
Mission: hunt down cybercriminals

2021-02-28T18:01:31.617Z


The pandemic has awakened the virtual monster. In a hyper-connected world, cybersecurity is in jeopardy. We are more exposed than ever. Attacks over the Internet are increasingly aggressive, and in Spain last year 60 of them went so far as to jeopardize State infrastructure. The Internet is the battlefield where criminals and terrorists challenge and manipulate governments, citizens and companies. We visited Spain's defense centers to understand how they are facing this digital war.


Planned and executed from some nebulous corner of the planet, during 2020 (year one of the pandemic) 60 cyberattacks jeopardized Spain's national security and the digital underpinnings of some of its critical infrastructures, that is, the essential services that keep the country running and whose list is secret. Silent assaults. Cheap and anonymous. One "critical" round every week. Almost double the figure for 2019. Behind them were States (Russia, North Korea and China are always named, although there are false flag operations), organized crime and hackers. Each time better organized: some finance, others manage, and technicians (graduates or self-taught) do the dirty work: they open the doors of a system and sell the digital key to the highest bidder. There is abundant supply and demand on the dark web.

The main goals: make money and gain influence. The mechanics do not vary, the goals do. It is about spying, destabilizing, deceiving, swindling, stealing intellectual property, discrediting or gaining a business advantage over a country or a company. And, at the bottom of it all, harming citizens and violating their privacy to the point where they lose confidence in the system.

The two large Spanish defense and response centers for cybersecurity incidents (called CERTs, Computer Emergency Response Teams) are public. One is dedicated to defending the networks and systems of the Administration (the National Cryptologic Center); the other, those of private companies, universities and citizens (the National Institute of Cybersecurity). In total, they reported more than 200,000 attacks of different levels last year. 73,000 were against the Public Administrations. Of the 130,000 against private targets, a third were scams. And, in general, more aggressive than ever. The Armed Forces were not spared either: their Joint Cyberspace Command (which protects military networks), through one of its analysts, a lieutenant colonel, says it analyzed 700 attacks against its systems last year: "For it to count as an incident there has to have been an impact, and there was."

Beyond the technical side, 216,000 complaints for computer crimes were filed at Spanish police stations in 2020. Is that many or few? Nobody knows, since no Administration seems able to glimpse the dark figure, the thousands of cases that go unreported out of shame or fear: citizens and companies (sometimes listed on the Stock Market) with their computers breached, their websites taken down, their data held hostage, their identity stolen, their information stolen and traded on the black market, and victims of fraud and blackmail, who also do not want to see their reputation eroded by making it public. So they prefer to pay ransoms, and they do so in cryptocurrencies that are hard for the police to trace. The State Security Forces confirm that only a small fraction of attacks are being investigated. A report by the consulting firm Deloitte in 2019 concluded that 76% of companies had suffered a cyber incident. And with success for the attacker. Most never came to light. And if they are not reported, they cannot be investigated. It is not possible to build a profile of the attacker or his modus operandi; no traces can be found, his nationality and technology cannot be identified, nor his behavior patterns unraveled. The footprint they leave (the one we all leave when we browse) is sniffed out by police and data analysts who patrol the Internet and sift big data with their technological tools. All the way to a server and perhaps an individual IP address.

And not always to the culprit. "But when you don't have a cigarette butt to trace, like the policemen of old, if you don't get evidence to link it to previous attacks, which we call 'indicators of compromise', you lose your investigative capacity," explains Inspector Francoso, Head of Analysis at the Office of Cyber Coordination (OCC). "Studying one attack leads you to prevent another. It is key to carry out a forensic study of each incident and cross that information with police around the world. We alert them and they alert us. That is why, when a critical operator of the State notices an incident, it is obliged to notify us, and we produce a report to anticipate future attacks. And if we see signs of a crime, we pass it to the Civil Guard and the National Police for investigation."
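The cross-referencing the inspector describes can be mechanized. The following Python script is an added example, not code from the OCC or from any organization named in this article: it pulls the usual indicator types (public IPv4 addresses, domains, SHA-256 hashes) out of free text, undoes the "defanging" analysts use when sharing indicators (hxxp, [.]), drops internal addresses that say nothing about the attacker, and reports which indicators a new incident shares with a prior report. The incident report and log lines are constructed for the example; the IP addresses come from the documentation ranges and the hash is made up.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Indicator patterns. The domain pattern is deliberately narrow (a fixed TLD list)
# so that file names such as svc.exe or gate.php are not mistaken for hosts.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|es|eu|ru|xyz|top)\b", re.I)

# Address ranges that identify our own network, not the attacker (assumed list).
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)

    def overlap(self, other):
        """Indicators present in both sets: the evidence that links two incidents."""
        return IocSet(self.ips & other.ips, self.domains & other.domains,
                      self.hashes & other.hashes)

    def __len__(self):
        return len(self.ips) + len(self.domains) + len(self.hashes)


def refang(text):
    """Undo the defanging used when indicators are shared (hxxp://evil[.]xyz)."""
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(old, new)
    return text


def extract_iocs(text):
    """Collect public IPv4s, domains and SHA-256 hashes from a report or log excerpt."""
    text = refang(text)
    found = IocSet()
    for candidate in _IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an IP
            continue
        if not any(ip in net for net in _INTERNAL):
            found.ips.add(str(ip))
    found.hashes.update(h.lower() for h in _SHA256.findall(text))
    found.domains.update(d.lower() for d in _DOMAIN.findall(text))
    return found


def link_incidents(new_evidence, prior_report):
    """Return the indicators the new evidence shares with a previously analyzed incident."""
    return extract_iocs(new_evidence).overlap(extract_iocs(prior_report))


# Constructed sample data (not real indicators). A prior incident's write-up, as an
# analyst would share it, defanged:
PRIOR_INCIDENT_REPORT = """
Incident 2020-0412 (constructed example). C2 observed at 192.0.2.45 and
hxxp://update-service[.]xyz/gate.php. Dropped payload
sha256 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b.
"""

# Log lines (constructed) collected from a new victim during forensic triage:
NEW_INCIDENT_LOGS = """
2021-02-24T03:12:07Z fw01 DENY src=10.0.0.5 dst=192.0.2.45 dport=443
2021-02-24T03:12:09Z proxy01 GET http://update-service.xyz/gate.php from 10.0.0.5
2021-02-24T03:13:30Z edr01 quarantined svc.exe sha256=3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
2021-02-24T03:15:02Z fw01 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=8443
"""

if __name__ == "__main__":
    shared = link_incidents(NEW_INCIDENT_LOGS, PRIOR_INCIDENT_REPORT)
    print(f"{len(shared)} indicator(s) shared with the prior incident:")
    for kind in ("ips", "domains", "hashes"):
        for ioc in sorted(getattr(shared, kind)):
            print(f"  {kind[:-1]:7} {ioc}")
```

Run as-is, the script reports three shared indicators (the C2 address, the domain and the payload hash); the new destination 198.51.100.7 appears only in the new incident and is the kind of fresh indicator that would be added to the report and shared onward.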

According to private industry sources, a single laboratory analyzes more than 40,000 different malware samples (malicious software) every day. A figure that doubles every year. The mathematician Marcos González, deputy director of the National Institute of Cybersecurity (Incibe), confirms it: "When there is an incident, we ask them to send us the contaminated file and our team of 25 analysts dissects it. And we inform the public about the risks. We have the telephone line 017 operating 24 hours a day so that citizens and SMEs can report their attacks to us."

As David DeWalt, president of the computer security company McAfee, recently stated, the invisible mafias behind the range of attacks on internet security around the world move around 105 billion dollars a year (about 87 billion euros), earning more than drug trafficking (data already reported in a Europol report of 2019). And with greater impunity. In Spain there are hardly any armed bank robberies, whereas in the 1990s one was committed every day. Today, banks and their customers are hit digitally. Scams have also disappeared from the street. And you can buy kilos of heroin on the dark web. Political and commercial manipulation flows in a more subtle and, above all, more personalized way: "Today's elections are won in the digital world, not in the bullrings," says Samuel Álvarez, engineer and cybersecurity consultant.

Everything happens on the Internet. But nobody knows who the bad guys are or where they are. "Their server may be in Panama, they may be in Syria and the terrorist in France," explains an analyst from the Civil Guard. Technology is their ally: it encrypts their communications and grants them anonymity. Attacks are increasingly targeted, less indiscriminate, more sophisticated and better planned. Smart bombs aimed at individual institutions, companies and citizens. Plans that mature over years. At the top of the pyramid of these attacks (usually against States and large companies) are the so-called advanced persistent threats (APTs), intruders who, once inside a system, can remain dormant indefinitely. Until they are activated. And they take control of the infected computer. And they spread. They are like zombies. "They enter your computer and leave a seed. And years can go by without anyone detecting it. And one day they activate it and it can bring down an electoral process," explains an Army officer specialized in electronic warfare.

Commissioner José García Serrano, of the Central Cybercrime Unit, stresses this progressive specialization: "Going down a few steps, the bad guys used to send fake emails to thousands of scattered, random recipients to see who would bite, but now they aim at predetermined targets. They do preliminary research, they look for weak points in security. They use social media. They recruit disloyal insiders within a company to facilitate access to information. They are in no hurry. Their strikes are more dangerous and better designed than before. They are harder to stop and more expensive to repair. They are ahead of us."

The Web was not conceived 30 years ago as a safe place. And no one has ever exercised sovereignty over it. It is global, open, fast, dynamic, easily accessible, highly anonymous and poorly regulated. In it are information, services, ideas. Our data. And the computer systems we use are not secure either. They were not designed with security in mind. And even if a critical infrastructure system is shielded (an airport, a refinery, a hospital...), the companies that provide services to it, its suppliers, partners and subcontractors, those in charge of maintenance or its employees may not be. "They no longer need to attack the head of the essential service, just anyone connected to it," explains Juan Antonio Gómez Bule, political scientist, consultant and vice president of Ecix Group. "And if that provider is vulnerable, it makes the whole critical infrastructure vulnerable. Network security traceability must be established and every product must be certified. And that does not happen now. And so they sneak in."

José de la Peña, head of the SIC group, dedicated to cybersecurity since 1991, confirms it: "All systems are susceptible to attack. They are never invulnerable. It is a game of barriers and attacks. If you leave a hole and there is a profit, they will come in. Crime goes for money, and States for unspeakable matters, starting with the secrets and patents of other States. The Web is the dark object of desire."

The technological tools used by attackers and defenders are the same. The good guys also attack, even if they don't publicize it. Europol, the FBI, the armies and the police can seize or take down the cybercriminal's server, look for back doors, or leave a decoy (a honeypot) so that he ventures into yours and gets caught. The military, in the Cyberspace Command, run continuous maneuvers, true stress tests, from their C4D (Cyber Defense Command, Control and Conduction Center), where the battlefield is the Network. It is about deterrence. As during the nuclear arms race. And in the event of conflict, "leave the enemy deaf, mute and blind," in the words of its commander, General Rafael García Hernández. It is a question of investment in talent and R&D. "And in that new capitalist order without rules that is the web, whoever gets the new technology first sweeps the board," explains diplomat Nicolás Pascual de la Parte, special ambassador for Hybrid Threats and Cybersecurity.

There is consensus that no State can defend itself alone against these borderless risks. It needs international collaboration and the support of the private sector, which has the technology and the technicians (for example, mobile operators such as Telefónica or large technology companies such as Indra, but also micro-companies specialized in monitoring social networks, detecting viruses or watching for suspicious traffic). In Spain, according to Incibe, the cybersecurity sector has more than 1,200 suppliers with 6,000 products and services. Even the Presidency of the Government, the National Intelligence Center (CNI) and the military acknowledge that in this field they draw on companies, tools, engineers and analysts from the private sector, especially during the digital crisis linked to COVID. Israel (in permanent war) tops every ranking as the leading country. Behind it, the United States and the United Kingdom. In France and Germany cybersecurity is a matter of state. In Spain, the transfer of knowledge between the public and private sectors could be improved, according to the experts consulted. "And in this race, you fall behind immediately," says Lieutenant Colonel Emilio Rico, of the Cyberspace Command. "And those companies have to give you capabilities: not just a product, but its complete development. Usually it is software that is integrated into your platforms."

Everything is online, including the opportunities of an open market and also the jihadists, who are now recruited, radicalized and trained virtually, according to Lieutenant Colonel FV, head of Special Central Unit 2 of the Civil Guard (which deals with international terrorism): "For them, the Internet has become a multipurpose knife in their operations, their communication and their propaganda. And we have confirmed that during the pandemic." In UCE 2 they have undercover agents who, with court authorization and an assumed identity, enter closed forums and circles to locate terrorists. But it is not always easy to prove to a judge that, beyond his digital extremism, his intention is to kill.

Everything passes through the Internet. According to World Bank data, there are more than 4 billion Internet users in the world, and a similar number are already active on social networks. Various sources speak of more than 50 billion devices around the planet connected to the great information highway, most of them for everyday use: from the gas meter, the refrigerator and home alarms to the turnstiles at company entrances, medical diagnostics and digitized agriculture. And they are vulnerable. It is the internet of things (IoT). And very soon, smart homes and cars will take advantage of the breakneck speed that the fifth generation of mobile communications (5G) will provide. Everything connected and faster. In Spain, according to the National Institute of Statistics (INE), 93.2% of citizens between 16 and 74 used the internet in 2020, which translates into 33 million users. Among young people the figure rises to 99.98%. We are hyper-connected. Our business, studies, health and social relations. Our life. And yet we have no sense of risk. We doubt whether what happens on the Internet is fact or fiction. We expose our lives. We give away our data. We tend to be gullible in the face of disinformation.

90% of serious incidents start from human error. A seemingly harmless email. It may be an exact copy of a message from our bank, or from the Tax Agency at income-tax time. We open it. It detonates. And the epidemic begins. With the result, for example, that all the data on our systems is encrypted and can only be recovered from the attackers in exchange for a ransom. This attack model is called ransomware. It is the most frequent and the most lucrative. It can happen to a nuclear power plant or a body shop. In May 2017, the so-called WannaCry hit more than 200,000 computers in 150 countries in seven hours; and, in Spain, three critical operators: Telefónica, Gas Natural and Iberdrola. (WannaCry did not actually need anyone to open an email: it spread by itself between Windows machines through the SMBv1 flaw that Microsoft had patched two months earlier in MS17-010, which is why unpatched networks fell so fast.) From that moment the Government and the European Union realized that the matter was no joke. In Spain, the response was the National Cybersecurity Strategy, drawn up in La Moncloa and published in 2019. A few months later the pandemic arrived, accompanied by a wave of attacks on hospitals and pharmaceutical companies; disinformation, scams, espionage and propaganda: the infodemic. In the era of covid-19, the attacks were particularly virulent against the health system. In its latest trend report, published last October, the National Cryptologic Center cited ransomware against medical facilities as one of its major concerns.

Experts call these cyber deception techniques "social engineering." A military officer puts it simply: "If you have been playing poker for five minutes and haven't spotted the sucker, don't doubt it: the sucker is you. And on the Net that is an article of faith: the product is you."

"You are a walking device; a network of sensors: you receive and emit information continuously," explains security consultant Juan Antonio Gómez Bule. "And the same goes for your house and your company. And if you don't protect yourself, consider yourself lost. There are large security gaps, especially in SMEs. It is a subject that is not taken seriously. And you never know when you are going to be the target. Or you already are and don't know it. Putting money into cybersecurity is not an expense, it is an investment, to begin with, in the reputation of your company. And that is what is quoted on the market today."

"The pandemic has been a crash course in digitization for everyone," says Javier Candau, head of cybersecurity at the National Cryptologic Center (the government CERT, integrated into the CNI and headed by the director of the intelligence service, Paz Esteban). From the declaration of the state of alarm on March 14, 2020, teleworking spread across the whole country. And shopping. More than 90% of households are in cyberspace. Many of us have a computer at home connected to the corporate network of our company or ministry. And that carries risks. In a short time we have realized the vulnerabilities not only of the Internet, but also of the tools and applications. For Colonel Candau, the avalanche of teleworking and the internet of things "have expanded our exposure surface to attack. There are more incidents. And more serious ones. And that is going to be the trend."

For Félix Arteaga, researcher at the Real Instituto Elcano think tank, "cybersecurity must accompany the digitization of society, avoid its risks and favor business. And that has been achieved correctly in the critical infrastructures of the State. And listed companies have their own response centers, sometimes more powerful than the Administration's. However, that cybersecurity ecosystem with the private sector has not been completed. There is still no connection between the public and the private. Our exposure is increasing; we are unprotected and that increases the fragility of the system. Social awareness and industrial capacity must be increased. Cybersecurity must be a true public policy."

Who should do it? Who is in charge of cybersecurity? In Spain there is no cyber czar, no executive head, no single window. Command is at least two-headed, split between the Presidency of the Government and the CNI. Without forgetting the ministries of Economic Affairs and Digital Transformation, Interior, Defense, Justice and Foreign Affairs. "We have opted for soft governance," explains Javier Candau, of the National Cryptologic Center (which reports to the CNI). "No one is in charge of everything, but the National Cybersecurity Council has been set up, which reports to the National Security Council, chaired by the President of the Government." In addition, as a weak channel of communication between public and private, there is the National Cybersecurity Forum, which has no budget. And at the end of 2020 the creation of the Permanent Commission against Disinformation (christened the "ministry of truth" by the conservative opposition) was announced, and it is already operating. Its objective is to detect and counter fake news; it is coordinated by the Secretary of State for Communication, and its tasks have not been explained in depth by the Presidency of the Government, on which it depends. In the cyber sector (public and private) many are suspicious of it. Some sources envy the United Kingdom's National Cyber Security Centre (NCSC), a body that coordinates all cybersecurity responsibilities in that country, including critical infrastructure, except military matters, and has a budget of more than 2 billion euros.

"The problem in Spain is that there is no single element of leadership," reflects Arteaga. "There is no real public-private coordination mechanism; there is no R&D policy; there is no national research program. And at the top, the Department of National Security (DSN), which depends on La Moncloa, mediates and sets the strategy, and the CNI has the means. But there is no executive hand and each ministry goes its own way. And then there are the Basque Country and Catalonia with their CERTs, and the large companies with theirs."

When you visit all the public cybersecurity organizations (all in Madrid except Incibe, which President Rodríguez Zapatero installed in León), you get the feeling that, like everything else in Spain, they work very well separately, but getting them to work together must be complicated. The muscle lies with the Department of National Security (DSN) and the CNI. The first, because of its strategic nature; the second, because of the power of intelligence. General Miguel Ángel Ballesteros directs the first from the La Moncloa bunker, three minutes from Pedro Sánchez's office. He is the president's adviser on national security matters. The DSN should be the axis of the entire cybersecurity policy, as the general defines it in his office: "This department is the point of integration of all information and the point of contact with the EU." However, it has no budget of its own, nor does it chair the National Cybersecurity Council, a role held by the director of the CNI, Paz Esteban. "At first the idea was to rotate the presidency of the Council between DSN, CNI, Interior, Defense and Economy, but then it was decided that the intelligence service should not move, and that is how it has stayed...", comments one of its members. In any case, everything comes together in the Prime Minister.

The CNI is the most knowledgeable body in Spain's cybersecurity scheme through its technological arm, the National Cryptologic Center (CCN), which runs a defense and early-warning service. In this business, the CNI carries a lot of weight. And no one in the cybersecurity ecosystem doubts it. From its headquarters west of Madrid, it handles all cyber incidents involving the General State Administration: constitutional bodies (Head of State, Congress and Senate), state companies (as powerful as Adif, Correos, Navantia or Red Eléctrica) and bodies such as the National Securities Market Commission (CNMV). Not military systems, though. And it does not stop at solving the technical side of an incident; it goes further, investigating whether the attacks come from other States, and it also holds (by law) the responsibilities for counterintelligence and the handling of official secrets. Perhaps the CNI's greatest power in cybersecurity lies in the probes it keeps deployed on the computer equipment of 350 of the public bodies mentioned, as Colonel Candau confirms. They are hardware and software devices that the center's technicians install and update remotely, and that monitor these organizations' incoming and outgoing internet traffic. They screen for and detect intrusions and suspicious traffic; the hits are filtered and sent to the center's central system for in-depth analysis. That whole security architecture rests on early warning. Do these probes respect the privacy of public employees' communications? According to a document from the center, "at no time does it focus on the analysis of traffic content that is not relevant to detecting a threat."
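The probes are described as watching traffic flows and forwarding only what is relevant. One metadata-only check of that kind, written here as an added example and not the CCN's own code, is beacon detection: malware checking in with its controller tends to connect to the same destination at a fixed interval with little jitter, which stands out in flow records (who talked to whom, when, how much) without inspecting any payload. The flow records below are constructed for the example, and the thresholds (at least five connections, jitter under 10% of the mean interval) are assumptions a real deployment would tune to its own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow export, as a probe might emit it: metadata only, no content.
# 10.1.4.22 talks to 192.0.2.45 about every 300 s (a beacon) and browses
# 198.51.100.10 at irregular times; 10.1.4.30 makes two unrelated connections.
FLOW_RECORDS = """\
ts,src,dst,dport,bytes
2021-02-24T08:00:00Z,10.1.4.22,192.0.2.45,443,1320
2021-02-24T08:01:13Z,10.1.4.22,198.51.100.10,443,48211
2021-02-24T08:02:40Z,10.1.4.22,198.51.100.10,443,9120
2021-02-24T08:05:01Z,10.1.4.22,192.0.2.45,443,1304
2021-02-24T08:09:59Z,10.1.4.22,192.0.2.45,443,1311
2021-02-24T08:12:10Z,10.1.4.30,203.0.113.8,443,7700
2021-02-24T08:15:00Z,10.1.4.22,192.0.2.45,443,1298
2021-02-24T08:17:05Z,10.1.4.22,198.51.100.10,443,30044
2021-02-24T08:20:02Z,10.1.4.22,192.0.2.45,443,1325
2021-02-24T08:24:58Z,10.1.4.22,192.0.2.45,443,1307
2021-02-24T08:43:20Z,10.1.4.22,198.51.100.10,443,15230
2021-02-24T08:44:00Z,10.1.4.22,198.51.100.10,443,2210
2021-02-24T08:51:30Z,10.1.4.30,203.0.113.8,443,6100
"""


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        flows.append(rec)
    return flows


def find_beacons(flows, min_count=5, max_jitter=0.10):
    """Flag (src, dst, dport) conversations whose inter-connection gaps are
    nearly constant: coefficient of variation of the gaps <= max_jitter.
    Only timestamps are used, so payload privacy is untouched (assumed thresholds)."""
    by_conversation = defaultdict(list)
    for f in flows:
        by_conversation[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    hits = []
    for (src, dst, dport), stamps in by_conversation.items():
        if len(stamps) < min_count:          # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(stamps),
                         "period_s": round(mean, 1), "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(FLOW_RECORDS)):
        print(f"beacon candidate {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['period_s']}s x{hit['count']} (jitter {hit['jitter']})")
```

On the sample, only the 10.1.4.22 to 192.0.2.45 conversation is flagged (six connections, period about 300 s, jitter below 1%); the browsing conversation has as many connections but wildly uneven gaps, and the two-flow conversation never reaches the minimum count. A hit like this is what a probe would forward for in-depth analysis, where the destination would then be checked against known indicators.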

On the outskirts of Madrid, in El Pardo, in a half-hidden building on the banks of the Manzanares, sits another key structure of national cybersecurity: the Office of Cyber Coordination (OCC) of the Ministry of the Interior. It deals with the digital security of critical infrastructures, a secret inventory of 400 "essential operators", 80% of them private companies, covering the energy, transport, health, financial, telecommunications, information, water, nuclear, chemical, space, Administration, food and navigation sectors. If one of them were attacked and infected other operators, a chain reaction of unpredictable outcome could be unleashed. The cyber doomsday. From here they fight to prevent it. Mobile phones are not allowed in, as in the Joint Cyberspace Command and the CNI. Commissioner Juan Carlos López Madera is in charge, and his staff is made up of police officers and civil guards in dark suits. Everyone here is an analyst. They are immersed in drawing up the first Strategic Plan against Cybercrime. Pure intelligence. You have to prevent.

The pandemic and teleworking have awakened the digital beast, and it will not go back to its lair. When covid-19 is a bad memory, the cyber virus will keep spreading its tentacles through its borderless reality. And we have no vaccine. Veteran consultant Juan Antonio Gómez Bule, with 30 years in the business, confirms it: "If you are the target, consider yourself done for, because you don't know when or how they will attack you. Or whether they already have."

Source: elparis
