It is widely accepted that the next world war will be a hybrid war seeing businesses and governments targeted by cyber-attacks, subversion and espionage. Amid the ongoing COVID-19 pandemic and everything becoming connected, intelligent and automated, it’s highly likely that the next global crisis will include a catastrophic cyber security pandemic.
There is no doubt that the threat from hostile nations such as China, Russia, Iran and North Korea is growing. As more systems are connected to the internet — including critical national infrastructure (CNI) such as water and electricity which rely on supervisory control and data acquisition (SCADA) systems — the possibility of a cyber-attack causing real-life damage becomes frighteningly real.
The threat of an attack on CNI first became clear a decade ago, when a worm known as Stuxnet caused significant damage to Iran’s nuclear programme through a major cyber-assault. And who could forget the WannaCry crypto worm, which in 2017 ravaged systems across the world with ransomware, in an attack believed to have been perpetrated by North Korea taking advantage of the NSA’s EternalBlue exploit?
Hailed by cybersecurity firm Avast as one of the broadest and most damaging cyber-attacks in history, WannaCry hit organisations including the UK’s NHS, rendering vital equipment such as MRI scanners useless, resulting in a bill of £92 million in lost output and IT costs.
Cyber Security Pandemic in an Increasingly Digital World
Amid an acceleration in the use of digital automation over the last five years, the risk of a major cyber-event even worse than WannaCry is growing. Organisations are taking advantage of transformative technologies such as artificial intelligence (AI), internet of things (IoT) and 5G.
And during the COVID-19 crisis, the move to digital has accelerated further. To survive right now, every business needs to be digitally-enabled, and this has seen transformation programmes accelerate. It is by no means a bad thing, but it has opened up more avenues for adversaries to attack.
Everyone is using cloud and businesses are increasingly relying on video conferencing services such as Zoom and Microsoft Teams each day. Employees are often connecting from home, on possibly insecure devices, utilising their own networks.
As more employees work from home, there is also more potential for cyber-attacks perpetrated by insiders — whether accidental or intentional. Take, for example, the recent Twitter hack that saw the accounts of prominent politicians, celebrities and technology moguls compromised to scam people around the globe out of more than $100,000 in bitcoin.
It was soon reported that an insider was responsible for allowing the attack to happen by helping the perpetrators to gain access to an internal dashboard meant only for Twitter employees. This had apparently allowed criminals to take over accounts by changing their associated email addresses without their knowledge.
The Twitter attack was targeted and financially motivated, but it could have been much worse and more widespread if malware was involved.
Nation State Attacks
For organisations operating in the sectors that comprise CNI, the threat is even more elevated. Russia, China, North Korea and Iran have growing capabilities that they are not afraid to use to attack the West.
The West has its own capabilities — Stuxnet is believed to be the work of the US and Israel — but there is reason to believe nation state adversaries are planning attacks on the UK and its allies. For years, countries including Russia have conducted “sight-seeing” trips to probe for weaknesses in CNI for a possible future attack.
The issue with CNI stems from the fact the SCADA systems on which many power stations and electrical grids are based were never meant to be connected to the internet. And last year, a Ponemon Institute report revealed that 90% of critical infrastructure providers’ IT/OT environment had been damaged by a cyber-attack over the past two years.
Disconnecting from the internet is a good idea, because manual operations offer more control and lower the risk. This was a key factor in reducing the damage in 2015, when Ukraine’s power grid suffered a cyber-attack that disrupted the country’s electricity supply.
Governments are aware of the threat they face from cyber-assaults such as these. EU-wide legislation in the UK, as part of the NIS Directive, is intended to help keep the essential services comprising CNI secure.
But within hybrid warfare, cyber-espionage is another area of risk. A new BBC report details how the government is working to stop adversaries such as Russia and China taking advantage of the COVID-19 pandemic to launch cyber-attacks and espionage against the West. And a few months ago, the UK’s National Cyber Security Centre (NCSC) warned Russia is trying to steal COVID-19 vaccine information.
At the same time, the Government’s new proposed Espionage Act is one measure being considered to try and counter the fast-evolving threat from hostile nation states.
Cyberwarfare and Keeping the Lights on
Combined, these threats offer a perfect storm of complexity that lays the groundwork for all-out cyber war. This might start, for example, with an attack on the electrical grid to cut power to the UK. A devastating assault like this could stop organisations — including critical organisations such as healthcare — from operating, literally costing lives.
As the likelihood of a major cyber-event increases, it’s important to be prepared. From a business and organisational perspective, the only way to stop or limit the risk of a cyber pandemic is by embedding a culture of cyber awareness into people’s work and personal lives. It requires education and training, which should be updated regularly to reflect the threats all organisations face from malicious actors including nation states.
Another key part of preparing for the possibility of a cyber pandemic is incident response. As well as ensuring data backups to help mitigate ransomware attacks, an analogue backup such as a telephone is essential.
So in case the worst does happen, don’t throw away analogue phones. Of course, there is no need to stop using voice-over IP (VoIP), but many organisations including local authorities have shut off analogue, and that’s a mistake. The time to make a change is now. The COVID-19 crisis wasn’t on any business’ agenda, but it still happened. Organisations should think the same way about a cyber security pandemic: a big cyber-event is possible — even likely — so it’s essential that everyone is prepared.