E-viruses up the ante in economic battlesIntroA single e-mail can be enough to partially cripple a company, yet many Swiss firms are unaware of the dangers lurking on the web – as Solange Ghernaouti (SG), an international expert on cybercrime, tells swissinfo.ch (SI).
A new virus called Gauss, for example, has already infected hundreds of computers in the Middle East. It can spy on bank transactions and steal passwords. According to Kaspersky Lab, a company specialising in computer science security, Gauss was invented in the same laboratory that created Stuxnet – the virus that infiltrated Iran’s nuclear programme.
The discovery of Gauss has fuelled the discussion of how IT tools can be used for criminal purposes. This is a development that affects Swiss companies, too, as such protection is essential in order to remain innovative and competitive, points out SG, an economics professor at Lausanne University, member of the Global Cybersecurity Agenda of the International Telecommunication Union. She is currently working on the development of an international agreement on cyberspace.
SI: Symantec, an antivirus software company, has reported that virus attacks have increased steadily in the first six months of 2012. One out of three attacks is aimed at small and medium enterprises (SMEs). Who are the perpetrators?
SG: The authors are very diverse and the viruses can come from every corner of the earth. But it turns out that most of these computer attacks originate in China – not to point the finger at the Chinese government.
That having been said, China would like to become a superpower, and to that end, a useful tool is industrial espionage – the acquisition of know-how and information. The Internet and cyberspace have become the new battlegrounds of the global economy.
But it’s not just the Chinese. There are also other state actors, or those that operate against governments. And let’s not forget regular criminals – operating individually or in gangs – who will do anything to get rich. Systems and operations are vulnerable. Those looking for the weak spots will usually find them.
SI: What are the most sophisticated methods?
SG: Social engineering, or the collecting of passwords and confidential information through interpersonal contact. This exploits human weakness rather than the vulnerability of the technology.
For example: A company will be contacted by someone posing as an administrator who says that there is a problem with the network and the computers need to be reconfigured, so he gets the passwords. This method always works.
Slightly more sophisticated is the technology of spear phishing, which seeks sensitive information. So a manager will be tricked into believing that he has been emailed by an employee or someone he trusts. They send him a document that he opens and downloads, which activates a Trojan horse that is installed on his computer without him realising it. Even RSA Security was pirated in this way – and it’s the world's largest supplier of IT security instruments.
SI: What are the most vulnerable industries and sectors?
SG: All service-oriented businesses, like banks and insurance companies. In Switzerland a lot of pharmaceutical and chemical companies are affected, although I’ve never heard of a drug giant becoming a victim. But that doesn’t mean it has never happened – they often keep quiet for image reasons.
Personally, I’m more anxious about attacks on key infrastructure – such as hospitals, power stations or water supplies. At the start of the last decade, a disgruntled employee of an Australian water treatment plant took control of its IT system. He was able to divert contaminated water into a river.
Attacks on the food industry also worry me. This could mean production plant sensors being manipulated to insert harmful substances into coffee capsules, for example.
SI: A survey states that one out of five Swiss companies has suffered a digital attack. Are companies aware of their vulnerability?
SG: In Switzerland, the most feared attacks are those involving industrial espionage or the theft of data, trademarks and know-how. For this reason, all of the major banks and companies have their own IT protection service.
The medium-sized businesses, on the other hand, are rather defenceless. Moreover, not all of them are aware of the risks. And the moment when they become aware it is often too late; the damage has already been done.
IT-related risks are constantly on the rise. SMEs that want to minimise their vulnerability need to invest in protection. In addition to putting money into technical measures like fire walls and anti-virus software, they also need to implement operational processes to ensure constant IT security.
SI: Some companies mirror their data to external servers through so-called cloud computing. Is this wise?
SG: This outsourcing to an external service provider can reduce costs, but then you lose control of your intangible capital. You become totally dependent upon a third party.
These external data centres usually store the data of several companies. All of the information is therefore in a single cloud, which may attract the interest of criminals.
SI: What is your advice for these companies?
SG: I would suggest that they think about the data and the assets of their operation, as well as the location of these. They should consider what data could be lost without compromising the entire operation. Companies should be proactive and analyse their internal security measures.
It’s not enough to install a fire wall correctly. The entire organisation needs to be rethought – including the activities of the staff. For example, there are employees who use social media during working hours. In addition, contingency plans should be developed to allow work to continue after a cyber attack.
In an increasingly globalised and more competitive economy, IT security is becoming more important. SMEs that don’t know how to protect their innovative capacities properly are less competitive because cyber criminals start where it is easiest. The most competitive firms are those that can protect their IT assets better than the competition.
SI: Cybercriminals are often thousands of kilometres away from their targets. Would international cooperation be effective?
SG: Switzerland has signed and ratified the European Convention on Cybercrime, and is a global player in the battle against computer science criminals. International cooperation works, as demonstrated by the coordinated actions which have led to various arrests.
However, there is a lack of police, lawyers and judges specialising in IT crimes. But there are fewer holes in the existing system, than in countries that have shown no desire to cooperate.
So there are some real ‘digital havens’ from where cybercriminals can launch their attacks knowing with near certainty that they will not be prosecuted. I can’t name names, but I can say that some tax havens are also cyber and digital havens.