During the past year, we have become numb to the sheer outrage of cyber-attacks and the devastating impacts they have left in their wake. In fact, I still hear today an incredible number of dismissive words used to describe the attacks as “nuances” or “disturbances,” which is clearly anything but the case for the organizations that are battling the attacks and tallying the financial losses of such events.
If you sift back, whether through cyber-attacks or operational mishaps, this year has brought us the following:
- The first meaningful outage at Google – August 2013
- Operational outages at nearly every major commercial U.S. Bank – September 2012 – Present
- Multiple outages at one of the world’s largest newspapers – the New York Times – August 2013
- Hours-long outage at the NASDAQ during the trading day – August 2013
- Scientific reports and FDA warning that medical devices can be attacked and could conceivably lead to death – June 2013
- A ‘hacker’ industry nurtured with at least four massive hacking-collectives or memes formed, which are as follows:
  - Group Anonymous
  - Syrian Electronic Army
  - Izz ad-Din al-Qassam Cyber Fighters
  - AnonGhost (Group Anonymous Offshoot)
In many ways, this reminds me of the attacks on Pearl Harbor during World War II, in which a constant drumbeat of signs should have alerted us to trouble. The possibility of an air attack was never questioned, weaknesses in our defense were used to the enemy’s advantage, there were strong motives for the U.S. to be attacked and our resources were compromised.
With that sentiment in mind, it is important to note that things could become much worse and the forecast amongst the people fighting in the field is not good. Here are five reasons for concern:
Reason #1: It CAN be done
Planning the attack on Pearl Harbor took meticulous preparation. As in all warfare, one of the most difficult challenges in attempting to attack an intended victim is answering the following questions:
- Can it be done?
- If so, what resources do I need, what are the terms and under what conditions?
- What are the consequences – does it have the desirable affect and effect?
The most impressive change in today’s landscape is that the most complex technical environments of the world have not yet built in the sort of redundancy to ensure, beyond a reasonable doubt, that they will not go offline. As a result, those who plot to exploit these weaknesses have hope.
Reason #2: Weaknesses can be exploited
After an organization is attacked, there is a cacophony of questions and demands for answers from numerous constituents as to what exactly occurred and how. Although on the surface these questions are sound and mostly well-meaning, the more transparent a company is about the attack, the more it ironically creates a “roadmap” for any future perpetrator of an outage.
Yes, the irony is that ALL outages, regardless of origin, now represent a vulnerability that can be leveraged across the world as these often simple steps become the new mastermind plan to take down a targeted organization.
Reason #3: Motives are robust
Although the means to execute cyber attacks exist, without motive there is no will and often no real risk. I think few can argue that motives are increasingly logarithmic, as these new “weapons” now represent fantastic new tactics in age-old struggles, such as major ideological conflicts spread throughout the world, while also providing new opportunity for those interested in classic financial gain or personal fame. One only has to see the rise of Hacktivist organizations to see this clearly playing out.
Reason #4: Cyber-attack defensive resources are still lacking
Combine means and motive with a psyche that still views the threat trivially, and you have an environment ripe for exploitation. Although many have been humbled over the past eighteen months as the ire of some of these organizations has been brought to bear, they are the exception, not the rule. Today’s information security professionals, business executives and regulatory bodies have proven themselves to be lethargic at best in identifying these new threats, sounding the alarms, and applying proper resources accordingly. Whole industries are struggling to keep up mentally, financially and technically.
Reason #5: Only one “Sucker-Punch” can rule!
Pearl Harbor taught us a lot about the stirring threat, which marshaled the U.S. into World War II. It cost the U.S. dearly to learn the lesson of that sucker-punch. A cyber Pearl Harbor event, however, could be very different in numerous ways, such as:
If executed, it may be permanent for huge audiences, perhaps all (instead of just a few).
Could it be that perpetrators have learned these lessons and understand the wrath of retaliation? It is very likely that if an adversary were to unleash a cyber ‘sucker-punch,’ finally allowing the world to see the ugliness of the threat we confront, that adversary would understand the value of making the attack permanent. That is, to not allow for a momentary attack, but something more permanent and longer-lasting.
It could be anonymous and conceivably successful
Unlike Pearl Harbor, this type of attack could be perpetrated with a great degree of anonymity. Even if the evidence points strongly in one direction, the ability to introduce doubt in this attack will be a very attractive feature for a perpetrator. Also, this type of attack could quite possibly achieve the intended results of the perpetrator(s), which also increases the likelihood of the attack being levied.
All is not dire. We have not reached condition red
It’s not time to start building your bunker or huddling under your desk with your hands over your head and neck; however, it is high time to become very sober about the threats we face and begin taking very real and very necessary steps to both protect against and prepare for these risks. Ironically, the more we prepare, the less likely these events will come to pass!
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.