The series of recent cyber attacks on Croatian institutions and companies is a reminder that the country needs to become more vigilant and make its response more transparent, says Croatian IT expert Marko Rakar.
He notes that there is little difference between the private and public sectors in terms of vulnerability to attacks of this kind. He adds there is also no reason why Croatia’s IT security should be worse than that of Germany, France, or America.
“We all use similar software solutions, similar or the same operating systems, the same equipment – it’s all bought from the same suppliers,” Rakar said.
“As far as that is concerned, we are all equal, there is no big difference. Some countries are in a worse condition than us because their state IT systems are mostly outdated. They are not designed to be safe…[and] if the system is not built to be safe from the beginning, it is very difficult to improve it afterwards,” he explained.
Motives behind hospital attack still unclear
Zagreb’s Clinical Hospital Centre was targeted by Russian hackers. Photo: kbc-zagreb.hr
“The attack on the hospital in Zagreb came from Russia but the question is whether they knew in the first place that it was a hospital,” he said.
“Entry into the system happens automatically, it is not that someone makes an individual decision. They probably realized it was a hospital when they entered the system,” Rakar suggested.
He noted that although the attackers demanded money, a political background cannot be ruled out.
“That was done by a Russian group, maybe they did it for money, and that is a very likely reason. Another possibility is that they did it according to instructions with sponsorship or some kind of tacit permission of the Russian state,” said the expert.
He emphasized that there are known Iranian, North Korean and Chinese hacker groups that are state-sponsored and actively try to create chaos.
“Politics can’t be excluded but since they downloaded the data and are demanding a ransom, the assumption is that it is just ‘business’,” Rakar said.
But the hospital attack had potentially serious consequences, he observed.
“You [might] have a doctor who has to make a diagnosis but the patient’s health information is unavailable to him, so there is a possibility that critical information will not reach the doctor in time and, because of this, a patient can get sick or even die,” he warned. “This is a very serious problem.”
Rakar observes that stolen data can also have value in the market, because such a database could theoretically be very useful for a pharmaceutical company, for example.
Although Rakar did not want to speculate about it, the fact that Croatia helps Ukraine, and that wounded Ukrainians are treated in Croatian hospitals, could be a factor.
“It is not just a matter of physical network infrastructure, routers, firewalls and software solutions that are used. There is also the issue of the end users who, as a rule, are irresponsible, uneducated, and unmotivated to take care of security,” Rakar said.
He emphasizes that a system consists of many links in the chain, and a single weak link is enough for the entire system to be compromised.
State cyber security agency ‘not transparent’ enough
Under Croatia’s Cyber Security Act, adopted in February, the central government agency in charge of cyber security is the Security Intelligence Agency, SOA.
Rakar said that is not the best solution.
“I was criticised for criticising the Law on Cybersecurity and the decision to make the intelligence agency the central state body for cyber security,” he recalled.
“By its definition, it is not a transparent organisation, it does not have to explain its decisions or explain to anyone what it does and why. In the context of cyber security, it just doesn’t make sense,” Rakar insisted, noting that, when it comes to cyber security, transparency and publicity contribute to security.
“If you have border security or the fight against some criminal groups, then of course measures are secret. But when it comes to cyber security, there needs to be a much more transparent organisation that will speak publicly about security issues. The intelligence agency neither has the people for that nor are they culturally ready for open communication, so in my opinion it is not the happiest solution,” he said.
“On the other hand, it’s better to have someone than no one to take care of it,” Rakar added, noting that he has no data on the SOA’s readiness to fight cybercrime.
The SOA submits a report every year, including a section related to cyber security. However, as the report does not detail the exact budget allocated in terms of money, people, and equipment, it is difficult to assess its efficiency.
Cyber security ‘is like road safety’
Rakar says cybersecurity is more like road safety or preventive health care than defence policy.
“Just as you have to educate people to wash their hands regularly, you have to educate people to have safe passwords, to think before clicking on unknown links, and think twice before answering a message from an unknown number,” he explained.
“We have to inform people about the need to think before doing something at the computer that will have real-life consequences,” he warned.
“When such breakthroughs occur, it is very important that we talk about how and why it happened. What have we done to prevent this? And what to do so that it doesn’t happen again?”
“The disaster that happened in the hospital in Zagreb has the potential to help society as a whole to be more prepared for the next attack. If we keep quiet about it, no one will learn anything,” he said.