How to strengthen national cyber capacity shields?
Cyber threats have been on the rise for years. Data is currency – especially in the cyber underworld – and locking critical systems for ransom can lead to enticing paydays for cyber criminals.
The first half of 2021 already saw a number of significant cyberattacks against major actors, including Colonial Pipeline, Microsoft Exchange, and Bombardier. But it is not just large organisations at risk. At the start of the COVID-19 pandemic, global internet traffic increased by 30%. Growing connectivity and reliance on digital systems in every aspect of daily life also increase the importance of their security and availability.
Cybersecurity capacity is the shield that can prepare states, institutions, and individuals to face evolving cyber threats. As cyberspace knows neither institutional nor national boundaries, capabilities need to be enhanced at all possible levels.
Methods for cyber capacity building
The Global Cyber Security Capacity Centre sees cyber capacity spanning across policy, strategy, social and cultural factors, education and training, law and regulation, technologies and standards. By extension, cyber capacity building refers to the activities pursued to enhance capabilities across these domains.
The focus of capacity building often boils down to improving foundational skills and knowledge. Commonly, this takes the form of formal education and training. On top of that, two advanced methods that states and institutions turn to are pen-testing and cyber exercises.
Cyber exercise in Ukraine. Photo by eGA
The first – pen-testing, short for ‘penetration testing’ – entails carrying out hacking scenarios. Because it targets actual systems, the method is highly advantageous for obtaining an accurate risk assessment specific to the given institutions. Nonetheless, it also demands a lot of resources – such as a skilled workforce to organise effective testing – and the consideration of many critical details. For example, as testing can cause serious damage, it cannot be conducted during a time when the systems need to be available and running smoothly.
In this regard, the second method – technical and non-technical cyber exercises – provides a relatively low-risk alternative. A technical exercise involves carrying out attack scenarios in a controlled cyber range environment. “It is a cloned system, so if you mess something up, you don’t damage your everyday services,” Ragnar Rattas, Cyber Range Team Leader at CybExer Technologies, highlights in our recent podcast. “Furthermore, we can try various attacks and the defence principles will be applicable in everyday environments,” he says.
Strengthening trust and cooperation for the future
The insights gained from penetration testing and cyber exercises can be carried into daily practice. Focusing on his experience with the latter, Rattas gives examples of benefits in three main areas.
First, teams get to practice real-world information sharing, which is a critical collaborative skill during cyber incidents. Second, it is an opportunity to enhance personal skills and those of the whole team. During cyber exercises, there are many attacks packed into a short timeframe. Although real-world incidents may leave more time for investigation, the intensity of such exercises facilitates focused skills development.
And third, Rattas emphasises cooperation in general. He notes that often, there may be a rivalry between agencies and companies. Cyber exercises, however, bring all stakeholders together and demonstrate the useful capabilities of all parties.
“If you see in practice that colleagues in another agency are as good as you are, it will improve cooperation in the real world,” he says. “For example, if you witness the capabilities of the police, then in an actual scenario you are more likely to get in touch with them, when necessary,” Rattas underlines.
Introducing a culture of security
But above all, as the digital threat landscape is ever-evolving, security should be seen as a process, not a one-time project, emphasises Epp Maaten, the Programme Director of Cyber Security. “Individual capacity building efforts need to be geared towards wider cultural changes. Becoming aware of the necessity of testing and exercises is just the beginning. Beyond that, actors must have the capacity to maintain vigilance in the long term,” she adds.
Epp Maaten. Photo by Helen Aasa
This includes creating and managing monitoring systems, conducting regular testing, and thereby having the skills to independently take inventory, choose target objects, and order the right method.
Cultural changes come about through continuous training and strategic guidance. This has been one of the aims of eGA’s recent collaboration projects in Ukraine. Currently holding 25th place in the National Cyber Security Index, the country has made a strong commitment to strengthen its national cyber competence and secure its rapid digital development.
The project “Cyber security readiness in Ukrainian public authorities” has helped conduct security assessments and pen-testing on mission-critical systems as well as develop testing guidelines and training materials.
“The most valuable aspects of this project are the changes in our [Ukrainian] legislation, and our approach to vulnerability assessments and testing of information and telecommunication systems,” Viktor Zhora, Deputy Head of the State Service of Special Communications and Information Protection of Ukraine, shares. “The project gave us a lot of practical results that significantly increase the protection of our information assets in the government,” he adds.
Viktor Zhora. Photo by Helen Aasa
Aleksey Vyskub, First Deputy Minister of the Ministry of Digital Transformation of Ukraine, also views this as an important step towards modernising the state’s approach to the digital security of public resources. “Building security is an ongoing process in Ukraine,” Vyskub comments. “As part of this joint cyber project, we have developed a methodology, which has already formed the basis of the draft resolution for legalising such tests in the state information systems of Ukraine,” he highlights.
Targeting skills and knowledge development on an individual, institutional, and state level forms the foundation for strengthening national cyber shields in the long term.