The Digital Security Authority (DSA) is bolstering efforts to enhance cybersecurity in Cyprus by addressing risks to essential services while creating a safer environment for investors and businesses.
Recent comments by high-ranking state officials have put the spotlight on cybersecurity gaps in crucial state services such as ministries, ports, water, and electricity distribution networks.
Deputy Minister for Research, Innovation and Digital Policy Kyriakos Kokkinos sounded the alarm over the danger to state systems from cyberattacks, saying government services were essentially unprotected.
“The issue worries me very, very much as we open up to the outside world,” Kokkinos said.
He was referring to the lack of a specialist IT team in his ministry that is in charge of cybersecurity and implements the guidelines and directives issued by competent bodies.
In Cyprus, the local DSA and the Computer Security Incident Response Team (CSIRT), set up under EU directives, have been tasked since 2017 with implementing the EU Commission Directive on security of network and information systems (NIS).
The DSA and the CSIRT fall under the Commissioner of Communications' office, which is responsible for drafting protocols and guidelines for crucial services, with the CSIRT acting as a response team to cyber threats faced by any of these services.
Talking to the Financial Mirror, the Commissioner of Communications, George Michaelides, said the two bodies are there to implement directives and intercept threats to an essential service.
According to the NIS directive, Member States are required to be appropriately equipped with a Computer Security Incident Response Team (CSIRT) and a competent national authority implementing the NIS directive.
“These bodies should support and facilitate strategic cooperation and the exchange of information among the Member States.
They will also need to set a CSIRT Network, to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks,” Michaelides said.
He stressed that building a culture of security across sectors is vital for the economy and society that rely heavily on essential services such as energy, transport, water, banking, financial market, healthcare, and digital infrastructure.
Businesses in these sectors that are identified as operators of essential services have to take appropriate security measures and to notify serious incidents to the relevant national authority.
“We are not here to implement security measures; it is up to the services. We are, however, responsible for monitoring the implementation of these guidelines while also monitoring the services for unusual connections which could reveal possible cyber threats.”
Michaelides said having protocols on cybersecurity in place, along with a response team, is crucial, as any threat to a vital service could bring the whole economy to a halt.
Michaelides said the DSA and CSIRT are currently focusing solely on essential state infrastructure.
“The DSA does, however, issue guidelines for the private sector, but does not deal with threats. This is something which may be on the table in the future once a culture of cybersecurity awareness is embedded in the state, the society and the business world,” said Michaelides.
He argued that building a culture of cybersecurity awareness within the private sector is vital as a growing number of companies have dealings with the state.
“The majority of cyber-attacks on states and at a corporate level take place through partner entities, such as providers. The state should only be dealing with certified companies.”
Referring to the kind of threats the state could face, Michaelides said that they are split into two categories.
“Those carried out by individuals who will give up if they fail to retrieve any information from which they could personally benefit, and the Advanced Persistent Threats, which are more likely to be carried out by states which have the luxury of time and are not worried about the cost.”
It is believed that Iran’s nuclear program was hit by such an APT through a malicious computer worm dubbed Stuxnet.
Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.
Although no country has openly admitted responsibility, the worm is widely understood to be a cyberweapon.
An APT attack was responsible for the theft of sensitive material from the European Commission in recent years.
Michaelides said this is why all corporations should have an IT team dedicated to cybersecurity.
“We would like to see corporations building such teams and being accredited as cyber safe not only to do business with the state but to enhance Cyprus’ image as a safe investment destination.”
“One of the items on our agenda is to build a cybersecurity ecosystem for the shipping industry, for which we are in close contact with the Deputy Ministry of Shipping.”
Michaelides said that once the bodies have done their bit in setting up a cybersecurity culture and ecosystems within the public sector and big corporations, the DSA will turn to SMEs, which represent 90% of the market.
The DSA is also preparing to launch several public awareness campaigns, put on ice due to the coronavirus outbreak.
Asked how safe Cypriots are, Michaelides noted that the public is faced with threats which more often than not are taken lightly.
“Anyone from kids to their parents could fall victim to a cyber-attack, from a phishing email or SMS on their phone or even by just joining an open Wi-Fi network set up to steal information such as credit card and Social Media codes.”
The DSA envisions a training centre that children could visit with their parents or teachers to get hands-on experience of dealing with the cyber threats they face daily, knowingly or not.