Borders and cyber-threats: how safe are we?
By Petros Chatzis, Specialist – Border Management and Dr Eliana Stavrou, Assistant Professor in Cybersecurity and Course Leader of MSC Cybersecurity, University of Central Lancashire, Cyprus
In recent decades, the border landscape has dramatically evolved, from the traditional geographically related boundaries, which defined national sovereignty territories, towards a critical infrastructure, involving checks and surveillance and falling under law enforcement jurisdiction. Nations rely upon well-controlled borders, especially due to the interchanges of globalization and the increasing demand for movements, using all technological advances. On the other hand, the interdependence of cyber and physical areas and the heavy reliance on technology have greatly expanded the attack surface, giving malicious actors more opportunities to attack borders. Due to the criticality of the borders, the impact of a cyberattack could be far-reaching. This article highlights the importance of the topic, presenting a list of cyber-threats and threat actors relevant to border control management operations.
To effectively protect border control management operations, one must first obtain a clear view of the different assets that take part in this complex infrastructure and then identify the cyber-threats that can jeopardize their operation. Border control increasingly relies on databases, large information systems and algorithms, which are stored in the cloud or controlled by third parties. In parallel, the systems are becoming more and more interconnected and interdependent, so any failure in one of them could have a cascading effect on the others. Moreover, the heterogeneity of the different systems contributes to the complexity of the border control management infrastructure, which may consist of components of different types and origin, e.g., the manufacturers of cameras, sensors and operating systems. The advanced interconnectivity of systems, people, and processes, along with the heavy reliance on smart technologies, increases the exposure to cyber-threats, such as personal data breach and disruption of services, which could have a serious impact, resulting even in harming national security and sovereignty.
Existing cyber-attacks against the borders reveal the reality and the dimension of the problem.
The following list of examples is indicative and not exhaustive, aiming to demonstrate the range of cyber-attacks that can be executed against the borders:
• 2021, Belarus: Hackers claim to have accessed full database of those crossing the country’s borders (Woollacott, 2021).
• 2021, Ukraine: Border control was hit with data-wiping malware, slowing refugee crossing (Alspach, 2022).
• 2019, USA: CBP Says Thousands of Traveler Photos Stolen in ‘Malicious Cyber-Attack’ (Levin, 2019).
• 2017, Taiwan: Since 2011, Taiwan used biometric e-Gates allowing fast-track passport control at main airports. It is suspected that the system had been compromised by a foreign government, due to a pre-installed ‘backdoor’ by the manufacturer (Everington, 2017).
• 2015, USA: Drug traffickers invested in spoofing and jamming the GPS systems of the border surveillance drones (Thompson, 2015).
These examples are indicative of the different threats that the borders face, which extend beyond the traditional “physical” threats, for example a person by-passing the border control by hiding in a vehicle or the use of a look-alike passport. It also needs to be taken into consideration that cyber-threats are not limited to intentional malicious actions, but extend also to non-malicious actions, like human errors, systems’ misconfigurations or natural disasters (ENISA, 2021).
There are various threat taxonomies developed for different critical infrastructures. Specifically for the border control infrastructures, the relevant threat categories could be summarized as follows:
• Natural and social phenomena can cause serious disruptions in the functioning of society, and this is a category over which the border management agencies do not have direct control, such as the “push and pull” factors, e.g., a war situation causing mass migration movements. Other examples falling under this category are natural disasters, e.g., a fire destroying the border assets, a pandemic or even climate conditions such as strong winds not allowing the UAV surveillance flight. Disinformation or fake news is also a recent trend, e.g., mass movements of people trying to abolish border controls have recently been encountered.
• Third-party failures are a great threat due to the interdependencies between border control management and third parties, which could seriously disrupt the border functions and assets; for example, a disruption caused by the internet service provider, errors or delays by companies to provide passenger or crew lists.
• System failures & outages, especially related to hardware and software failures, communication disruptions or even false alerts, e.g., a false alert of a database, could mean that an innocent person might be perceived as a threat.
• Human errors include the full range of unintentional human activities which could harm the efficiency of border control processes and harm a range of assets. Fatigue could result in data-entry errors, non-compliance with security policies could lead to exposure of sensitive data, improper use of equipment could damage it, and non-secure equipment might become a target of a malicious actor.
• Malicious actions: The core element of these threats is the intentional character and the aim, such as the disruption, destruction and unauthorized access to assets. Three subcategories are identified, in particular: a) Insider threats are caused by border staff with malicious motivation, e.g., a corrupt officer misusing his data access rights to sell information, b) Physical attacks take place with traditional “physical” methods and tools, without reliance on technology, such as vandalism, sabotage and theft of assets, and c) Cyber-attacks are those targeting the ICT systems, in particular:
- Malware, which is a generic term for software that has a malicious purpose, e.g., ransomware, trojan horses, viruses, and spyware. Unpatched systems could easily become the target of an attacker. Malware could also be installed due to negligence of the users in a variety of border systems, from PCs to remote border control assets.
- In Denial of Service (DoS) attacks, the attackers block access for legitimate users. Such attacks could be conducted by cyber-criminals to disrupt functions, e.g., the access to travel authorization systems, possibly requested as a service by criminals.
- Penetration attacks are a broad category describing all those attacks that involve breaking into systems and networks by using known vulnerabilities of hardware and software assets, including interception and network attacks. Such attacks can take place at the borders considering the vast reliance on wired and wireless networks, e.g., drones, remote cameras and radio communication devices, possibly to steal sensitive data.
- Social engineering is defined as the act of influencing a person to take action against their personal or organization’s interest, including disclosure of confidential information (Sutton, 2017). A typical attack type is ‘phishing’, which is the process of attempting to obtain personal information, e.g., credentials from a target, using techniques like mass emails, which entice recipients into clicking a link to a ‘legitimate’ website when in fact they end up on a phishing website (Computer Security Fundamentals 4th Edition, 2019). Border guards could be deceived by social engineering attacks, so that malicious actors can gain further access to a range of systems or even the border databases. Such attacks could also be directed at other relevant stakeholders, such as third-party service providers, persons with access to the database servers, airport and port staff, as a way to gain cyber access to the border systems.
- Advanced Persistent Threats (APTs) are sophisticated and focused network attacks in which an individual or a group gains access to a network and stays undetected over a long period of time. APT groups may obtain open-source intelligence or use social engineering methods and perform monitoring of a specific target, aiming at high-value information in companies and governments, usually in a long-term campaign involving different steps, and they are potentially funded by governments (Chen, Desmet, & Huygens, 2014).
The list above provides a broad categorization and description of threat types mainly affecting border control infrastructures. Moreover, threat types should not be seen in isolation but as sometimes complementing or even overlapping each other, e.g., APTs might use sophisticated malware as a main tool for their attack, whilst social engineering attacks may be the first step before spreading malware.
A coherent overview of the cyber-threat landscape should certainly incorporate the different threat actors as well. Gaining a good understanding of the threat actors and their motives is essential to prioritize decision-making and effectively address the relevant threats. In terms of threat actors, there are those that unintentionally impact assets and those that have a malicious intent. Unintentional human errors can be caused by a variety of factors, e.g., lack of sufficient training, lack of a proper security policy in place, lack of skills or negligence. This dimension does not only apply to the customs officers or border guards but also to the wider border community, e.g., airport and port staff, service providers, etc. On the other hand, there are several threat actors with a malicious intention, in particular: a) Insiders, motivated mostly by financial gains, for example corrupt border guards. b) Irregular travelers are all those persons trying to enter/exit the borders without fulfilling the legal requirements, e.g., by presenting fake documents. c) Nation States are a main category of threat actors, as they have adequate resources for sophisticated attacks and can use advanced technology and methods. Their main motive is espionage, seeking to gain access to sensitive information, such as personal data and commercial information. In the context of warfare, their motive could even be harming national security or disrupting critical infrastructure. d) Criminals and criminal groups are largely driven by financial gain and try to exploit different vulnerabilities to achieve their target. Examples of criminal groups include migrant smugglers, drug and weapon dealers. e) Cyber-criminals are all malicious actors using cyber techniques, usually in an attempt to generate money, for example by selling personal data on the dark web. In addition, these actors could offer their services to criminal groups to facilitate their illegal cross-border activities. f) Terrorists may use the borders for illegally trafficking small arms, weapons, and explosives (UNCCT, 2018), whilst illegal border crossing could be part of a plan for a terrorist attack. g) Activists are driven by the willingness to effect political or social change, and some of the respective groups are exclusively dedicated to a struggle against border controls, e.g., the “no borders” movement.
It is common that synergies are established among the different threat actors. Some examples are:
- Nation States could “instrumentalize” the migration flow as a part of their political agenda, whilst borders can be a favorable target for long-term espionage campaigns undertaken by cyber-criminals.
- An organized crime group might facilitate irregular travelers, using the classified information provided by insiders.
- A cyber-criminal can be used by traditional criminals for accessing patrolling information or gaining access to the surveillance equipment.
Of course, threat actors are highly flexible and can constantly adjust their attack strategies; for example, a malicious actor can easily target another border post if the one initially targeted is well secured.
Cyber-threats are a modern challenge for the border infrastructures and specific actions are required to reduce the vulnerabilities and mitigate the impact of a cyber-attack. Border control shall be considered a “critical infrastructure” requiring a multifaceted security approach: staff trainings, focused risk assessments, enhanced information exchange and strengthened collaboration with the private sector. It is also important to keep privacy and fundamental rights as essential parameters of every policy, since these aspects need to be well protected.
Technology solutions could also help amplify security states in borders. Absolute security cannot be guaranteed; however, a holistic security approach focusing on enhancing awareness and preparation of people and implementing appropriate technologies and processes would assist in minimizing risks and protecting the operation of border control infrastructures (Chatzis & Stavrou, 2022).