As cyberattackers become increasingly aggressive while expanding their targets to critical systems that literally could impact people’s lives, we are left to ask, “What’s next, and how can we stop it?” I’ll provide some advice here, but first, let me share a little background. It’s longer than our usual articles, so please stay with me.
The Situation Is Moving from Serious to Dire
If you weren’t affected directly, you probably heard about the WannaCry attack, launched in May 2017, which held the corporate information of millions of companies hostage for ransom. In June, another ransomware attack, Petya, drew less attention in the U.S. because it was focused mainly on the Ukraine. Nevertheless, it’s worth noting.
Security experts warned that with Petya, the ransomware demands were likely a smoke screen for a far more nefarious activity—penetrating the command systems of crucial infrastructure. Even the Chernobyl nuclear power plant was affected and forced to move its radiation-sensing systems to manual operation. Many experts think Petya was a practice run for an attack on the U.S.
In the wake of these two attacks, the security community learned two important things:
- The tools used in both attacks had been stolen from the National Security Agency (NSA), which develops some of the world’s most sophisticated hacking tools as part of its efforts to keep the U.S. safe. One would think that an entity such as the NSA would have been impenetrable, but its defenses weren’t strong enough to keep out the hacking group.
The takeaway? No one is safe.
- Hackers, many of whom are sponsored by corrupt nation-states or organized crime fronts, are upping their games. This theory was borne out in early July, when the press announced that hackers have also been targeting American electric utilities—including a Kansas nuclear facility. Fortunately, taking control of a nuclear power plant requires a bit more effort than penetrating an inadequately protected network. Unfortunately, it’s not impossible.
The takeaway? Hackers want more than money. They want control…and possibly something far worse.
How People Play a Role
For decades, researchers have been issuing warnings about the prominent role played in cyberattacks by both human error and social engineering—where humans are duped into helping attackers penetrate corporate security defenses. Yet, companies and their employees unwittingly continue to “aid the enemy.”
This was the case with WannaCry, where patching a single Windows vulnerability would have protected against all the different variants of the malicious code. Almost immediately, Microsoft issued a patch that worked, yet companies continued to be hit because they didn’t have the means (or didn’t want to spend the money) to patch vulnerable systems virtually identical to those that had already been hit.
Any company with even minimal cybersecurity awareness should already have been patching all their computers—even those dusty old Windows XP machines used to print out labels in the warehouse or back office. If they had, chances are good they might never have become a victim. Yet, victims were found everywhere, in nearly every sector of the global economy. Furthermore, Petya exploited the same vulnerability, which meant that even after learning of WannaCry and the means to defend against that type of attack, organization leaders didn’t take appropriate action.
As with the phishing attacks that often lead to successful penetration, where uninformed or careless employees click on an infected link, the success of both WannaCry and Petya hinged on human inattentiveness. As we move forward, that will be an increasingly dangerous attitude.
The Future Is Ours
In his closing keynote address for the Source Boston 2017 conference, held April 24 – 27, 2017, world-renowned computer security analyst Dan Geer shared some sobering thoughts. You can read the entire keynote here, but his point was that cybersecurity and humanity’s future are inextricably and irreversibly conjoined.
He made 26 predictions, highlighted by a declaration that cybersecurity “is and will remain the paramount national security risk.” One of his overarching points was that even though malicious code and the hacking tools that perpetuate it are weapons, he doesn’t expect nations to achieve the equivalent of detente on cyberattacks.
The world must make proactive, sensible choices about how to protect its citizens and its resources, he told the audience, and failure to do so puts humanity’s future at risk. When taken as a whole, that’s a tall order, but organizations and their employees can get started by adopting best practices for technology, from automating system patching to not clicking on suspicious links.
Companies can also protect themselves from serious damage by taking steps to protect the information-rich core of their systems—what security experts call the “gooey center.” I’ll talk about that effort in another blog.