Cybersecurity in Turkey
IIn today’s increasingly interconnected digital world, to be engaged in economic activity means being online. Whether it is transferring money, marketing products, corresponding with customers and businesses, or storing data in cloud systems the digital world has become an indispensable part of our daily lives. The invisible border separating the real and virtual worlds vanished a long time ago. As leading physicist scientist Stephen Hawking has noted: “We are all now connected by the Internet, like neurons in a giant brain.” The Internet connects people and creates a virtual and living environment built on ones and zeros. It is called cyberspace.
The advent of cyberspace has engendered a new class of security risks both for everyday people and the security agencies of nation states. Attackers using cyberspace can inflict serious damage by targeting financial institutions, accessing and leaking national secrets or compromising the physical security of critical infrastructure, exposing states to further attacks. The Stuxnet worm, which targeted Iran’s nuclear facilities, is a prime example of how cyberwar has become another weapon in the toolkit of nation states to disrupt the activities of their enemies. Many others likely exist but have yet to be deployed or publicly disclosed, but here are some of the more stand out examples of past attacks: In 2014, one of the biggest banks in the world lost data on 2.7 million customers, damaging its credibility and reputation.
In 2016, the leading ride hailing company, Uber, was hacked and personal information of 57 million drivers and customers stolen.
In 2017, one of the world’s leading audit firms (which was ranked as the best in cybersecurity in 2012) admitted it had been hacked in 2016 and the personal information of 143 million US customers along with 400,000 European customers stolen.
In 2016, it became public that the Turkish Social Security Institution (SGK) was hacked for an unknown period of time and vast amount of personal information stolen, inflicting an estimated of TRY 6 million in damages.
V ct ms are not aware
It is quite challenging to identify cyber attackers because they rarely leave traces behind. In most cases, cyber attackers do not need expensive or advanced technology to conduct their activities. As a matter of fact, facilitating access to public IT resources and its growing importance in the operation of both public institutions as well as private organizations result in increased vulnerability. With the exception of a few attack types, such as distributed denial-of-service (“DDoS”) attacks, most cyber threats exploit the security holes of the target system and exploit the lack of sufficient countermeasures. Most of the time, victims are not even aware of these weakness in their defenses which makes it quite difficult to foresee, disarm, and deter cyber attackers and gives the attackers an asymmetric advantage.
Cybersecur ty pol c es needed
The key to countering these attacks lies in how seriously nations take the threat and the countermeasures they adopt. Unfortunately, developments in cybersecurity policies, legislation and national capabilities in Turkey have a long way to go. Nonetheless, Turkey presents a fascinating instance of average internet access but high capabilities: as of 2017, 66.8 percent of Turkish citizens have Internet access (97th place globally), yet the country has been the 5th biggest source of cyber-attacks around the world. Hence, we believe that Turkey has a huge potential in R&D and human resources which are essential for long-term success in cyber operations, if government planning can be merged with private sector efforts.
Cyberattacks have often been treated as minor issues that can be covered by civil law and public order legislation, despite the fact that some of them have the potential to turn into national security issues if left unattended. Cybercrime was first introduced in the Turkish Criminal Code with an amendment in 1991, defining “Information Technology Crimes” as illegally obtaining software and other electronic data from a computer or the use, transmission or copying of such data with the aim to harm any party. In 2004, the definition was expanded and the concept of modern cybercrime was implemented.
In addition to such limited pieces of legislation, the Turkish administration began drafting and publishing cybersecurity Action Plans in 2012. The first five years, however, passed with little action. In 2016, a decision was made to draft a Cybersecurity Law but to this day a draft has not been proposed to the General Assembly. Even if a law is proposed and passed, it would then still take years for it to be properly implemented. So we have to be realistic: achieving even an adequate cybersecurity regime in Turkey is still years away.
Leg slat ons should be enacted
Hence, there’s a whole heap of work to be done in Turkey. We should take real steps as soon possible to catch up with international innovations and technological developments in order to be able to prevent cyberattacks and maintain a safe and stable economy. Accordingly, legislation should be enacted expeditiously and meticulously in order to cover cybercrimes and deter cyber attackers.
Outside of national legislation and government policies, we believe that achieve a sustainable future for life in cyberspace will require the coordinated efforts of the global community. Cyberspace knows no borders and unless an internationally recognized basis for legal actions that address the issues of “jurisdiction” and “attribution of a crime” is instituted, legal practitioners and law enforcement agencies will face obstacles in fighting cybercrime.