Cyber-war: Time for our agencies to step up
Digital News Asia (05 March 2013)
By A. AsohanMar

• Cyber-warfare is raging between Malaysian and Filipino hackers
• It is time for the Malaysian Govt to harden our cyber-defenses

LAST month, US President Barack Obama issued an executive order to bolster his nation's cyber-defenses, a move unpopular with some hacker movements and civil society advocates, eagerly awaited by many, and considered insufficient by some experts.

Delivered as part of his State of the Union address, Obama said, "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," the Los Angeles Times reported.

The daily described it as a "stopgap measure" that would improve "how classified information is shared between the government and the owners and operators of crucial infrastructure, including electric utilities, dams and mass transit."

MIT Technology Review said the Executive Order Improving Critical Infrastructure Cybersecurity won't amount to much, adding that it only "requires new information-sharing, standards-setting, and R&D plans to get up and running over the next few months to two years."

"The executive order … won't force companies to introduce measures that would protect infrastructure like the power grid," the Review noted.

But as I read the backlash against Obama, and in the wake of reports of cyber-warfare raging between Malaysian and Filipino hackers, all I could think was that at least the United States is waking up to the reality of the new front in hostilities: The Internet.

According to The Star Online, Filipino blog Pinoy Tech News first reported that some of their government websites were hit by denial-of-service (DoS) attacks, while others were defaced. Filipino hackers then retaliated, attacking and defacing several Malaysian private and government-owned websites.

A statement allegedly made by Anonymous has called for hackers of both countries to stand down, to no avail, the Malaysian daily said in its online edition.

Last July, when I wrote about Stuxnet - courtesy of the US Government - heralding a new era of state-sponsored terrorism, espionage and warfare in cyberspace, I felt that I may have been stretching it a bit. But remember, it's not paranoia if they're really after you.

Since then, malware such as Red October, Gauss, miniFlame and Madi have been identified, all designed for targeted cyber-espionage campaigns in varying degrees. More recently, Kaspersky Lab has identified MiniDuke, which was used to attack multiple government entities and institutions worldwide recently.

Among the victims were government entities in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland; a research institute, two think-tanks, and healthcare provider in the United States; as well a prominent research foundation in Hungary, Kaspersky Lab said.

The March 3 and 4 attacks in cyberspace between Malaysian and Filipino ‘patriots' targeted relatively low-hanging prey: The websites and e-commerce portals of commercial entities, some colleges and universities, and so on. There have been no reports of attacks on the national grid of either country, but that doesn't mean a quiet little war isn't raging on that front either.

It is past high time the Malaysian Government recognizes that cyber-security is not just a ‘hacker' problem, but one of national security. We have perhaps the most number of government and quasi-government agencies looking into cyber-security for a country this size; it is time for them to put their heads together and harden the nation's cyber-defenses.

We have the National Security Council, an agency under the Prime Minister's Department which is responsible for managing and coordinating the implementation of policies related to national security; Cybersecurity Malaysia, the national cyber security specialist agency under the Ministry of Science, Technology and Innovation; and the Malaysia Computer Emergency Response Team or MyCERT which is concerned about the security of Internet users.

And let's not forget that Cyberjaya houses the headquarters of the International Multilateral Partnership Against Cyber Threats (Impact), which says its mission is to enable "governments and stakeholders with vested interests in cyber-security to converge, connect and collaborate for a tighter and a more cohesive move forward in the defense against adversaries online."

At a separate briefing last week, Hewlett-Packard IT management evangelist (software) Paul Muller told Malaysian technology media that security is not a problem that can be fixed with a product or two - it has to happen at all layers. (I would venture to add that neither can security be fixed by one-week workshops - it has to be built into the entire process).

"So let's look at hardening the attack surface - it not just the infrastructure that is causing the problem; it's the information, it's the applications … it's the whole stack," he said, adding his concern that small companies which don't even have their own IT personnel - let alone the entire cyber-security teams that a large enterprise or government entity can bring to bear - are facing the same kinds and levels of threats as their bigger brothers. And their information is just as valuable.

Also at the briefing was Computerworld Malaysia editor Avanti Kumar, who wondered why governments didn't get their agencies together with selected security organizations and professionals and offer security-as-a-service to smaller entities.

I think it is a brilliant idea. All of us at the briefing did, and we told him so. We also noted that the Multimedia Development Corporation or MDeC, the national ICT custodian, paid scant attention to the issue of national cyber-security in its ambitious Digital Malaysia plan to transform the nation into a "digital economy."

Indeed, Digital Malaysia only recognizes national security as a "business opportunity" it calls the Unified Net, which proposes the development of a "managed and secured national communication backbone channel through a single platform to ensure critical information protection for critical national information infrastructure."

MDeC has been gathering expertise and has launched a number of initiatives around the cloud; how about marrying those moves to the Unified Net and taking the whole thing to another direction and a higher level?

‘Business opportunities' are not immediate priorities for the Digital Malaysia plan, but I suggest we move it up the chain and make it a high, if not the highest, priority.

It's war, gentlemen, and it's time our agencies got cracking.