Aleš Špidla: Education and responsibility mean a greater ability to defend in cyberspace
Is it possible not to be in cyberspace? Is cyberspace more of a means or a place to share information more easily? Can the tools we use here also be weapons? Is quantum data transfer the solution to ensuring security in cyberspace? We talked about all this with a leading expert on cybersecurity, a lecturer at the CEVRO Institute and honorary president of the Czech Institute of Information Security Managers (ČIMIB) Ing. Aleš Špidla. Moreover, this episode of our discussion programme CZ DIALOGY clearly shows how thin the line between civilian and military space is.
Video: Interview with leading cybersecurity expert Ing. Aleš Špidla / CZ DEFENCE
According to Aleš Špidla, it is impossible not to be in cyberspace in an advanced society. Technology is permeating our society in a way that makes it actually impossible. And what about the boundary between civilian and military space? Civilian assets can also become weapons. "The weapon is not the mobile phone as much as it is what certain apps contain," explains the leading expert on cyber threats, adding, "Civilian apps can be misused for an attack, which then has implications for national defense because the apps are vulnerable. Sometime around 2014-2015, when the fighting was going on in eastern Ukraine, the Russian side used this method, although it was not talked about much at the time. Thanks to a hacked app, the Russians got into the mobile phones of Ukrainian soldiers, who used them to calculate the ballistic trajectory of howitzers. The moment the Ukrainians used the app, the Russians knew their exact location and sent a missile there. Another example is that Ukrainian soldiers were receiving fraudulent text messages saying, 'Volodya, flee across the border!' Signed by mom, fiancée, or lover. When they replied, they were located at that moment." But the key is also in setting up the protection system. "The system just can't allow it. It's the same as Private Manning downloading two hundred and fifty thousand dispatches and putting them on a CD with Lady Gaga written on it in marker. And then he sold them to WikiLeaks. How come there aren't sirens blaring and red light bulbs going off?" Špidla asks.
The question arises as to how long the war in cyberspace has actually been going on. According to Aleš Špidla, we need to see that after 2010 there was an entire division in China dedicated to cyber attacks, i.e. around 29 000 people. When you add in the various support organisations, you are talking about up to 50 000 people. "If we take information operations as part of the fight, the Russians are very good at it. They've figured out that when it comes to conventional weapons, the West doesn't arm. But they have found that all they need is a few computers, and that's the way to go for them. With attacks, you always have to calculate the damage, and the damage is great in the case of attacks conducted in this way. Worldwide, the average damage of a single cyberattack on a company is $28 million. In our country, the damage to municipalities or city districts is in the order of millions of crowns, and in the lower units of millions of crowns when a municipality or city district is prepared for possible attacks and can recover quickly," Špidla said. As an example, he cites the Prague 5 municipality, where thanks to good preparedness they were able to recover within nine days after the attack, which he says is almost a miracle in our conditions. According to Špidla, the damage is generally not just about direct data loss, but also about other costs, such as specialists working to repair the system. This raises the question of whether and how much companies should invest in their protection. According to Aleš Špidla, investment in cyber threat defence can be estimated as a rough proportion of the investment in ICT, with protective measures accounting for somewhere around 10%. But it is definitely not a one-off investment; it is a never-ending battle. Investment in experts must also be taken into account, because cyber gangsters are always one step ahead and use even more advanced systems, such as artificial intelligence, to stay there.
Picture: In this episode of our discussion show CZ DIALOGY, we talked with leading cybersecurity expert Ing. Aleš Špidla | Jan Juřica / CZ DEFENCE
According to Špidla, Czech strategic and ordinary institutions are not in a bad position in terms of protection against cyber attacks. Most strategic companies fall within the critical infrastructure of the state. The problem is with public administration, especially municipalities, because municipalities do not fall under the law on cyber security. "But imagine if no hospital fell under the Cybersecurity Act until 2017 or 2018. Then came the attack in Benešov and the damage of seventy million crowns. University Hospital Brno – 190 million in damage," Špidla recalls. The solution to this situation, according to him, is the amendment to the European Directive on Network and Information Security, known as NIS II. According to Špidla, this is a significant tightening that will help to combat this problem more effectively. "Currently, 360 entities are obliged to comply with the law on cybersecurity. This is terribly low. After the amendment to the law comes into force, there will be at least six thousand of them, but we are already talking about twelve to fifteen thousand entities," explains Aleš Špidla. "My motto, which I have had for many years on LinkedIn, is: Cyber information security is not a question of laws, it is a question of self-preservation. All those who boast that we will not take any measures, we will not invest in cybersecurity, have switched off their instinct for self-preservation," adds Špidla.
The basis for progress in improving cyber security in the Czech Republic is clearly education. According to Aleš Špidla, it should start as early as pre-school age, but with the child's development in mind. "One colleague boasted to me that her two-year-old son is faster on a tablet than she is. So it should start there somewhere. There's a huge role for parents to know what the child is doing. She's quiet and doesn't get angry. It's just that the problem with the tablet is that if the child has it too often and too early, they don't develop fine motor skills. He doesn't understand that things have three dimensions. Or then he taps on a book page and expects it to turn. At the point when the child is quiet and not angry, parents should be afraid of what the son is downloading from the internet and terrified of what the daughter is uploading to the internet. Cybersecurity should be taught in schools because there is already and will be a growing demand for professions that can be part of the cybersecurity solution," explains a leading expert on cyber threats. "Ten thousand institutions and companies will fall under the Cybersecurity Act and will need experts. The NCIB as a regulator will need to hugely expand the scope of that regulation, which involves inspection activities. So again, it will need experts. There is already a shortage of hundreds, if not thousands, of cybersecurity experts in state institutions."
Language is also part of communication in cyberspace. The general language of communication is English. But can an adversary gain an advantage by using other languages, such as Navajo during World War II or Chinese or Russian today? "I don't know if Russian can be used to hide anything more. There is a humorous story from the field of robo-trolling that relates to this. The Russians have launched artificial intelligence systems that can generate tweets, can change their meaning, and can reply to them on Twitter. The Americans were late to the party, and for a simple reason. Even though they have a cutting-edge analytical tool that recognises that it's a robot, they didn't turn on Russian at the time because they thought everything had to be done in English," says Aleš Špidla. According to him, the only safe information is that which has never been taken in life. And the best secrecy is silence.