Romania is in a frantic race to modernize its military arsenal. It is a race which involves significant costs for the lowest European budget relative to its economy. These costs make Romania's defense budget the second largest as a percentage of budgetary revenues among NATO countries, behind the US.
And yet, these expensive steps will in no way make Romania more secure if other vulnerabilities are not addressed with maximum seriousness and speed, all the more so since the associated financial effort is incomparably smaller.
This is the topic that I will be approaching together with my guest, Victor Cionga, who has worked throughout his career in investment banking. He was involved in both mergers and acquisitions, as well as in listings on the local capital market. Throughout his professional life he was a member of several Boards of Directors (Arctic, Sidex, Electrica) and one Supervisory Board (Hidroelectrica).
RC: Victor, there has been a lot of talk about Romania's military vulnerabilities. Isn't it possible that Romanian businesses have other weaknesses that make them the sitting ducks of less friendly players? Strategically important state-owned enterprises first come to mind, but the private sector may not be in a better position as far as cybersecurity goes.
VC: I would suggest going from the general to the specific. Besides their obvious advantages, technological advances have also increased risks whose likely consequences, in some cases, remained misunderstood for a long time. The area where this category of risks is perceived as potentially "explosive" right now is cyber risks. There are many players operating in the virtual space and they are not necessarily state actors. The non-state actors can be organized firms offering their services in exchange for money to attack targets, lone wolf hackers, and hacking organizations which come together on an ad-hoc basis to attack targets for money, not to mention the "romantic" hackers, those who act just to prove that they can, or to show the companies how off-guard they are.
RC: And yet, if we look at Romania one of the two applies: either these attacks are swept under the rug, or they do not exist. Very rarely do we see public confirmations of such attacks. The latest information relates to the Ministry of Education website where cryptocurrency mining apps had been illegally installed.
VC: It depends on how dangerous the attack is. I can say, from a very reliable source, that in 2014 and 2015 there were ransomware attacks against Romanian utility companies. These attacks were not always reported up the chain of command. Probably out of fear, they remained unreported even to the direct management and were discovered accidentally. As far as the utility companies are concerned, the most serious attacks are against a country's critical infrastructure, which are most likely prepared and coordinated directly, if not mainly, by state actors. The problem is that, in the case of an attack by a state actor, it is extremely difficult to trace the author.
The first serious attack recorded occurred on December 23, 2014, when two power distribution grids in Ukraine were attacked. The attack was felt even in the Kiev area. That attack was carefully examined by experts and it was found that: 1) it had been prepared as early as March that year, 2) the hackers had taken charge of the grid control systems and 3) they were "generous" because they caused less harm than they could otherwise have done. As an expert with whom I talked put it, if they had wanted to, they could have sent at least one of those Ukrainian regions back into the 19th century. Two more cyber-attacks followed, also in Ukraine. One was against power grids and another one, more widely, against Ukrainian firms and agencies using a certain accounting software. In the latter, the "bug" was entered into the source code of the new software version and spread as the firm's clients installed the updates.
RC: How likely is it that something similar will happen in Romania?
VC: I cannot say. But, just like in Ukraine's case, it is possible (not necessarily probable!) that there already exists spy software triggering these attacks in some of Romania's networks. That they have not been activated does not mean that they do not exist, because they emerge only on command. I do know, though, and my information is for 2015, that state-controlled companies in Romania failed to properly grasp the danger of these attacks and, as a result, there hasn't been an ongoing and professional concern to prepare the companies for such attacks.
RC: Why those controlled by the state?
VC: Because those run by multinationals embrace the strictness shown by the parent company. And therein lies another issue of principle. When part of the infrastructure is owned by foreign companies which apply different security standards, then, as a country, if you have your own standards, you must ensure that they are enforced. I am not aware of European procedures that make this alignment possible. To my knowledge, ANRE, the Romanian energy regulator, does not have any direct legal power to set minimum cybersecurity standards to be applied across the industry. Moreover, three years ago at least, it lacked the professional skills in that respect and the concern to acquire any. Meanwhile things may well have changed.
I would like, however, to draw your attention to the fact that Europe has seen massive attacks not just against its critical infrastructure, such as power grids. In 2015, if I'm not mistaken, the entire healthcare system in the UK was hit (National Health Service). Some hospitals were temporarily shut down because they could not operate under normal circumstances. Coming back to Romania, though, I can say the following thing that I have noticed: both government authorities and government or private companies have shown and continue to show too little interest in ensuring protection against cyber-attacks. A missing market, and therefore a lack of serious demand, explains why there are no powerful companies in Romania to provide such services.
RC: Why? What would be the explanation?
VC: The first thing that I noticed in the 2014-2015 period is that many decision-makers in the energy industry were cut off from how the global realities were shifting. It is very difficult for a state-owned company, with an IT department already set up, in many cases run by people professionally left behind, to bring in someone whom you can pay properly and to whom you can offer a position with the adequate power and accountability. Most large companies in Romania controlled locally (by government or private entities) lack the CISO, Chief Information Security Officer, position. The job description of the position can be easily guessed from the title.
I carried out a very simple exercise this year. I took the annual National Grid report, the UK Transelectrica, and the S.C. Transelectrica (TEL) annual report. As TEL interconnects with other European operators, it is subject to the European minimum requirements. As far as I know, that is why, a few years back, it probably was the Romanian state-owned energy company with the most advanced cybersecurity program.
Having said that, in Transelectrica's 2017 annual report, the word "security" was mentioned up to around 50 times, and "cybersecurity" showed up once explicitly and 2 or 3 times implicitly. I, for one, did not see any mention in the report of a cyber-attack response plan, nor any remarks on executive managers submitting reports to the Supervisory Board that would once or twice a year present the implementation stage of cybersecurity measures. On the other hand, in its annual report, National Grid, besides its many "cybersecurity" references, presents several scenarios, of which three with possible catastrophic consequences were triggered by cyber-attacks. In addition, there is a CISO who quarterly informs the Supervisory Board on cyber risks and the preventive actions taken. If memory serves, as early as 2015 most businesses publicly traded on the London Stock Exchange included "cybersecurity" issues in their annual reports, with a mention of steps taken. In 2015 I had the initiative to mention our concern, as Board of Directors, regarding this issue in the Electrica S.A. (ELSA) directors' report. It was a first for ELSA; we were probably the first company traded on the BVB [Bucharest Stock Exchange] to include the issue in a document to shareholders.
RC: You know what I cannot understand? Just like you know what happened in Ukraine and in the UK, the Board of Directors members and the executive managers of these companies must know as well.
VC: Firstly, many things have happened since 2014 and public perception has evolved; I can't yet tell how much, but at least the issue is on the table. That year, though, as then Chairman of the Board of Directors, I found myself several times in the situation where I was told "Chairman, this cannot happen here. We have more important issues to deal with".
RC: That was the ultimate reason for inaction …
VC: I requested an IT audit, including a penetration test, and hopefully its results prompted some change at ELSA in understanding how vital cybersecurity is. I know of real cases involving large Romanian companies which, at some point, had not bought antivirus software for their own computer systems. The highest risk to cybersecurity is the human being. And not necessarily the spy, the James Bonds, but the simple person, the operator not complying with some relatively simple rules. That assumes the company they work for established rules and they were made aware of them. Otherwise they have no reason to abide by them.
RC: I reckon that you don`t have to be a very skilled hacker to break into a computer system given this level of neglect.
VC: I've heard of cases where, for many years, for some of the SCADA power grid management systems in Romania, they had not purchased the cybersecurity package. Things were finally put on the right track.
Cybersecurity has to do with laws and doing things professionally. With an IT manager who has been with the company for 10 – 20 years and cannot be removed, who doesn`t know and doesn`t want to know, addressing these vulnerabilities is very tough.
RC: Should I infer from what you said earlier that in Romania these problems are not by accident but rather systemic?
VC: It's culture related. And here are the arguments, based on one effect. They say that Romania has excellent computer experts, but there are few cybersecurity firms and they do not have a lot of business. The cause: I repeat, the local market was and is still small due to relatively flimsy demand; outside of the financial industry and most multinationals, government institutions, central and local authorities, government business enterprises, and state-controlled and private companies failed to realize the importance of the issue and of the fact that cybersecurity measures mainly require preventive action.
Negligence comes at a high cost; I don't know what the Ukrainian authorities learnt from the December 2015 attack, but the fact that several successful cyber-attacks followed, one of which was also against the energy industry, goes to show what "not doing your homework", not even at the 11th hour, means!
In the Romanian cases that I know of, and again in 2015 there were "ransomware" attacks which disrupted the computers of a large utility company, some of these incidents were not reported and we found out about them by accident!
RC: This sounds very serious to me. And how was the vulnerability addressed if it wasn't reported?
VC: I don't know.
RC: How do we deal with this cultural issue?
VC: The key has to do firstly with people. Romania is a country where, sadly, many times the form is left without the substance. I am going to give you one example: a large Romanian company with a significant turnover, with more than 150 workstations protected only by Microsoft Essentials because "we cannot spend money on professional antivirus protection" when there is a free one. So they were able to put in the "report" that using antivirus software to protect the computers had been considered, though that was not the best technical solution by far. Professional antivirus software (which is just a part of a professional corporate cybersecurity package) would have amounted to around EUR 2,200 per year for all the above-mentioned stations. There is clearly no perfect cybersecurity protection, but when the stakes are high, you make the proper preparations and not just check off a report.
Without any statistical data, I believe that, unfortunately, the level of awareness is low among both Board members and most executive managers. One of the things that I would suggest the Independent Directors Association (AAI) should do: go through the proper channels to have a Manual, a Guide, developed for public companies to start with. It could later be extended, which is to be decided through talks with ministries, central and local governments. We do not have to reinvent the wheel; maybe the US model is a good example. The New York Stock Exchange worked with a cybersecurity company to establish a Guide, which is now in its second edition, on how public companies should approach cybersecurity. Partners could be either private or part of government institutions, such as the Romanian CERT-RO [National Cybersecurity and Incident Response Team], which has made some steps in that direction.
As I recently became an AAI [Independent Directors Association] member I can talk in the first person plural: this approach had better be agreed first with the Bucharest Stock Exchange and later disseminated among the analysts of brokerage firms who have research departments and do research reports on public companies. When meeting with public companies' executive managers, the latter should question them on how advanced their cybersecurity projects are.
What could also be done is to raise awareness among decision-makers within ministries because state-owned enterprises respond easily to commands coming from that area. It is not my intention to downplay the role of some institutions which operate in this field: I mean here CERT-RO and the Cyberint National Center; the projects which they have developed so far, based on their websites, show that there has been increased public interest in this issue. What we are still missing is risk awareness among decision-makers and an allocation of sufficient funds to be able to cope with future challenges in such a sensitive area.
RC: Cybersecurity in the private pensions industry is heavily regulated. We conduct penetration testing every year, we have a Business Continuity Plan, a Disaster Recovery Plan and so on. And ASF [Financial Supervisory Authority] monitors that we do our homework timely and to perfection. Would a similar approach also work for state-owned companies?
VC: I'm glad to hear that; maybe you should also inform the public. State-owned companies are very sensitive to calls from the ministry. Alas, there are cases where some Board members are grossly mistaken in terms of corporate governance: they are highly sensitive to the interests of the shareholders voting them in and at times less keen about the company's interests. This is a cultural "illness" which is not easily cured. But, in the field of cybersecurity at least, I don't think we can still afford to wait for the minister concerned to issue instructions. We must act fast and professionally. Where we lack sufficient experience, the fast and effective way that I see is to work with other government or private organizations within the EU or NATO. We shouldn't sit and wait to become victims of an attack before doing something. All the more so since preventive measures cost less than fixing the aftermath of a cyber-attack…
RC: The damage could be huge. Let us hope that this interview will be the alarm signal that will lead to making critical infrastructure cyber secure.
Thank you, Victor, for this talk.