Addressing Escalation: When Hackers Get Destructive

Ask most corporate executives to define cybersecurity and their initial thoughts turn to data privacy. That’s for good reason. Companies are bleeding corporate trade secrets and personally identifiable information at such an alarming rate that confidentialityissues and related compliance concerns can’t help but dominate the cybersecurity agenda. Yet, ask cybersecurity professionals what keeps them up at night, and the topic invariably turns to data deletion, tampering with control systems, and the potential to cause physical harm over the Internet. These concerns fall into categories that are distinct from protecting data confidentiality. Instead, they demonstrate the importance of maintaining an enterprise focus on the integrity and availabilityof your company’s most essential data, systems and services.

In fact, it is possible that data privacy concerns may soon pale in comparison to other types of potential cyber harms. In that vein, there is a growing list of victims when it comes to data destruction. At least as early as 2010, criminal syndicates began using malicious software, now commonly referred to as ransomware, to hold a victim’s computer hostage by locking it up until the hacker’s demands were met. The risk in these cases isn’t lost data privacy; it’s lost data, period. Today’s ransomware more commonly encrypts files, rendering them into useless bits, followed by the hacker’s demands for online payments in exchange for the password.

Just as in the physical world, however, destructive attacks typically are not financially motivated. In 2011 for example, a security company fell victim to hackers that stole its data, published much of it online, intentionally deleted the rest of it and adding insult to injury, then discovered and deleted the company’s remote backups. From a risk management perspective, although encryption might have prevented the disclosure of the company’s and its clients’ secrets, it would have done nothing to protect against the accompanying large-scale data loss. Rather, backups kept on write-once media (which cannot be modified intentionally or by accident) would have offered an effective approach for digital disaster recovery. That of course is the risk management lesson. Different tactical approaches often are required to mitigate different types of harm, even to the same data. By storing encrypted data on write-once media, at a separate physical location, with limited access that is logged and audited, a holistic approach to data security begins to emerge.

Consider the 2012 case of a global energy company that lost use of its internal network services after hackers unleashed a malicious virus that effectively erased 30,000 of the company’s 40,000 computers. The company stated that it successfully restored those machines, indicating a mature backup and recovery strategy. However, even with an effective plan in place, rebuilding the internal network took 10 days.

Fast-forward to this past December, when the FBI issued a rare warning about a destructive malware campaign. An ongoing FBI investigation determined that the malware provides its masters with the ability to overwrite data files in a manner that makes it “extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.” Cybersecurity and risk managers should heed this message as a call to pay closer attention to the unique demands of keeping data (including data backups) reliable and available despite the potential for malicious alteration, deletion, or denials of service.

Still, despite the importance of data integrity and availability, far more troubling are Internet threats in which hackers might engage in physical destruction, and do so from afar. In 2007, the Department of Homeland Security engaged Idaho National Labs as a proof of concept to hack into – and explode – an electric power generator by remotely manipulating the hulking machine’s circuit breakers. The media obtained a video of the successful attack, which was later aired on TV and posted to YouTube. In 2010, Stuxnet was exposed as state-sponsored network sabotage targeting Iran’s nuclear power plants. Apparently, malware can be designed not only to alter the spin rate of the centrifuges used to enrich uranium, but to do so while having the control monitors indicate that everything is still working fine. Based on these two examples alone, it should come as no surprise that, in 2011, the FBI retrieved a terrorist recruitment video in which the former leader of Al Qaeda in Iraq pronounced, “I think that the electronic warfare is one of the most important and effective future wars.” The terror segment ends with a call to “electronic jihad.”

Finally, just this past October, the European Police Office (Europol) warned that, with the emergence of the Internet of Everything, we can expect to see “new forms of blackmailing and extortion schemes (e.g. ransomware for smart cars or smart homes),” as well as “physical injury and possible death.” The time to prepare most certainly is now, mindful of that fact that greater convergence of a company’s physical security program with its cybersecurity program soon may no longer be a choice.

Steven Chabinsky is global chair of the Data, Privacy, and Cyber Security practice at White & Case LLP, an international law firm. He previously served as a member of the President’s Commission on Enhancing National Cybersecurity, the General Counsel and Chief Risk Officer of CrowdStrike, and Deputy Assistant Director of the FBI Cyber Division. He can be reached at chabinsky@whitecase.com.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.