GOVSI podcast

Dr. Uroš Svete: All modern conflicts also have a cyber dimension

Government Office for Communication (Urad vlade za komuniciranje), Season 1, Episode 12

October is Cyber Security Awareness Month in many countries, including Slovenia. In the 12th episode of the GOVSI podcast, Dr. Uroš Svete, Director of the Government Office for Information Security, and Petra Bezjak Cirman, Director of the Government Office for Communication, discussed this topic.

We can no longer imagine life without the internet, but modern technologies unfortunately also have a dark side. Cyberattacks, which are on the rise, pose a growing threat to the economy, state institutions and individuals. They can even endanger national security, since all modern conflicts also have a cyber dimension.

A cyber incident can happen to me, to you, to anyone, which is why Dr. Svete stresses in the podcast that not everything online is safe: trust, but verify. We also have to watch out for disinformation, which often plays out as the next phase of a cyberattack. Just as we learned the rules of the road, security should become an inseparable part of using technology.

You are invited to listen to and watch the podcast.

The Safe on the Internet (Varni na internetu) programme is run by the national cyber security response centre SI-CERT, which operates under the public institute Arnes. SI-CERT is the national contact point, performing a mediating and advisory role, and also coordinates the programme of public awareness about information security.

On the dedicated website Dezinformacije (Disinformation) you will find a definition of disinformation, its key elements, and an explanation of foreign information manipulation and interference (FIMI). It also offers advice on how to recognise disinformation and an explanation of what a deepfake is. To raise public awareness we are running the campaign »Ustavimo dezinformacije: preBERI, preMISLI, PREVERI« (Stop disinformation: reREAD, reTHINK, VERIFY).


GOVSI Podkast

Voditeljica Petra Bezjak Cirman: Dober dan, spoštovane gledalke, gledalci, poslušalke in poslušalci. To je že 12. epizoda vladnega podkasta Gov.si v produkciji Urada Vlade Republike Slovenije za komuniciranje. Z vami sem Petra Bezjak Cirman. Spremljate nas lahko, kjerkoli spremljate podkaste. Oktober je v mnogih državah in tudi v Sloveniji mesec ozaveščanja o kibernetski varnosti. Zato bomo danes govorili ravno o tej temi. Z nami je edini pravi človek v Sloveniji, bi lahko rekli, za to področje. To je dr. Uroš Svete, ki vodi Urad. Dober dan.

Gost dr. Uroš Svete: Dober dan.

Voditeljica: Življenja brez interneta si ne znamo več predstavljati. In vaš urad se prav s tem ukvarja. Ustanovljen je bil pred petimi leti in je še zelo mlad.

Gost: Tako je. Ta naš urad je bil ustanovljen na osnovi prvega Zakona o informacijski varnosti, ki ga je Slovenija sprejela leta 2018 in je tudi morala kot članica Evropske unije, se pravi organizirati en pristojni nacionalni organ za kibernetsko varnost, tako da smo mi nastali na osnovi implementacije te direktive. Seveda, kot si že sama rekla, pa je sama tematika, se pravi digitalna tehnologija in internet in tako naprej bistveno starejša od našega urada.

Voditeljica: Rekla sem, da si edini primeren za to področje. Verjetno še je kakšen v Sloveniji, ampak ko se zgodi nek napad ali incident, kakor mu vi rečete, in boš potem pozneje tudi razložil, kakšna je razlika, vsi kličemo tebe in ti si vedno pred kamerami in pojasnjuješ, kaj se je zgodilo.

Gost: Ja, na ta način je postavljena sistemska rešitev. Namreč tudi zakon sedanji zelo jasno definira, kako se komunicira v primeru incidentov. To se pravi, kdo daje izjavo za javnost v soglasju seveda z žrtvijo, ki je tak napad doživela. Tudi zelo se mora izbrano govoriti o tem, ker se namreč danes v digitalnem svetu lahko ali potencira preveč ali pa premalo kibernetske incidente in v kolikor bi prišlo do, bi rekel nekega ne ravno najbolj organiziranega komuniciranja, ima še več težav, tako da sistem je postavljen na način, da naš urad dejansko zbira podatke ne glede na to, za katere organe gre, za vse zavezance, ali gre za državne organe ali gre za podjetja, ki potem preko SI-CERT-a prijavljajo incidente. Torej, mi smo tista špica piramide, ki imamo seznam in seveda tudi pregled nad dogajanjem v Sloveniji.

Voditeljica: Tako sva se tudi midva spoznala. Zato se danes tikava.

Gost: Ja.

Voditeljica: Ravno v teh primerih sodelujeva. Zelo si že ločil med seboj kibernetski napad in incident. Ali nam pojasniš, kakšna je razlika?

Gost: Zakon je izhajal iz tega, da imamo lahko različne tipe samih kibernetskih incidentov, pa tudi stopnje resnosti. Se pravi incidenti se lahko dogajajo ali organizirano po več strukturah hkrati, se pravi po več sektorjih hkrati, lahko so pa naključni, lahko gre za naključno izrabo nepazljivosti uporabnikov, za naključno izrabo neposodobljenih sistemov, ki jih imamo, in od tega je odvisno potem, ali mi govorimo o incidentu ali govorimo o napadu. Incidentov je seveda več vrst. Za nas so najbolj občutljivi kritični incidenti. Tisti so res incidenti, ki imajo zelo jasne direktne posledice na delovanje storitev. Se pravi, če imamo neko storitev, ne vem, servisa za državljane, ta mora delati, če ne dela, je to direktno motenje. Če recimo nekdo je zavezanec za to, da zagotavlja električno energijo, če to bi bilo pač omejeno ali pa seveda tudi ustavljeno, ima to posledico na storitev. To je najbolj resen, kritičen incident. Napad pa, o tem se govori pa takrat, ko bi mi zaznali neko organizirano kampanjo proti državi, pri čemer bi tudi na neki točki že lahko ugotovili, kdo je za takim napadom. Seveda v takih primerih se mora angažirati tudi Svet za nacionalno varnost. Vlada potem lahko sproži ostale mehanizme kriznega upravljanja, tako da zato mi ne govorimo o napadih. Govorimo raje o incidentih in po novem bomo tudi govorili o skorajšnjih dogodkih. To so pa tisti tehnični dogodki, ki še niso pripeljali do incidenta, ampak so neke vrste tipanje nasprotnika, da poskuša našo infrastrukturo osmisliti, da poskuša tudi ugotoviti, kje so kakšne ranljivosti, pomanjkljivosti. Temu se reče skorajšnji dogodki. 

Voditeljica: Mi smo se v Sloveniji v zadnjega pol leta srečali z DDoS. Jaz imam tukaj en prevod. Boš me popravil, če ni v redu. Napad DDoS je usmerjen proti spletnim mestom in strežnikom, tako da ovira delovanje omrežnih storitev in poskuša izčrpati sredstva aplikacije. Se pravi, v tem primeru recimo spletne strani gov.si niso delovale. Ali je bil to zelo resen napad, incident ali ne?

Gost: Sami DDoS napadi niso nič novega. Pravzaprav so zlasti volumetrični napadi, to so tisti, kjer je napadalec z ogromnim številom podatkovnih zahtev na nek strežnik dejansko povzročil preobremenitev samega mrežnega dela informacijskega sistema, to so že kar stari in če se spomniš, smo imeli mi nekih 10, 12 let nazaj tudi določene skupine recimo, ki so takrat kot aktivistične skupine tudi v Sloveniji omejevale dostope do raznih državnih storitev. Potem je to malo zamrlo, ker je tudi obramba seveda postajala vse boljša. Pa tudi sama internetna oziroma infrastrukturna zmogljivost komunikacijsko se je povečevala in seveda, ko se ti povečuje pretočnost, potem je tudi manj možnosti, da pride do ozkih grl. Ampak so se pa DDoS-i, oziroma, če zdaj povem v originalu, gre za distributet denial of service. Se pravi, gre za neke vrste decentralizirane postopke napada na konkretne strežnike oziroma storitve z namenom, da ta servis ali storitev ali strežnik več ni odziven in da več ne dela. To je osnovna taktika in tudi način oziroma namen, zakaj napadalci to uporabljajo. To je pa nova zadeva zakaj? Zato, ker kot veš sama, se je v zadnjih dveh, treh letih hektivizem, to se pravi neke politično angažirane hekerske skupine se veliko večkrat povezuje z državnimi akterji danes in so tudi zelo vpletene v vse sodobne geostrateške konflikte, najsi gre za vojno v Ukrajini ali za vojno na Bližnjem vzhodu. Torej pravzaprav vsi sodobni konflikti imajo danes tudi kibernetsko dimenzijo in potem se del hekerskih skupin postavi na eno stran, del na drugo stran in seveda oni, potem pa zato, ker je to zelo vidno in ker lahko zelo hitro dobijo pozornost medijev in uporabnikov, pa tudi najbolj enostavno je tak napad izvesti, potem uporabljajo DDoS napade. Tehnično načeloma mi ne govorimo o nekih zelo naprednih napadih, res pa je, da so določeni DDoS napadi tudi takšne narave, da lahko celo poškodujejo infrastrukturo, kar pa je potem tudi po zahtevnosti bolj sofisticiran napad. 
Tega pri nas ni bilo, so pa prevzeli odgovornost ruski hekerji.

Voditeljica: In zdaj, ko omenjaš, da je to vse geostrateško povezano. Zakaj smo bili tako pomembni, da so se odločili za to?

Gost: Mislim, da kar se te zgodbe tiče, je zadeva zelo jasna. Slovenija od samega začetka ruske agresije na Ukrajino ima zelo jasno zunanjepolitično orientacijo. Mi tudi zelo jasno podpiramo Ukrajino pri pravici do obrambe, vključno s tem, da se je, kot veš, tudi vlada odločila, da Ukrajini pomagamo z vojaško opremo in tako naprej. In seveda smo ena od držav, ki ne izstopa v kvantitativnem smislu, če bi pa zdaj to preračunali na slovensko velikost, na velikost slovenskega obrambnega sistema, pa mislim, da smo kar ena od držav, ki Ukrajini bolj pomaga kot ostale države. In jasno, s tem smo tudi prišli v neko cono delovanja proruskih akterjev. Potem ko je bilo tudi javno sporočeno, smo imeli tudi prvič v zgodovini Slovenije, če se ne motim, zgodbo, z aretacijo vohunov. In tudi to je seveda povzročilo, da smo se znašli bolj na prvih straneh in jasno, potem ko so izbirali tarče hekerji, so izbrali tudi Slovenijo in jasno, kot si rekla, potem prevzeli samo odgovornost.

Voditeljica: Vsi ti izrazi so zelo vojaški napad, grožnja, varnost. Kako se branimo?

Gost: Ja, mogoče se zdi na prvi pogled. Seveda je daleč od tega, da bi jo danes obravnavali zgolj in samo skozi prizmo vojaške obrambe, ampak je pravzaprav varnost, varnost nas posameznikov je varnost podjetij in je varnost države, tako da imamo že tukaj ogromno različnih nivojev varnosti. Ja, obramba, napad. To pa je v tem smislu zelo vojaško in tukaj moram reči, da se danes ta del tudi vse bolj digitalizira. Torej vse bolj postaja avtonomen. Imamo danes ogromno nekih orodij za napadna delovanja, pa tudi za obrambna, vključno z umetno inteligenčnimi orodji. Tako da tukaj neka taka dialektika kibernetskega prostora je zelo živa in obstaja celo neka statistika, da je 60 % vseh komunikacij v internetnem prostoru tako imenovani internetni šum oziroma neka dialektika med napravami, ki v resnici nima nobenega smisla za nas uporabnike, ampak gre za neke izmenjave podatkov med napravami kot rečeno, ki jih v končni fazi uporabniki ne zaznamo.

Voditeljica: In kakšna je naša strategija pri tem, kako bomo izboljšali sebe, državo?

Gost: Ja, to je dobro vprašanje. Definitivno slovenska strategija je strategija vključevanja pravzaprav tudi zasebnega sektorja. Glede na to, da sama tehnologija je rezultat razvoja v zasebnem sektorju, torej države nekje po svetu ne razvijajo IT-ja, ampak ga pravzaprav, če že same začenjajo razvoj, ga skupaj z privatnimi podjetji. Ena strategija je vključenost več akterjev. Mi smo tudi že v sedanjem zakonu, 2018 sprejetem, dejansko zasnovali kibernetsko obrambo. Čeprav je v civilnem zakonu zapisano, ki vključuje izmenjavo podatkov med več organi, tako organi pregona, obveščevalno skupnostjo, Slovensko vojsko oziroma MORS-om in tako naprej. Skratka, tukaj smo dejansko želeli narediti en sistem izjemno hitre izmenjave podatkov, izkušenj, pa tudi vektorjev napadov. Torej to mislim, da je edina prava pot, ker kakršnakoli druga oblika bi v Sloveniji imela problem. In seveda, da smo se odločili, da bo en organ, ki bo na vrhu te koordinacije. To smo se odločili pravzaprav že večkrat. Tudi v Resoluciji o strategiji nacionalne varnosti iz 2019. Zadnjič smo tak organ predvideli, zdaj smo ga dobili in to je pravzaprav nek slovenski poskus, da z relativno maloštevilnim kadrom, ki pa je vrhunski, to se pravi tukaj moram povedati, da to, da v Sloveniji ni znanja, to ne drži. Večja težava je, da je malo tega znanja v kvantitativnem smislu, da se ga na ta način poveže.

Voditeljica: Prenesti moramo tudi Direktivo o ukrepih za visoko skupno raven kibernetske varnosti. Sliši se zapleteno, uporablja se pa kratica NIS 2. S čim se torej zdaj ti ukvarjaš?

Gost: Ja, NIS 2, to je v bistvu sicer malo tudi ta terminologija evropska je zanimiva, ker namreč NIS pomeni Network and Information Systems Security. V bistvu že tukaj vidimo, da ko se je prva NIS direktiva sprejemala 2016. leta, se termin kibernetska varnost še ni uporabljal, medtem ko danes pa že, kot si sama rekla, to omenjamo. Ja, to je v tem trenutku za urad ena glavnih nalog, ker je pač dejstvo, da moramo kot država izvesti prenos v slovenski pravni red po načelu minimalne harmonizacije, kar pomeni, da mi s tem ne prenašamo, to moram poudariti, mi ne prenašamo samo NIS-a v slovenski pravni red, ampak postavljamo sistemski zakon, eden in edini, ni drugega, o informacijski varnosti v Republiki Sloveniji. Torej, to je že kar nekaj bilo prej, pa tudi nekaj sedaj predvidevamo rešitev, ki so nam lastne, ki so refleksija našega okolja, naših izkušenj, naše, nenazadnje tudi kadrovske in tehnične zmogljivosti. In tukaj nas Evropska unija ne omejuje. To je pač popolnoma naša nacionalna suverenost, da se lahko tudi tovrstne rešitve zapiše v zakon.

Voditeljica: Katera podjetja bo vključeval ta zakon? Kaj bodo morala narediti? Sliši se zelo, da bodo morali vložiti sredstva, poskrbeti za svojo varnost, da nam država, kot sem si prej rekel, ne poklekne pred temi napadi.

Gost: Ja, seveda. Velika večina novih zavezancev bo prihajala iz gospodarstva, pa ne samo iz gospodarstva, tudi iz ostalega nedržavnega dela. Namreč dejstvo je, da ravno NIS kot takšen, kot mehanizem Evropske unije, izhaja iz mehanizma notranjega trga. Torej Evropska unija ne razume NIS-a in kibernetske varnosti kot strošek, ampak jo razume kot dodano vrednost podjetij v globalnem tržnem spopadu. To se pravi bolj kot so varna kibernetsko evropska podjetja, večja bo lahko njihova dodana vrednost in seveda bolj bo tudi stabilno njihovo delovanje v globalnem okviru. Tako da to je osnovni postulat. Jasno, samo število bo v tem trenutku malce drugače definirano. Namreč mi smo v sedanjem stanju, pravzaprav vsakega zavezanca morali predlagati vladi. Država, URSIV oziroma ministrstva so morali oceniti, ali je nekdo pomemben, ali ima neke specifičnosti, kompetence in tako naprej za državo Slovenijo, da opravlja neke kritične bistvene storitve. In smo potem tudi seveda šli na vladno proceduro in ga je vlada s sklepom določila. Tega sedaj ni več. Kaj se je pokazalo? Mi smo določili takšnih zavezancev mislim, da okoli 70. Finska jih je določila 10 000. Ko se mi seveda sestajamo, torej kibernetski organi in tako naprej, smo ugotovili, da to je ena ogromna diskrepanca. Tudi komisija to ugotovila, so rekli, da je to nekaj narobe, ali je narobe z metodologijo ali pa je narobe z implementacijo metodologije. Ne more biti tako velika razlika. Pa Slovenija tukaj še ni niti najbolj izstopala. V bistvu so bile še države, ki so še manj zavezancev določile. Na koncu smo se odločili, da se zavezance določi na osnovi obsega poslovanja in števila zaposlenih. Metodologija evropska, se pravi srednja, velika podjetja, ki so recimo v sektorju energetika, transport, oskrba z vodo, imajo toliko in toliko zaposlenih, točno določen obseg poslovanja na leto, so avtomatsko zavezanec in to mislim, da je način, da pridemo do ene bolj jasne slike. 
Še vedno mi predvidevamo, da bo teh zavezancev v Sloveniji 1000, v Nemčiji ocenjujejo med 25 in 50 000.

Voditeljica: Je pa tudi večja Nemčija.

Gost: Jasno.

Voditeljica: Kaj to pomeni za ta podjetja, kaj bodo morala narediti?

Gost: Jasno, najprej bo morala biti izvedena samo registracija. Se pravi, naš urad bo postavil registracijsko platformo, kjer bodo podjetja lahko preverila ali so zavezanec ali ne. Ko bodo ugotovila, da so dobila kljukico, se pravi, da so zavezanec, se bodo morali prijaviti, vnesti podatke in takrat začnemo delati z njimi. Potem pa, kar je zelo pomembno, ta direktiva se tudi zelo dobro nanaša na to, kako se kibernetska varnost umešča v poslovanje podjetja. Kibernetska varnost z novim zakonom, tudi z novim NIS-om 2, ni več stvar IT osebja, ampak je stvar poslovodstva, tako kot mora poslovodstvo skrbeti za tveganja, ki so tržne narave, naravne nesreče, požare in tako naprej, bo tudi odgovorno za kibernetsko varnost. Odgovornost je na poslovodstvu, ne več na nekih tehničnih ekspertih. Druga zadeva. Ukrepi. Ukrepi so tukaj bistveno bolj konkretni, se pravi od zagotavljanja neke kriptirane izmenjave podatkov, večfaktorske avtentikacije, prijava incidentov bo morala biti bistveno bolj natančna in predvsem hitrejša. Potem seveda bodo morala tudi podjetja izvajati samoevalvacijo oziroma te evalvacije naročiti, da se bo njihova zrelost v bistvu ugotavljala periodično. Torej, tukaj je kar nekaj ukrepov, ki nalagajo stalno kondiciranje kibernetske odpornosti oziroma zrelosti. To ni več enkraten dogodek. Mi smo se zdaj tamle prijavili, smo dali svoje podatke in zdaj smo svoje opravili. Ampak morate se zavedati oziroma vsi se moramo zavedati, da danes lahko zaradi kibernetskega napada podjetje gre v stečaj, da lahko imamo na državni ravni nepopravljivo škodo, ki pravzaprav bo imela posledice leta vnaprej. In to je dejstvo, da ta tveganja obstajajo. Seveda ne, ali bodo realizirana ali ne, je pa tudi od nas odvisno oz. od naših ukrepov na strani obrambe.

Voditeljica: Pa verjetno od vsakega posameznika. Zato me zanima, kako se bodo pa zaposleni v teh podjetjih na to navadili? Zdaj si omenil dvostopenjska avtentikacija, malo več časa ti vzame, pa večkrat moraš maile vpisat, kode, ne bo več tako preprosto, bo pa večja varnost.

Gost: Ja, to je pa seveda ta stalna relacija med varnostjo in uporabnostjo. Mi ne želimo biti, definitivno, kot varnostni organ, bi rekel cokla v razvoju storitev ali pa infrastrukture. Po drugi strani pa, v kolikor želiš imeti višjo stopnjo varnosti, te malce omejuje. Če pogledamo recimo letališko varnost ali pa ne vem, če začnemo s prometno varnostjo. Jaz se spomnim, mogoče se boš tudi ti. Če se ne motim, je v Sloveniji bil obvezni varnostni pas uveden v 80. letih. Ko se je varnostni pas uvedel, da je obvezen, še v prejšnji državi, so se ljudje izgovarjali, da jih veže, da pozabljajo, da ne morejo se gibati, da jih skratka tako moti, da pač je to neka ovira, ki je nočejo, ne želijo in ne morejo izvesti. Danes, pustimo, da nam vsak avto nekaj piska in tako naprej, če se ne privežemo. Ampak danes je teh kršitev izjemno malo, ker ko se usedeš avto, varnostni pas potegneš. Sploh ne občutiš, da ga imaš na sebi. In podobno je z drugimi varnostnimi ukrepi. To, kar si omenila večfaktorsko avtentikacijo. Nenazadnje bančništvo. Danes jo vse banke uporabljajo. Bančništvo, finance so najbolj izpostavljene bile v zgodovini seveda tveganjem. Tudi veš sama, da je ogromno škode tako za banke kot tudi za uporabnike teh storitev. In one so se odločile, seveda ne same od sebe, ampak tudi s pomočjo regulativ, da je danes MFA obvezen za njih in smo se s tem vsi sprijaznili, tako da že davno več ne moreš samo z geslom ali pa uporabniškim imenom vstopati v spletno banko. In podobno bo tudi z drugimi storitvami. Torej, zavedati se bo treba, da ni vse varno, da je seveda koristno, ampak jaz bi rekel, da se držimo enega pravila. Zaupaj, ampak preveri. To je tisto, kar mislim, da je ključno tudi za uporabnika kot takega, ne samo za ostale organe.

Voditeljica: To je zelo lep nasvet. Če se spomniš teh fishingov ... Se tako reče?

Gost: Ja.

Voditeljica: Ko kar vpišemo svoje kode in že tam se pustimo prepričati nekim napadalcem.

Gost: Ja.

Voditeljica: Verjetno bomo morali veliko pri sebi narediti. Ne samo, da bo treba vložiti nekaj denarja v to, ampak tudi na ljudeh bo treba graditi. 

Gost: Ja, seveda, to si dober primer dala, čeprav tukaj pri fishingih imam jaz mogoče malce ločeno mnenje od svojih kolegov na tem področju. Tukaj mislim, da smo počasi izčrpali sposobnost človeka, da bo zaznaval, kaj fishing je. Namreč, če pogledaš, nekoč smo dobili neka nigerijska pisma princev in tako naprej. Vse v neki polomljeni, kvazi slovenščini. Na prvi pogled vidimo, da to ni nikoli pisal avtentični pošiljatelj. Danes imamo fishing z umetno inteligenco, ki celo lahko neke naše prejšnje korespondence pobere, iz njih naredi neko nadaljevanje zgodbe, ki ima smisel, torej, ki ima kontekst. Bi rekli v komunikologiji, ima narativ, ima nek okvir in zdaj človeku na koncu reci, ti boš tisti, ki bo ugotovil, da to ni, da je to nelegitimno pošiljanje nekega maila. Mislim, da smo dejansko pri tej človeški zaznavi zelo pri koncu in bomo morali delati tudi na tem, da bomo, če se že umetna inteligenca uporablja za oblikovanje fishingov, torej za ofenzivno, za napadno stran, da bo še zaznavala tovrstna, bi rekel, saj to že počne, ampak v resnici še vedno gre veliko skozi. Tako da fishing na žalost, ribarjenje, če smo zdaj pri slovenščini.

Voditeljica: Se opravičujem. Veliko novih izrazov, tako da komaj sledimo temu.

Gost: Ja. Že samo po sebi, kaj hoče fishing povedati? Da nasedemo, torej, da smo nepozorni, da smo podvrženi manipulaciji, mogoče celo v neki osebni stiski. In potem se zgodi, kar se zgodi. Tako da to bo še vedno vektor napadov, dokler bomo uporabljali komunikacijska orodja. Spomnim se, kot zanimivost, enih razprav, ali bo mail izumrl, ker če gledava zgodovino interneta, že mnoga, že več teh servisov interneta ali pa kakšni news groupi, je že izumrlo. Mail še kar živi in pravzaprav to je zanimiva zadeva. Pa tudi če bi se odločili, da je mail prenevaren v smislu komuniciranja in tako naprej, mi imamo danes toliko komunikatorjev na naših mobilnih napravah, na desetine aplikacij za komuniciranje. Človek je komunikacijsko bitje in seveda, dokler bo komunikacijsko, torej bitje, ki bo živelo in obstalo zaradi komunikacije, potem bodo tudi orodja za komunikacijo in potem tudi zlorabe orodij za komunikacijo.

Voditeljica: Pri ribarjenju potem ponavadi kakšne podatke poberejo ti nepridipravi. Kaj se v bistvu zgodi, kaj je sploh namen? Eno je, da nam grozijo, drugo je, da se okoristijo s kakšnimi podatki, kaj se potem s temi vsebinami, ki so zaplenjene, zgodi?

Gost: Ja, seveda. Ribarjenje, v kolikor je uspešno z vidika napadnega akterja, v kolikor mi nanj kliknemo, vnesemo naše podatke, recimo gesla, uporabniška imena ali pa celo drugi faktor, recimo kodo iz MFA, se pravi avtentikacije, potem oni dejansko s tem lahko izvedejo neavtoriziran vstop v informacijski sistem. Oni se predstavljajo kot mi in vstopijo v informacijski sistem, recimo neke spletne banke in prenesejo nek denar, danes se več ne prenaša na račune, ampak se prenaša na kripto denarnice, ker bistveno večjo stopnjo anonimnosti zagotavljajo. To je ena zadeva. Druga zadeva, in tam smo mi oškodovani direktno, torej naš račun, pa tudi banka, v kolikor bi se sklicevali na to, da bi zahtevali od banke, da se nam ta denar vrne. Moram povedati, da so tukaj zneski, kako so bili tudi v Sloveniji oškodovani državljani, so res zelo visoki. Gre za tudi več sto tisoč evrov. In tukaj pazljivost nikoli ni odveč. Druga varianta, ki je za napadalce pomembna, pa je, da se oni s tem, ki dobijo naše, mi rečemo temu <i>credentials</i> oz. poverilnice po slovensko, se s tem prijavijo v naš informacijski sistem in potem ugotavljajo, kam se lahko premaknejo, torej do katerih občutljivih podatkov bi se lahko premaknili. V kolikor je segmentacija omrežja slaba, ni nekih zelo jasnih politik gesel in poverilnic, da imamo odprta in ne ugasnjena admin gesla oziroma račune, oni lahko zelo veliko podatkov ali izločijo, to se pravi, da jih eksfiltrirajo, jih prenesejo k sebi, ali jih uničijo. To je oblika izsiljevalskega virusa oziroma mi temu rečemo <i>ransomware</i>, izsiljevalske programske kode, ali kar je pa pravzaprav zelo zoprno, samo malce modificirajo podatke, da postanejo še manj vidni. Tu gre pa za napad na integriteto podatkov, se pravi, da niti niso podatki zbrisani niti niso skopirani navzven, ampak so samo delno modificirani in napadalec čaka na primeren trenutek, kdaj bi lahko potem svojo prisotnost zlorabil. 
Tako da več motivov, kaj se zgodi s tem, ko smo mi uspešno aktivirali fishing.

Voditeljica: Pri ostalih incidentih, recimo pri podjetjih, kaj to pomeni? Prej si rekel, da bi lahko država nehala delovati, če pride do resnih napadov. Kaj vse bi lahko zajelo? Saj sem že prej rekla, imeli smo samo nedelovanje spletne strani. To ni še nič tako resnega, ker smo jo potem vnovič vzpostavili.

Gost: Tako.

Voditeljica: Kaj vse iščejo? Zakaj se bo podjetjem splačalo vlagati v kibernetsko varnost?

Gost: Lahko povem zadnji primer, ki ni bil kibernetski napad, je bil pa seveda incident z vidika nedelovanja storitev, v Sloveniji sicer na srečo precej manjši kot v drugih državah. To je bil v bistvu izpad Windows računalnikov, ki so nameščali določeno programsko opremo ne od Microsofta, ampak od tretje strani, za kibernetsko varnost celo. To se pravi, šlo je za posodobitev orodja za kibernetsko varnost. Naj tukaj povem, da se danes v realnem času stalno orodja za kibernetsko varnost posodablja, zato ker so tudi grožnje seveda vse številnejše in vse bolj različne in morajo stalno te posodobitve izvajati. In ker program ni bil očitno dovolj dobro testiran, je preprosto Windows mašino pognal v tako imenovani blue screen oziroma v  stanje restarta, ne da bi se potem izvedel recovery oziroma obnovitev nazaj.

Voditeljica: Se moram zdaj nasmejati, ker je bila tudi družba v restartu, ker so vsa letališča obstala.

Gost: No, recimo letališča, podjetja, recimo, so nehala proizvajati raznorazne zadeve, proizvodne linije so obstale, letališča so obstala. Zdaj, kar se tiče oskrbe z elektriko, mislim, da nekih problemov ni bilo. Vem, da se je tudi pojavila potem na neki točki oskrba z vodo. Potem jasno, ko so ljudje spraševali, ko so bili panični, ko so videli, da se nekaj dogaja, so potem v nekih državah celo podrli razne linije za pomoč, ker je bilo preveč naenkrat klicev za informacije. To se dostikrat dogaja. To imamo tudi izkušnje iz nekih bližnjih držav, ki so imele težave na elektro distribuciji v večjem obsegu. Potem so sistemi za odzivanje in pomoč uporabnikom počepnili. Kar povejva po filmsko. Svet bi lahko obstal. Svet bi lahko obstal in je obstal. Saj če pogledamo danes letališča, transport. Danes poglej, vsak avto, ki ga danes vozimo, ima neko začasno ali stalno povezavo v internet, tako da tukaj ne bi bilo nič nenavadnega. Lahko bi se dejansko zgodila za krajši čas ena ponovitev korone, lockdown.

Voditeljica: Tisti, ki izvajajo napade. Prej sva že geostrateško povedala, katere države, pa vseeno sva omenila, verjetno namenjajo kar nekaj denarja. Kako pa smo v Sloveniji s tem? Zdaj bomo dobili tudi nove zmogljivosti. Morda bi kaj več o tem povedal.

Gost: Ja, seveda. To je zanimivo, da pravzaprav po eni strani kibernetski napadi seveda zahtevajo veliko sredstev, sploh ko govoriva o osebju, ko govoriva o orodjih, po drugi strani pa če gledava države, so še vedno najcenejša oblika za zagotavljanje moči države. Če si recimo predstavljaš, da stane en tank nekaj milijonov evrov, ko to prevedeš v kibernetsko varnost, za ta denar dobiš zelo veliko, ali v napadnem ali v obrambnem smislu. In tudi druge države, seveda, kar počnejo, je, da ne samo, da same vzpostavljajo neke lastne zmogljivosti. Ogromno gre za podporo skupnostim, hekerskim skupnostim, ki so voljne sodelovati z državo. In tukaj se ta moment zelo širi. Tudi ofenzivne zmogljivosti, ki jih države imajo, se širijo. Vse več držav odkrito priznava, da imajo ofenzivne zmogljivosti, ne samo defenzivne. S tem seveda tudi želijo malce narediti več na odvračanju. In v Sloveniji, recimo, mi smo pravzaprav, če pogledamo, kako smo mi začeli. Slovenska zgodba kibernetske varnosti gre v leto 1995, ko se je na Arnesu ustanovil SI-CERT. Torej, bili smo ena prvih držav, ki je imela neko entiteto, ki se je ukvarjala s kibernetskimi problemi. Potem smo pa imeli nekaj zakonov, nekaj strategij in nacionalne varnosti in ne vem še kakšnih, leta so minevala in smo potrebovali pravzaprav 20 let, da smo prišli do neke približno delujoče in spodobne strukture. Torej ta preskok tukaj oz. ta zamuda je bila ogromna. Ko si me vprašala o sredstvih. Jaz v tem trenutku ocenjujem, da se sredstva seveda dvigujejo, in to primerno tako na ravni podjetij kot tudi na ravni države. In tukaj seveda jaz vedno pravim, ne se samo spraševati, kaj bodo državljani in podjetja naredili za nas, ampak tudi mi kot državni organ, kaj bomo lahko ponudili zavezancem in ponudili dejansko državljanom oziroma našim podjetjem, da ne bo ostalo samo pri inšpekciji, če se malo pošalim. Država mora dati tudi korenček. To je bistvo. 
In kibernetski center, ki se bo vzpostavil v naslednjih dveh oziroma treh letih, bo tak poskus, da se na državne organe in na najbolj pomembno kritično infrastrukturo v začetku, da se dejansko vzpostavi sistem senzorike, ki bo na neki točki omogočal bistveno hitrejše odzivanje na kibernetske incidente. Zdaj delamo mi zelo še šablonsko, zelo birokratsko. Tako kot delamo pri drugih, recimo temu grožnjah nacionalni varnosti, medtem ko kibernetika pa je v resnici stvar trenutnega in takojšnjega odziva. In tukaj želimo seveda, da se bo izmenjava tako informacij o zlorabljenih sistemih kot tudi predvsem informacij o tem, kaj bi se lahko zlorabilo, pa bodo preventivne narave širila takoj. Tak kibernetski center, to se gradi s pomočjo oziroma v sodelovanju z Ministrstvom za obrambo in Slovensko vojsko. URSIV ga bo, kot seveda pristojni nacionalni organ, tudi vodil in uporabljal. In tukaj mislim, da bomo dobili neko jedro, ki bo dejansko lahko potem sčasoma evolviralo za ostale zavezance, da se kibernetske varnosti res lotevamo na času primeren način, torej tako z vidika podatkov, ki jih bomo dobili, z vidika njihove obdelave, podprto z umetno inteligenčnimi orodji in tako naprej. To je vse seveda še pred nami, smo pa na pravi poti.

Voditeljica: Omenil si korenček. Kaj pa palica v predlogu novega zakona? Kakšne sankcije predvidevate?

Guest: Yes, the act also provides for sanctions. The sanctions are also partly determined by the Directive, and what is perhaps key, I would stress, is that responsibility is actually being directed at companies, at company management. So not, as I mentioned earlier, that individual IT departments in companies will be responsible for security, but that management is of course aware that cyber security is important, that it is a continuous process, and that cyber is a management discipline: it is not a science of computers, not a science of digital technologies, but a management discipline. Of course, the fines will be higher, but I can still say that under GDPR they are significantly higher than they will be under the new act. Because, as we know, fines for failing to respect personal data are significantly higher than in the case of cyber incidents. So we, and our inspectorate too, act as a kind of support, above all so that the right response is obtained on the ground; you know yourself that if an act is adopted but has no inspection oversight, it can in fact be just a dead letter on paper. And here the state has its power and its responsibility. Because then, of course, once inspections are carried out and we actually see what the situation is, we can adjust our activities on that basis, and we are already doing so. When our inspectors report what is going on, when they carry out inspections, we then see which sectors are in what state, and then funds from the European Union or our own funds can be redirected, and it is then easier to respond so that, on average, the highest possible level of resilience is achieved.

Host: Our office, together with the Ministry of Digital Transformation, is running the Let's Stop Disinformation campaign. How is this field of foreign information manipulation and interference from abroad in our public opinion connected to cyber attacks?

Guest: Yes, it is very much connected. Namely, both dimensions are so-called dimensions of hybrid activity. That is, both the disinformation part and the cyber part are important, or perhaps even key, elements of hybrid activity. On the other hand, it is a fact that disinformation can also unfold as the next phase of a cyber attack. So in the first phase, of course, the attacker takes control of an account, of some communication tool, and then in that name spreads what looks like very credible information, which may, however, be disinformation. So this part is in reality very much connected. Of course, as you know yourself, we have a huge number of trolls, which are not cyber incidents or attacks, nor a consequence of them. But troll farms can of course also be set up more easily on stolen infrastructure, on so-called botnets. And clearly, it is then also easier to operate them. I think the problem here will be above all that today we detect disinformation in a similar way to cyber attacks, and that artificial intelligence is very quickly being used, or rather misused, for such attacks. For instance, if we talk about deepfakes and so on, we know that it will be very difficult for the user to determine what is really a genuine post and what is a montage or even a post produced with the support of artificial intelligence.

Host: And now that I deal with this more, I have come to one conclusion: a lie spreads faster than the truth, and that is very hard to stop.

Guest: It does, of course. The problem is that a lie is usually also more striking.

Host: A bit emotionally charged.

Guest: Emotionally charged. And clearly, when you try to contradict or counter that disinformation with some dry fact, that is a problem. In any case, we are today at a point where we are truly at a turning point. Namely, I think a human still has a limited capacity for absorption. Of course, if we compare ourselves with the younger generations, we see that there is still a lot of room for manoeuvre and reserve. And yet, we will very quickly reach a point, which we could call a point of singularity, where we simply will no longer be able to determine, or distinguish, what is reality and what is a construct, a product of ICT, so to speak.

Host: So you confirm my conclusion.

Guest: Yes, I confirm your conclusion.

Host: We have talked a lot about IT, that is, computing, but you are a defence studies scholar.

Guest: Yes, that's right. I did all of my studies, which I began in 1994, at the Chair of Defence Studies. It is true, though, that I perhaps looked at the security challenge a little differently, which was a consequence of the fact that I came into contact with IT through a rather interesting situation. So, I was of course an enthusiastic user of the tools of the time. At the end of the 1980s, when we ... I was of the ZX Spectrum, Amiga, PBS generation and so on. And then I very quickly moved into the world of PCs. And even faster into the world of networks. Namely, in the town I come from, Kočevje, I had the opportunity to work in a company that was actually spread widely around the world; it had several branches, in Germany, Slovenia, Croatia and so on. And of course, all these branches were already connected to the parent company, with operating systems, naturally. At that time that was Novell, but what was interesting was that there was a reform of that IT and, in fact, an accident happened. Namely, the backup system died. Put simply, they had no air conditioning in the room where the backups were being made. The temperature was high, the disks failed and the company was left without data for quite a few months, so that the workers, mostly women at the time, had to work an enormous number of overtime hours to recover all the data. When the director saw this, he saw that the matter was very serious, and I had some ideas at the time on how to solve it, and I very quickly got the opportunity to set that up as well. Then at the faculty, in 1994, as soon as I started studying, I came across an excellent article that I still like to cite today. It is an article entitled "What is Information Warfare".
The author of that article, Martin Libicki, wrote in 1993 about how the future of warfare would in fact no longer be based on kinetic military power but on disinformation, on cyber or hacker warfare, on the destruction of digital infrastructure, which would become critical. At the time all of this was still largely a matter ...

Host: In its infancy.

Guest: That's right. Well, I found this very interesting from the point of view of a genuinely different conception of societal power. That is, that states ... this also seemed interesting to me for Slovenia as a small state. That the power of a state is not merely a matter of its territory, number of tanks, aircraft and inhabitants, but that knowledge can actually be a very powerful weapon in terms of positioning the state as such. And then I continued working on this in my master's thesis and my doctorate, and then also lectured on cyber security and information warfare for quite a few years. Until 2018.

Host: What did students at the Faculty of Social Sciences ask you about most often?

Guest: Yes. There were a great many questions, but perhaps I will ... Actually, one interesting question came up at a doctoral defence, which at that time was more public. When will we reach a state in which two sides in a conflict fight each other purely in cyberspace? That is, we now say that the cyber dimension is some added value or an addition to real warfare. And the answer was: when they have similarly developed technology, that is, not asymmetrically but symmetrically developed.

Host: Then it is good that we are lagging behind.

Guest: I am afraid our lag is already so small that we are nevertheless at a point where we resemble the most developed countries in the world in terms of usage and, not least, in terms of dependence. There is no longer any essential difference between us. In some areas, when it comes to connectivity and so on, we are even among the most developed countries. And from that angle the conditions are also in place for us to reach this machine-versus-machine confrontation, that is, tools for carrying out attacks against XDR, EDR, antivirus and other solutions; we are very close to that. So the situation in Slovenia is certainly similar to that of the countries near us, both in the challenges and in the advantages we have.

Host: So what can every individual do to avoid falling for cyber scams?

Guest: First, they must be aware of which digital devices they actually use, so that they know where their data could end up without authorisation and so that they have the option of reacting to it. Passwords are still very widely used today. As long as we use passwords, of course: changing passwords, password complexity. Wherever possible, you absolutely must use login with more than one factor, that is, also with more than one device: if you log in from a computer, you confirm the login with another tool or device, a phone, and you also enable the recording of every login. We call this logging. That is, for every login that happens you get a notification that someone has logged in, and if it turns out that it was not you, immediately change your password and report the incident. What is also important is that we believe in technology but do not trust it. Absolutely. That is, there is no reason to believe everything that technology providers sell us, and above all we should also follow the channels that report on abuses. In Slovenia we also have a very good programme, Varni na internetu, run by SI-CERT at Arnes. This programme has various social media channels and reports on the current threats that are appearing and on what their recognisable forms are, so above all keep in mind that a cyber incident can happen to me, to you, to anyone, regardless of the fact that some are perhaps more aware and others less. I think that is the basis, and, as I said, that just as we learned the rules of the road and a few other things, security should become an inseparable part of using technology.

Host: Dr. Uroš Svete, let us hope there will be as little warfare as possible.

Guest: Yes, I agree. I hope that technology always brings more benefit than risk. But it holds for all technologies that we have adopted in civilisations in the broad sense: unfortunately they also have our dark side. They have abuses, they also have failures, and not least they also carry risk when it comes to disasters coming from the natural environment. And I wish for as little of that as possible, and as much use of technology for the benefit of all as possible.

Host: Thank you for being our guest.

Guest: Thank you for the invitation.

Host: Thank you for being with us, and goodbye.


[ENGLISH VERSION]

Government podcast GOVSI.

Host Petra Bezjak Cirman: Greetings, dear listeners. This is the 12th episode of the GOVSI podcast, produced by the Government Communication Office. My name is Petra Bezjak Cirman. You can listen to us on any podcast platform. In many countries, including Slovenia, October is Cybersecurity Awareness Month, which is going to be our topic today. We have with us the best cybersecurity expert in Slovenia, Dr. Uroš Svete, head of the Government Information Security Office. 

Uroš Svete: Hello. 

Host: Life without the internet has become unimaginable. Your office, which deals with this, was established only five years ago.

Uroš Svete: Yes. Our office was founded on the basis of the first Information Security Act, which Slovenia adopted in 2018. As a member of the European Union, it had to establish a national authority on cybersecurity. Our office is the result of that directive. But, as you said, the subject of digital technology, the internet, and so on is much older than our office. 

Host: I said you are the best in the field, but there are probably others in Slovenia. But, when an attack happens, or incident, as you call them, and you will explain the difference later, we call you and you are the one in front of the cameras explaining what happened. 

Uroš Svete: Yes, that is a systemic solution, set up that way because the law is very clear on how to communicate in the case of an incident. Meaning who issues public statements, with the consent of the victim of such an attack. The topic also needs to be discussed very carefully, because nowadays in the digital world, cyber incidents can be over- or underemphasised and if your communication is poorly organised you can have even more problems. The system is set up so that our office collects data regardless of the body, be they national authorities or companies that report incidents through SI-CERT. We are at the very top of the pyramid, we have a complete overview of the situation in Slovenia. 

Host: That's how we met and why we're on a first-name basis, we work together in precisely such cases. Can you explain to us the difference between a cyber attack and an incident? 

Uroš Svete: The law presumes that there are now different types of cyber incidents, as well as degrees of severity. Incidents can happen in an organised manner, in multiple structures or sectors simultaneously. They can be random, like the random exploitation of users or the exploitation of out-of-date systems. That determines whether it is an incident or an attack. There are several types of incident, with critical incidents being the most sensitive. Those have very clear, direct consequences on the operation of services. For instance, if we have a service for the citizens, it has to work. If it doesn't, that is direct disruption. If an electricity provider, for example, was in any way impaired or even stopped, that has consequences for the service. That is the most severe critical incident. We would talk about an attack if we were to detect an organised campaign against the state and we were able to, at some point, determine who is behind the attack. In such cases we have to engage the National Security Council, the government and other crisis management mechanisms. That is why we don't talk about attacks, but incidents. And we will now also talk about "near-incidents", technical events that have not yet led to an incident. Those are an adversary's attempts to figure out our infrastructure and perhaps even find any weaknesses or flaws. These are near-incidents. 

Host: Slovenia has experienced DDoS attacks in the past six months. I have a translation here, correct me if it's wrong. "A DDoS attack targets websites and servers by disrupting network services in an attempt to exhaust an application’s resources." In this case, the GOV.SI websites didn't work. Was this a very serious attack or incident, or not? 

Uroš Svete: DDoS attacks are nothing new. They are mainly volumetric attacks, which is when an attacker sends an enormous amount of requests to a server, causing an overload of a network segment of the information system. These attacks are old. If you remember, about ten or twelve years ago there were certain hacktivist groups, even in Slovenia, that were disrupting access to various state services. Then that died down a bit, because the defence got better, and the communication infrastructure became more and more powerful. As bandwidth increases, there are fewer chances for a bottleneck to occur. "DDoS" means "Distributed Denial-of-Service". These are decentralised procedures of attacking a specific server or service in order to incapacitate the said server or service. That is the basic tactic and the purpose for which the attackers use it. Now this is a new thing, because of increased hacktivism in the past two or three years. Politically engaged hacker groups nowadays align more frequently with state actors and they are very involved in all geostrategic conflicts, be it the war in Ukraine, the war in the Middle East ... All modern conflicts have also got a cybernetic dimension now. And hacker groups side with opposing sides. They use DDoS attacks because they are very visible and because they can get the attention of the media and the users very quickly, and because such attacks are the simplest. They are not the most technically advanced attacks, however, some DDoS attacks can even damage the infrastructure. In terms of difficulty, those would be more sophisticated attacks. 

Host: Russian hackers claimed responsibility for that attack. You say it is all geostrategically connected. Why were we so important for them to attack us? 

Uroš Svete: I think the situation is very clear. Since the beginning of Russia's aggression toward Ukraine Slovenia has held a very clear political stance. We also support Ukraine's right to defend itself. The government also decided to aid Ukraine with military equipment and so on. In a quantitative sense, Slovenia stands out. If we were to calculate our aid based on the size of Slovenia's defence system, I think we would see that Slovenia helps Ukraine more than other countries. Naturally, this made us a target for pro-Russian actors. And, for the first time in Slovenian history, we even had the case with the arrest of Russian spies. This also made us appear in many headlines, which is why Russian hackers chose Slovenia and claimed responsibility for the attack. 

Host: These are very military-sounding words, attack, threat, security, defence ... 

Uroš Svete: Yes, they may seem military-sounding. Nowadays, we cannot look at security solely through the lens of military defence. We have individual security, company security and state security, so, many different levels of security. But yes, "offence" and "defence" are military expressions. This field is becoming more and more digitalised and autonomous. We now have very many tools for offensive and defensive action, including AI tools. So, the cyberspace dialectic is very vibrant. There is even a statistic that 60% of all communication in the internet space is noise, a dialectic between devices that serves no purpose for us users. These are data exchanges between devices that the users do not perceive. 

Host: What is our strategy for improving ourselves and our state? 

Uroš Svete: That is a good question. The Slovenian strategy aims to include the private sector, because the technology itself is a result of development in the private sector. States do not develop IT. If they do initiate development, they do so in cooperation with private companies. One strategy is to include more actors. We outlined cyber defence already in 2018, although it is defined in the civil law that includes information exchange between authorities, the police, intelligence community, the army and so on. We wanted to establish a system of a very fast exchange of information and experience. This is the only right path because only this works in Slovenia. We also defined the authority in charge of this coordination. We have made this decision several times, also in the Resolution on the National Security Strategy from 2019. Now, we have this authority. This is our attempt to connect the knowledge of a few experts, but they are excellent. It is not true there is no knowledge here, there just is not much of it. 

Host: We have to adopt the Directive on measures for a high common level of cybersecurity. The abbreviation NIS2 is being used. What are you doing? 

Uroš Svete: Yes. The European terminology is interesting. NIS means Network and Information Security. When the first directive was passed in 2016, the term cyber security had not yet been used, but now it is. This is our main job at the moment. As a country, we have to adopt it in our legislation with minimal harmonisation, which means we are not just adopting the NIS, but we are also writing the systemic law on our information security. We are preparing solutions that will be specific to us and will reflect our environment, our experience and our capabilities. The EU does not limit us here. We are independent here and can adopt such solutions as well. 

Host: Who will be included? What will they have to do? It sounds like they will have to invest in their security, so that we will be resilient to these problems. 

Uroš Svete: It mostly concerns the economy and other private entities. The NIS as the EU mechanism stems from the internal market. The EU does not see cyber security as a cost, but as added value to companies in a global conflict. The safer the EU companies are, the bigger their added value will be and the more stable they will be on the global market. This is the main premise. The number will be defined a little differently. Now, the Government has to approve everyone subject to the law. The ministries have to decide whether someone is important, has some specifics or competence and carries out crucial services for Slovenia. We pass them to the Government, which makes the decision. What have we seen? We defined around 70 companies and Finland defined 10,000. When we met, we saw there is a huge difference and the Commission saw there is something wrong with the methodology or its implementation. Slovenia did not stand out the most. Some countries defined even fewer companies. In the end, we decided the criteria should be the scale of operations and the number of employees. This is the EU methodology. All big companies in the energy, transport and water supply sectors with a certain number of employees and scale of operations are subject to the Directive. This is the way to get a clearer picture. We anticipate there will be around 1,000 such companies in Slovenia, and in Germany they say 25,000 to 50,000. 

Host: Germany is bigger. 

Uroš Svete: Yes. 

Host: What does it mean for the companies? 

Uroš Svete: First, they will have to be registered. Our office will establish a platform where companies will be able to check whether they are subject to the Directive or not. If they are, they will have to register and we will start working with them. It is very important that the Directive is also talking about how cyber security is integrated in the company. IT personnel are not responsible for the security anymore, the management is, just as they are responsible for market risks, natural disasters, fires and so on. The management is responsible and not the experts anymore. The measures are more concrete here, from information exchange and multi-factor authentication to incidents having to be reported more accurately and faster. They will have to do a self-evaluation, or have it done, to determine their maturity. There are quite a few measures that require constant checking of cyber maturity. Your job will not be done when you register, but we all have to realise that a company can go bankrupt because of a cyber attack. We could suffer irreversible damage as a country that will have consequences for years to come. This risk is real and it is up to us to prevent it from happening with security measures. It is up to every one of us. 

Host: How will the employees get used to it? A two-factor authentication takes more time. 

Uroš Svete: It is true. 

Host: It will not be as easy anymore, but it will be safer. 

Uroš Svete: This is the constant relation between security and usefulness. As a security authority, we do not want to hinder the development of services or infrastructure, but if you want to be safer, there will be limits. Look at the airports, for example, or traffic. Maybe you will remember, the seat belt became compulsory in the 80s. When it happened in the previous country, people were complaining that it was too tight and they could not move, that it bothered them and was an obstacle they did not want. Today, leaving aside the fact that every car beeps if you do not fasten it, people are using it. When you sit down, you fasten it and do not even feel it. It is similar with other measures. You mentioned the authentication. Look at the banks. They are all using it. The finance sector is most exposed to risks; there could be a lot of damage for banks and clients. With the help of regulations, they decided that 2FA is obligatory and we all accepted it. We cannot access online banking with just the username and password. It will be similar elsewhere. We have to realise that not everything is safe. It is useful, but I would stick to the rule: Trust, but verify. This is key for the users as well, not only for the authorities. 

Host: Great advice. Do you remember phishing ... Do you call it that? 

Uroš Svete: Yes. 

Host: When we just enter our codes and attackers convince us. 

Uroš Svete: Yes. 

Host: We will have to do a lot ourselves, not just investing money, but also educating people. 

Uroš Svete: You gave a good example. I have a slightly different opinion on phishing than my colleagues. I think we have exhausted the ability of a human to detect phishing. Before, we were getting letters from Nigerian princes in broken Slovenian. It was obvious that this was not an authentic letter. Today, the phishing is done by AI, which can work with our past correspondence and make a continuation of the story that makes sense and has a context. We would say in communication science that it has a frame. And now it's the user's task to figure out that this is an illegitimate email, which is very hard. We'll have to work on that. If AI is used for making phishing, for the offensive side, it can also detect such things. It's already doing that, but a lot of things still fall through. Phishing, or the Slovenian term 'ribarjenje' ... 

Host: I'm sorry. There are a lot of new terms and it's hard to keep up. 

Uroš Svete: Yes. What is this telling us? That we are falling for it, we are inattentive and subject to manipulation. Maybe we are in personal distress and then this happens. These attacks will happen as long as we use communication tools. Now something interesting. I remember discussions about whether email would become redundant. If we look at internet history, many internet services, or some newsgroups, have died out. Email is still being used, which is interesting. Even if we decide that email is too dangerous for communication, we have dozens of applications for communicating on our devices. The human is a communicative being. As long as it is a being who lives and exists because of communication, there will be tools for communication and they will be misused. 

Host: These scammers take some information. What happens? What is its purpose? They can threaten us or make use of some data. What happens with this confiscated content? 

Uroš Svete: If phishing is successful, from the point of view of the intruder, and we enter our information, passwords, user names or some other factors, for example some authentication codes, then they can enter the information system without authorisation. They identify themselves as us and they enter the information system of some online bank to transfer money. Now, they don't transfer it to another account, but to a crypto wallet, because they have a higher level of anonymity. This is one thing. Here, we suffer damage directly. Our account, and the bank as well, if we want the bank to refund us the money. I have to tell you that these sums, in Slovenia as well, are very high. It can be several hundred thousand euros. You can never be too careful. The other version that is important for the scammer is when they get our credentials, they log in to our information system and they are detecting where they can move, which sensitive data they can get. If segmentation of the network is bad and there isn't a clear policy on credentials, if we have open passwords and accounts, they can take a lot of data and transfer it to themselves. Or they can destroy it. It's a form of ransomware or malicious code software. Or they can slightly modify the data, which is very annoying. They make it less visible, and this is an attack on the integrity of data. The data is not deleted or copied, it is just modified. The attacker waits for the right moment, when he can abuse the data. There are several motives for what happens when we activate the phishing. 

Host: What does it mean in other incidents, in companies for example? You've said before that the state can stop functioning. What can this encompass? Our web page didn't work, but it's not so bad, because we restored it again. 

Uroš Svete: True. 

Host: What are they looking for? Why would it be worth investing in cybersecurity? 

Uroš Svete: I can describe to you the last case, which wasn't a cyber attack, but it was an incident, since the services didn't work. In Slovenia, it was fortunately much milder than elsewhere. It was a failure of Windows operating systems, when they installed software, not from Microsoft, but from some third party, for cybersecurity nonetheless. It was about updating the tools for cybersecurity. I have to tell you that now these tools are updating all the time, since there are more threats and they are different. They have to make constant updates. That update wasn't properly tested and it just ran the computer into a blue screen or into a state of restart, without making a recovery. 

Host: The society was in restart as well, since the airports didn't work. 

Uroš Svete: Exactly. The airports, companies stopped producing various things. Production lines and airports were at standstill. There weren't any problems with electricity, I think. I know there were problems with water supply. When people were asking, when they were in a panic mode, because something was happening, they crashed the helplines, since there were too many calls for information. It is quite common. We know this from nearby countries, which had problems in electrical distribution. Helpdesk systems just failed. 

Host: In movie terms: The world could stand still.

Uroš Svete: It stood still. If we look at airports, transport. Every car has a temporary or permanent internet connection. This wouldn't be unusual. It could be a shorter version of the lockdown as in Covid times.

Host: People who attack, we mentioned at least one state, probably appropriate a lot of money for this. How is this in Slovenia? We will get new capacities. Can you tell us more about it? 

Uroš Svete: Yes, of course. It's interesting. Cyber attacks are very expensive, especially when we talk about personnel or tools. But for states, they are the cheapest form of ensuring their power. Think about it, one tank costs a few million euros and for such a sum you can get a lot of cybersecurity. For offence or defence. Other states are building their own capacities and they give a lot to the support of communities, communities of hackers who want to cooperate with the state. This moment is spreading. The offensive capacities of the states are spreading. More and more states are openly admitting these capabilities. They want to do more on aversion. Let's look at how we started in Slovenia. Our cybersecurity started in the year 1995, when Arnes established SI-CERT. We were one of the first states dealing with cyber problems. Afterwards, we had a few Acts and strategies, national security strategies and more. Years were passing by and it took us 20 years to come to a roughly working structure. This delay was huge. When you asked about funds, I estimate that they are rising, on the level of companies and on the level of the state. Don't ask just what citizens and companies will do for us, but what we as a state authority can offer to the taxpayers, citizens or our companies. We don't want to leave it at inspection. The state has to give something. The cyber centre, which will be established in the next two or three years, will be an attempt to put in place, first at the state bodies and the most important critical infrastructure, a system of sensors which will at some point enable a much faster response to cyber incidents. We're working in a very template-oriented, very bureaucratic way, similarly to how we respond to other threats to national security, whereas cyberattacks are a matter of immediate response. We want the exchange of information about misused systems and, above all, information about what could be misused, which will be of a preventive nature, to be spread immediately. 
The cyber centre is being built in cooperation with the Ministry of Defence and the Slovenian Armed Forces. The Ministry of Public Administration as the competent authority will also manage and use it. I think we'll have a certain nucleus which will over time evolve for other duty holders, so we can deal with cyber security in a time-appropriate manner. In terms of the data that we'll get, in terms of the data processing, supported by AI tools and so on. That's all still to come, but we're on the right track. 

Host: You mentioned the carrot, what about the stick? What will be the sanctions? 

Uroš Svete: Of course, the act also provides sanctions. The sanctions are also partly laid down by the Directive and, perhaps crucially, I would point out that the responsibility is being placed on the companies, on the companies' management. So, as I said earlier, there won't be individual departments responsible for security, the management needs to realise that cyber security is important, that it's an ongoing process, that it's a management science. It's not a science of computers or digital technologies, it's a management science. Of course, the penalties will be higher, but I can still say that they're significantly higher under GDPR than they will be under the new act. The penalties for failure to respect personal data are significantly higher than in the case of cyber incidents. Our inspection works as a kind of support, above all to get the right response on the ground, that the act ... If an act is passed without inspection, it can actually be just a dead letter. The state has its power and its responsibility. Once the inspection has been carried out, we can see what the situation is, and we can adjust our activities accordingly. When our inspectors report on what is happening, we can see which sector is in what state, then the EU or our own funds can be redirected, we can react to it more easily to obtain, on average, the highest possible level of resistance.

Host: Our office, together with the Ministry for Digital Transformation, is leading the Let's Stop Disinformation campaign. How is the field of foreign manipulation of information and foreign interference in our public opinion linked to cyberattacks? 

Uroš Svete: It's strongly linked, both are so-called hybrid action dimensions. Both the disinformation and the cyber part are key elements of hybrid action. On the other hand, disinformation can also take place as the next phase of a cyberattack. In the first phase, the attacker takes control of an account, of a communication tool, and then spreads seemingly very credible information, which may be disinformation. This part is strongly linked. We also have a lot of trolls who are not the result of a cyberattack. But it's easier to base troll farms on stolen infrastructure, on the so-called botnets. And then it's also easier to work with them. I think the problem here will be that nowadays disinformation is detected in a similar way to cyberattacks, that AI can be very quickly misused for these kinds of attacks. If we're talking about deepfake and so on, we know that it's very difficult for the user to figure out what is a real post and what is some kind of a montage or even an AI-assisted post. 

Host: Now that I'm dealing with this more, I've come to a realisation that lies spread faster than the truth, and it's very hard to stop them. 

Uroš Svete: The problem is that usually the lies are also more impactful. Loaded with emotions. Of course, if you try to oppose it or work against this disinformation with boring data, it becomes a problem. In any case, we're now at a turning point, because human beings have a limited capacity to absorb everything. If we compare ourselves to the younger generations, we see that there's still a lot of room for manoeuvre and reserve. But this will quickly lead to a point of singularity, because we will simply no longer be able to find out or distinguish between reality and an ICT construct. 

Host: So you agree with my observation. 

Uroš Svete: Yes, I do. 

Host: We've talked a lot about IT, but you have a background in defence studies. 

Uroš Svete: That's true. I started defence studies in 1994. But maybe I looked at the security challenge a little differently, which was a consequence of the fact that I came into contact with IT in a very interesting situation. I was of course an enthusiastic user of the tools of the late eighties. Our generation used ZX Spectrum, Amiga, BBS and so on. Then I very quickly got into the world of PCs, and even quicker into the world of networks. I'm from Kočevje, where I had the opportunity to work in a company that was very diversified all over the world, it had several branches, in Germany, Slovenia, Croatia and so on. All these branches were connected to the parent company with operating systems. Back then, that was Novell. It's interesting that there was some kind of IT reform because of an accident. Our backup system crashed. There was no air conditioning, the temperature was high, so the discs failed, and the company lost a few months’ worth of data. The workers had to do a huge amount of overtime to get all the data back. When the director saw that, he realised the matter was very serious. I had some ideas how to solve it, and I quickly got the opportunity to implement them. In 1994, right at the beginning of college, I came across an excellent paper I still like to quote, entitled What is Information Warfare. In 1993, Martin Libicki, the author of this paper, wrote about how the future of warfare will no longer be based on kinetic military power, but on disinformation, on cyber or hacker warfare, on the destruction of digital infrastructure that will become critical. Back then, all of this was just beginning. I found that very interesting from the point of view of a different concept of social power. I also found it interesting for Slovenia as a small country, that a country can't only be powerful in terms of its territory, number of tanks, planes, inhabitants, but that actually knowledge can be a very powerful weapon in terms of positioning the country. 
Then I continued to deal with that in my master's degree, in my PhD, I also spent quite a few years lecturing on cybersecurity and information warfare, up until 2018. 

Host: What did the students at the Faculty of Social Sciences ask you most often?

Uroš Svete: There were a lot of questions, but there was an interesting question at a semi-public doctoral thesis defence. When are we going to reach a situation of exclusively cyber warfare? Now, the cyber dimension is some kind of addition to real warfare. The answer was when the two sides have similar, symmetrically developed technology. 

Host: So it's a good thing we're lagging behind. 

Uroš Svete: I'm afraid we're not lagging behind that much. We're at a point where we're similar to the most developed countries in the world in terms of usability, in terms of dependence, there's no longer any significant difference. In some areas, when it comes to connectivity and so on, we're among the most developed countries. We're developed enough for machine-to-machine fighting, we have tools for carrying out attacks against the XDR, EDR antivirus and other solutions. We're not far off. The situation in Slovenia is similar to other countries close to us, both in terms of challenges and advantages. 

Host: What can each individual do to avoid cyber fraud? 

Uroš Svete: First of all, they need to be aware which digital device they're using, so that they know where their data can end up, so that they have the ability to react to it. Passwords are still very broadly used. As long as we use passwords, we need to change them and use complex passwords wherever we can. Multi-factor login. Cross-device login, so if you log in on a computer, you need to confirm your login with another device, a phone. Logging every login, so you get a notification of every login. If it wasn't you, you need to immediately change your password and report the incident. What else is important? That we don't trust the technology. There is no reason to believe everything that's being sold to us by technology providers. And above all, follow the channels that inform about misuse. Slovenia has a very good programme, called Safe on the Internet, run by SI-CERT at Arnes, which also has various social media channels, informing about current threats that are emerging, how we can recognise them ... Bear in mind that a cyber incident could happen to me, to you, to anyone, regardless of the fact that some may be more, some less, aware. I think that's the basis. As I said, like we have learnt the rules of the road, safety needs to become an inseparable part of technology use.

Host: Dr. Uroš Svete, let's hope there'll be as little warfare as possible. 

Uroš Svete: I agree, I always want technology to bring more benefits than risks, but it's true of all the technologies that we've adopted in a broad sense in civilisations, that they have a dark side, there are abuses, malfunctions, last but not least there are risks when it comes to natural disasters. I want technology to benefit us all as much as possible. 

Host: Thank you for being our guest.

Uroš Svete: Thank you for having me.

Host: Thank you for being with us and goodbye.