How did we get to this point?
As expertly and comprehensively detailed in the book “This Is How They Tell Me the World Ends” by NY Times journalist Nicole Perlroth, the creation of cyber weapons has been going on for decades, certainly since the 1980s.
By cyber weapons, we mean computer viruses that are developed to exploit a discovered product vulnerability. The vulnerability is kept secret from the product manufacturer to avoid getting it fixed. The computer virus developed is then ready to attack parties using the software product.
According to Ms. Perlroth, the United States NSA and the CIA had been secretly developing and accumulating a very large arsenal of these cyber weapons. The general understanding among the cybersecurity community is that the US became the most advanced country in offensive cyber weaponry.
But, of course, it wasn’t long before other countries began to develop their own cyber weapons or steal available ones. In fact, a market eventually grew up around companies formed to develop these weapons and sell them to the highest bidder. As a result, any party with enough money could buy these weapons to inflict damage on their intended victims.
Today, a “Ransomware-as-a-Service” (RaaS) business model has emerged where such weapons can be leased or rented by affiliates, lowering the barriers to entry.
In response, software companies worldwide began to increase their internal product testing with cybersecurity in mind. The goal is to discover and eliminate vulnerabilities in their software products before they can be exploited.
Companies launched “bug-bounty” programs to attract independent “Ethical” hackers to discover software bugs and report them in exchange for a monetary reward. A particularly damaging bug in a very important product can earn the Ethical Hacker many thousands of dollars.
The world now has active programs funded by government entities like the US CISA (Cybersecurity and Infrastructure Security Agency) and the French ANSSI (National Agency for the Security of Information Systems) spearheading efforts where software product vulnerabilities are cataloged, reported, and fixed at a massive scale. Despite the colossal effort from the entire industry, software vulnerabilities will continue to be discovered and exploited for the foreseeable future.
What About Protection?
While the NSA and the CIA were busy discovering software vulnerabilities, weaponizing the exploits, and keeping them secret, there was no apparent effort to develop protection from those viruses in case they were to fall into the wrong hands and be used against friendly targets. Inexplicably, it seems, IT software consumers at large were kept mostly in the dark regarding the deeply flawed state of some of the software products they were deploying and integrating into their processes and services.
The US in particular has become the most vulnerable of all countries because of its high adoption rate of the Internet. US industry is leading the world in automating its business processes with information technology (IT) computer systems, all connected via the Internet. This “digital transformation” is now moving beyond business systems to physical machines (engines, pumps, transformers, power systems, pipelines, water treatment plants, etc.) with the Internet of Things. In other words, the actual US critical infrastructure that controls and manages many heavy-duty industrial processes key to the running of the country is now accessible to potential attacks via the Internet.
[Figure: Countries affected by ransomware]
[Figure: Countries where the hackers are]
This sounds alarmist but, unfortunately, it is not. Consider three examples:
a) The first is related to three ransomware viruses released in 2017 – WannaCry, Petya, and NotPetya.
WannaCry infected 200,000 computers in 150 countries. Damages were estimated to range from millions to billions of dollars. The US and the UK attributed the virus to North Korea.
The Petya and the NotPetya (a Petya variant) viruses were released to attack Ukraine, purportedly by groups friendly to Russia. The infection, however, quickly spread beyond Ukraine, affecting many large companies around the world in countries like the UK, the US, Germany, France, Australia, India, and even Russia. The estimated damage was 10+ billion dollars just for NotPetya. Interestingly, the insurance carrier Zurich American Insurance Company refused to pay out a claim for clearing up damage from a NotPetya infection because NotPetya was an act of war and thus not covered by the policy.
By the way, all three viruses exploited a Microsoft Windows vulnerability discovered by the NSA called EternalBlue. This secret exploit was leaked from the NSA in 2017. What is even more frustrating is that the EternalBlue vulnerability had been fixed by Microsoft and the fix made available as a security patch months if not years earlier. The viruses infected computers that were not patched.
b) The second example is the SolarWinds attack, discovered in 2020, on many companies and organizations around the world. The victims included US Federal Government agency systems (Defense, Treasury, State, and Homeland Security departments), NATO, the European Parliament, Microsoft, and others. This espionage attack went undetected for months and is particularly damaging because of the sensitivity and high profile of the information accessed. The perpetrators were suspected to be a group backed by the Russian government. US Senator Richard Durbin described the cyberattack as tantamount to a declaration of war.
c) The third example is in the US: the Colonial Pipeline ransomware attack in May 2021. This pipeline carries fuel to the Southeastern US. The cyberattack impacted the company's computerized billing systems. The company had to shut down operations because it couldn’t bill its customers. Colonial paid the ransomware demand of $5 million within 5 hours of the demand. However, the recovery took a few days, as the company needed to ascertain that the hackers did not possess the ability to perform further attacks. This shutdown led the US President and the Governor of Georgia to declare states of emergency and caused panic buying by consumers throughout the Southeast. By the way, the FBI was able to recover $2.3 million of the ransom paid, but no perpetrator has been found and arrested yet.
Where does all that war doom and gloom leave us now? The US and other countries can retaliate against these attacks in many ways, provided they can find the perpetrators in time. However, even if they do, the damage caused is not reversible, and it is completely unacceptable to be this exposed.
What is needed is a call to action to drastically increase our awareness of the evolving cybersecurity challenge and mobilize people to alter their behavior to become more cybersecurity resilient and less vulnerable. The West has amassed plenty of offensive cyber weapons already but now we need to work on our defensive capabilities.
We need this urgently as an enemy attack could be devastating to our countries – all that without anyone launching a missile or officially declaring war.
Part 2 of this blog post will take a look at what the Federal Government is currently doing to take on this challenge and prepare us for cyberwar – declared or undeclared.
Stay tuned.