Given the choice between a cyberattack or a bomb, any IT-savvy person would choose the bomb, cybersecurity expert Gábor Matuz told Hype&Hyper. Interview on the effects of war, cyber defense, and cybersecurity tips for companies and individuals.
The Russo-Ukrainian war has also reached cyberspace, with hacker attacks on Russian state bodies, media outlets, and banks in the first weeks. Russia soon responded with retaliatory attacks. Even before the war, some analysts already said cyberspace had become a battleground long ago. To what extent has cyberspace security changed since 24 February?
Of course, war means a significant change for government bodies, the military, intelligence services, or for example, basic infrastructure providers. For most of them, the change means an increase in hacker attacks’ intensity. There is no major alteration in the nature and targets of attacks that would have a practical impact. We make risk decisions at every moment of our lives based on probabilities, potential outcomes, and how much control we have over the factors. The current situation is like the traffic on the highway to Lake Balaton on a summer Friday. If safety is important to us, we will buy a car with reassuring crash test results. We fasten our seat belts at departure and leave a longer following distance because of the heavy traffic and the other drivers’ state of mind on a Friday afternoon. Presumably, there is also an increased likelihood of a 10-tonne truck breaking through the guardrail just as we are driving past, but unfortunately, there is not much we can do about that. Psychologically, fears related to cybersecurity are different from driving a car, but only because they are less tangible, and we are not used to them. Addressing the issue of trucks crossing into oncoming lanes is a public responsibility. The state has the resources and the means to reduce the likelihood of such a scenario happening, for example, by stronger guardrails or adequate regulation. There will be some people for whom this risk is more important than leaving it entirely to the state, but for them, it would be disproportionately expensive to do something, and let us admit that most of us are not in that group. The trucks, that is, the hackers working for the Russian state, and here I have pretty much reached the limits of my analogy, have certainly changed their targets in line with the changing vulnerabilities of countries and their own strategic and political thinking. But it is too early to say what that means exactly.
In general, the war has so far had surprisingly few cybersecurity implications. Before the war, there was a strong consensus in professional circles that this would be the first hybrid war in which the cyberspace battleground would be almost as important as the physical one. It was a major surprise not only to information security analysts but also to war experts that this was not the case. There is no clear explanation yet for why we got it so wrong. Perhaps the Russian services did not know that the invasion would really begin and, thus, did not have time to prepare, or maybe the Ukrainians received much more international support in this area than anyone imagined, and, therefore, the Russians did not escalate the conflict outside Ukraine immediately. But it is also possible that the current plight will change, and we will likely learn more about many things only after the events. In short, it is worth bearing in mind that our intuitions, and often the professionals, too, will overestimate the risks. In cybersecurity, we often talk about the worst possible scenario and what could theoretically happen, and lay people only hear these headlines. But the attackers’ real question is what is worth doing. To take a war example, if the aim is to cut off the power supply to a given area, and the choice is between a solution with software or a cruise missile with 500 kilograms of explosives, the decision will not be difficult for those who have ever been involved in IT projects. They will choose the bomb.
What challenges do private companies face in the current security situation? And what were the challenges before the war that needed to be addressed?
The fact that it is mainly the intensity and not the methods that have changed does not mean that companies have nothing to do. With the increased likelihood of attacks, the cost-benefit analysis results may change for many companies for whom the return on a security investment was previously uncertain. Since February, I have recommended to several clients that they should bring forward some of their planned investments and consider further developments. What does this mean in practical terms? If we are talking about small and medium-sized enterprises, and we are mainly focusing on hacker attacks and not data breaches, the list is, fortunately, reassuringly boring. The key remains multi-factor authentication for logins and automatic operating system updates, especially for Windows computers. Also, for Windows users, it is now essential to have good quality, up-to-date antivirus software. If any of these are missing, it is worth getting them as soon as possible. A more difficult but equally important task is to install security updates regularly. In this area, I usually recommend using services where this is not our responsibility but that of the service provider. For example, do not run your own e-mail server; instead, use a reputable company’s services. If we have to update an application manually, it is worth making sure that patches for vulnerabilities that hackers actively exploit are applied within hours, or a few days at the latest, as my experience is that they are often still a problem for companies. Last year I launched an open-source, free service with my friends that alerts users when information about the exploitation of vulnerabilities is received. In my opinion, this helps to focus the work on updates, as tens of thousands of new vulnerabilities are reported in a year, but only a few hundred are exploited. Only after these “hygiene” tasks have been completed is it worth asking the question: what are the specific risks in our case?
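The answer above describes prioritising patch work by whether a vulnerability is actually being exploited, since only a few hundred of the tens of thousands reported each year are. The following script is an added editorial illustration of that triage logic; it is not part of the interview and not code from the interviewee's service. The advisory feed, the inventory, the identifiers (EXAMPLE-000x, deliberately not real CVE numbers) and the patch deadlines (3 days for exploited, 30 days otherwise) are all constructed assumptions. The script keeps only advisories that match software you run at a still-vulnerable version, then orders the queue so that exploited vulnerabilities come first and flags any whose deadline has already passed.

```python
"""Patch prioritisation sketch: rank open vulnerabilities so that the few
with known in-the-wild exploitation go first.

All data below is constructed for illustration. The feed format, product
names, identifiers and deadlines are assumptions, not the format of any
real alert service."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    vuln_id: str          # constructed identifier, not a real CVE number
    product: str
    fixed_version: str    # first version that contains the fix
    exploited: bool       # exploitation observed in the wild?
    published: date


# Constructed inventory: product -> installed version.
INVENTORY = {
    "mail-gateway": "2.3.1",
    "vpn-appliance": "9.0.4",
    "wiki": "5.7.0",
    "crm": "1.2.0",
}

# Constructed advisory feed (stand-in for an exploitation alert feed).
FEED = [
    Advisory("EXAMPLE-0001", "mail-gateway", "2.3.2", True, date(2022, 3, 1)),
    Advisory("EXAMPLE-0002", "vpn-appliance", "9.0.4", True, date(2022, 2, 20)),  # already at fixed version
    Advisory("EXAMPLE-0003", "wiki", "5.8.0", False, date(2022, 3, 3)),
    Advisory("EXAMPLE-0004", "crm", "1.3.0", True, date(2022, 2, 25)),
    Advisory("EXAMPLE-0005", "billing", "4.0.1", True, date(2022, 3, 2)),  # product not installed
]

# Assumed patch deadlines: exploited -> 3 days after publication, else 30 days.
SLA_EXPLOITED = timedelta(days=3)
SLA_DEFAULT = timedelta(days=30)


def version_tuple(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return version_tuple(installed) < version_tuple(fixed)


def prioritise(feed, inventory, today):
    """Return (vuln_id, product, deadline, overdue) rows for software we run
    at a vulnerable version: exploited advisories first, then by deadline."""
    rows = []
    for adv in feed:
        installed = inventory.get(adv.product)
        if installed is None or not is_affected(installed, adv.fixed_version):
            continue  # not installed, or already patched: nothing to do
        deadline = adv.published + (SLA_EXPLOITED if adv.exploited else SLA_DEFAULT)
        rows.append((adv.vuln_id, adv.product, deadline, today > deadline, adv.exploited))
    # Sort key: exploited entries first (False sorts before True), then earliest deadline.
    rows.sort(key=lambda row: (not row[4], row[2]))
    return [(vid, product, deadline, overdue) for vid, product, deadline, overdue, _ in rows]


def demo():
    """Run the triage against the constructed data as of a fixed date."""
    return prioritise(FEED, INVENTORY, date(2022, 3, 5))


if __name__ == "__main__":
    for vuln_id, product, deadline, overdue in demo():
        status = "OVERDUE" if overdue else "due"
        print(f"{vuln_id:13} {product:14} {status} {deadline.isoformat()}")
```

Run as-is, the queue comes out with the two exploited entries (crm, then mail-gateway) marked overdue at the top and the unexploited wiki advisory last; the vpn-appliance and billing entries are dropped because one is already at the fixed version and the other is not installed. In practice the inventory would come from an asset database and the feed from whichever exploitation alert source the organisation trusts; the sort order is the point.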
Is cyber defense provided by in-house developers or external contractors in the private sector? Which model can drive innovation and respond to emerging challenges promptly?
For most companies, the tasks in the above list do not require external help. In fact, I think taking an approach where basic cybersecurity is the responsibility of all employees is also better from a company culture perspective. On the other hand, an in-depth understanding of the field and the relevant technology often requires specialist knowledge that may not be necessary to have in-house. The consultants’ role is to help companies to develop and implement the appropriate security strategy and to provide employees with the right tools and information to achieve the objectives set out in the plan. In addition, external assistance may be the right choice for specialist services such as security monitoring or IT incident management. The picture is slightly different for innovation, too; I see more justification for outsourcing there, as the directions, and therefore the strategies, are changing dynamically, and it is essential that the company can focus on the specific problems to be solved.
How much extra cost is system protection for a global private company or bank? Are these costs constantly increasing, or is there some optimization?
In recent years, the cybersecurity market has grown steadily, which is practically equivalent to companies’ costs to address these issues. But the question is the return on investment. It would be difficult to show a significant improvement in security based on incidents, and costs are not going down; they are actually going up. A good example of this is the trend in ransomware attacks. Over the last 2-3 years, insurance companies have been tightening the terms and conditions of cyber insurance policies, increasing prices, and limiting payouts as the cost of each incident keeps rising. If I remember correctly, last year, the average was $2.8 million per incident. Interestingly, the average amount paid to blackmailers is about $300,000 of this sum. Even if we had no control over the frequency of attacks, the industry would still be responsible for a significant increase in the cost margin, as this part is entirely up to us. It is not the only sign that we are often going in the wrong direction. To give a Ukraine-related example, when one of the most advanced Russian hacking teams attacked a Ukrainian energy service provider after months of preparation, their experts managed to restore service in roughly 6 hours, while for an international transport company with a much larger cybersecurity budget, it could take several days to restore service even after an untargeted attack. It would be very hard to explain why this is the case, but something is definitely not right. Therefore, I recommend that all decision-makers do the same rigorous return on investment analysis for cybersecurity investments as for any other investment.
Throughout your career, what have been the biggest security challenges and the most surreal stories that show how far the world of cyberspace is from the average user, despite all the everyday technological advances?
I started my career in penetration testing. At that time, we had a few bizarre cases, but I do not want to go into details because of my clients’ interests and the large number of non-disclosure agreements I signed. I would rather point out the interesting paradoxical thinking of most users. People often ask what they can do for their security in light of cases such as the Pegasus affair or the Russo-Ukrainian war, although they use an easy-to-guess password for their e-mail account and have not updated their laptops for months. Although cybersecurity is full of very smart engineers coming up with exciting attack ideas, most attacks still start with a default, reused, or compromised password, and user-run malicious software. The extent to which an attacker can rely on human curiosity, trust, and inattention should not be underestimated. From a professional point of view, an interesting and humbling moment was when I worked with an e-commerce company where phishers were hacking into vendors’ accounts to gain access to the money in their accounts. The solution seemed obvious: we just add an additional verification step for payments, similar to internet banking transfers, and the problem is solved. But what actually happened was that the attackers continued to break into the vendors’ accounts, but instead of simply taking the money, they started selling iPhones for extremely low prices, and they were lying to the customers that their payments on the site had failed. They told them that if they wanted their half-priced iPhones, they should transfer the money to their account. Because of the outraged customers, this kind of attack was a bigger problem for the company than just compensating a few sellers. We should be skeptical when someone tells us that there is a simple solution to a cybersecurity problem.
Many self-organized groups launch hacking attacks in support of Ukraine because of the war, such as the Lithuanian “Elves.” These are partially illegal activities, but where is the line between ethical hacking and illegal actions? To what extent does the war change the evaluation?
The short answer is that what these groups are doing is illegal in virtually every country. For the sake of simplicity, I say that everyone who does something that negatively affects IT systems without adequate authorization is committing an unlawful act. Another question is who would investigate these cases, and would the perpetrators ever be extradited? Russia is Russia, and the Russians were famous even before the war for never extraditing cyber criminals, and they only launched investigations when Russian companies were attacked. Similarly, I am not aware of any case where an EU or US citizen has been extradited to Russia in this field. But this does not mean I would recommend anyone to join these groups. In many cases, Russian cybercriminals have been arrested at European airports, and while it is unlikely that any of us will be going to a country allied with Russia in the next few years, it still does not necessarily make sense to risk several years in a Russian jail. Especially since anyone who feels they want to support the Ukrainians in this field can legally get involved in the many projects focusing on cyber defense.
Gábor Matuz has been working in the field of IT security for more than a decade. He started his career as an ethical hacker, and in recent years he has been responsible for IT security in innovation projects for startups and large enterprises. He specializes in designing cybersecurity strategies that are appropriate to the company’s specific risk assessment and opportunities without unnecessarily limiting the dynamism needed for their development. His main research interests are risk and the measurement of protection methods’ effectiveness. He writes regularly on his blog on both strategic and practical issues.
Graphics by Roland Molnár / Hypeandhyper