November 10, 2019

It is time to install video surveillance systems in the cyberspace

When organizations wish to protect themselves against cyber threats, they integrate certain technologies, engage experts, and order cyber security services. But this is not enough. Filing a lawsuit with a court and having offenders punished should be a real response to cybercrimes and cyber wars.

This process involves three key stakeholders: the state, the private cybersecurity sector, and business entities. And each of these parties must do their share of work to have cyber criminals punished for their crimes.

First, appropriate legislation is needed that will serve as the foundation for investigations and court hearings. The state should develop the laws on digital forensics and forensics of data transmitted in the networks. When relevant laws are applicable and there is liability for failing to comply with them, an overall culture of cybersecurity will start to develop. By introducing and amending the laws, the state can and must nurture the culture and rules of interaction in the cyberspace.

Ukraine currently has no inclusive legislation in this area and has no segregation with classical chapters of the Criminal Code. Many EU countries are still developing and improving such legislation and the main problem is that they must be technologically neutral and respond to not only present-day challenges, but also be relevant to the technology of tomorrow. And this is where Ukraine may profit from initiatives, as a result of which the private cybersecurity sector, in cooperation with the legal community, may yield a powerful synergetic effect and transform the laws in this sector.

Another important factor necessary for having cyber criminals punished is that the law enforcement agencies must have adequate operational and professional capacities to properly classify, investigate and complete such cases. At present, the cybersecurity community unanimously states that law enforcement officers in Ukraine lack adequate capacities to efficiently accomplish such tasks. Many companies are not ready to report on cyberattacks as they don’t believe that such crimes can be proven, and offenders may be punished in court because of the lack of required regulations. The only result they can expect is reputational damages and nobody wants that. In order to minimize their financial losses, some companies even try to classify cyberattacks as force majeure events just to default on their obligations toward their clients.

But Ukrainian law enforcement agencies are not the only ones suffering from this state of affairs. We are involved in many cybersecurity-related projects across the EU countries and we can see that European law enforcement agencies lack adequate powers to address cybercrimes as well. This is why we broadly use the public and private partnership by engaging the private cybersecurity sector.

And the third factor required to have cyber criminals punished is evidence: properly collected, saved, and transmitted digital data necessary to investigate and hear cases in court, i.e. digital forensics. It is important to understand that when it comes to cybercrimes, the only thing companies are interested in is protection against criminals or improvement of their security posture by way of technology, tools, and processes. All rely on technical or organizational means to ensure the proper security level. But nobody considers having criminals caught and punished and no tools, processes, and possibilities for digital forensics are available. However, cybersecurity is only about prevention whereas digital forensics is about liability for damages caused to individuals, businesses or states. And this also implies the punishment for cyberattacks, cybercrimes, and cyber wars.

In more developed countries when IT integrators introduce certain technologies or develop IT solutions for different organizations, they also provide possibilities for collecting evidence in case of a cyberattack that could be used in court. Yes, the component of readiness for digital forensics in cybersecurity products and solutions requires a special approach and additional resources. But this enhances the economic, financial, and legal security of organizations in the digital world.

It is extremely important that cybercrimes evidence could be collected and stored according to the best practices of various jurisdictions as in most cases cyber incidents are international in nature. In other words, a hacker from one country may use the server infrastructure of any other country and attack a victim in the third country through the network infrastructure of the fourth country. Therefore, collecting and storing such evidences require that they comply with the legislation of many jurisdictions.

Today we want technical solutions in information systems to contain a component of readiness for digital forensics: proper collection, storage, and transmission of digital data as irrefutable digital evidence collected, stored, and elaborated according to the best practices and laws of as large a number of jurisdictions as possible makes it possible to punish cybercriminals and administer justice.

Hackers actively use evidence destroying technology and have considerable resources to prevent any identification and, what is worst, they can accuse innocent people. And “flexible” or immature laws, lack of any organizational and technically equipped punishing agencies along with the result-oriented expert community poses a threat to the inevitability of punishment and a right to justice. For this reason, it is time to install “video surveillance systems” in the cyberspace that would ensure this forensic readiness.

Video surveillance systems physically monitor a certain area, store information they collect, but do not disclose or spread it until it is necessary to do so or required by the law enforcement agencies. In the cyberspace, we also have tools for collecting and storing digital data, which give us readiness for digital forensics. These tools are quite expensive and resource intensive to be implemented and used, but we believe that it is high time to employ them, particularly in critical infrastructure facilities and sectors providing important services in our country.

In the past, the cost of video surveillance systems was high, too, and they were installed only where the value of assets or their criticality was high, where regulators and international organizations clearly required this approach to be used. But later on, the cost of such systems decreased and people presently use them to a large extent in their living rooms, entrance halls, and cars as they feel more confident in their right to justice.

Entities risking suffering from cybercrimes should be equipped with tools enabling them to protect their rights so that we, as a state, could be proactive in our approaches to national cybersecurity, security of enterprises and individuals.

Artem Mykhaylov, Director for Corporate Solutions, ISSP