Awareness on information security low in Turkey

Barçın Yinanç - barcinyinanc@hdn.com.tr

The rest of the world might be attuned to the importance of information security, but the Turkish government’s recent move to downplay the significance of the data breach of 50 million Turkish citizens shows how low the awareness about the issue is in Turkey, according to an expert. 

The public should be sensitive about the consequences of such a data breach, said information security expert Minhac Çelik, adding that the prime minister’s stance had not aided efforts to raise awareness on the issue. 

First of all, tell us what we are talking about, in terms of this latest incident.

We are talking about the information that is found on the front page of the identity cards of 50 million people, as well as their address information. 

It seems we are talking about a theft that took place in 2010. 

Actually this is not really theft. There is a place with an open door; there is no security system and there is some information there. You take that information out, but it continues to remain there since the door is always open. This is a data breach.

The government tells us that the Supreme Election Board provided the information to political parties as a legal necessity prior to the elections, meaning we have got the impression that the political parties might be responsible for the problem.

The thing is, in the virtual world, you put this data in a place and then you tell the political parties to come and fetch it. But what is assumed to be accessible only to political parties is actually open to others. There is a lot of security negligence. There is no security mechanism and hackers or people with bad intentions were able to access it.

The ones who opened this database to political parties have neglected security measures. Hackers even left messages; two of them made fun, saying, “How did you think you could protect it with such a simple security mechanism?”

The information was made public in 2016, whereas the data breach occurred in 2010. Why now?

Turkey has taken an important step and enacted a law to protect personal data. The timing is interesting. We heard about this data breach just as Turkey enacted the law. I do not imply anything, but I still think there is a linkage between the two.  

What is all of this telling us?

It tells us that awareness on information security is still at low levels. This is not only as far as citizens are concerned, but at the state level as well, the awareness is not very high. It is portrayed as such an insignificant thing that no one pays the cost. Perhaps those who made the statements [after the incident became public] might really think that this is not really that important.

A similar incident took place in the United States with the U.S. office of personnel management when the personal data of American public officials was stolen and it became a huge thing. Newspapers talked about it for days, and its director had to resign.

Here, however, there was no huge outcry at either the press or among the public. Society has not shown a reaction.

Why should we be concerned?

This could have very serious consequences in our lives. We could experience fraud, face financial losses or encounter incidents in which our reputations are jeopardized or our professional or family lives are jeopardized.

But the government tells us not to worry. Apparently, those who made the data breach do not hold the maiden names of our mothers.

But that does not mean they cannot get hold of it. In addition, with the current information they have, you can get some mail that would give you the sense of familiarity with the sender. As the mails and familiarities increase, at some point they could introduce malware in a link that send you. These are social engineering attacks.

The prime minister said he did not mind people knowing the address of his home; he invited them to visit his house. But you are telling us there is more to it.

Correct. When the one who says this is the prime minister, then he is not contributing to increasing public awareness on information security.

If the PM was to make the opposite statement without leading to panic, saying this information should have been better protected, then the people would have realized that this is important information. He would have served as a role model for the people so that they could become more sensitive about data breaches.

Perhaps there is not much we can do after this data breach. 

The PM’s statement would lead to laxity. To say “it’s OK if this information is known to others,” means this data is not important at all and that people will perceive it like that. But I think his statement has struck a blow to the institutional efforts that are being made to increase awareness on information security in the mid-term.

Is the prime minister trying to hide mismanagement or is he really unaware of the seriousness of the issue?

Political statements are done to protect certain interests, but I don’t think the awareness of the government on cyber security is that low.

Just two weeks ago, Turkey actually endorsed a cyber security strategy and action plan for the years 2016-2019.

The first one was endorsed in 2012 for two years. This time it is for three years, and it will be under periodical review. We understand from the strategy document that this time the government has the intention of having a platform where state institutions will come together with the representatives of civil society, private sector and universities to establish a cyber security strategy.

This shows that at least they are following the developments in the world. Only state institutions were involved the first time the strategy was prepared.

But in general, can we say that Turkey has been late in taking the necessary measures in terms of cyber security?

Other countries are targets of similar serious attacks. U.S. President Barack Obama has a cyber security adviser. The U.S. has a cyber command. Let’s say that the world is mobilized on that issue and a similar sense of mobilization is not being seen in Turkey; that’s what the prime minister’s statement shows. The world is in a state of alert and Turkey is not really on a state of alert. Data breaches in the world are becoming scandals, but in Turkey such a breach is not considered a scandal.

On the other hand, this state of alert in the world also provides economic opportunities. Turkey should divert its trained and educated people to this sphere. Cyber security is, for instance, an obligatory course in Israeli high schools. In the United States, conferences are not followed by just a small community of hackers but by a wide range of people. 

And we are a society that is actually on good terms with technology.

We do not produce technology, but it is clear that we are a society that is very enthusiastic about using the benefits of technology. But let’s not forget that the more you are connected, the more vulnerable you become. North Korea is the safest country in terms of cyber security, but they are very much on the offensive. 

Turkey doesn’t lack any enemies; that must make it a frequent target.

The Turkish Armed Forces has declared cyberspace as the fifth battlefield; that means it will take the necessary measures against threats to the country’s interests in cyberspace or against attacks from cyberspace. Strains in diplomatic sphere easy spill over to cyberspace and cyber-attacks against Turkey are no secret. We know for instance cases where social engineering attacks against the people working in humanitarian aid efforts for Syria have been successful; this information is open information.