Vladimer SVANADZE: "Protection of critical infrastructure suffers from severe shortage of skilled specialists"

10.10.2022 (Caucasian Journal) What is cybersecurity and how can it affect your life and work? Many people are aware of the challenges of cybersecurity, but many others don’t care until they get into serious trouble. What’s the situation in Georgia in the field of cybersecurity and internet governance? Are we well protected as individuals? What are the threats to business, and is there a connection to military security?

This October is European Cybersecurity Month, so we thought it’s a good moment to discuss this theme with a top professional and are grateful to Vladimer SVANADZE for the interview. 

Vladimer Svanadze is Chairman of the Board at Internet Development Initiative (IDI). One of Georgia’s leading experts in cyber security, he is Managing Partner of Cyber Security Academy (CSA) and Georgian Information Security Association (GISA). He was a chief advisor of the Ministry of Defense of Georgia on cyber security, and participated in the preparation of the National Cybersecurity Strategies and Action Plans of Georgia. He is the Chairperson of the “Digital Transformation and Cybersecurity Committee” at the ICC Georgia.

▶ ქართულად: Read the Georgian version here.

Alexander KAFFKA, editor-in-chief of CJ: Dear Lado, welcome to Caucasian Journal! I guess you know there are still people who don’t care about cybersecurity – believe it or not. Why don’t we start by saying a few words to such individuals? Can you make them instantly alert and aware? Maybe there are examples that you can use as illustrations for our readers, most of whom are simple users, not experts in IT.

Vladimer SVANADZE: Thank you very much for the invitation. The fact that many people do not understand cyber security and its importance is natural, and a common computer user, so-called “end user” does not need to understand this field at a professional level. It is necessary for the user of internet services to know and follow the minor rules, even the requirements related to the correct operation of the internet, as end-users have to master the basic cyber hygiene skills, which help them to be as safe as possible in cyberspace. Protected as much as possible, and not 100% protected, because 100% protection is impossible, and no one can guarantee it. 

Cyber hygiene includes even such a simple rule as the issue of a password, in particular, the password must be at least eight characters long and consist of numbers, letters, and symbols, or a combination of them, and in no case should be the name of the user or his spouse, children, loved ones, or a combination of first letters of names, years of birth or other notable dates. The password should be changed systematically, at least once every 2-3 months, and under no circumstances should it be transferred to a third party, even for temporary use. Also regarding passwords, every device or account must have an individually assigned password. At this point, this is what I can say to your readers in short.

AK:  I guess that while some cybersecurity problems must be global, others are probably country-specific. With this question, I am trying to shift the focus to Georgia. How would you evaluate Georgia’s position in general, and what are the specific problems this country is facing – or will be facing soon – in the cybersecurity field?  

VS: In general, when we talk about cyber security, threats in cyberspace, and the protection of critical infrastructure, we must not forget that this is a global issue that is highly dependent on activities at the national level. That is why the recommendations at the international level, be it from the European Union, NATO, or any other international organization, oblige countries to develop cyber security policies at the national level. 

First of all, it includes the creation of the strategy and the legislative base, the introduction of internationally recognized standards, the deepening of institutional arrangements and international relations, as well as the necessary component related to raising awareness and education among the population. In the recent period, the strengthening of cooperation between public, private, and academic sectors is becoming more and more important. I think this is an important component in strengthening the cyber security policy of all countries.

As for Georgia's cyber capability and its policy, it can be said that taking into account the activities listed above, the situation is not bad. Last year, the country approved its third cyber security strategy and action plan, amended the law on information security, and adopted completely new legislation. Cooperation between private and public sectors is starting to become more and more active, in which academic circles are also involved. It can be said that the past year of 2021 was the year of certain changes, the beginning of a new period in the direction of the country's cyber security.

As for threats, the country is already so involved in international life that global threats and challenges also affect the stability of our country's cyberspace. For example, we can mention the cyber attacks carried out on September 1 and 2, 2020 on the health sector of Georgia, the main target of which was the Lugar Lab [Richard Lugar Center for Public Health Research - CJ].

AK:  What is being done to cope with the challenges you outlined? What are the roles of the organizations that you are leading – IDI, CSA, GISA?

VS: I am proud that these organizations were created at my initiative, and the best experts in the country are united in them, although I would still focus on the Internet Development Initiative (IDI) because the organization is older and has implemented many interesting projects. In particular, within the framework of IDI, various types of training and seminars were held in terms of awareness-raising in cyber security, and I am proud that the organization was one of the pioneers in this issue in the country. Also, an interesting project is the monthly online publication CyberStellar, which deals not only with cyber security but also with the internet and internet technologies in general. This year, the first Digital Culture School was implemented and held with the support of the Israeli Embassy (read our interview about the School here) and BTU, where young people were informed about the processes taking place in the internet space. The interest was great, and hopefully, this project will continue.

An interesting project was also the radio program CyberTalk, where we discussed current issues of cyberspace together with invited guests. IDI is a member of global corporations and organizations, for example, it is a member of such a large corporation as ICANN, which can be called the "regulator" of the internet at a global level. Finally, I would like to mention our best project "International Festival of Cyber Security (IFCS)", which is held together with the University of Georgia, and this year it was held for the sixth time. This is the only large-scale event not only in Georgia, but in the entire region, and we are very proud of it, the event attracts all interested parties, stakeholders from public and private sectors, civil society, academic circles, technical community, and discussions are held within the plenary sessions.

AK: Very interesting indeed. And, by the way, we are very proud that Caucasian Journal also was recently admitted to ICANN as a new Organizational Member of ICANN's Noncommercial Stakeholder Group, and we hope for cooperation with your IDI there. But what about Georgia’s government and its bodies? Do you think the government is paying enough attention, and the efforts are sufficient? If not, is there anything else that must be done?

VS: Now the process of implementation of the activities outlined in the adopted strategy is underway, in which the country is assisted by strategic partners. The problem is global and it is related to the lack of specialists. The structures responsible for the protection of the country's critical infrastructure suffer from a severe shortage of skilled specialists, which is why close and consistent cooperation between the private and public sectors is necessary and within this framework, a large part of the services will be outsourced. 

This process will have a positive impact on the development of the field, a competitive environment will be created, specialists will appear, and new technologies will be developed and introduced. However, I think this is included in the new law and strategy, and little by little the private sector will have its rightful place in the country. Also, it would be good if the state pays attention to hackathons, which allow the revealing of new talents among individuals as well as teams.

AK:  You have worked for the Ministry of Defense of Georgia in particular. How can you summarize your experience in this field? 

VS: Briefly, I would like to point out that positive processes are taking place in the field of cyber defense, and in February 2014 the field of defense in terms of cyber security became a separate structural unit of the Ministry of Defense in the form of "SSP - Cyber Security Bureau", responsible for protecting the critical infrastructure of the country's defense field. It is a step forward that our strategic partners also welcome and which has found a positive reflection in the 2017 international and national cyber security indices. Cyber security is developing in the field of defense, the Bureau participates in many international activities, including NATO cyber exercises, and international-level relations are deepening, and this is a positive process because all this contributes to the development of the field, which ultimately has a positive effect on increasing the security of the country's critical defense infrastructure.

AK:  Speaking more generally, what’s your view on the connection between cybersecurity and “traditional” security, which includes military security and other components? 

VS: Cybersecurity established its place in a short period of time and became one of the main components of both international - regional and national - security. Recent events, be it the pandemic or the rapid technological advancement, as well as the Ukraine-Russia war, have accelerated the processes even more, and cyber security has become the main component, as you said, in the context of "traditional" security. All of this is evidenced by the fact that NATO assigned cyber security the fourth domain of military operations at the Wales Summit in 2016, that is, together with land, air, and sea military domains, cyber security, in general, became an area of conflict. The fifth domain is space warfare.

AK:  Your expert’s view into the future: What are the new challenges that are coming up?

VS: When we talk about new challenges, which in turn are related to threats from cyberspace, we must take into account the available statistics, and based on this, determine the classification of threats, and the areas that are often the targets of attacks by cybercriminals. Among the targets of such an attack, the banking and financial sector is again and again in first place, followed by cloud hosting penetration, healthcare and insurance, and so on. That is, cybercriminals try to gain access to our accounts, thereby trying to appropriate our finances, and steal our personal data information.

Secondly, cyber activities between countries are also a significant threat, related to both cyber espionage and cyber attacks on strategically important objects, and in many cases, such cyber attacks have a much greater effect than conventional military action. That's why experts talk more and more often about cyber war, where the winner will be the one who has good technologies and good human resources and talents. In my opinion, the cyber war is ongoing and it is not going away. By the way, during Russia's aggression against Georgia in 2008, active cyber-attacks on the critical infrastructure of our country were carried out simultaneously with military, air and naval military actions, and these cyber-attacks were so large-scale that experts called it the first cyber war, within the framework of the first "hybrid war". Such threats remain threats.

AK: I guess the processes in your field must be rather speedy, so new threats might evolve without much advance notice. What’s your advice to our readers? What might a simple user do to “be prepared”?

VS: I absolutely agree with you, it is difficult to predict any action in cyberspace, because cyberspace activity depends on technological development, and this process is taking place at such an accelerated pace, it is really difficult to preemptively defend against any new and at the same time unknown technologies. In general, cybercriminals are always one or two steps ahead of law enforcement, and this is not only in bribery, it is the case worldwide, everywhere, because cybercriminals use the latest technological advances, quickly implement them, and put them into action on which law enforcement cannot act for many reasons, even bureaucracy. Therefore, in many cases, prevention is very difficult.

"End-users", just basic users of computer equipment, should be careful not to open suspicious emails and PDF files attached to them, not to participate in their online surveys, and not to join groups of suspicious origin; I already talked about passwords above. The biggest threat for them is the illegal access to their personal data, which in itself leads to access to bank accounts, insurance policies, and illegal access to the latter is very dangerous because due to the personal illness data, they can become victims of blackmail. In short, they should be careful with whom or where they share their data.

AK: We have so far touched upon the individuals and the government, but have not yet spoken about the vast and critical area of business and corporate security. Can you name 3 “top cyber threats” to businesses, which exist in Georgia? And, of course, what are the cures?

VS: It's a good question, and that's why the private sector and business need to embrace the fact and the reality that their critical infrastructure is part of the nation's overall critical infrastructure, and that's under the umbrella of national security. Accordingly, the country's government is responsible for the protection of the common critical infrastructure and the established regulations oblige the business to ensure the protection of its critical infrastructure, which is necessary again based on national security norms. That is why it is necessary to strengthen cooperation between the state and the private sector. This is already reflected in the new cyber security policy of Georgia, and its implementation is only a matter of time. According to the new legislation, the private sector is included in the list of critical information system subjects, obliges businesses to have information security managers and cyber security specialists, conduct penetration tests and conduct information security audits, and submit reports to the state's responsible structures.

One of the serious threats and challenges for business is its "Top management", which in many cases does not understand the importance of security in general, and even more so cyber security, which is already much more virtual. Therefore, due attention is not paid to the private sector, unless "Top management" understands that the protection of the company's critical infrastructure is necessary and that its vulnerability is harmful. 

AK:  What can be improved in the corporate field in general, or in specific sectors – for example, banking, or perhaps in other business sectors that are especially vulnerable to cyber threats?

VS: I would like to point out that it is necessary to raise awareness of the threats that the private sector is facing, "Top management" should make a decision on the protection of the critical infrastructure of its organization/company, follow the obligations stipulated by the law, in particular, to conduct penetration tests and an information security audit. Moreover, there should be an information security manager and a cyber security specialist, and the cyber hygiene training must be conducted among employees. All this will reduce the risks as much as possible. Also, the process of digital transformation is currently underway in companies, and security elements must be taken into account within this framework.

This is for all areas of the private sector, including the banking and financial sector, however, unlike others, they also have an obligation to their regulator, the National Bank.

AK: Internet governance is another subject that I wanted to touch on, if relevant. Caucasian Journal has covered this theme before, in particular talking with Estonian experts, whose country occupies a leading position (read more here). Is there substantial progress in this field in Georgia?

VS: The Internet Governance Forum is what was convened by the UN Secretary-General in 2006 and since then annual general meetings, and regional and national level meetings have been held. Among them, the Georgian Internet Governance Forum GeoIGF was held for the first time in September 2016, and I am proud that I was the initiator and organizer of its implementation. It's a great platform to talk about the internet and internet technologies, internet politics, and in short, everything related to the internet. All interested parties participate in it, its supporters are ICANN, RIPE NCC, ISOC, and ITU, as well as the state structures of the countries where it is held. So Georgia has some experience in this direction as well. By the way, this year, for the first time in Georgia, I created the educational module "Internet Governance and Cyber Diplomacy", which is already being taught at several leading universities, and it deals with the issues we discussed.

AK:  If there is anything that you would like to add for our readers, the floor is yours.

VS: I would like to point out that cyber security and cyberspace in general, and all the issues related to them, be it technical, strategic, or managerial, are constantly changing, and this change is happening very fast, so new challenges appear and they need constant study, analysis, that is why the role of academic circles, state and private sectors is very important for the development of the sector in the right direction. Fortunately, studies are conducted in this direction, moreover, two books have been published in Georgian and I am the author of both of them, however, I consider that it is influential to conduct scientific studies, which will contribute to the further development of the field. The topic is quite large and voluminous, and I think I have managed to give your readers as much information as possible in the given format.

Thank you very much for the invitation and I want to wish your journal success, progress, and many interesting interviews!

AK: Thank you very much!
