Despite the fact that cyber-attacks occur with greater frequency and intensity around the world, many either go unreported or are under-reported, leaving the public with a false sense of security about the threat they pose and the lives and property they impact. While governments, businesses and individuals are all being targeted at an exponentially growing rate, infrastructure is becoming a target of choice among both individual and state-sponsored cyber-attackers, who recognize the value of disrupting what were previously thought of as impenetrable security systems. This has served to demonstrate just how vulnerable businesses, cities and countries have become, and the growing importance of achieving global risk agility in the face of such a threat.
As an example of the growing vulnerability of critical infrastructure, in December 2015 a presumed Russian cyber-attacker successfully seized control of the Prykarpattyaoblenergo Control Center (PCC) in the Ivano-Frankivsk region of Western Ukraine, leaving 230,000 without power for up to 6 hours. This marked the first time that a cyber weapon was successfully used against a nation's power grid. The attackers were skilled strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance. The control systems in Ukraine were surprisingly more secure than some in the U.S., since they were well-segmented from the control center business networks with robust firewalls (Wired, 3/3/16), emphasizing just how vulnerable power systems are globally.
The PCC operated a common form of industrial control system known as a supervisory control and data acquisition system, which allows for remote controlling and monitoring of industrial processes -- in this case the distribution of electricity. The attackers overwrote firmware on critical devices at 16 substations, leaving them unresponsive to any remote commands from operators (Wired, 3/3/16), effectively leaving plant operators blind. It now seems clear, given the degree of sophistication of the intrusion, that the attackers could have rendered the system permanently inoperable.
If that is the case for a sophisticated power station, does an ordinary business stand a chance if hackers choose to penetrate its security system? Cyber-attacks are difficult to prevent, given the relative ease with which hackers can find a single system vulnerability, and the impossibility of plugging every conceivable security hole. Cyber-security professionals are in essence playing an endless game of cat and mouse, in which a would-be attacker attempts to enter a system while security professionals attempt to defend it by applying a continuous stream of patches. The adversary then quickly moves to exploit the latest discovered vulnerability. That is why many computer security programs release patches numerous times per day, even for home computers.
Cyber-Vigilance and the Need for More Resources
High profile cases of cyber-attack are increasingly becoming the norm. The U.S. government had little difficulty finding evidence to assign blame (to China) for the theft of personal information of more than 22 million government employees from the computer systems of the Office of Personnel Management in 2015. Similarly, it did not take long for the U.S. to determine that North Korea was responsible for the cyber-attack against Sony in 2015. Cyber-attacks essentially give nations of all sizes, degrees of wealth and resources a seat at the table of the super powers, affording them a disproportionate amount of clout. While China, the U.S. and Russia lead the world in cyber-attacks, virtually every government engages in such attacks, and nearly every country has its share of computer hackers.
International treaties intended to address the problem have limited impact because of the inability to hold signatories accountable and the difficulty associated with accurately determining the identity of responsible actors. Enhanced information sharing, combined with a mandate to swiftly and accurately release information regarding attacks to impacted citizens, provides a sensible foundation for designing a protocol to effectively address future attacks, yet very few governments routinely engage in this practice.
Clearly, governments, businesses and individuals must devote greater resources to becoming more cyber-vigilant, which means they must devote more resources toward anticipating and protecting against attacks. Governments and businesses need to also engage in more public-private partnerships in order to adequately address the issue. The European Union has recently implemented the "Network and Information Security Directive", which forces member states to adopt more rigid cyber-security standards, and creates an avenue for the 28 member states -- and the operators of essential services such as energy, transportation, and healthcare sectors -- to communicate (European Commission, Digital Single Marketplace). Other nations are in the process of acting accordingly. However, no nation allocates sufficient resources to adequately respond to the increasing threat of a cyber-attack against critical infrastructure, nor does any nation have a truly comprehensive plan to prevent or meaningfully react to the outcome of such attacks.
Taking precautions against cyber-attacks has become essential, particularly among financial institutions, which are frequently targeted for attack. Serious incidents have occurred this year across the globe, including among banks in Vietnam, Ecuador, and the best-known example -- the central bank of Bangladesh, in which $81 million was successfully stolen. For financial institutions, cyber-attacks have become so serious that in October of this year, the U.S. Treasury Department's Financial Crimes Enforcement Network issued an advisory on cyber-crime as well as guidelines for how and when to report suspicious activity. According to a recent report by Verizon, which involved 67 organizations in the private and public sectors, 48% of data breach incidents among banks in 2015 involved compromised web applications, prompting many financial institutions to require two-step verification procedures, and a host of other protective measures.
While cyber-attacks can pose a nuisance for countries with cyber defense capability, for businesses without it, cyber-attacks can pose an existential threat, not just operationally, but in terms of reputation risk, so they must create a sturdy defense. A large variety of insurance carriers now provide cyber-risk insurance, which can provide meaningful protection. But businesses must go further than taking out insurance. Business continuity plans must be carefully crafted, and an implementation plan must be both realistic and executable. Employees must be trained in what not to do (e.g. click on the wrong email link), as well as what to do in the event of an attack. And crisis management programs should be put into place in advance of actually needing them, so as to be able to respond in a meaningful fashion.
Apart from heightening awareness of cyber-attacks, a number of actions should also be taken so as to avoid the regulatory and legal action that can follow an attack. To the extent possible, avoid collecting or retaining unnecessary personal information about customers. Restrict access to sensitive information to a small pool of employees. Deploy best practice methods to store and transmit sensitive information, and be sure to require that third party partners and service providers do the same. If there is a data breach, be sure to carefully weigh the key messages you wish to convey to your customers, partners, and employees. Don't make matters worse by sending the wrong message to the marketplace.
Governments around the world have plans in place to deal with the consequences of natural disasters, yet none have disaster relief plans for a downed power grid. Clearly, this must change. Local and state governments must work together with their national counterparts to produce and quickly implement plans to address future attacks. The same may certainly be said of the need for businesses to put cyber-risk on the front burner, stop presuming it is someone else's problem, and devote the resources necessary to seriously and effectively combat the problem. Doing so will take as much will and determination as successfully tackling any other risk that poses a potentially existential threat to a firm. If a child can hack into the Pentagon, as has been done, there really is no place to hide. The only solution is to confront this menace head on.
*Dante Disparte is the CEO and Daniel Wagner is Managing Director of Risk Cooperative. They are the co-authors of the new book "Global Risk Agility and Decision Making".
This article first appeared in the Winter 2016 issue of Professional Investor magazine.