by Frank Umbach
A worldwide surge of sophisticated cyberattacks on industrial control centers has alarmed business, governments and cybersecurity experts alike. As long as it remains difficult to attribute cyberattacks to their sources, while offensive cyber tools become more commonplace and easily available to rogue nations, jihadists and cyber criminals around the world, one can expect such assaults on industrial control systems (ICS) to increase. Disruptive attacks on critical infrastructure have already crossed the “red lines” of past forecasts. Even so, we may still be underestimating the scope of future cybersecurity threats.
The WannaCry ransomware attack in May 2017 encrypted data stored on hard drives worldwide, demanding from victims a payment equivalent to $300 in bitcoin to receive decryption keys. It was the latest wake-up call for the highly industrialized nations, especially the United States and Europe, which find themselves insufficiently prepared to fend off major cyberattacks. By exposing security vulnerabilities in even the largest organizations and companies, WannaCry highlighted how interconnected the global digital economy has become, with shared critical infrastructures (CIs) constituting the backbone of commerce, wealth and security in many countries.
The ransomware has been called one of the most virulent and wide-ranging cyberattacks to date, affecting hundreds of thousands of computers in more than 150 countries. Its high-visibility impact on the United Kingdom’s National Health Service (NHS), disrupting roughly a third of its hospital trusts in England, demonstrated the potentially devastating effect on critical infrastructures such as hospitals. WannaCry infected some of the world’s biggest corporations, including the Spanish mobile phone giant Telefonica, the German national railway Deutsche Bahn, the French carmaker Renault, and the U.S.-based logistics giant FedEx Corp. It also spread to Russia, forcing the Interior Ministry to take more than 1,000 of its computers offline. In China, almost 30,000 institutions were affected.
One striking feature of the WannaCry cyberattack was its indiscriminate nature. No specific institution was targeted, yet British hospitals were forced to delay or cancel surgeries and treatment of patients. Lack of preparedness was also evident. Cybersecurity experts called the NHS’s information systems a security nightmare that would require enormous investments to bring up to standard.
Coming on the heels of the release of powerful hacking tools allegedly stolen from the U.S. National Security Agency (NSA), the WannaCry outbreak showed the extent to which governments and companies are being targeted by constant and increasingly sophisticated cyberattacks from rival nation-states and their intelligence services, terrorist groups, hackers and cyber criminals. Recent assessments of the scale of this threat are given below.
Estimating the Threat:
- Economic losses from cybercrime exceed global profits from the drug trade – Europol
- About 70% of businesses suffering attacks from malicious software (malware) paid ransom, often in the anonymous digital currency bitcoin – IBM research
- Cyberattacks on industrial control systems (ICS) rose 110% in 2016 – IBM research
- Cybercrime in Germany nearly doubled in 2016 from the previous year to 82,000 cases, resulting in damages of over 51 million euros. (These figures are based on reported attacks and may be only the tip of the iceberg.) – German Federal Crime Office
- More than 67% of institutions do not realize they have been under cyberattack until told by a third party – FireEye
- U.S. institutions and companies take an average 99 days to realize they have been attacked; in Europe, it can take up to 200 days – FireEye
- One-third of 1,552 known ICS vulnerabilities had no patch at the time of disclosure – FireEye
- Between 17% and 93% of software from major vendors has unpatched vulnerabilities – Kaspersky
- A survey of 70 professional hackers revealed that 88% believe they can break through cybersecurity defenses and into targeted systems within 12 hours – Nuix
- U.S. businesses will spend $101.6bn annually to protect themselves against hacking by 2020 (vs $73.7bn in 2016) – International Data Corp.
- Worldwide costs from cybercrime will double to $6tn in 2021 from $3tn in 2015. These costs include damage and destruction of data, lost productivity, theft of intellectual property and personal data, fraud, embezzlement, business disruption, deletion and restoration of hacked systems, and reputational harm – Cybersecurity Ventures
- Credit card fraud is forecast to rise to $20bn in 2020 from $4bn in 2016 – CNBC
- The global cyber insurance market may generate $14bn in premiums by 2022, posting an annual growth rate of nearly 28% – Allied Market Research
Most cyberattacks go unreported by companies, especially in the financial sector, because they fear reputational damage and loss of customers to competitors. Many firms and operators of critical infrastructure see no alternative to paying ransom, as the loss of up-to-the-minute data is too disruptive and could even lead to deaths (e.g. patient monitoring and surgeries in hospitals).
One positive side effect of the spread of cyberattacks is that it has increased international awareness and cooperation in tackling the problem. Western countries are actively sharing expertise and information, with tangible results.
In 2016, for example, investigators from more than 40 countries, including the U.S., collaborated to destroy the global Avalanche phishing network, which had operated since at least 2009. Phishing is an attempt to obtain sensitive information such as usernames, passwords, or credit card details through electronic communications disguised to appear as coming from a trustworthy source. Avalanche consisted of a distributed, cloud-hosting network of as many as 600 servers and 500,000 infected computers that was rented by cyber criminals to launch worldwide phishing and malware attacks.
Despite such progress, however, preparedness and defensive capabilities have not kept up with the offensive prowess of transnational criminal organizations and government-supported hacking groups.
Withhold or Disclose
The WannaCry malicious code also highlighted the competing security interests between private actors and government institutions – especially law enforcement and security agencies, which themselves develop and use offensive cyber weaponry. Flaws and loopholes in widely available commercial software are used by military and security organizations to fight terrorism and international crime, and for intelligence and counterintelligence operations.
In the case of WannaCry, the outbreak was only made possible because a sophisticated exploit – EternalBlue, which targets a vulnerability in Microsoft’s implementation of the SMBv1 file-sharing protocol in Windows – was allegedly stolen in 2016 from the NSA, the agency that controls U.S. signals intelligence. The group that published the tool, known as the Shadow Brokers, is suspected by some analysts of being a proxy of the Russian intelligence services. After a failed attempt to auction the stolen tools, the Shadow Brokers released EternalBlue publicly in April 2017, a month after Microsoft had issued a patch (MS17-010) for the underlying flaw; the exploit was then repurposed by other cyber actors, among them the authors of WannaCry.
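The exploit described above only reaches hosts that still speak SMBv1. One practical check a defender can run on network telemetry is to look at the SMB Negotiate request a client sends on TCP port 445: a Windows client with SMBv1 enabled sends an SMBv1-framed Negotiate listing legacy dialects such as “NT LM 0.12”, while a client with SMBv1 disabled opens with an SMB2 Negotiate directly. The parser below is an added example for this article, not code from the original page or from any tool it mentions; the packet bytes it inspects are constructed inline from the public SMB header layout (4-byte NetBIOS session header, 32-byte SMB header, then WordCount and ByteCount), and the `classify` labels are my own naming.

```python
"""Flag SMBv1 Negotiate requests in captured TCP/445 payloads.

Added example: identifies clients that still offer SMBv1 dialects, the
protocol family EternalBlue targets. Input is the raw TCP payload as it
appears on port 445: a 4-byte NetBIOS session service header followed by
the SMB message. Sample packets are constructed below, not captured.
"""
import struct

SMB1_MAGIC = b"\xffSMB"          # first four bytes of every SMBv1 header
SMB2_MAGIC = b"\xfeSMB"          # first four bytes of every SMB2/SMB3 header
SMB_COM_NEGOTIATE = 0x72         # SMBv1 command code for Negotiate
SMB_FLAGS_REPLY = 0x80           # bit in the SMBv1 Flags byte set on server replies
# Dialect strings that select the legacy SMBv1 protocol family.
LEGACY_DIALECTS = {
    b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"Windows for Workgroups 3.1a",
    b"LM1.2X002", b"LANMAN2.1", b"NT LM 0.12",
}


def smb1_negotiate_dialects(payload: bytes):
    """Return the dialects offered in an SMBv1 Negotiate *request*,
    or None if the payload is not one (wrong framing, SMB2, a reply, ...)."""
    if len(payload) < 4 + 32 + 3:
        return None
    nb_type = payload[0]
    nb_len = int.from_bytes(payload[1:4], "big")
    if nb_type != 0x00 or nb_len != len(payload) - 4:
        return None                      # not a well-formed session message
    smb = payload[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[9] & SMB_FLAGS_REPLY:         # Flags byte sits at header offset 9
        return None
    word_count = smb[32]                 # parameter words follow the 32-byte header
    off = 33 + 2 * word_count
    if off + 2 > len(smb):
        return None
    byte_count = struct.unpack_from("<H", smb, off)[0]
    data = smb[off + 2: off + 2 + byte_count]
    dialects = []
    while data:
        # Each entry is a 0x02 buffer-format byte plus a NUL-terminated string.
        if data[0] != 0x02:
            break
        end = data.find(b"\x00", 1)
        if end < 0:
            break
        dialects.append(data[1:end])
        data = data[end + 1:]
    return dialects


def classify(payload: bytes):
    """Label a port-445 payload for alerting.

    'smb1-offered'      client offers at least one legacy SMBv1 dialect (alert)
    'smb1-framed-only'  SMBv1 framing but only SMB2-style dialect strings
    'smb2-native'       client starts with an SMB2/SMB3 Negotiate
    'other'             anything else
    """
    dialects = smb1_negotiate_dialects(payload)
    if dialects is not None:
        if any(d in LEGACY_DIALECTS for d in dialects):
            return "smb1-offered", dialects
        return "smb1-framed-only", dialects
    if len(payload) >= 8 and payload[4:8] == SMB2_MAGIC:
        return "smb2-native", []
    return "other", []


def build_smb1_negotiate(dialects):
    """Construct a minimal SMBv1 Negotiate request (sample input, not a capture)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32 bytes
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body       # WordCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    # Constructed samples: a client with SMBv1 still enabled, a modern client,
    # and an unrelated HTTP request on the same port.
    samples = {
        "legacy-client": build_smb1_negotiate([b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"]),
        "modern-client": b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60,
        "http": b"GET / HTTP/1.1\r\n",
    }
    for name, pkt in samples.items():
        label, dialects = classify(pkt)
        print(f"{name:14s} {label:18s} {[d.decode() for d in dialects]}")
```

Note that a stock Windows client with SMBv1 enabled advertises both the legacy dialects and “SMB 2.002” / “SMB 2.???” in a single SMBv1-framed request, so the presence of SMB2 strings alone does not clear a host; the signal that matters is whether any legacy dialect is offered at all.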
The exploit gives an attacker remote code execution on any unpatched Windows machine that exposes the SMB file-sharing service, which is how WannaCry spread from host to host and across organizational boundaries without any user interaction. Cyber experts had warned for years about such loopholes, which U.S. intelligence agencies had either created for themselves or used their specialized knowledge to exploit. Microsoft was bitterly critical about the U.S. government’s withholding of information about these vulnerabilities, which allowed them to “st