The NotPetya cyber-attack on Maersk, the world’s biggest container shipper and one of Denmark’s largest companies, caused losses of up to US$300 million (£227 million), but this week it was described by Thomas Lund Sorensen, director at the Danish Centre for Cyber Security, Danish Defence Intelligence Service, as "the best thing to happen to this country…"
Lund Sorensen was speaking at the Logpoint customer and partner conference in Copenhagen, going on to explain his reasoning: "... as it puts a price on the cost of poor cyber-defence, and you can get a lot of cyber security for that money."
Partly as a consequence of this attack, as well as WannaCry and Russian hacking of the defence department, he says that Denmark has seen a "...rapid increase in awareness and understanding from the political side. It’s now very mature, with cyber-attacks now seen as the most important threat against this country, more than the likelihood of physical war or terrorist attack. There is a new defence spending agreement with cyber security front and centre, including a substantial amount of money provided to build capacity. This budget will run for the next five years."
A surprising element of the budget is the acknowledgement that, in cyber-security, things are advancing so quickly that we don’t know what we will face or what will be needed. As a result, Lund Sorensen explained, "A €100 million reserve has been put aside for what may be needed which is not currently known - this has never happened before - so in the next, say, two years, if CISOs became more aware of the consequences of a particular attack they [the government] would be willing and able to spend more."
Lund Sorensen described how the Danish Defence Intelligence Service sources information through all means available, including human intelligence, signals intelligence, network operations and hacking of enemy systems, conducted in relation to perceived threats against Denmark and its allies. It was relatively recently, in 2012, that the service set up a cyber-security division, which works inside the country, not only reporting threats of value but also acting against them.
Explaining why it was set up within an intelligence agency, he said: "Because in the intelligence world, we have been working on cyber-security for many years as it’s one of the easiest and most efficient ways to gather information on threats. So as we had been working in the hacking space, that gives us a lot of knowledge about how systems are vulnerable and thus how to protect them."
He added that just after it was set up came the Snowden revelations, resulting in a difficult birth for the organisation because of public mistrust of government surveillance, adding: "Now we are able to exploit and use the mechanisms of the intelligence agencies in relation to our main threats from enemy nations." He named Russia, China, Iran and North Korea as the main intelligence-collecting nations against which cyber security protection was needed, due to their focus on cyber-espionage.
"They are interested in everything military, foreign affairs, energy and, strangely, water - including treatment and distribution. They are very active and often succeed in breaching our systems. The Ministry of Business has been hacked, likely by the Chinese - and the attackers potentially had access to a lot of interesting information such as patent authorities, registration of who owns what etc. We were unable to track what was accessed as we had no record of those networks at that time. The Danish military had an unclassified email system that became important; there was no authorisation, no SIEM, so we don't know what was taken - but we believe the Russians had access to emails from our military including Generals, and specific lower level employees responsible for areas of interest to Russia. As there are no records we are unable to assess the damage."
He sees this situation still being repeated in the country at large, saying: "Whenever we go out to investigate a breach, some form of compromised system, we ask what they know about what's happened. In almost all cases either their logs are incomplete, or they don’t understand them, or the most common answer is, 'We do not have logs.' Without knowing what's going on in the system, we are blind. We should keep the data as long as the law allows - in Denmark it's 12 months, which we consider to be the minimum time they should be kept."
To rectify the situation, in May this year the country implemented the Danish Cyber and Information Security Strategy. It launches 25 initiatives and six targeted strategies addressing the most critical sectors’ cyber and information security efforts, to enhance the technological resilience of digital infrastructure, improve citizens’, businesses’ and authorities’ knowledge and skills, and strengthen coordination and cooperation in this area. The strategy aims to consolidate cyber and information security in Denmark and ensure systematic and coordinated action over the coming four years.
The Strategy is part of a broader initiative to put greater emphasis on cyber-security, and via the 2018-2023 Defence Agreement, Denmark’s cyber-defences will be reinforced through an injection of £166 million over six years. This will include better protection against sophisticated cyber-attacks by expanding the Centre for Cyber Security’s sensor network for authorities and businesses. In addition, a national cyber situation centre will be established to provide a 24-hour overview of the national security situation, covering current and potential threats to Denmark’s most essential digital networks. The Centre for Cyber Security, which is the national ICT security authority, will also significantly strengthen its capacity to advise and support private businesses and public authorities.
Lund Sorensen says, "We have taken a number of initiatives, and have just published our new cyber security strategy. We are working from schools and tech companies up to the wider community to raise cyber awareness and have asked various vertical sectors to create a 12-point strategy for their sectors - including knowing what is happening on their network and telling government if they see any potential threat to national infrastructure."
He adds, "We will be putting out an advisory on insider threats within the next two weeks, but that's not our main focus. Our focus is on the 'getting into systems' rather than misuse by those who are inside."
Among other comments, Lund Sorensen noted that ransomware is "...a good business model for criminals as a lot of people are paying up for ransomware and other cyber-extortion. As long as we pay it will exist."
And for all the awareness that Maersk may have raised, Lund Sorensen concluded: "But CEOs' memories are short and so there is now declining interest, and they are asking, 'Will we get a return on the spend?', hence the need to find ways to sell the benefit. If we do not incorporate cyber-security into the business model, we won't take off the way we want to, so we need to look for the business opportunity."