Turkey is not prepared for approaching cyber wars

Barçın Yinanç - barcin.yinanc@hdn.com.tr

The response to the recent cyberattacks has shown Turkey has no crisis management culture for cyber space, according to Salih Bıçakcı one of the researchers who have recently prepared a report on Turkey’s cyber security. “Turkey is not prepared for the approaching cyber wars; it needs a mentality change,” says Bıçakcı from Kadir Has University.

What is your evaluation of the latest cyberattack?

Since Dec. 14, we have been under a Distributed Denial of Service (DDoS) attack. This is a type of attack where it is difficult to identify the perpetrator. Due to political contention with Russia and Russians’ track record for cyberattacks, we suspected Russia. Anonymous claimed responsibility but they announced their campaign against Turkey on Nov. 25; why did they wait until Dec. 14? The fact that Redhack participated in these attacks and that the Cyrillic alphabet is seen in the video put on the Internet by the perpetrators gives me the impression that different actors are taking part of these attacks under the leadership of Anonymous.

Anonymous had only state institutions on its attack list. Due to the multiplicity of attackers, I anticipate that next targets could be airlines, the stock exchange or municipalities.

What do you think about the response to the attack?

Crisis management was done through Middle East Technical University (ODTÜ), which is hosting the servers for the domain name .tr. ODTÜ is the first institution that brought the Internet to Turkey. 

The structure we have in Turkey is as follows: on the top, we have the Presidency of Telecommunication and Communication (TİB), which reports directly to the chairman of the Information and Communication Technologies Authority (TBK). Then there is the National Cyber Incidents Response Center (USOM), which hosts the computer emergency response team (CERT). That team advises. They are not very talented and capable at handling the issue. They advised shutting down all international IP blocks. 

But then we were excluded from everything in the cyber world, so they said open it. It was a wrong decision. That shows how badly USOM performed in crisis management. ODTÜ did the best it could. The question here to ask is whether USOM did a practice trial of crisis management.

On the other hand, it is not clear who will be do crisis management. We don’t have a crisis coordination center. USOM should have assumed that role but their power and expertise is very limited.

The government blamed ODTÜ and said the servers should be transformed to BTK, which responds to the Transportation Ministry. Would that be a solution?

The services of the Transportation Ministry were also affected during the attacks. What is forgotten is this: the state is obligated to protect all servers, wherever they may be located. At the stage we are at, there are national cyber space frontiers and they need to be protected. That’s why the state is responsible of protecting ODTÜ’s or banks’ servers. Obviously the transfer to the BTK could bring some benefits as far as technical capabilities are concerned. But establishing new structures are always open to more loopholes. This kind of transfer should be evaluated prior to the crisis period and I think we should not discuss such vulnerabilities in the midst of the crisis.

The fact remains that there is a lack of coordination on how to response to cyberattacks.

We have a National Cyber Council. It did not intervene at all during the latest attack. It is wrong to have it under the Transportation Ministry. We need an efficient crisis center under the Prime Ministry that conducts fast communication between all stakeholders. The message of the latest incident is clear: We have no cyber crisis management mentality.

The public was not very aware of the attacks. How come?

Those familiar with the Internet were aware of it. As cyber world is invisible, states tend to hide these attacks. They see this as vulnerability. It is called security through obscurity. But now the world is going to security through transparency. Deterrence comes from transparency.

What’s the scale of the threat?

We are talking about a threat that can return a country to the Stone Age. The country’s water, electricity, health and banking system can come to a halt. Cyber threats have been on the rise during the last decade. Until the [2010] Stuxnet attack on an Iranian nuclear facility which delayed Iran’s uranium enrichment for two years, we were not so sure such a sophisticated attack could take place. 

After that, Iran has become the world’s fifth cyber power, after the United States, Russia, China and Israel. I am suspecting that the March 2015 blackouts in Turkey were staged by Iran. 

Of the three super cyber powers, three are Turkey’s neighbors.

Geography is not an issue in cyber space. All the countries with which you have political contention have cyber capacity, including the Syrian electronic army. The outlawed Kurdistan Workers’ Party (PKK) has its own hacker team. Meanwhile, your allies can also use their cyber power in terms of gathering intelligence. 

States need to take measures against asymmetrical threats. But they are symmetrical structures that are obsolete in responding to these asymmetrical threats. We need a mentality change.

Marc Prensky talks about digital natives and digital immigrants. The young generations are native speakers of the cyber world; older generations are its immigrants. The high average age of decision makers make them digital immigrants, while the average age of the perpetrators is around the age of digital natives.

What does this latest attack tell us?

When we have a political issue, we have think of its reflection on the on cyber space. You cannot separate cyber space from political space. Turkey has not calculated the consequences of its political steps in the cyber world.  We claim we have a strategy but we don’t have one. We had an action plan for 2013 and 2014, and now we don’t have an action plan. 

In Turkey, issues related to cyber space get put high on the agenda when something happens and then the attention dies out.

Since we cannot touch the cyber world, statesmen do not care very much. Yet, we are so close to cyber wars and we are not prepared at all. Protection of critical infrastructure is very important; if you are not coordinated in the sense of forecasting cyber events, you cannot save the country.

Turkey has an enormous human capital that can work effectively in this issue. This human capital by itself is not enough. The human capital has to be communicating with each other. You need a coordination service. 
In the private sector, the banking system is really good for instance. But there is also an intersection point between the government and the private sector. 

That’s the problematic side. We have the energy sector, for instance, in the hands of the private sector. But energy is a matter of national security; the coordination there is not clear.

We have a state body which needs to protect itself like e-state and e-health.

The state side is very weak. A lot of institutions are working without any coordination. We need to build a cyber security culture. We are far away from situational awareness.