The ongoing massive cyber hacking for ransom that at the time of this writing has reportedly affected 150 countries and at least 200,000 institutions was a disaster waiting to happen.
The July 2009 North Korean cyber-attacks on the United States and South Korea’s government and major business and public organizations, in the form of denial of service, signaled that it was only a question of time before digital weapons are used as Weapons of Mass Effect (WME). It did not take long before service denial attacks escalated into cyber espionage, stealing data from government, public and private entities, and academic institutions, causing untold economic damage. The weaponization of cyber soon followed; recall Stuxnet, the first publicly known digital weapon, which was said to have caused physical damage to Iran’s uranium enrichment plant in Natanz in 2010.
On July 9, 2012, former CIA and NSA director, Gen. Michael Hayden, speaking at the American Center for Democracy’s Economic Warfare Institute’s briefing on Capitol Hill, on Economic Warfare Subversions: Anticipating the Threats, said he was worried that it would not take long for “Hackers to acquire the skills and the tools we currently associate with nation-states.”
As we have since seen, Gen. Hayden was right to worry. While not widely publicized, the scope of cyber-attacks by seemingly loosely affiliated hacking groups and the information they sell on the dark web has grown exponentially. Just one year later, two major attacks on the Internet hinted at what to expect if/when our economic and financial infrastructures are hit by different attacks at once. Cyberbunker, not a Chinese but a Dutch web hosting company, generated the largest global distributed denial of service (DDoS) attack on the spam filtering company Spamhaus. When that attack came to light, in 2013, this author warned: “This new economic warfare presents a nascent threat in complex areas that challenge analysis and identification. While at first our streets will not be littered with bodies as with a nuclear attack, a stealth attack on our economic, financial, and communication channels, could in a short time destroy the U.S. economy and devastate its people. Perhaps it’s time to rethink our mostly digital dependent economy.”
Criminals, terrorists, and rogue nations operate under cover of the Dark Web, which masks their identities. It is too early to say who the alleged ‘hacking collective’ known as the ‘Shadow Brokers’ is affiliated with. This is the group that is said to have released the ransom malware that paralyzed hospitals in Britain, telecommunication and gas companies in Spain, and other government and public institutions all over the world. The unprecedented global attack would yield at least $60 million to the hackers (200,000 victims paying $300 in ransom), though cyber experts claim only some $70K in Bitcoin were paid. Judging by previous reactions from cyber experts immediately after a major attack, I doubt this is accurate. Even if the ‘Shadow Brokers’ are not affiliated with Iran, North Korea, China, Russia, al Qaeda, ISIS, and their ilk, it is reasonable to assume the stolen data in their possession would generate much higher revenues. Upgrading computers and network security may safeguard new information, but not the valuable information that has been stolen.
Warnings against a massive weaponized cyber-attack on critical infrastructures, academic institutions, and businesses have been voiced by civilian and military experts in public and classified Congressional hearings, closed and open conferences, academic papers, media outlets, everywhere. The cybersecurity industry has flourished mostly in the aftermath of a glitch, promising to curtail the next one. Despite untold billions (trillions?) of dollars in damages, the notion of prevention keeps eluding most government, public and private organizations in the U.S. and elsewhere.
If the ransomware released was stolen from the NSA, as we are told, it demonstrates, once again, the urgent need to find and punish the leakers and screen out potential leakers from the agency.
Until the ongoing attack that began on Friday, none of the previous attacks has caused a truly crippling catastrophe, and the potential devastation of such threats failed to register. Public policymakers and average citizens mistakenly assume such threats fall below the threshold of political and financial liability. The U.S. government, for example, has yet to aggregate information about the quantity and level of damage caused by the continuing wave of successful computer intrusions against the military, government, business, and private systems, which persist despite a scheme that includes mandatory National Institute of Standards and Technology standards. Perhaps now, the paralyzing attacks on hospitals in England that forced them to shut down and turn away patients with life-threatening conditions would serve as a wake-up call. Perhaps not.
Media reports on cyber hacking failed to convey the need and urgency for better cyber defense. Movies and books describing the catastrophic results of cyber-attacks that should have raised public awareness were mostly dismissed as entertainment. And since there were no major attacks that paralyzed transportation, communication, and public medical facilities until now, there was no public outcry calling on policy-makers to take the necessary actions to mitigate the threat.
The move to wireless connections eased access to vital data and increased the vulnerability of all Americans physically and economically, in ways that were unthinkable a few years ago. The federal government that should lead the efforts to increase the nation’s security and business leaders that could have influenced the government and pushed for greater private investments in cybersecurity were sitting on the fence. A good example of the slow realization of this critical threat by even the most successful business leaders is Warren Buffett’s May 6, 2017, acknowledgment at Berkshire Hathaway’s annual shareholders’ meeting that cyber is “the number one problem with mankind.” What took him so long?
Was it his close friendship with Barack Obama? Indeed, the sorry state of cyberspace security in the U.S. is among the most damaging legacies of the Obama administration. Instead of leading the efforts to secure the nation’s infrastructure, he delegated his responsibility to several advisors and Czars that generated meetings to have more meetings. Throughout his eight years in office, he failed to set minimum standards of cybersecurity among government employees, as demonstrated by the handling of emails by former State Secretary and Presidential candidate Hillary Clinton and her team. Moreover, he failed to mandate cyber literacy for the young at school, and the adult workforce in America.
On May 11, one day before this mega attack, President Trump signed a new Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” He rightly noted that “The executive branch has for too long accepted antiquated and difficult-to-defend IT.” The order calls on different agencies to “jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education.” This would help maintain the U.S. cybersecurity competitiveness. The EO demands that the final assessment “of the scope and sufficiency of United States efforts to ensure [it] maintains or increases its advantage in national-security-related cyber capabilities and suggestions to increase the nation’s cybersecurity,” will be given to the President, through his Assistant for Homeland Security and Counterterrorism. The President’s EO is a vital step in the right direction.
However, missing from the order, yet again, is any reference to the urgent need to strengthen timing and location infrastructure, without which our wireless communication will be paralyzed. Also missing is the designation of a single accountable Cabinet position, with direct access to the President, to direct and oversee all the agencies that are involved to ensure the nation’s domestic cyberspace security is second to none.