By Lionel Snell
At first it seems a logical question: understand the enemy and you will understand the threat. If the threat is cyberwar, then military and armaments organizations are an obvious target. If it is cybercrime, then financial institutions should be concerned. If it is hacktivism, then any company considered malicious by a significant portion of the public should be alert for attacks by campaigners.
But on second thoughts, the scene becomes far more confused. An attack on the national electricity grid could severely compromise military suppliers. One that caused traffic chaos could make it harder for an enemy to mobilise ground forces. Financial companies are already heavily guarded, so it is far easier for criminals to make money by blackmailing hospitals with stolen data. Hacking has always been an irritant, if not a major problem, because the motives can be so arbitrary – maybe an institution was hacked for no other reason than that it claimed to be unhackable?
In the case of hacktivism against a broad target like the present government, any attack that disrupts the economy or draws attention to the cause could be an effective weapon when followed by a public announcement. Terrorism is similarly almost impossible to predict because the aim is to do absolutely anything that might invoke public terror – and that makes it highly threatening.
Joel Stradling, Research Director for the analyst company GlobalData, chairing a recent NetEvents session, mentioned a call for half a million heart pacemakers in the US to be recalled because of vulnerability to cyberterrorism. That is a very good example, because any family or group with a heart patient that might drop dead will feel threatened, and that fear generates panic that could spread far and wide.
It also raises another key point about cyberterrorism: that the threat can be more effective than the actual attack. Terrorists know that a failed bomb attack can be just as effective as a successful one, because the public starts thinking about all the deaths that might have happened. Terrorist groups have far broader agendas than before, going beyond physically harming civilians.
Ray Ottey, Fellow Cybersecurity Practitioner at Verizon, responding to Joel Stradling, described two distinct areas: cyberwar is really just another weapon in the evolution of war, while cyberterrorism has a different motive: “It’s a subset of the wider threat, but it’s just coming with a different motive. There’s no different toolset, and it’s not in some cases different people either. So, it can be the same person during the day being a hacker, or having a normal day job, and by evening a gun to hire”. Attacks may have different political or criminal aims, but the symptoms are the same.
The Internet of Things (IoT) adds a major terrorism threat because it brings what was seen as information war down to physical manifestation – like a compromised pacemaker causing a friend to drop dead. A loss of data is one thing, but if it compromises an entire electricity network or water supply, then you have terror potential. Another factor is that it suddenly extends what has become a pretty well secured IT network by adding a mass of far less secure endpoints previously air-gapped from the Internet. As Roark Pollock, Chief Marketing Officer, Ziften Technologies put it: “You’re trying to protect a network that’s very different than your IT infrastructure. From a security standpoint it’s 20 years behind traditional IT. We’ve integrated those devices into our traditional IT networks, so they become a big part of what you’re trying to protect now, as opposed to just trying to protect the underlying data”.
Optiv’s European Director of Strategy and Technology, Andrzej Kawalec, explained: “IoT is going to completely explode it, and it forces us to think about devices again – which is something we’ve forgotten about for a while. We need to start doing that again… To create physical safety implications on a network, you used to have to have quite specific deep domain capability… the integrated industrial cybercriminal global network allows you to do anything, whether it’s malware as a service, ransomware as a service, being attacked by swarms of kettles” – a reference to the story that the UK company Hargreaves Lansdown was attacked by a botnet of smart kettles last year.
Another factor that blurs the boundaries is the way that cybercrime and drug cartels provide funding for terrorism. IT can also be misused for recruitment and propaganda – as it was recently in New Zealand to amplify the impact of an isolated terrorist incident. Kawalec pointed out that cybercrime had overtaken the global illegal drugs trade: “The National Crime Agency in the UK moved drugs off their top three focus areas, and put online fraud and cybercrime on. I think there’s a lot in there to be unpacked, but I think it’s actually about the digital world influencing cyberterrorism, rather than cyberterrorism influencing the digital world”.
Kawalec concluded: “If there’s anything, it’s going to make us focus on the safety component of cybersecurity, rather than the confidentiality, the integrity, the financial impact. It’s the human implication of hacking into an autonomous car via the DAB radio to turn the brakes off. Who thought that was going to be a thing, but it is.” Roark Pollock agreed that the IT fundamentals had not changed as much as the motives for attack. And with IIoT the user is no longer only an office worker with years of PC experience: “As we talk about industrial terrorism we’re bringing in a whole new user group. Now you’re talking about a user in some industrial facility, managing the safety and reliability of its devices. That person is not used to talking about cybersecurity”.
For Joe Baguley, VMware’s VP and CTO for EMEA: “The biggest problem is IT meeting OT. I’m seeing fundamental failings in basic principles of security when we get to IT and OT”. He gave the example of ubiquitous security cameras: “I found cheap USB ones of which there is no patching model and no way to update them. It’s just people missing basic fundamental steps in deploying IoT systems. That will set us up for massive failure in the future”.
Ray Ottey pointed out that security for the new users Pollock mentioned was about physical, not cyber, security: “So that MRI scanning machine, or that nuclear control system, whatever it was, the security around that was all entirely physical – you can’t get into it, can’t touch it – security badges etc.” He outlined a scenario where the industrial control manager is approached by the new network manager and says: “So you want to try and connect your IT systems to my control system? But you are the guys that gave me that XP laptop riddled with viruses that never really worked, and you’re now telling me you want to try and connect to my OT system? Get stuffed!”
Adding a more positive note, Roark said: “It’s taken us 20 odd years to get to today’s security perspective. At least we now have mature frameworks we can start to apply to those industrial control networks, whether the NIST framework, or any other framework”. Hopefully we can implement these existing frameworks a lot quicker than it took to develop them.
Joe Baguley returned to the prevention theme and the principles of cyber hygiene that are so blindingly obvious to people in the security industry, but not to others: “Things like least privilege, micro segmentation, and encryption. Encryption 10 years ago was a horrible thing, because it was hard. Now it’s really easy and it’s not a burden on processors, so let’s just do it everywhere. Multifactor authentication: Tesla owners are crying out for multifactor authentication on their cars – even Tesla aren’t applying it now – and patching. People are deploying stuff and not thinking about the ongoing lifecycle management”.
Questions from the floor brought the discussion back to the specific issue of cyber terrorism, when the panel was trying more to focus on general prevention. Joe Baguley referred to the Spectre processor issues: “How long had certain nation states known that those vulnerabilities were there, and kept it to themselves, before the wider world found out? You know, it’s those kind of things were actually more worrying… We’re looking again at how do you build a layer on top of that, that almost abstracts you from that threat?”
Andrzej Kawalec said the whole issue is even more blurred when several cybercriminal gangs share malware that exploits an existing vulnerability, hijacking one service to reach some industrial ecosystem. Hence the need to focus on continuous threat hunting and analysis: “You need to go back to what you can control best.” Baguley agreed that there can be too much effort spent trying to anticipate what the next big threat is going to be, rather than going back to basics: how the system is built and made rock solid.
For Ray Ottey part of the problem is that people often do not even know they are under attack: “A process running a bit longer every day, because it’s doing something else. A machine occasionally pinging some other machine, which isn’t necessarily out of the ordinary… and many organisations don’t know what their normal is”.
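Ottey’s two symptoms – a job that runs a little longer every day and a host quietly contacting a peer it never used to – are exactly what a behavioural baseline is for. The following is an added example, not from the panel or any of the companies named: it builds a robust baseline from a constructed “known good” window of daily telemetry and flags both the slow duration creep (which no single-day threshold would catch) and any peer that never appeared in the baseline.

```python
from statistics import median
from typing import Dict, List, Sequence, Set, Tuple

# Constructed daily telemetry (not real data): wall-clock seconds of a nightly
# job, and the set of peers one host contacted each day. 14 days; the first 7
# form the baseline window an analyst treats as "known good".
JOB_SECONDS = [300, 305, 298, 302, 301, 299, 303, 306, 308, 311, 313, 316, 319, 322]
DAILY_PEERS = [
    {"10.0.0.5", "10.0.0.9"}, {"10.0.0.5"}, {"10.0.0.5", "10.0.0.9"},
    {"10.0.0.9"}, {"10.0.0.5"}, {"10.0.0.5", "10.0.0.9"}, {"10.0.0.5"},
    {"10.0.0.5"}, {"10.0.0.5", "10.0.0.9"}, {"10.0.0.5", "10.0.0.77"},
    {"10.0.0.5"}, {"10.0.0.5", "10.0.0.77"}, {"10.0.0.9"}, {"10.0.0.5", "10.0.0.77"},
]
BASELINE_DAYS = 7


def robust_baseline(values: Sequence[float]) -> Tuple[float, float]:
    """Median and scaled MAD of the baseline window; MAD tolerates a few odd days."""
    med = median(values)
    mad = median(abs(v - med) for v in values) * 1.4826  # ~sigma for normal data
    return med, max(mad, 1e-9)  # guard against a perfectly flat baseline


def duration_drift(series: Sequence[float], baseline_days: int,
                   k: float = 3.0, persist: int = 3) -> int:
    """First day index on which the job exceeded median + k robust sigmas for
    `persist` consecutive days, or -1 if it never did. Requiring persistence
    separates a creeping change from a one-off slow night."""
    med, sigma = robust_baseline(series[:baseline_days])
    streak = 0
    for i, v in enumerate(series[baseline_days:], start=baseline_days):
        streak = streak + 1 if (v - med) / sigma > k else 0
        if streak >= persist:
            return i - persist + 1
    return -1


def never_seen_peers(days: Sequence[Set[str]], baseline_days: int) -> Dict[str, List[int]]:
    """Peers contacted after the baseline window that never appeared in it,
    keyed to the day indices on which they were seen."""
    known = set().union(*days[:baseline_days])
    seen: Dict[str, List[int]] = {}
    for i, peers in enumerate(days[baseline_days:], start=baseline_days):
        for p in sorted(peers - known):
            seen.setdefault(p, []).append(i)
    return seen


if __name__ == "__main__":
    print("duration drift confirmed from day", duration_drift(JOB_SECONDS, BASELINE_DAYS))
    print("peers absent from baseline:", never_seen_peers(DAILY_PEERS, BASELINE_DAYS))
```

Neither finding is proof of compromise on its own; the value is that both become questions an analyst can ask only once “normal” has been written down.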
Roark Pollock had the final word in what was a great debate session. He suggested a gaming approach to security training: “These companies need to create some sort of cyber range, where they can play red team, blue team, and train their people, of how to respond when something does occur. Because it’s too late once it happens”.
The transcript of the entire discussion is available at https://www.netevents.org/wp-content/uploads/2019/01/Debate-I-CyberSecurity-GlobalData-final.pdf