will breach information systems one way or another, a good defence strategy should separate particularly sensitive data so that they would not be easy to steal.
Why were Germany and US; which allocate colossal sums of money for developing cyber defence capabilities, unable to defend the most likely targets – sensitive personal data and the content of politicians’ computers – from hostile state and cyber criminals? Did these countries spend the resources in the wrong places, developing military cyber capabilities and protecting vital services from sabotage, but neglecting to make government agency information system and databases a priority? Registers are a part of critical infrastructure, and should be subject to stricter security requirements. Critics are already exposing how poor US federal government information system security really is – other than the Pentagon’s computer networks, only 41% of the federal government institutions have implemented the minimum level of security standards.
(http://www.icds.ee/blog/articl...)