The Coming Cyber Pandemic: Part II
The evaluation of cybersecurity in the context of porous interconnectivity requires remaining vigilant for new threats. The final part of this two-part article explores cyber threats that raise national security concerns, and why education is key.
August 03, 2020 at 10:00 AM
Part I explored the expanded threat and risk environment created with the unfettered access to destructive power by the weaponization of cyber tools and the anonymity of the modern cyber combatant. In Part II of this two-part article, the authors continue to explore and discuss ever-present cyber threats that raise national security concerns.
New Instruments, Same Tune
"We are currently under attack." Those were the words of a concerned student at the University of California, Berkeley, in an email sent shortly after a malicious program was unleashed on the Internet from a computer located at the Massachusetts Institute of Technology. The program was a worm that self-propagated and targeted computers running a specific version of an operating system. The worm also utilized multiple attack vectors, including stealth, backdoor access to email systems, and overcoming network ID verification protocols. Because the targeted operating system was used by the country's leading research institutions, the worm's victims included UC Berkeley, Harvard, Princeton, Stanford, Johns Hopkins, NASA, and the Livermore National Laboratory. The year was 1988.
The worm was innocently developed by a graduate student who wanted to know how many computers were connected to the Internet. The details of how the worm worked are not relevant for purposes of this discussion, but nonetheless, are interesting in and of themselves. What is relevant is that while the program was not released with malicious intent behind it, the worm interrupted internet communications and required significant effort to remove it from infected systems. The outcome of this event was a greater appreciation of the fact that computers are vulnerable and the need for greater security. This prompted the Department of Defense to direct the creation of the country's first computer emergency response team.
Just over 30 years later, and following countless lesser worm attacks, the world faced what has been referred to as the most devastating cyberattack in history. In June 2017, the NotPetya cyberattack occurred, causing staggering collateral damage. Like the worm in 1988, NotPetya was engineered to spread on its own accord, both quickly and without a concrete direction. However, while the 1988 worm was designed by an inquisitive grad student, NotPetya was the offspring of stolen military grade programming created by the U.S. National Security Agency (NSA) married with a researcher's proof of concept used to demonstrate that residual password information resided in a computer's memory. The result was a program that left an estimated $10 billion of destruction in its wake.
Designed as a cyber weapon for use against Ukraine, the uncontrollable trajectory of NotPetya resulted in the indiscriminate selection of victims after Ukraine was hit. Once unleashed, the worm rapidly sought out the computers running the software it was designed to infiltrate in Ukraine and beyond. If the initial attack on Ukraine was the nuclear detonation, the spreading of the worm beyond Ukraine represented the nuclear fallout. Governmental agencies and private industry, including hospitals, energy and transportation companies, construction firms, and manufacturers, were all caught up in the fallout of this military attack. While those responsible for the cyberattack have been identified, the lasting effect of NotPetya has been the harsh realization that impacted organizations may oftentimes be precluded from obtaining recourse.
Expanding Strategic Vulnerabilities
The relatively low financial investment required, the high degree of ease and effectiveness in digitally compromising an adversary and the limited exposure of detection and attribution for the offensive actor render the expanded use of offensive cyber operations a "no-brainer" for political and military strategists. As with other offensive techniques which have historically operated outside of traditional notions of "honorable" warfare, such as raiding, "plundering," guerilla warfare and terrorism, the danger these operations pose to civilian assets and populations rises exponentially. Thus, as we migrate into an era in which international conflict will increasingly be carried out on a virtual battlefield, we can expect that a broader "target set" will now be in play and the impact to the civilian population will be more direct and apparent.
Critical government systems and assets, such as sensitive facilities, high-level officials, major infrastructure and data, will remain primary targets of hostile actions of cyber warfare but the greater maturity of government cybersecurity defenses will divert the focus of marauding forces toward "softer" targets which offer ultimate access to the same critical assets, even if the route is more circuitous. As such, private industry will find itself much more in the crosshairs of offensive actions than previous conventions permitted. Industries with direct supply-chain connections to critical government assets, like aerospace and defense contractors, and industries that are considered vital to US power, such as oil and energy, financial services and banking and telecommunications and media, will be attractive targets. Other attractive targets will be less obvious industries such as healthcare, hospitality and manufacturing which possess massive amounts of valuable personally identifiable information (PII) and proprietary intellectual property which can be coopted for strategic advantage or to facilitate operations that compromise or weaken an adversary's power.
As illustrative examples, the 2017 Equifax and the 2018 Marriott breaches, initially suspected to be the work of cyber criminals, are now widely believed to have been hostile intelligence collection operations carried out by Chinese intelligence networks seeking to obtain sensitive financial and travel pattern data on key US government officials to identify opportunities for compromise. The hundreds of thousands of other individuals impacted by these breaches, while not primary targets, become collateral victims whose data can be utilized for multiple purposes that leave them susceptible to future exploitation.
As such, organizations of all shapes and sizes must evaluate cybersecurity in the context of a much more symbiotic ecosystem where size, economic might and direct connectivity matter less in assessing vulnerability and criticality to national security than the nature and extent of internal and external relationships and the general utility and manipulability of data that constitutes their "stock-in-trade."
Society's Obligation to Prevent Cyberattacks
In 1944, a public service campaign was created to educate Americans about their role in preventing wildfires. Smokey Bear was subsequently enlisted as its spokesperson, and his catchphrase was "[o]nly you can prevent forest fires." According to SmokeyBear.com, the origins of the wildfire ad campaign were rooted in World War II. Following the attack on Pearl Harbor, Japanese submarines fired shells that detonated in an oil field near a national forest in California. Because of the fear that exploding shells could ignite deadly wildfires, protecting the country's forests became a matter of national security.
Cyberattacks are akin to those wildfires, with the potential for devastating loss of life and property, and protection against them is now a matter of national security. Accordingly, U.S. Government interagency technical guidance has been created to aid organizations in preparing for, detecting and recovering from a cyberattack. The guidance recommends implementing training programs, utilizing strong spam filters, scanning emails, blocking known malicious IP addresses, engaging in regular patch management, and utilizing anti-malware programs, just to name a few basic steps. Some additional recommendations that are more complex include limiting access to certain files, disabling macro scripts, implementing software restriction policies, and whitelisting programs and email addresses. Business continuity preparation also figures largely in the guidance, requiring regular back-ups of data that is then secured, and periodic penetration testing and vulnerability assessments.
The evaluation of cybersecurity in the context of porous interconnectivity requires the implementation of robust countermeasures and remaining vigilant for new threats. The inescapable key to the success of these efforts is the education of personnel within an organization, with each person making up one link in the chain that is cybersecurity. The Smokey campaign focused on the importance of the efforts of the individual in combating wildfires. Similarly, prevention of cyberattacks centers on each of us adopting a culture of cybersecurity that should have its origins at the leadership level of every organization. Societal obligations require this approach as a matter of national security, much like the social distancing we have all been forced to recently undertake.
Niall Brennan is VP for Strategic Partnerships and Engagement with SAP Global Security. He is based in New York City. He has over 29 years of experience in a variety of legal, advisory and investigative roles in both the public and private sectors. Niall retired in 2018 from a 22-year career with the FBI, during which he served in multiple operational and managerial capacities in virtually all investigative and investigative support programs. He has extensive crisis management and international experience and, in his last position, led the FBI office in the American Embassy in Paris, France for over 5 years. Prior to joining SAP, he was a Director in PwC's Cybersecurity & Privacy practice.
Marc Voses is a partner based in Goldberg Segalla's Manhattan office. He serves as the chair of the firm's Cybersecurity and Data Privacy group. Marc has advised clients engaged in business covering a broad spectrum of industries on matters related to cybersecurity and data privacy compliance, and the mitigation of those risks.