Governments invest time and resources on activities that do not help prevent cyber attacks. Many agencies mount massive scans and surveillance in search of malware, but according to Borg, sophisticated and targeted malware attacks cannot be found through these efforts.
“Really damaging cyber attacks would employ small volumes of very sophisticated malware that is extremely difficult to detect,” he said. “The malware could be sent in separate pieces that assemble themselves at the destination. The malware could be mutating, changing shape or features, encrypting and decrypting itself. With this kind of malware, monitoring huge amounts of traffic is useless.”
Borg added, 'When we are searching for this malware, it could move to an area where we have already scanned, and erase itself from where we are scanning now.' Malware can go undetected even with a line-by-line code review. “An industrial system has lines of programme that control many variables, such as switching something on or off, turning up or down the heat, releasing or increasing pressure and so on. Creating a malware attack could be as simple as reversing the instruction at a critical moment, or activating the control at the wrong time,” he elaborated.
According the Borg, the most important thing governments need to do now is to be clear about their missions. He identified six government cyber security missions:
This is not easy, continued Borg, because these missions are conflicting. “Critical infrastructure are heavily dependent on their supply chain, and today, that is almost always international. If you want to help them defend themselves, you release information on plugging vulnerabilities and lose advantage in building offensive cyber capability,” he said.
Many government leaders today are not informed and familiar with technology, observed Borg. “This leads to wrong decisions, such as investing in technology solutions that are useless, or financing research that will never produce results. Moreover, leaders often confuse the six roles: they have the same people or organisation perform all these roles at the same one, and that normally results in failure to do any of them well. This is true for both small and big governments.”
Borg was recently in Singapore speaking on the economic advantage of organisations and countries with better cyber security. See article here.