Portugal at War (Digital)
At the time of writing these lines, it is not yet known who was behind the biggest cyberattack ever made against Portugal: the attack on the communications infrastructure of one of the largest national operators, Vodafone. The attack began on February 7 at around 210 and, according to the operator, “abruptly” hit “almost all” of its telecommunications services through a very targeted attack on the operator’s networks. It will have relied on a large botnet, with the majority of the equipment (according to Cloudflare) in the US and Singapore but, as happens in this type of attack, the operation was not commanded from there but from a third country.
Vodafone activated its contingency plan and began to recover services one by one. The attack should put all national companies, organizations and citizens on guard. Vodafone was, in fact, just the latest in a series of attacks that has not yet ended and that began on January 2 with an attack on Impresa, which destroyed – by encrypting – the Expresso and SIC websites and deleted the backups that this company had on the Amazon Cloud, and which was followed by attacks – of varying success and duration – on the Assembly of the Republic, Correio da Manhã, Sábado, Visão, Caras, TAP and, more recently, the Germano de Souza laboratories. Apparently, it was not the same organization behind this whole wave of attacks, and they differ in method and in objectives: some were classic ransomware with financial objectives and others aimed at affecting the communication networks essential to the normal functioning of the country. Had these attacks taken place in the 1930s and 1940s, the equivalent would be the destruction of bridges, roads or telephone networks by aerial bombing or sabotage by fifth columns, but now – with the degree of digitization of the economy and the trivialization of this news and its consequences – we are not paying attention to the problem. Basically, Portugal is at war against an unknown agent or agents and we are not doing enough to defend ourselves… And we need to!
Two days after Vodafone, it was the turn of the mobile network of the Spanish operator Movistar. These attacks, and in particular the attacks on Vodafone Portugal and Movistar, can be placed in a broader geopolitical context, where Portugal is being used as a “test” for a large-scale operation against even more essential services, such as the management of the main dams, the power grid, a parallel attack on all communications and internet operators and on internal security and defense systems. The attack on Vodafone could thus be a test of defence, reaction and mitigation or a demonstration of capability that aims to intimidate those who, in NATO countries, believe that must help force or force new expressions against any aggression in Eastern Europe.
What happened to Impresa (with the loss of online data and the history of SIC and Expresso), to Cofina (Correio da Manhã, Sábado) and, more recently, to Vodafone (with impacts on firefighters, INEM, the ATM network, hospitals and more than 4 million individual and business customers) must lead the Government of the Republic to establish a major cybersecurity initiative:
1. That all Government bodies, Ministries and Local Authorities begin or complete a transition to a secure cloud structure with a “Zero Trust” architecture, mandatory multi-factor authentication (MFA) systems and strong implementation, and that the Government set a specific deadline to complete this transition.
2. Improvement of computer security in the “Software Supply Chain” by determining common security rules for all software sold to the Government and Local Authorities, and that this serve as the basis for launching a partnership initiative that guarantees the development of secure software from large central state programs.
3. The creation of a security seal, in the manner of the “energy star”, that tells the general public that software was developed in a safe way and that allows the Government, using its immense power, to force manufacturers to make, for their entire market, software that is more secure and without vulnerabilities.
4. Create a “Cybersecurity Review Office” where, together with the private sector, the cybersecurity components that failed are reviewed after a significant security incident. This will ensure that all organizations can benefit from resolving the failures of some.
5. Create a “Book of Rules” for response to Cyber Incidents, based on a still incomplete text already available at the National Cybersecurity Center, that must be followed by government authorities and local authorities – regardless of their digital maturity – and that establishes a minimum standard of response among all organizations, which can later be followed by private sector organizations.
6. Increase the Government’s capacity to detect the occurrence of a cyberattack on its networks through the creation of a single system for the detection and sharing of information between different agencies and governance bodies.
7. Public Safety Investigation and Reset and Standards Review Capabilities for Evaluating Standards and Benchmarking of Reference Records (determination of intrusions, mitigation of those that are in progress and extent of an incident).
Portugal still needs:
1. Raising Authorities takes place against organizations that do not report all cybersecurity organizations.
2. Determine practical and concrete actions against the authorities of the countries from which these attacks on companies, individuals and entities of the central government and local authorities are launched.
3. Consider creating a fee that applies to companies and organizations that pay ransoms or hide that they have done so. Portugal has to go further than everyone else to stop being a target (the pattern of being a preferential target is starting to be drawn due to the low digital maturity of our musicians).
4. Determine that all organizations, starting at a certain scale, have a cybersecurity budget that is 10% to 15% of the IT budget (Estonia).
5. That the National Security Center:
a. Comply with the Code of Administrative Procedure, namely the deadlines for responding to citizens and companies.
b. Have cybersecurity teams that perform surprise audits of national companies above a certain manufacturing volume and
c. That assists the resolution of each incident being called cybersecurity or does not consult an organization that has a role at the time of the occurrence.
6. That an assessment of the economic utility of cryptocurrencies be made at the European and national level and that, if this assessment concludes that cryptocurrencies have no value for the economy and serve only as a speculative product and a tool for cybercriminals and drug traffickers, their use, mining, possession and manipulation be prohibited in Portugal and in the European space, and that Portugal take the lead and prohibit the mining of cryptocurrencies in its territory.
7. That all cybersecurity-related expenses be subject to the minimum VAT rate, as the essential services they are and should be.
8. That all national organizations above a certain billing volume:
a. have two-factor authentication on remote access (VPN and Internet) to their resources.
b. perform penetration tests (pentests) of.
c. have insurance against the impacts of ransomware on the organization’s activity.
d. have offline backups and a team specializing in cybersecurity.
e. have an online training plan dedicated to cybersecurity that is mandatory for all employees.
f. have alternative backup networks, which should be mandatory for the State, local authorities and large companies.
9. That the Government launch a rewards program that pays those who discover vulnerabilities on the websites of the State, public or municipal companies and local authorities.
It would also be desirable that the “Cyberdefense Center”, which has the mission “to protect the information, confidentiality and information of the National Defense and protection systems essential to the exercise of our sovereignty, in order to guarantee the defense and, eventually, the creation of effects in and through cyberspace”, broaden its scope so that it can also assist the national government and companies in reacting to a large-scale cyber incident like the one that brought down the Vodafone network in 2022.
But we must not stop here. We should closely follow Estonia’s example and include cybersecurity in school courses, with constant practical practices and non-secondary specialist specialists. Cybersecurity is no longer just a matter for specialists to think about, because its impact has already extended to the whole of society, and we cannot continue to believe that it is a “computer” problem: it is a social one, with reach in all sectors.
These proposals were sent to the Parliamentary Committee for National Defense, the Ministry of National Defense, the Ministry of Internal Administration, the National Cybersecurity Center, the OSCOT – Observatory for Security, Organized Crime and Terrorism and the APDSI – Association for the Promotion and Development of the Information Society, but so far there has been no response.
(The author writes according to the Old Orthographic Agreement)
Rui Martins, founder of www.vizinhosdoareeiro.org and president of the association Neighbors in Lisbon