State's cavalier attitude to cyberattacks
François-Marie Arouet – the 18th century French Enlightenment writer, historian and philosopher, famous for his wit and advocacy of freedom of speech, and better known by his nom de plume Voltaire – once said: “Common sense is not so common.”
On July 22 last year, a massive cyberattack on the state-owned Transnet Port Terminals (TPT), a division of transport logistics behemoth Transnet, paralysed the company’s and South Africa’s critical port terminal system.
The ransomware cyberattack, which affected the country’s key container terminals, forced Transnet to declare force majeure.
According to Transnet, TPT’s major customers represent a broad spectrum of the economy and include the shipping industry, vehicle manufacturers, agriculture, timber and forest products, the mining industry and exporters of minerals, metals and granite.
For Transnet to provide an efficient, cost-effective and reliable service to its customers, the company’s container terminals use the cloud-based Navis system, which provides integrated real-time shipping information and serves as the backbone for inland road freight logistics.
So the ransomware attack was practically an attack on the operational integrity of the country’s critical maritime and land infrastructure, at a critical time when global supply chain turmoil and this country’s economy, particularly its manufacturing base, had been severely affected by the Covid-19 pandemic.
Although the hackers that exploited Transnet’s security vulnerabilities reportedly didn’t succeed in their extortionist activities, the company and the economy suffered incalculable economic and financial losses as a direct consequence of this cyberattack.
NO ACTION
Common sense would have dictated that, following the incident, those responsible for the maintenance and security of critical public infrastructure would be jolted into action to ensure that identifiable information and communication technology (ICT) security vulnerabilities were addressed to mitigate any future cyberattacks, such as the one that took months for Transnet to address and caused financial and economic hardship to this country.
Alas! What did Voltaire counsel the world about common sense?
Folks responsible for IT systems in the justice department were clearly not paying attention to what had happened months earlier at Transnet.
If they had been, the ransomware cyberattack that would later paralyse Transnet for months could have been averted.
When black hat (malicious) cyberhackers came knocking at the department’s door last September, the intranet web portal used by transcribers to download court recordings for transcription – including the Integrated Case Management System, an administrative system used by all courts – was rendered inoperable.
This put a halt to court proceedings, including those of the alleged killers of Gauteng provincial government whistleblower Babita Deokaran.
But the marauding band of criminals didn’t stop there, as they also exploited security vulnerabilities in the department’s trusts, deceased estates and insolvencies system, which is maintained by the Master of the High Court.
It serves the public in respect of deceased estates, liquidations (insolvent estates), registration of trusts, tutors and curators, as well as the administration of the Guardian’s Fund, which is responsible for the management of affairs of minors and mentally disabled persons.
Crucially, the Master’s office is mandated by law to “protect the financial interests of persons whose assets or interests are, for various reasons, being managed by others”.
The denial of IT services at the Master’s office had, and continues to have, grave consequences for those who rely on it.
It is unclear what the current status of recovery of affected IT systems in that office is, but it is common cause that most major law firms are shying away from recommending trusts for their clients. Instead, section 21 companies have seen a boon.
What stands between black hat hackers and the operational integrity of government’s IT systems is the State Information Technology Agency (Sita) and diligent IT security managers in state entities.
Sita is responsible for public sector ICT system requirements and provisioning. It is to the public sector’s critical ICT infrastructure’s operational integrity and health what National Treasury is to the state’s financial health and operational integrity.
Sita’s mandate couldn’t be more clearly articulated than it is in its mission statement, which is to “render an efficient and value-added ICT service to the public sector in a secure, cost-effective and integrated manner, contributing to citizen convenience”.
If a desktop exercise conducted on the website landing pages of key Sita clients is anything to go by as a basic test of its attitude towards IT security best practice, the agency falls woefully short of its commitment to provide a “secure, cost-effective and [convenient]” service to its clients and the public who patronise government online service points.
Consider this fact: almost 60% of government departments’ website landing pages do not provide secure connections to users or visitors.
A “not secure” message often appears before a vulnerable website’s uniform resource locator (URL). This indicates that there is an inherent privacy risk to anyone establishing a connection to the website.
For instance, anyone with rudimentary IT security skills can observe your detailed internet traffic and a lot of additional metadata that could be used to fingerprint you. This can allow someone to correlate the activity they can observe with other sites and potentially identify you.
But perhaps scarier is the fact that rogue actors could insert malicious content on to the site, to the harm of unwitting users.
A site such as the Public Protector’s is a perfect example of a resource that poses a serious security risk to its users. In fact, not only is the site unsafe, it forcefully encourages patrons to download in defiance of security warnings by Google.
This doesn’t seem to concern the Public Protector’s office an iota, as, in what reads like a public challenge to an IT network penetration duel after being alerted to the issue, its spokesperson wrote: “your queries were brought to the attention of the website’s host, Sita. The agency has since assured the Public Protector that security measures other than the secure sockets layer (SSL) are in place within its website hosting infrastructure to mitigate against any potential attacks”.
“The Public Protector is further advised that it would be imprudent to reveal the finer details of the security measures in question to third parties, for obvious reasons. This notwithstanding, Sita will implement the SSL soon.”
It is important to note that an SSL certificate, which is crucial in mitigating a website’s security vulnerabilities, costs anything between R200 and R1 500 a year.
CAVALIER ATTITUDE
With such a cavalier attitude to IT security and apparent dare, it is plausible that successful, unauthorised but friendly network penetration tests may have already been conducted on the Public Protector’s IT networks to debunk the office’s claims that “security measures other than SSL are in place within its website hosting infrastructure”.
But the South African government is not the only one with a lax attitude towards IT security. Worldwide, institutions downplay the severity and long-term organisational effects that cyberattacks have on their operations as they seek to minimise reputational harm.
Private companies such as TransUnion, Absa and Standard Bank have all been subject to cyberattacks. What differentiates them from Sita is their attitude and unmistakable fidelity to IT security tenets.
Unlike the government agency, these companies seem to live by 18th century Scottish philosopher and Scottish school of common sense founder Thomas Reid’s treatise that:
The chain is only as strong as its weakest link, for if that fails the chain fails and the object that it has been holding up falls to the ground.
Considering the risk level posed by this, shouldn’t Sita prioritise the resolution of the security issue instead of kicking the can down the road or burying its head in the sand?
Lest we forget, as a member of the Internet Service Providers Association (ISPA) – an organisation that represents the interests of internet providers in the country – Sita is bound by clause G of the ISPA code of conduct, which enjoins its members thus: “ISPA members must take all reasonable measures to prevent unauthorised access to, interception of, or interference with any data on that member’s network and under its control.”
With an increased move towards working remotely and exponential IT connectivity diffusion, it is disheartening to learn that dithering over a mere R200 SSL certificate could be the missing link in the state’s IT security infrastructure.