The Cyber Attack on Parliament - A Cold Case Analysis in Its Global Context

In general, the attacks that hit the legislative institutions of many countries were a simple routine somewhat devoid of serious damage. These consist, overwhelmingly, of "defacement" of the website's main page (i.e. changing its appearance for a claim, generally political) combined, in general, with a DDoS (Denial of Service) attack, preventing access to any visitor to the site until the issue was resolved by the security teams.

Worldwide, attacks of this type are now conducted almost daily against state entities, being the work of hacker groups affiliated with a State or simply driven by a cause (terrorism, environmentalism, alter-mondialism, etc.) using both techniques , as was the case with the attack on the website of the Swiss federal administration during the visit to Davos by Ukrainian President Volodymyr Zelenskiy on January 18) or only DDoS, such as, against Romania, the powerful DDoS attack that hit the cyber attack website large-scale attack on the website of the National Cyber Security Directorate (DNSC), carried out last Wednesday, so only three days after the attack on the Chamber of Deputies.

In any case, apart from the fact that these operations did not affect the actual content of the servers, they only annoyed the users and gave headaches to the security teams.

• The usual heavy targets targeted by the best criminal groups

The main reason is that most of the more sophisticated data theft attacks have focused on targets and documents of much higher value than a law enforcement agency can hold. For very powerful hacker groups, the most interesting state assets are the highly sensitive data of government agencies related to national security, but also those related to the health, energy and agribusiness sectors.

These targets, now under constant assault, offer, if hacked, a huge added value, as their data can be used by a competing nation, but also sold for a very high profit to private actors operating in these areas, representing the four main pillars of the world economy.

• Why, now, and the parliaments?

The answer is complex and multi-rooted: the state of disrepair of the world's major economies caused by the pandemic years, compounded by the greatest geopolitical and military instability since the end of the Cold War, compounded by inflation, speculation, and consequently , the immense needs of large state and private actors in anticipating the decisions taken by their competitors, as well as their effects in a ruthless global competition, where friends and allies do not exist.

In every country in the EU, in the G-20 and beyond, both Houses, which were previously spied on by other means (see the NSA spying scandals and the more recent EU commissions), have thus become a prime target for groups of skilled hackers. Senates and parliaments deal with an enormous amount of data, most of it a little sensitive, but some of it very relevant to the four big economic pillars, such as the topics addressed by the specialized committees dealing with these sectors .

In this context, the Chambers' databases collect several "treasures" that can be used by competing states or illegally sold to the private sector. The attack, unfortunately successful, on the data center of the Romanian Parliament is, therefore, the last in a long series, even if we consider only the last six months.

In September 2023, the Canadian Parliament was the subject of a massive attack, with numerous data stolen; the following month, it was the turn of both Houses of Parliament in the Philippines to be massively hacked, followed by that of Belgium. On the very same day that the attack on the Romanian Parliament took place, one of the main private data centers used by the Swedish Parliament (part of the national public cloud) was completely compromised.

Without reaching the critical magnitude of last year's hackers from the Pentagon or the Swiss government - in the latter case, the data center, run by state-owned military companies, was the subject of ransomware with the threat of making public all documents, two of the parliamentary cases mentioned above deserve special attention.

On the one hand, the Canadian event also deeply affected Ministry of Defense data, while the Belgian incident involved thefts from the Prime Minister's office, the King's office, as well as several other ministries. Actually, both extra attacks, m of sophisticated took advantage of the similar cyber organization of various institutions to have such success, which leads us to believe that the Chambers were not the main objective.

• Lessons learned

I read with interest the articles published in Bursa last week. Unfortunately, we have been hearing for years that cyber security must be "priority zero" for public administration, statements made after almost every incident.

In this context, the challenges to be solved are enormous. The first, for every state, is the need to hire many more top cybersecurity professionals, a challenge hardly compatible with a time of recession and crunch budgets.

Then there is a huge need for clarification on how a nation wants to develop its own "government cloud" or "public cloud," neither of which offer more security than static servers unless they are state-of-the-art.

On the contrary, the cloud system needs numerous secure remote connections as well as a perfectly secure data supply chain. As we have seen in the US (Solarwinds) as well as in Switzerland (state military companies), even the best chains can be hacked.

Additionally, there is always a physical database system at the end of a cloud. In the Anglo-Saxon fashion of the "public cloud", secured by the highest state organizations, but also in the lesser meaning of "government cloud", the Swedish cyber attack of January 29 represents the worst possible nightmare. In fact, one of the databases used, belonging to the most reliable Finnish company, is still non-functional, and the loss of documents concerns the most important banking and commercial affairs, in addition to state documents.

Last but not least, it is essential to choose top technologies and top specialists. Here, two elements must be emphasized. The first is that all the most secure technology solutions, which include quantum encryption and artificial intelligence, do not belong to EU companies, so even if such large technology companies can build the physical components on EU territory, a dependency will be created that could not be compatible with GDPR rules.

Extending, already from the technological point of view, the problem to "quis custodet custodes", i.e. who guards the guardians (of the data), Romania, like many other EU states, will have to choose between the "traditional" popular distrust in their own security agencies state security and the risky path of privatizing the security, hosting and smooth functioning of the government cloud (a risk that only the US, Russia or China can afford, thus having world-leading companies in their national jurisdiction).

• Such attacks will continue ... with artificial intelligence, no bit is lost anymore ...

Unfortunately, such attacks will continue, because in addition to critical/ultra-sensitive data, which, if found, will be immediately traded, the "big tech" of artificial intelligence - as well as cybercrime groups - should not be underestimated who master this technology - and the billions of daily data they need to operate.

By its essence and its needs, measurable in peta- and exa-bits every day, extracted from all possible global sources (legal and not), artificial intelligence, in the absence of a legal and ethical framework, has transformed, without being directly responsible, into cyber crime target every public or private entity owning a rich data center regardless of their sensitivity/privacy.

Consequently, nothing is lost for the hackers, as the most important stolen documents will be immediately used (if the attack was paid for by an entity) and sold expensively, while the rest of the data will be collected with incoherent amounts of other data to become interesting, in volume, to the big actors (legal or criminal) in the field of artificial intelligence.