Red flags raised over the state cyber security policy

Stakeholders have raised red flags over the government’s strategy on cyber security after three major hacks have hit the country in the past month.

The snail’s pace at which things are done has reportedly left the country exposed to more threats but experts hope the experience can finally bring about positive change and raise awareness on the importance of cyber security.

In the past month, the University of Cyprus, the land registry and the Open University of Cyprus – in that order – have been hacked. Their sites were down and all three parties are still in the process of restoring systems.

Digital security authority commissioner George Michaelides told the Sunday Mail there is a lack of awareness of the importance of cyber security – which is slowly changing.

“Where the land registry hack is concerned, there were messages left there that demanded ransom. But we caught things in time so that it wouldn’t come to that dilemma,” he said.

Former Deputy Minister of Research Kyriakos Kokkinos stressed the rule when ransom is demanded is “you can’t pay. If you pay once, hackers will keep trying so you pay again.

“If they steal data, there needs to be the right backup.”

In the past week, questions have been raised about the Security Operation Centre (SOC) that Cyprus’ government was supposed to have. Current Deputy Minister of Research Philippos Hadjizacharias suggested it had been procured in 2019 but nothing had been done about using it since.

CTO at cybersecurity service Boltonshield Michael Ioannou said SOC was being presented as if it was a silver bullet that could have solved and prevented all problems.

“The government doesn’t even have a baseline level online security system. Security isn’t just one isolated thing. It includes employee awareness, processes, technical controls and access controls. There’s a whole host of procedures.”

For instance, he argues the land registry website would have been able to be restored within a day if it had a proper recovery policy in place. “There should also be a pre-set acceptable downtime.”

Instead the site will be back up next week, a month after the hack. Michaelides counters the slow process is not due to a lack of ability but because the experts want to be as thorough as possible. The government’s line has been that the new website will also be more user friendly.

Kokkinos himself proclaimed he was surprised over suggestions that SOC has been available since 2019. “The ministry was only set up in 2020. During my term as minister I tried to set up the infrastructure for proper cyber security. We’re about 30 to 40 per cent there.”

The core issue that makes cyber security drag on is that government procedures are not at all efficient, he explained. The department needs to prepare the plan for new positions, the budget must be approved by the finance ministry and consequently parliament, job positions need to be announced, interviews need to be carried out and then a selection has to be made.

“This can take one or two years.”

So in the meantime, departments often outsource services to the private sector.

“You can’t deter government attacks. You need to have proper defence, to realise that you’ve been hacked and protect the data,” the former minister stressed.

Ioannou said “the procedures could have been different and faster when it comes to technology”. He charges tenders are a lengthy and slow procedure when it comes to implementing new technology leaving the organisation exposed for a long time. Budgets to maintain a certain level of technologies and security should be implemented before hand and on a recuring basis.

“They pick the cheapest option rather than the best option.”

Michaelides said the legal framework allows the digital security authority to guide online services to meet a bare minimum of digital security and also impose it where necessary.

It also has oversight for 70 online infrastructures that are deemed of critical importance but cannot be disclosed for national security issues. They deal with matters concerning health, water supply and finance.

Michaelides specified there are currently forensic examinations underway to examine what exactly happened with the hacks. “We cannot know if the attacks were connected. They might be but they might not be.”

On the same day the University of Cyprus was hacked, a “huge number of hospitals and academic institutions in Israel were hacked,” he added.

The commissioner was not necessarily trying to draw a parallel or connection but rather highlight that “attacks happen all the time. Some are successful and some aren’t. Obviously, it is the successful attacks that make it to the public eye.”