The stakes are getting higher.
Screens go blank at a Ukrainian power provider. A hospital is reduced to pen and paper record keeping. These aren’t scenarios from the latest video game, but headlines representing the state of cybersecurity. Last year set a high bar for the size and scope of data breaches, led by the theft of over 20 million government background checks. Barely two months into 2016, we’ve already witnessed cybersecurity incidents of unprecedented audacity. Sadly, The latest attacks exhibit a level of malice and danger that may force a much-needed new approach to cybersecurity.
Two types of hackers have been driving increasingly coordinated and dangerous cyber attacks: nation-sponsored groups and organized cybercriminals. The former execute attacks on behalf of geo-political objectives, and the latter simply chase financial gain. Actors in both categories elevated their efforts to unseen levels of recklessness so far in 2016.
Attacks against essential utilities have long represented the nightmare scenario of cyber incidents – dangerous, possible, but far-fetched. Federal officials have attempted to ring the preventive alarm with a mock attack that would “be like returning to the Dark Ages.” These fears have been realized with the first known attack to effectively cause a power outage announced in January. Hundreds of thousands of Ukrainian homes lost electricity in an attack John Hultquist, head of the cyber espionage intelligence at iSight, called the “major scenario we’ve all been concerned about for so long.” Recent revelations point to an unprecedented “operation specific malicious firmware update.” In other words, hackers covertly updated infrastructure with malicious software that rendered them inoperable, forcing employees to rely on manual backups to this day, two months later.
An event of this scale raises a red flag because compromising the electrical grid could have significant casualties. According to Wired journalist Kim Zetter, many power grids in the US do not have the manual backup that enabled Ukrainian operators to restore power without extensive delay. Rest assured that infrastructure departments around the world made note of this incident, and a smaller attack against Israel’s Electricity Authority, as proof that nation-state actors are willing and capable of disabling essential services.
Conversely, a February attack on Hollywood Presbyterian Medical Center demonstrated criminal hackers’ willingness to put lives at risk for a payday. The attack method, known as ransomeware, locked employees out of the hospital’s systems in an attempt to shut down the hospital. While the center’s chief executive said patient care was not compromised, the hackers crippled computer systems, forcing employees to use pen and paper for record-keeping.
Both of these attacks resonate because they demonstrate how quickly our fine-tuned digital systems can disappear. In a connected world, the data that powers our operations is equivalent to oxygen: Even minor deprivation can have disastrous results. At the RSA Conference earlier this month in San Francisco, the leading minds in security gathered to discuss the path to where we stand and the road forward. Listening to a panel of leading chief information security officers, a couple factors became readily apparent:
Lives are at stake. We’ve long known that critical cyber failings could be lethal, and the past two months demonstrated hackers’ willingness to cross this line. A CISO from a medical device company reminded the audience his primary concern is safeguarding the lives of patients. These devices are connected in order to provide better care, but their connectivity also increases the risk of a remote hack. His comments put into perspective the perilousness of the modern technology powering our lifesaving innovations.
Sophisticated threats have changed the game. While not necessarily a new revelation, every chief information security officer (CISO) raised the point that their security strategy must now contend with nation-state attackers employing practically unlimited resources. In a panel on lessons from real-world CISOs, University of Virginia’s Randy Marchany explained that this threat forces him to assume that hackers already have access to his network, and the best he can do is to monitor for when the latent threat becomes active.
There is no silver bullet. After every breach, the claims come in that a certain technology would have prevented the attack. While these one off recommendations are not categorically false, they almost never hold true across the board and therefore do not address the systemic issue.
The rhetoric around cybersecurity can be dangerous when it underestimates the challenge, as did a recent column arguing that cybersecurity isn’t complicated. The comparisons to building the Eiffel Tower and engineering flight neglect the fundamental challenge of cybersecurity: the enemy is well-funded and innovative. In the case of the Ukrainian power grid, hackers began reconnaissance activity nine months prior and coordinated offensive operations down to the minute during the attack. The ingenuity displayed led an analyst to rave, “From an attack perspective, it was just awesome.”
There are extremely talented minds in information security, on both the enterprise and vendor side. Unfortunately, inertia and politics within information security programs can hinder innovation, preventing organizations from using the best available technologies and processes. The Office of Personnel Management is the tragic case in point. The agency’s information security efforts suffered from “enormous information technology challenges that were years in the making.” Legacy technology – the pejorative implying systems kept in place out of resistance to change rather than optimal capabilities – is a glaring vulnerability that prevents companies from leveraging state of the art tools. Hackers rely on bleeding edge offensive tools and techniques, and security professionals need to be able to do the same. The US Digital Service provided a stark example for overcoming constrictive policies on acquiring and implementing new technology.
Obama increased cybersecurity spending by $5 billion , and companies across sectors are raising budgets to acquire new tools and talent, leading to a negative unemployment rate in the industry. Throwing more money at the issue, however, will not deliver results unless companies remove barriers to efficacy – whether in the purchasing process, reporting metrics, organizational strategy or horse blinders. There are too many smart hackers for us to limit the contributions of Infosec’s bright minds.
Rajiv Gupta is CEO of Skyhigh Networks, a Campbell, CA-based cloud security and enablement company.