“There’s time, though not unlimited time, to get the job done. We must make a continuing public commitment to securing cyberspace — and we must do so now.” – Melissa Hathaway Cyber Security Expert and President of Hathaway Global Strategies, LLC
On June 10, the McCain Institute for International Leadership at Arizona State University hosted Chris Brose, author and former policy adviser to Senator John McCain, to discuss his book, “The Kill Chain: Defending America in the Future of High-Tech Warfare.” During the discussion with former Director of the National Counterterrorism Center Nick Rasmussen, Brose emphasized the need for American focus and investment in cyberspace and cautioned against risking “calamity and crisis” that could occur absent addressing American cybersecurity vulnerabilities. Brose’s passionate call to action pointed out that our ever-increasing dependency on technology, while greatly enhancing our society, has created systemic risks that require urgent attention. We must be clear-eyed – safeguarding our society from cyber security issues is very complex. Without significant mitigation of these risks, we will see more and more disruptive and damaging cyberattacks that have the ability to greatly impact our day-to-day lives.
Protecting our national security, our commercial interests and the security and rights of our civilians is a highly complex task. According to the United States Cybersecurity and Infrastructure Security Agency, there are 16 critical infrastructure sectors. Some of these include commercial facilities, critical manufacturing, chemical, communications, dams, emergency services, financial services, food and agriculture, energy, healthcare and public health. Cyberattacks on these sectors present extreme risk and the fallout from attacks on any one of them could cause long term damaging consequences. According to Robert Lee, former NSA analyst and founder and CEO of an industrial cybersecurity firm Dragos, “No one should be messing with civilian industrial control systems.” According to Adam Greenberg, Lee believes that cyberattacks on physical infrastructure, like biological weapons or cluster bombs, are unethical and incredibly dangerous.
While attacks from cyberspace are not a new phenomenon, they certainly are becoming more prevalent as our cybersecurity systems play catch up with technological advancements. We have become extremely dependent on technology, especially the Internet of Things (IoT), which consists of physical devices, machines and objects with the ability to connect to the Internet and share and transfer data. You might recognize these as your smart TV, baby monitor or your Alexa assistant. While this ever-evolving interconnected technological infrastructure driven by high performance embedded computing drives modernization, efficiencies and economic growth, it creates opportunities for malign actors. One tool used by hackers is malware, software created to subvert the system it infects. A Google search of “ransomware,” a type of malware, yields a vast number of recent attacks and demonstrates the often-debilitating effects of cyber intrusion. This shift to more technological-dependent industries extends to all areas of the United States’ critical infrastructure. Cyberattacks on critical infrastructure are occurring more often and recent incidents highlight the tremendous vulnerability we face as a nation.
One such example is a ransomware attack that occurred on May 7, 2021, involving Colonial Pipeline- a major supplier of refined gasoline and jet fuel. The companies IT systems were encrypted and held for ransom and to prevent further damage, Colonial shut down its pipeline operations. It was offline for six days. The hack resulted in panic buying and a gasoline shortage on the east coast of the U.S. The company paid over $4 million in ransom to regain access to its information.
In early June 2021, one of the world’s largest meat distributors with more than 150 global plants, JBS, was also breached. The ransomware attack shut down the company’s plants and halted food production. The company paid over $11 million in ransom and the incident disrupted the supply of beef and pork to many buyers including McDonalds. This cyber assault highlights the reliance of the American food supply chain on internet connected devices and also demonstrates the damage that malicious criminals can cause by hijacking this essential productive capacity. It is not difficult to imagine the chaos that a large scale and coordinated attack on our food supply would cause.
This past Friday, July 2, software vendor Kaseya was the latest hit by ransomware. The company says that up to 1,500 businesses were compromised, some of these businesses to the point of a virtual standstill. If not for the protocols and rapid action of Kaseya, up to 1 million downstream customers could have potentially been impacted. This attack has serious implications not only for Kaseya’s customers, but for the future of cybersecurity. Attacking the supply-chain through a software vendor creates an entirely different magnitude of risks, while upping the ante for cybercriminals, who are purportedly demanding $70 million in ransom. Furthermore, the attack has been linked to the Russian hacking group REvil, portending serious implications for Russian and U.S. relations just weeks after Biden’s talks with Putin over cybercrime. Biden stated after the summit that “[Putin] knows there are consequences.” While Kaseya, its impacted customers and numerous federal agencies work to pick up the pieces, the world waits to learn the “consequences” that result from this brazen attack.
Unfortunately, cyberattacks are more frequent and the damage they cause is escalating significantly. According to a 2019 report by Melissa Hathaway, “Disrupting or damaging critical infrastructures that provide services to the public has become customary practice — the new normal.” Hathaway, a leading expert in cybersecurity who has served under two U.S. presidential administrations further cautioned, “As countries continue to embrace the economic opportunities of becoming more connected to the internet and adopting and embedding more IoT devices in every part of life, they must also prepare for the misuse of those same ICT-based devices.” Hathaway believes that in order to rein in bad actors, nations must be more active in preventing cyberattacks, not condoning cyberattacks on their own land, being proactive about citizen safety through clear product liability, assisting other states in their safety measures, committing to the prevention of cybercrime, and investing in training and education for future investigators. It is clear that cybersecurity is a global concern and requires a concerted international effort to enforce international cyberlaws.
Hathaway stressed the urgent need to safeguard the United States’ infrastructure from malicious intrusion and offered numerous practical ideas, starting with a greater awareness of how perpetrators gain access to systems. One of the most common techniques is phishing, when hackers send out fake messages asking for personal information. Being aware of the methods the hackers use and the common nature of such attacks allows for better protection from cyber intruders. Hathaway emphasizes the importance of keeping backups data and staying aware of software updates. Oftentimes, users that do not update their software are at risk of hackers using flaws in the outdated systems. Hathaway also advises caution when adding internet reliant hardware to your life. Having a completely “smart” life poses risks that we may not be fully aware of at this time. Common sense is vitally important regarding the safeguarding of passwords, utilizing two or more steps of verification, and remaining diligent in protecting data.
Recent high profile and crippling cyberattacks against our critical infrastructure have raised the overall awareness of the urgent need to protect the United States from criminal and malicious actors in the cyber realm. Absent the required steps to safeguard our national security, it is highly probable that the United States will suffer even more damaging cyberattacks in the future. As countries, including Russia and China, develop plans for blended attack scenarios, it is paramount that we accelerate investment and innovation to combat cyberspace threats. As Brose mentioned, the U.S. military often emphasizes investment in things that “look good in parades,” yet, failure to invest in cybersecurity would be catastrophic for the United States. The future of American industry, civilian life and overall national interest requires an immediate shift towards educating and emphasizing safety in cyberspace. Technology moves at a fast pace, so we must be faster, more innovative, and more aware than ever before!