Just over thirty years ago, the first internet worm made its debut wreaking havoc on thousands of computers worldwide. Since then, cybercrime has cemented its presence in our lives with nations, cities and thousands of organizations feeling the impact of malware and ransomware, as adversaries hold systems hostage for financial gains. To date, one in five Americans have been impacted by a ransomware attack.
But, long have the days gone where cybercriminals were primarily driven by monetary incentives. Today we are called to face an increasing form of adversarial incentives – destruction.
As state and local governments continue to face cybersecurity challenges, they are prime targets for a destructive attack. The more citizens and systems there are, the larger the impact such attack will have. With nearly 60 percent of security professionals stating their government officials can’t comprehend security risks, it’s essential that everyone understand how real these threats are.
This morning I will be briefing congressional staff on the rise of destructive attacks and the threat they pose to U.S. critical systems. It’s now, more than ever that we must build the right defenses to prepare for and thwart attacks that threaten the resilience of U.S. infrastructure. Destructive malware attacks aim to paralyze core operations by permanently destroying their victims’ network systems. But not only are critical devices rendered inoperable and data irretrievable, these attacks often have a secondary kinetic effect causing physical damage and hazards.
We’re now seeing cyber-adversaries motivated by a desire to devastate. The increasing popularity of destructive malware has spread from nation state threat actors to commercial cybercriminals, largely thanks to its “wiper effect.” Adversaries now use destructive malware to cover up data theft or money transfers, ensuring they leave no trace behind, or to get back at victims that opt to not pay the ransom.
We must change our mindset and harden our defenses to not only protect our infrastructure from such attacks but constituents’ safety as well. If the nearly 50 ransomware attacks that city and state governments experienced this year alone have taught us anything, it’s that we have a long way to go in defending ourselves. Destructive malware has the ability to disrupt our daily lives in a manner we haven’t experienced before.
Destructive attacks will continue to rise over the next five years according to our research at IBM X-Force Incident Response and Intelligence Services (IRIS). In fact, in the first half of 2019, we saw a 200 percent increase in destructive attacks that we were called in to respond to and remediate.
We must see clearly what destruction looks like. It’s a power plant left inoperable because its 12,000 machines were destroyed. It’s a hospital debilitated for 512 hours, fighting to recover IT systems that run its surgical equipment. It’s a crippled organization or municipality that can no longer issue paychecks while employees or constituents overall are left unable to pay their mortgages or bills.
What’s at stake is more than an institution’s connectivity, financial assets or data. It’s the resilience of specific critical functions which, if lost, can threaten constituents’ physical integrity. So, what can we do?
- We need to “train like we fight, and fight like we train.” Simulation tests should be a standard incident response practice to ensure maximum preparedness — by experiencing attacks before they happen, we learn how to better react under pressure. Incident response plans are vital: Can we cordon off and quarantine systems that have been infected with destructive malware to avoid spreading? Are we empowering employees to take calculated action in the event of a cyberattack or are they constrained by a ranking apparatus?
- We must shift our mindset to understanding loss of data vs. the kinetic effect of losing control of sets of infrastructure beyond the affected systems. In the case of industrial control systems, for example, how do we isolate fail-safe system controls to ensure that a fire doesn’t break out in the event of a destructive attack? It’s important to create action plans for quickly establishing temporary functionality to limit an attack’s potential ripple effect.
- We must embrace the value of threat sharing. By leveraging private industry’s resources in threat intelligence, government entities can more effectively act on real-time threats. Collaboration not only leads to more education and visibility; it empowers preparedness and faster response.
The horizon beholds many destructive attacks for which the U.S needs to prepare. Just as adversaries can execute to destroy rapidly so must we meet this threat with urgency and vigilance. U.S. institutions need to prepare for cyber threats — and, in the case of destructive attacks, response and redesign of systems, based upon the risk, is imperative.
Chris Scott is global remediation lead at IBM X-Force IRIS.