In the wake of the ransomware attack against Colonial Pipeline in May, experts reassured the public there was no need for panic, that the incident was a textbook “hack-and-pay” gone wrong, and that attacks like these are common and have been occurring for years. While I agree we should not panic, I do not feel that overly reassuring the public is in our best interests either, nor do I find comfort in the thought that such attacks are common—quite the contrary, in fact. The most recent cyber attack against Kaseya, in which up to 1,500 companies have been affected, only further confirms my belief.
Somewhere between panic and uninformed complacency is a middle ground that we need to occupy. While it is true that ransomware attacks have been going on for years, there is no question that the rate of incidence is rising. Further, the attacks are getting bigger and bolder, with the worst yet to come. And the problem is not just ransomware. State-sponsored cyber attacks such as the ones against SolarWinds and Microsoft Exchange Server, attributed to Russia and China, respectively, are also increasing drastically, and they are subverting our conventional, outdated notions of what cyber threats are supposed to look like and where they come from. To prevent a true calamity, we need to bolster our cyber resilience by evolving our approaches and responses to cyber threats, be they ransomware or state-sponsored attacks.
Recognizing the scale of the threat
Organizations first need to understand the scale of the threats they now face on a constant basis. From 2019 to 2020 there was a 150 percent increase in ransomware attacks, and the average payout was 300 percent higher. Because organizations lack cyber resilience, and in particular tested offline backups and a rehearsed recovery plan, threat actors know they can keep raising the ransom and that compromised organizations will keep paying because, essentially, they have no choice.
With the state-sponsored cyber attacks against SolarWinds and Microsoft, we still do not know the full extent of the damage, as both are still being investigated. We learned only recently, for example, that the SolarWinds intrusion began a full eight months earlier than initially believed, as early as January 2019. The goal of the threat actors behind the SolarWinds attack was not money but extracting information. SolarWinds has over 300,000 clients, including Fortune 500 companies and prominent government agencies such as the Department of Defense, the Secret Service, and none other than the Office of the President of the United States. Not every client installed the trojanized update (SolarWinds put the number at fewer than 18,000), but with a victim pool that large and that sensitive, the implications are truly alarming. Worse, the state-sponsored group behind the attack, known as Nobelium, appears to still be at it.
Even when the motive is not political but profit-oriented, as it is with ransomware, the potential for economic and societal damage is vast, as we saw with the Colonial Pipeline attack (despite DarkSide's claims that it only wanted to make money and did not mean to cause problems for society). When we brought the former CIO of Siemens, Dr. Helmuth Ludwig, onto the faculty here at the Cox School of Business, where I teach, we asked him to share the one cyber security-related fear that kept him up at night. He responded that it was a catastrophic event in which not just Siemens' servers but cloud servers globally became the target of a ransomware attack, effectively shutting down the Internet, and by extension the economy, until the ransom was paid or a workaround was found.
Shedding outdated models of protection
The traditional approach to cyber security has been similar to the way we approach terrorism: build a moat and keep the bad guys out. By focusing so heavily on the perimeter, we have left open gaping vulnerabilities that the bad guys are now exploiting. While the state-sponsored cyber attacks on both SolarWinds and Microsoft involved the usual foreign suspects, Russia and China, respectively, part of the reason they avoided detection for so long was that the attacks were launched from servers inside the U.S. and so bypassed early warning systems designed to catch threats coming in from outside. A model that treats network location as a proxy for trust is outdated. The defensible assumption is that the adversary is already inside, which means monitoring identity, internal traffic and lateral movement rather than only the border.
The SolarWinds incident also highlights another vulnerability. We are not accustomed to viewing software updates as threats, quite the opposite, in fact. Organizations and individuals are constantly told that installing updates as soon as they are released is one of the best ways they can protect themselves. In this case the attackers compromised SolarWinds' own build process, so the backdoor shipped inside a legitimately signed Orion update and passed every check customers would normally apply. For threat actors to create access points within something widely seen as benign and helpful is a particularly clever and insidious strategy that has blindsided us. The lesson is not to stop patching; unpatched systems remain a far more common way in. It is to verify where a build came from, to limit what an update mechanism and the software it installs are allowed to reach, and to watch for unexpected behavior after installation rather than trusting an update simply because it is signed.
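To make concrete why a valid signature offers no protection against a compromised build pipeline, and what does, here is a small Python model added for this article; it is not code from SolarWinds or from any party discussed above. It uses an HMAC under a hypothetical vendor key as a stand-in for the vendor's code signature, a hash of the source as a stand-in for a deterministic compiler, and a constructed two-line "source file" and "backdoor"; none of these are real artifacts. The vendor key, function names and sample bytes are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample artifacts: a stand-in "source file" and an attacker's
# stand-in "backdoor". Neither is real SolarWinds or Orion material.
CLEAN_SOURCE = b"def run():\n    serve_customers()\n"
BACKDOOR = b"def _beacon():\n    call_home('attacker-controlled host')\n"

# Hypothetical vendor signing key. Assumption: one symmetric key models the
# vendor's code-signing key; real code signing uses an asymmetric key pair,
# but the argument about what the signature attests to is the same.
VENDOR_SIGNING_KEY = secrets.token_bytes(32)


def build(source: bytes) -> bytes:
    """Stand-in for a deterministic compiler: output depends only on input."""
    return b"BUILD:" + hashlib.sha256(source).digest()


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """The vendor signs whatever came out of the build, unexamined."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """Customer-side signature check, in constant time."""
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_release(source: bytes, pipeline_compromised: bool):
    """Model of the vendor's release pipeline.

    If the pipeline is compromised, the backdoor is inserted *before* the
    build is signed, so the vendor's own key signs the trojanized artifact.
    """
    if pipeline_compromised:
        source = source + BACKDOOR
    artifact = build(source)
    return artifact, sign(artifact)


def reproducible_build_check(artifact: bytes, published_source: bytes) -> bool:
    """Independent rebuild from the published source. Matches only if the
    shipped artifact was built from exactly that source and nothing else."""
    return hmac.compare_digest(build(published_source), artifact)


def evaluate_update(pipeline_compromised: bool) -> dict:
    """Run both customer-side checks against a release and report the results."""
    artifact, signature = vendor_release(CLEAN_SOURCE, pipeline_compromised)
    return {
        "signature_valid": verify(artifact, signature),
        "matches_independent_build": reproducible_build_check(artifact, CLEAN_SOURCE),
    }


def tampered_in_transit() -> bool:
    """Contrast case: a third party alters the artifact *after* signing.
    This is the threat a signature check does catch; returns the verify result."""
    artifact, signature = vendor_release(CLEAN_SOURCE, pipeline_compromised=False)
    return verify(artifact + b"trailing junk", signature)


if __name__ == "__main__":
    for compromised in (False, True):
        print("pipeline compromised:", compromised, evaluate_update(compromised))
    print("post-signing tampering passes signature check:", tampered_in_transit())
```

The signature check passes in both the clean and the compromised case, because the signature attests to who built the artifact, not to what it contains; only the independent rebuild distinguishes them. In practice a reproducible build needs a deterministic toolchain and published source, and an attacker who alters the source repository itself rather than the build system defeats it too, which is why post-install behavioral monitoring remains necessary alongside provenance checks.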
Whether profit-minded ransomware or state-sponsored intelligence gathering, this new wave of cyber attacks is able to, and likely will continue to, mercilessly exploit these weaknesses unless we take aggressive measures to address them.
Learning from the military
One of the reasons that Taiwan has done extraordinarily well in controlling the Covid-19 pandemic is the extensive scenario planning and wargaming it has consistently been doing ever since a SARS outbreak killed 70 Taiwanese citizens in 2003. This kind of scenario planning and wargaming is what we need to be doing to build cyber resilience. Moreover, the wargaming must not be rote, mechanized repetition but an ongoing process of imagining the worst things that can happen and then creatively imagining how they could get even worse. Strategists must also question their own assumptions and biases, such as the assumption that attacks come from the outside in rather than from the inside out. In this, we should take a cue from the military's practice of red teaming: bringing in fresh eyes and talent to examine a mission and challenge all of its underlying assumptions.
Next, there needs to be collaboration. The fact that none of our intelligence and security agencies (the Department of Homeland Security, the FBI, the NSA, or anyone else) detected the recent wave of cyber threats, and that when they were eventually discovered it was by private security firms such as FireEye (which was itself attacked by Russian hackers operating from servers inside the U.S.), suggests that there needs to be a new model of collaboration between the public and private spheres. In the present landscape, a situation in which the government tries to protect only itself and private enterprise also tries to protect only itself is simply untenable. Even within private enterprise, competing organizations are often hacked by the same threat actors, as evidenced by Nobelium's latest campaign against roughly 150 organizations simultaneously. Much can be gained by sharing information between organizations and across the public and private sectors and, conversely, there is too much to lose by not doing so.
Finally, and this overlaps with the need for collaboration, there needs to be more transparency and swiftness with regard to organizations admitting when they have been the victim of a cyber attack. The traditional tendency has been for organizations to wait too long before admitting they have been hacked, or perhaps never to admit it at all. Whatever the reasons for the delay, and there can be many, this is dangerous and only increases the risk of more attacks for everyone. The sooner an attack is disclosed, the sooner fruitful collaboration can begin, and the sooner organizations can build the cyber resilience they need for a new era of never-ending cyber threats.