The Coming Cyber Pandemic
Technological advancement has had, undoubtedly, many positive impacts for humanity, but it raises complicated questions in the context of increasing global unrest and the changing nature of warfare, national security and international dispute resolution. Hostile actors, from lone political activists and financially motivated criminals to international criminal and terrorist organizations, now possess the capability to digitally, and anonymously, launch devastating attacks and breaches of critical infrastructure and information systems in the physical world, which equal or supersede the destructive power of the conventional weapons of war.
The Evolution of the “Battlespace” and the Modern Combatant
Generally, software that can be digitally deployed to disrupt an adversary’s critical infrastructure can be considered a weapon of cyber warfare. Such malware is often identical to the weapons of cyber criminals, hacktivists or any other malicious cyber actor. Though increasingly sophisticated technology can facilitate precision placement of specific malware to achieve tailored goals, malware can easily spread to third parties and other connected entities within a network or intersecting networks and have unintended consequences. Given the enhanced digital connectivity between government and private commercial interests in the modern economy, this dynamic represents a significant threat that can exceed the malicious actor’s intent and cause significant collateral damage.
While history is replete with examples of the failure by organized nations to minimize collateral damage to non-combatant persons and assets, international law and protocols have created generally accepted standards of conduct. The blurred connectivity of cyber combatants to a central war planning and analysis element when mounting offensive operations reduces the likelihood that these operations are guided by battle damage assessments and provides little to no accountability. This is a sure-fire recipe for eventual chaos as highly destructive operations are planned and executed in a strategic vacuum.
New instruments, same tune
“We are currently under attack.” Those were the words of a concerned student at the University of California, Berkeley, in an email sent shortly after a malicious program was unleashed on the Internet from a computer located at the Massachusetts Institute of Technology. The program was a worm that self-propagated and targeted computers running a specific version of an operating system. The worm also utilized multiple attack vectors, including stealth, backdoor access to email systems, and overcoming network ID verification protocols. Because the targeted operating system was used by the country’s leading research institutions, the worm’s victims included UC Berkeley, Harvard, Princeton, Stanford, Johns Hopkins, NASA, and the Livermore National Laboratory. The year was 1988.
The outcome of this event was a greater appreciation of the fact that computers are vulnerable and the need for greater security. This prompted the Department of Defense to direct the creation of the country’s first computer emergency response team.
Just over 30 years later, and following countless lesser worm attacks, the world faced what has been referred to as the most devastating cyberattack in history. In June 2017, the NotPetya cyberattack occurred, causing staggering collateral damage. Like the worm in 1988, NotPetya was engineered to spread of its own accord, both quickly and without a concrete direction. However, while the 1988 worm was designed by an inquisitive grad student, NotPetya was the offspring of stolen military-grade programming created by the U.S. National Security Agency (NSA) married with a researcher’s proof of concept used to demonstrate that residual password information resided in a computer’s memory. The result was a program that left an estimated $10 billion of destruction in its wake.
Expanding Strategic Vulnerabilities
Critical government systems and assets, such as sensitive facilities, high-level officials, major infrastructure and data, will remain primary targets of hostile actions of cyber warfare, but the greater maturity of government cybersecurity defenses will divert the focus of marauding forces toward “softer” targets which offer ultimate access to the same critical assets, even if the route is more circuitous. As such, private industry will find itself much more in the crosshairs of offensive actions than previous conventions permitted. Industries with direct supply-chain connections to critical government assets, like aerospace and defense contractors, and industries that are considered vital to US power, such as oil and energy, financial services and banking, and telecommunications and media, will be attractive targets. Other attractive targets will be less obvious industries such as healthcare, hospitality and manufacturing, which possess massive amounts of valuable personally identifiable information (PII) and proprietary intellectual property that can be co-opted for strategic advantage or to facilitate operations that compromise or weaken an adversary’s power. As illustrative examples, the 2017 Equifax and the 2018 Marriott breaches, initially suspected to be the work of cyber criminals, are now widely believed to have been hostile intelligence collection operations carried out by Chinese intelligence networks seeking to obtain sensitive financial and travel pattern data on key US government officials to identify opportunities for compromise. The hundreds of thousands of other individuals impacted by these breaches, while not primary targets, become collateral victims whose data can be utilized for multiple purposes that leave them susceptible to future exploitation.
As such, organizations of all shapes and sizes must evaluate cybersecurity in the context of a much more symbiotic ecosystem where size, economic might and direct connectivity matter less in assessing vulnerability and criticality to national security than the nature and extent of internal and external relationships and the general utility and manipulability of data that constitutes their “stock-in-trade.”
Society’s Obligation To Prevent Cyberattacks
U.S. Government interagency technical guidance has been created to aid organizations in preparing for, detecting and recovering from a cyberattack. The guidance recommends implementing training programs, utilizing strong spam filters, scanning emails, blocking known malicious IP addresses, engaging in regular patch management, and utilizing anti-malware programs, just to name a few basic steps. Some additional recommendations that are more complex include limiting access to certain files, disabling macro scripts, implementing software restriction policies, and whitelisting programs and email addresses. Business continuity preparation also figures largely in the guidance, requiring regular back-ups of data that is then secured, and periodic penetration testing and vulnerability assessments.
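As an added illustration of how several of the basic controls in that guidance combine at one enforcement point, the following script (written for this page, not part of the original article or any government guidance) applies a known-bad IP blocklist, a macro-attachment quarantine rule and a sender-domain allow-list to a handful of constructed mail-gateway log records. The log format, the allowed domains and the blocked networks are all assumptions made up for the example; the addresses come from the documentation ranges reserved for this purpose.

```python
"""Toy mail-gateway policy (added example; hypothetical format and data)."""
import ipaddress
import re
from typing import List, Tuple

# Constructed policy data: not taken from the article or any real deployment.
ALLOWED_SENDER_DOMAINS = {"example.com", "partner.example"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical "known malicious" range
    ipaddress.ip_network("198.51.100.17/32"),  # hypothetical single bad host
]
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")  # macro-enabled Office formats

# Assumed gateway record layout: "<ts> src=<ip> from=<addr> to=<addr> [attach=<file>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) from=(?P<from>\S+) to=(?P<to>\S+)"
    r"(?: attach=(?P<attach>\S+))?$"
)

# Constructed sample log, including one line that does not follow the format.
SAMPLE_LOG = """\
2020-04-01T10:00:00Z src=192.0.2.10 from=alice@partner.example to=bob@example.com
2020-04-01T10:00:05Z src=203.0.113.5 from=news@example.com to=bob@example.com
2020-04-01T10:00:09Z src=192.0.2.44 from=billing@unknown.test to=bob@example.com attach=invoice.docm
2020-04-01T10:00:12Z src=192.0.2.45 from=hr@example.com to=bob@example.com attach=policy.pdf
2020-04-01T10:00:20Z src=192.0.2.46 from=vendor@unknown.test to=bob@example.com
this line is not a gateway record
"""


def classify(record: dict) -> Tuple[str, str]:
    """Apply the controls from most to least severe; return (decision, reason)."""
    try:
        src = ipaddress.ip_address(record["src"])
    except ValueError:
        # A source field that is not an IP address is itself suspicious.
        return ("BLOCK", "unparseable source address")
    if any(src in net for net in BLOCKED_NETWORKS):
        return ("BLOCK", f"source {src} on blocklist")
    attach = record.get("attach")
    if attach and attach.lower().endswith(MACRO_EXTENSIONS):
        # Macro-bearing documents are held regardless of who sent them.
        return ("QUARANTINE", f"macro-enabled attachment {attach}")
    domain = record["from"].rsplit("@", 1)[-1].lower()
    if domain not in ALLOWED_SENDER_DOMAINS:
        return ("REVIEW", f"sender domain {domain} not on allow-list")
    return ("DELIVER", "passed all checks")


def evaluate_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse each record and return (sender, decision, reason) tuples.

    Malformed lines are surfaced as ALERT rather than silently dropped, so a
    gap in logging does not become a gap in enforcement.
    """
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            results.append(("<unparsed>", "ALERT", "malformed log line"))
            continue
        rec = m.groupdict()
        decision, reason = classify(rec)
        results.append((rec["from"], decision, reason))
    return results


if __name__ == "__main__":
    for sender, decision, reason in evaluate_log(SAMPLE_LOG):
        print(f"{decision:10} {sender:28} {reason}")
```

The ordering matters: the blocklist is checked first because a known-bad source should never reach the attachment or sender logic, and the macro rule runs before the allow-list so that a trusted domain cannot be used to smuggle a macro document through. In a real gateway the blocklist and allow-list would be fed from a threat-intelligence source and a directory rather than hard-coded.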
The evaluation of cybersecurity in the context of porous interconnectivity requires implementing robust countermeasures and remaining vigilant for new threats. The inescapable key to the success of these efforts is the education of personnel within an organization, with each person making up one link in the chain that is cybersecurity. Prevention of cyberattacks centers on each of us adopting a culture of cybersecurity that should have its origins at the leadership level of every organization. Societal obligations require this approach as a matter of national security, much like the social distancing we have all been forced to recently undertake.
Niall Brennan is VP for Strategic Security Partnerships and Engagement with SAP Global Security. He is based in New York City. He has over 29 years of experience in a variety of legal, advisory and investigative roles in both the public and private sectors.
Niall retired in 2018 from a 22-year career with the FBI, during which he served in multiple operational and managerial capacities in virtually all investigative and investigative support programs. He has extensive crisis management and international experience and, in his last position, led the FBI office in the American Embassy in Paris, France for over 5 years. Prior to joining SAP, he was a Director in PwC’s Cybersecurity & Privacy practice.