Given the number of major breaches making the news, not only do they begin to blur together, but it also becomes easy to underappreciate the significance of each one. The Sony hack may have gotten lost in the crowd if it weren’t for the way Sony responded, by cancelling or postponing the release of “The Interview.” Moreover, the source of the attack was not some garden variety criminal hacker or even the Chinese, who we’ve come to expect. It has been alleged instead, that the unstable and unpredictable nation state of North Korea is responsible, if government sources are correct (although those reports are now in doubt). It’s sort of ironic that Chinese hacking no longer seems all that troubling, just one of many issues to be discussed by diplomats during routine visits. Perhaps it’s because the Chinese hacking falls into what is predictable and “responsible.” After all, the Chinese don’t destroy things or make the lives of individuals difficult. They instead steal data known by the rather vague term, intellectual property, which is often hard to value.
In essence, the retail breaches by cybercriminals and the intellectual property stolen by nation states has become par for the course. It may be harmful, but it is manageable in the aggregate. No one dies, consumers are made whole, and large companies take a painful but recoverable adjustment to their balance sheets. The difference with the Sony hack was the presence of palpable fear. Sony could not easily point to an easy fall guy for the breach, to someone who left the proverbial barn door open. In fact, Mandiant, the premier incident response organization recently acquired by FireEye, remarked that “neither [Sony] nor other companies could have been fully prepared.”
In this attack and many of the major retail breaches the attackers were highly motivated and well-funded. Those two facts should be of great concern to critical infrastructure asset owners. Despite significant improvements in cybersecurity across portions of critical infrastructure, particularly among electric utilities, the reason why there have not been more significant and destructive breaches is because the potential attackers have not been sufficiently motivated and funded. Bored teenagers may seek to cause power outages, but they clearly don’t have the funding or, arguably, the motivation to see it through. Traditional cybercriminals have not yet found a way to turn those attacks into a profitable enterprise, or at least a more lucrative one other than low-hanging fruit. Nation states like China and Russia have little reason to cause destruction or damage to our infrastructure because the economic consequences (not to mention the political) would likely hurt them too. Instead, it is the rogue nation or terrorist group (or possibly disgruntled former employees) that have the most to gain from such an attack. The attacks give them notoriety, support from fellow outlaws, and, in their view, leverage for future negotiations. In fact, in his book, America the Vulnerable, Joel Brenner suggests that China has already infiltrated our critical infrastructure in order to gain leverage later on when some geopolitical crisis pops up. If the conventional wisdom is that China is prepared to launch such attacks in the future, then it should not surprise anyone that rogue states and terrorist groups may choose this avenue sooner. And of course, we already have Stuxnet and the Saudi Aramco attack to demonstrate the lengths governments are willing to go to disable their adversaries.
So what message should we take from the Sony attack? First of all, Sony was not an attack on our critical infrastructure. While Sony will suffer, neither our infrastructure nor our economy will feel any noticeable impact. What the attack does demonstrate is the lengths that a rogue state or terrorist group will go to achieve a seemingly limited aim, to stop the release of a movie. Presumably those same groups would be more motivated to launch attacks designed to achieve some geopolitical goal instead. Whether an attack launched on critical infrastructure that is primarily owned and operated by the private sector would motivate a government to alter its policies is an open question. But given its relatively low cost and attribution challenges, launching a cyber attack on critical infrastructure is certainly something these groups must be considering. It’s only a matter of time before real damage is done.
The good news is that the US Government and most areas of critical infrastructure have focused more attention on cybersecurity threats. And while many of the activities have mainly served a public relations purpose with little actual improvement, some real improvement has also been made. What the Sony attacks and other breaches have shown us is the importance of implementing some very basic but critical controls. Those include:
- Identify and isolate critical assets from the rest of the enterprise and monitor their access very closely
- Require two-factor authentication for all administrator functions and all remote access
- Implement 24x7 security monitoring by human analysts for all large and most medium-sized organizations
- Deploy application whitelisting and anomaly detection tools for critical infrastructure cyber assets
Unfortunately we don’t have the luxury of time. While many of the Hollywood-style scenarios are overblown, there is reason for concern. Our critical infrastructure is vast, largely decentralized, and resilient, but it is vulnerable. For those who had comforted themselves with the lack of a determined adversary, those assurances now ring hollow.