This post was actually started in late 2023, when the Swedish Church had become the victim of a cyberattack with ransomware, which took place November 22. The church organization at that time decided that it will not pay the ransom (in order not to make this a successful attack) but will instead recover the systems manually over time. However, this recovery takes a lot of time, and as long as the systems are not completely recovered, it is not possible to make any bookings for baptizing and weddings. In case of a funeral, it has still been possible to make a booking, but, the data had to be taken down using pen and paper (i.e., post-it notes).
We are very vulnerable if we only depend on our digital systems.Head of information services at the Swedish church
In Sweden, the church has been separated from the government, but it is also still responsible for a number of national and regional bookkeeping services, like funerals. Also, a large number of people will still use the church services for baptizing and weddings, where in the latter case it also fulfills its role as an official administrative unit, in parallel with the weddings that are registered by the government. Suffice it to say that the church depends heavily on digital administration for its work. Consequently, some parts of the Swedish society also depends on the same computer systems being intact.
In 2024, there has now been a number of similar events, mostly through the use of ransomware, but also with overloading web servers. The systems affected this time have been in other organizations and governmental institutions. The most famous of them this time is probably the HR management system Primula, which is also used by the defense organizations and industries, among many others (including universities). This time the attacks are suspected to be made Russian hackers, possibly as part of a destabilization campaign as part of the ongoing war in Ukraine.
Again, the main issue is not that there have been attacks that have been successful, but rather that the backup systems are insufficient or, in most cases seemingly missing. Hopefully the systems will soon be up and running again, but if there is an attack on systems that are more central to the functions in society, then the problem is not only in small organizations, but may affect larger systems including systems for money transfers. Recently shops have been forced to close, when there have been longer problems with the money services.
In this context it is also important to point to the problem with paying. The Swedish Civil Contingencies Agency (MSB), which is responsible for helping society prepare for major accidents, crises and the consequences of war, recently sent out a message to the public, advising them to always have at list 2000 SEK in cash at home. The question is whether the society is prepared to revert to using cash money for the transactions. A large number of shops and services no longer accept cash as payment.
When interviewed, the head of the information service for the Swedish church said that one lesson they have learned from this event is that they have to be less dependent on computer services than before. He did not specify how in any more detailed way, but the message was more or less clear: “We are very vulnerable if we only depend on our digital systems”. His conclusion is neither new, nor especially controversial. When our computer systems or the Internet fails, we are more or less helpless in many places. However, most of the time, the threats are envisioned in terms of disk crashes, physical damage or other similar factors. The increased risk of cyber attacks is not mentioned to the public to any larger extent.
We depend on our IT-support units to handle any possible interrupt as fast as possible, but the question is whether this is enough. Are there backups of the data? Are there backup systems that are ready to be launched in case the old system is failing? Are there backup non-computer based procedures that can replace the computer systems if there is a longer breakdown of the computer systems? Even if it is costly to maintain these backup systems/procedures, it is quite likely that we will need to add a higher level of security in order to not end up with a social disaster, where a large part of the society is essentially incapacitated.
What are the consequences?
We can just imagine what would happen if, as mentioned above, the central systems for bank transfers fails badly or gets “cyber-kidnapped”. Credit cards will not work, neither will mobile money transfers or other electronic payment options. There will be no way to pay our bills, and we may not even get the bills at first hand. Probably even the ATM machines will cease to work, so that there is no possibility to get cash either. Imagine now that this failure will last for days and weeks. What are the consequences?
But we don’t have to look at this national disaster scenario. It is enough to think about what will happen if the computer systems in universities or other large organizations are attacked by cyber-criminals. Not to mention the effects on critical health care, where minutes and seconds can count. Do we have any possibilities to continue the work, reaching journals or other important documents, schedule meetings, planning operations and other important events? Are we really ready to start working on paper again, if necessary? I fear not!
With the current situation in the world, with wars and possible also challenges from deteriorating environmental factors, a lack of emergency plans for our digital systems may not only be causing serious problems, but may really turn out to be disastrous in case of any larger international crisis. Looking at what happens around the world currently, it is easy to see that the risk for cyber-attacks in international crisis situations has increased to a high degree. In many cases the (possible) plans on how to proceed are not known to people who work in the organizations. Is your work protected? Do you know what to do if the systems fail?
Unfortunately, we cannot continue to hope that “this will never happen”. Even if the most extreme of the possible scenarios may not happen, we are still very vulnerable to attacks, e.g., with ransomware or “Denial of service” from “normal cyber-criminals” and this can be just as bad on the local scene, when a whole organization is brought to a halt due to a computer system failing badly. Therefore we need to be acting proactively in order to not be stuck if/when the systems fail. Because, it is quite certain that they will fail at some point of time.
And how will YOUR organization handle that kind of situation? Do YOU know?