According to recent reporting, the North Atlantic Treaty Organization (NATO) announced that its Cyber Operations Center (COC) is expected to be fully staffed and functional by 2023. The new COC reflects NATO's recognition of the role cyberspace plays in conflict, particularly during periods of political tension that have produced cyber malfeasance targeting elections and critical infrastructure. The establishment of the COC is a natural evolution in addressing cyber attacks in a more timely manner by integrating cyber actions with more conventional military capabilities. In 2014, after cyber incidents had accompanied the international incidents in Estonia in 2007 and Georgia in 2008, the Alliance updated its cyber defense policy to recognize that a cyber attack could be treated as the equivalent of a kinetic attack and trigger collective defense under Article 5 of the treaty.
In those particular instances, Russia was suspected of orchestrating, or at least tacitly supporting, the cyber attacks that afflicted both states. Since then, Russia's alleged cyber activities have only become more brazen in scale and aggressiveness. From suspected involvement in cyber attacks against Ukrainian critical infrastructure to a variety of cyber operations meddling in the elections of foreign governments, Russia has taken advantage of the uncertainty of a domain in which there is little consensus on key issues such as Internet governance, norms of state behavior in cyberspace, or the criteria by which a cyber attack escalates to an act of war.
There has been recent focus on alleged Iranian cyber activity in the past few weeks, spurred on by the publication of a vendor report on Iranian operations. Per the vendor's findings, not only was Iran likely behind activity targeting government and private-sector organizations in the Middle East, it was using National Security Agency exploits that were stolen and dumped into the public domain by the Shadow Brokers group in April 2017. As recently as late August 2018, Iran was suspected of trying to launch influence operations ahead of the U.S. midterm elections. The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its toolbox for conducting retaliatory attacks.
The new reporting comes at a time when Russia's cyber malfeasance has largely dominated the press, due to its influence operations and election interference, not just in the United States but in other countries as well. Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and SWIFT banking transactions before that. Iran was propelled onto the scene with Operation Ababil, the distributed denial-of-service campaign against U.S. banks that began in 2012.
There is much concern about the realities of "Cyber Battle Fatigue", a condition resulting from the never-ending process of defending networks and sensitive information against an onslaught of cyber attacks conducted by cyber criminals, cyber espionage actors, and hacktivists. These attackers continue to use a wide variety of tactics, tools, and procedures, ranging from unsophisticated to very sophisticated, and continue to have more successes than failures. Two things are certain in a constantly changing domain: first, no business that operates online is immune to being targeted, and second, the cyber security talent pool is sparse, which contributes to the cyber battle fatigue reality.
The numbers are staggering and continue to exceed those of previous years. In 2017, ransomware demonstrated how prolific just one type of attack can be. The WannaCry outbreak infected computers in more than 150 countries, with estimated losses of approximately USD 4 billion. According to one U.S. IT company, some notable 2017 cybercrime statistics illustrate the challenges facing network defenders:
The recent breach of Equifax, a global information solutions company that organizes, assimilates and analyzes data on consumers and businesses worldwide, and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States. Between May and July 2017, the breach gave attackers access to names, Social Security numbers, birth dates, and in some cases driver's license numbers, in addition to 209,000 credit card numbers and dispute documents for another 182,000 individuals. According to the company, the attackers exploited a vulnerability in a U.S. website application to gain access to certain files. In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the Centers for Medicare & Medicaid Services, and the Social Security Administration, all major targets of hostile cyber actors.
More alarming than the breach itself is that details of the breach weren't made public until six weeks after it had been discovered, and the company hasn't said why it waited so long before notifying the public. One possibility is that the company was investigating the causes and extent of the breach, although this is speculation. To add insult to injury, it was revealed that three Equifax executives sold company stock prior to the disclosure of the breach. While the company maintains that these individuals had not been notified of the breach before the sale, once the breach was made public, Equifax stock plunged 18 percent, with some estimates predicting further losses.
Unsurprisingly, this series of events has outraged the American public, and that anger has reached the U.S. government, igniting a bipartisan political response to the breach. The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why, sending a 13-question letter covering topics such as how the breach was discovered, the company's victim notification plan, and steps to mitigate consumer impact. The company has until September 28 to answer the questions outlined in the Committee's letter.
The Equifax breach comes at a time when several significant organizations have failed to safeguard the sensitive personal information of citizens. Notable breaches have included the 2015 Anthem breach that surrendered 79 million people's personal information; the 2015 Office of Personnel Management (OPM) breach that compromised the personnel records of more than 4 million current and former federal employees, along with background-investigation data on individuals applying for security clearances; and the IRS breach whose scope was revised in 2016 to more than 700,000 affected individuals.
It is important to underscore that these millions of individuals did not carelessly protect or handle their own data. Rather, it was the inability of the "responsible" organizations that require the information for their business purposes to properly secure it, calling into question the extent of their responsibility, accountability, and the consequences they face. Even the site Equifax provided so potential victims could check whether their information might have been compromised required the last six digits of an individual's Social Security number, rather than the last four, which is the more standard practice. Providing additional information to a website run by an entity that has demonstrated its inability to protect what it already had is certainly not reassuring.
Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. However, the required time of notification varies, and in several instances is defined in vague terms such as "most expeditious." This is completely unacceptable in today's cyber reality, where criminals can operate quickly and monetize stolen information immediately, before victims are even aware that they have been compromised. In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans that it had accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The SSA essentially ignored the reporting guidelines established under the U.S. Privacy Act, which protects the personal information of private citizens. Such actions are not only negligent but border on criminal in their own right.
The U.S. public is tired of seeing massive breaches occur without any accountability or consequence levied against the organizations that were trusted with, and failed to protect, other people's sensitive information. Fines do not send a serious enough message, and CEO firings and forced resignations have not had any significant impact on cyber security practices. The U.S. Congress, long maligned and unpopular according to one tracking service, has the opportunity to demonstrate bipartisanship and pass strict disclosure mandates, along with an appropriate level of grave consequences.
While much attention has been focused on nation-state cyber capabilities, the frequency and pace of major breaches like the Equifax breach have become white noise that gets a moment's notice before attention shifts to sexier cyber topics. This has got to change. While the crippling of U.S. critical infrastructure by a cyber attack could have far-reaching impacts, it remains a hypothetical scenario. What is actually transpiring is the rampant mass exploitation and misuse of the U.S. public's personal information, which affects everyone, regardless of political party, economic class, or religious ideology. That seems a cause that both sides of the aisle should be able to get behind.
It's that time of the year when data breaches are everywhere. And again, our old friend Yahoo surprises us with another end-of-year hack. Only this time, it's not several hundred million, but a billion compromised accounts.
Unsurprisingly, the healthcare sector continues to be an attractive target, as stolen data continues to provide value to a diverse set of threat actors. Indeed, criminals and actors associated with traditional cyber espionage have conducted some of the more news-garnering incidents of the past few years. What's more, depending on the actors' intent, all types of information have been sought after and stolen by these groups and individuals, including financial and insurance-related information, personally identifiable information, and even patients' health records. The targeting of these different types of data should demonstrate to the healthcare industry that there is no seemingly benign data when it comes to healthcare, and that strategies must be designed to safeguard any and all types of data that relate to patients and their treatment.
In late September and late October 2016, two massive distributed denial-of-service (DDoS) attacks successfully impacted the operations of their targets. In the October DDoS against Dyn, a cloud-based Internet performance management company, several high-profile websites (Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, and Comcast, to name a few) were unavailable to many users for a substantial part of the day. While Dyn was ultimately able to mitigate the three-wave attack, it did impact users' ability to access these sites.