Written by: Dell Spry
At Chesley Brown, nothing is more sacrosanct than the safety and security of our clients. It is our intention to keep you educated, updated, and informed as world events continue to unfold, and to keep you aware of the potential consequences of those events for your company. We are your partner in preparing enhancements to your corporate security. Chesley Brown International will continue to stand with you as we address, and work through, these difficult times.
Concerning global events involving Russia attacking Ukraine, China looking to attack Taiwan, Iran looking to attack Israel, and North Korea looking to attack anybody, there is a huge amount of uncertainty as to what might happen next; just how devastating will the next explosion be and what weapon will be used to execute the explosion.
In all the uncertainty, one thing is certain; the safest, most effective use of your corporate funding is in the safety, security, and protection of your organization. No question.
While most of our clients have taken our recent security advice and engaged in updating their security audits and shoring up any weaknesses the audit determined, we’re encouraging our remaining clients to do so while there’s still time.
Before Russia’s recent attack on Ukraine, what we are seeing now was unthinkable. Since the initiation of the invasion, one Ukrainian child every second has become an orphan. I would simply submit that now is not the time to wonder how far the Russians, and perhaps subsequently the Chinese, will go in carrying out their threat(s). Now is not the time to cast doubt and seek blame. Now is the time for you to prepare. Chesley Brown International is here for you and with you.
Chesley Brown International has employees who were former members of the U.S. National Security Council Working Group on Counterintelligence with White House level experience in analyzing, and thwarting, the efforts of both Russia and China to disrupt and harm the ongoing operations of the U.S. government. These efforts were all directed at the protection of people like you and companies like yours.
Further, Chesley Brown International is a contributing member of the FBI InfraGard program. InfraGard’s purpose is the seamless collaboration and partnership between the FBI and the private sector to protect U.S. Critical Infrastructure.
This is no longer the military threat our parents faced or we faced as children where nuclear weapons and radioactive fallout were the major fear. Modern warfare transcends that several times over. Today we are still concerned about nuclear weapons, especially ones that can be secured in a backpack and smuggled across the border, such as a B-54 Special Atomic Demolition Munition (SADM) more popularly known as a “backpack bomb” or a “suitcase bomb”. However, warfare means and methods now include chemical warfare, biological warfare, radiological warfare, information warfare, economic warfare, and cyber warfare.
The U.S. government, U.S. corporations, U.S. educational systems, the U.S. hospital/medical infrastructure, etc., have all been identified by the government of Russia (due to U.S. support of Ukraine) and the government of China (due to U.S. support of Taiwan), to be current, and pending, targets for cyber attack.
According to an online undated RAND Corporation article titled Cyber Warfare, “Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computer or information networks through, for example, computer viruses or denial-of-service attacks.”
The following is taken from a USA Today article dated March 1, 2022 by Jessica Guynn titled “Americans are at higher risk of Russian cyberattacks after Ukraine invasion: What you should do right now”: “Security professionals are urging Americans to take immediate steps to protect themselves from a higher risk of Russian cyberattacks after the invasion of Ukraine.
“We are seeing more and more nation-state activity due to the conflict in the Ukraine,” said Ryan Wright, a professor specializing in cybersecurity at the University of Virginia. “With U.S. sanctions setting in, it is only a matter of time until the U.S. is targeted more directly. This may mean attacks on your personal device through ransomware but also attacks on the infrastructure such as your internet access or even the power grid.”
From the SolarWinds to the Colonial Pipeline attacks, state-sponsored actors wage increasingly sophisticated cyberwarfare. Russia might try to disrupt financial systems and crucial infrastructure such as the power grid or oil production to put pressure on the U.S. to relent on sanctions, said Saryu Nayyar, CEO of security firm Gurucul.
Though it’s unlikely cyberattackers would target most Americans individually, “the reality is that any cyberattack can have repercussions on individuals,” she said.
With technology delivering so many of our basic needs, those repercussions can be wide-ranging, from supply shortages at your local grocery store to widespread power outages, says Kevin Novak, managing director of security firm Breakwater Solutions.
“So, while at the moment I do not believe that private U.S. citizens should cower in fear over Russia’s capability of adversely impacting them via cyberattacks, it is reasonable to expect that their lives will be impacted in some ways by cyber retaliatory actions that result from U.S. sanctions and other political maneuvering,” Novak said.
Chris Olson, CEO of The Media Trust, a digital safety platform, said, “Consumers should be aware that cyber actors can target them through almost any website or mobile application.”
So, Americans need to be prepared, says Doug Jacobson, professor of electrical and computer engineering at Iowa State University. What he has been advising friends: Protect yourself by practicing “cyber hygiene.”
Eman El-Sheikh, associate vice president of the University of West Florida Center for Cybersecurity, said Americans should review and strengthen their digital defenses right away. “Cybersecurity is everyone’s responsibility,” she said.
So, what is cyber hygiene? Here are some common-sense recommendations from the Cybersecurity & Infrastructure Security Agency (CISA) “Shields Up” campaign and cybersecurity experts interviewed by USA TODAY.
- Turn on multi-factor authentication
Use multifactor authentication on all of your accounts, including email, social media, shopping and financial services, for extra protection. When you sign in, you will be asked to confirm your identity through a text message, email, code, fingerprint, or Face ID.
- Update everything, including software
Update antivirus and malware software, operating systems and applications, especially web browsers, on all devices including mobile phones, tablets, desktop computers and laptops. Turn on automatic updates.
- Think before you click
Before clicking or tapping on links or attachments or downloading files, take a beat. Most cyberattacks start with a phishing email, which looks legitimate but isn’t and can be used to steal your passwords, Social Security number, credit card numbers and other sensitive information or to run malicious software known as malware.
- Use strong, unique passwords
Protect all of your account credentials including username and password, says Lucas Budman, CEO of security firm TruU. Use strong passwords and don’t reuse them. Your best bet is to subscribe to a password manager to generate and store unique passwords.
- Don’t believe everything online
“All sides in any conflict will also be working to use information streams to their advantage. People should be very cautious about the information they share,” said Jessica Beyer, principal research scientist and lecturer at the University of Washington.
“People should remember that when information is incomplete and emotions are understandably high, it is the perfect situation for bad information to spread,” Beyer said. “People pursuing all kinds of agendas will take advantage of that. Bad actors will be working to spread fear and doubt. Military aggressors will be trying to make their reach look larger than it is. A way we can all help in a tiny way is by being mindful about what we consume and share.”
So far, Russia is losing the global information war “both because its attack on Ukraine was unprovoked and impossible to disguise, and because the government has taken a scattershot approach to shaping the narrative,” said Scott Radnitz, associate professor of Russian and Eurasian Studies at the University of Washington.
But he expects more misinformation and disinformation to spread. Watch out for unsubstantiated claims such as Ukraine is building a “dirty bomb” or it is carrying out “false flag” attacks, Radnitz said.
- Back up important files now
Cybersecurity professionals urge Americans to back up important files such as bank accounts and statements in the cloud and on external drives.
- Use a VPN on public internet
Use a VPN, or virtual private network. It provides an additional layer of protection between your devices and the internet by hiding your IP address and your location. It also encrypts your data. Also, make sure your home Wi-Fi is password protected and secure to keep people from stealing your personal information and attacking your devices.
- Stock up on emergency supplies?
Should you prepare for a cyber attack the way you would for a tornado or an earthquake? Security experts are mixed but say it’s generally a good idea to have cash, an emergency kit and a full tank of gas. “Worry about cybersecurity the way you do mother nature,” Jacobson said.
Just don’t overdo it. After the Colonial Pipeline attack last year disabled computer systems responsible for fuel production, panicked motorists lined up at gas stations in the Southeast to fill their tanks and jerrycans.
“Where the danger truly comes from is fear,” said Dave Cundiff, vice president of cybersecurity firm Cyvatar.ai. “The fear of the unknown is what gives cyberattacks their greatest power.”
Perhaps the most likely way that Americans will feel the effect of any Russian cyberattacks is through information warfare. “The only way they could surprise me in what they’re doing right now is if they didn’t use it as a tool,” Daniel said. Russia’s primary misinformation target would be Russians, he said, because the government will want to justify the invasion to its citizens. But its tactics could spread west as well, he said, by, for example, creating fake U.S.-government websites, which could sow confusion.
The heightened digital threat from Russia could last as long as the crisis in Ukraine does, or longer. “There are things that could occur through cyberspace that have an impact on the physical world that could take weeks, months, years to actually recover from,” Daniel said. Imagine, for example, that attackers destroy transformers and other physical parts of the power grid. American manufacturers can make new transformers only so quickly. In the worst-case scenario, we could be putting things back together for a long time to come.
In a Harvard Business Review article on Cybersecurity and Digital Privacy titled “What Russia’s Ongoing Cyberattacks in Ukraine Suggest About the Future of Cyber Warfare,” dated March 7, 2022, Stuart Madnick writes:
For years, Ukraine has been a proving ground for Russian cyber weapons. As companies and countries watch the latest chapter of the Russian war in Ukraine unfold, they should take heed of the conflict’s online front — and think about how to prepare if (and more likely when) it spills over Ukraine’s borders. While some attacks, such as those on infrastructure, are nearly impossible for companies to prepare for, there are steps that they should take as a matter of course: make sure software is up to date and patched, check that you have effective and up-to-date malware and antivirus software, and ensure that all important data is backed up in a safe location.
Unlike conventional attacks, cyberattacks can be hard to accurately attribute. Plausible deniability exists because in many cases, cyberattacks can be launched from an unwitting host. For example, partial control of your home computer could be taken over, without you knowing it and used to initiate a chain of attacks. One such event occurred in 2013 when smart refrigerators were made part of a botnet and used to attack businesses. In 2016, many thousands of home security cameras were taken over and used to disrupt the operations of Twitter, Amazon, Spotify, Netflix and many others.
But there’s strong evidence tying Russian hackers to a string of attacks in Ukraine. Going back to 2015, after the Russian invasion of the Crimean Peninsula, suspected Russian hackers managed to knock out electric power for around 230,000 customers in western Ukraine. Attackers repeated the trick the following year, expanding the list of targets to include government agencies and the banking system. In the hours before Russian troops invaded, Ukraine was hit by never-before-seen malware designed to wipe data — an attack the Ukrainian government said was “on a completely different level” from previous attacks.
It’s easy to understand why Ukraine is an appealing target for testing cyberwar capabilities. The country has similar infrastructure to that found in Western Europe and North America. But unlike the United States, the United Kingdom, and the European Union (EU), Ukraine has more limited resources to counter-attack (though the U.S. and EU have both provided support in bolstering its cyber defenses). And while Russia is the obvious suspect, it’s certainly possible that other countries, such as Iran, North Korea, or China, have been testing their own cyber weaponry in Ukraine, too.
The larger point here is that there’s little chance that cyberattacks will be limited to Ukraine. Governments and corporations should closely heed what’s going on there, because cyberwar can — and has — quickly spread across borders.
What might a real global cyber war look like?
Given that the U.S. and EU have banded together in support of Ukraine, the scope of a cyberwar could be broad. Large scale cyber skirmishes can become global due to a spillover effect. There’s some precedent for what a spillover would look like. In 2017, a suspected Russian attack featuring a piece of malware dubbed “NotPetya” disrupted Ukrainian airports, railways, and banks. But NotPetya did not stay in Ukraine. It spread rapidly around the world, infecting — and for a period of time largely shut down — a diverse array of multinational companies including the global shipping company Maersk, the pharmaceutical giant Merck, and FedEx’s European subsidiary TNT Express, among others.
In my research with colleagues, and investigations by others, we’ve observed that most cyberattacks have not been as devastating as they could have been. It might be because the attacker was not fully aware of how much damage could have been done but, maybe more likely, these were just “tests” of the cyberweapons. As our research has shown, it is not only possible to cause systems such as electric grids to shut down, but also to cause them to explode or self-destruct — damage that could take weeks or longer to repair. There have so far been few such attacks, but in some cases, steel mills and gas pipelines have been destroyed. Probably the best known case was the Stuxnet cyberattack which is believed to have destroyed some 1,000 centrifuges in an Iranian uranium enrichment facility.
So, what might a real, global cyberwar look like? Given the interdependence of critical infrastructure sectors, such as electricity and communications, an aggressive attack would likely knock down many sectors at the same time, magnifying the impact. Furthermore, in a “no holds barred” attack where maximum damage was inflicted, a primary goal would be to also produce long-lasting physical damage.
The two kinds of cyber attacks
I often note two different impacts of cyber attacks: direct and indirect.
Indirect attacks: By indirect, I mean neither you nor your computer are individually targeted. The target would be the power grid, supply chains, banking systems, water treatment, communications, and transportation. There is not much you can do personally to defend these systems. But, how well, and how long, can you fare without electricity, food, water, and cash?
Direct attacks: By direct, I mean an attack targeting you. In war, the civilian population, either deliberately or accidentally, can also be targeted to weaken the desire to continue the war. In cyber warfare the technical methods are quite similar, but the consequences can be more personal. For example, what if all the data on your computer is stolen or erased, especially if those are the only copies of photos or documents.
So, what can you do to protect yourself?
Indirect cyber attack: You personally may have no way to protect the nation’s critical infrastructure. But, by collectively influencing the government, the private sector can be motivated to improve its protection, preparation, and, maybe even more important, improve its resilience in the face of such breaches.
Many may not realize that many types of cyber attacks are not required to be reported. As a result, the government and other similar companies have no idea that cyber attacks — attempted as well as actual — are going on. For example, pipeline companies were not required to report cyber attacks until after the publicity of the Colonial Pipeline attack. I believe the “bad guys” do a much better job of sharing information than their targets, who may have an interest in keeping quiet about an attack. That needs to change if we are to be better informed and prepared.
Regarding resilience of our infrastructure, we often don’t realize how badly prepared we are until too late. A serious cyber attack can have a similar impact to a natural disaster, knocking out essential infrastructure and creating cascading crises. It could, for example, resemble the 2021 winter freeze in Texas that caused massive disruptions, loss of electricity, and over 200 deaths. And it could have been much worse. The Texas Tribune reported that the “Texas’ power grid was ‘seconds and minutes’ away from a catastrophic failure that could have left Texans in the dark for months.”
There’s also the collateral damage. In the case of the Texas freeze, as reported by the Insurance Council of Texas, a nonprofit trade association, “the number of claims due to frozen and burst pipes will be unlike any event the state has experienced.” Even the water pressure in some cities was significantly reduced due to the water flowing from these burst pipes. Many electricity generating stations temporarily had to be stopped due to load unbalances, but then were unable to restart. That was because many of the “last-resort power units,” basically the starter motors for the plants, did not work, likely because they had not been tested. That is like finding out that the batteries in your flashlights are dead only after your electric power has gone off.
Companies should push for assurances that our infrastructure can rapidly recover after a cyber attack before the cyberattack, and have those assurances verified by independent auditors.
Direct cyber attack: Most of the key things that you can do to prevent, or at least minimize, direct damage to you and your computer fall under the “Cyber Hygiene 101” category. This includes simple measures, such as having a strong password and not clicking on suspicious links — precautions many of us unfortunately overlook. But, we now know that there are ways to get onto your computer, such as SolarWinds, Log4j, and Pegasus, without you doing anything and which don’t require your password. These are called “zero click vulnerabilities.”
As such, preparing for a cyberattack means doing everything possible to minimize potential damage if the attacker does get in. This includes:
- Making sure that your software is up-to-date throughout your organization, and that known vulnerabilities in earlier versions have been patched.
- Having effective antivirus and malware detection software — and remember, malware may already be lying dormant on your computer, awaiting orders.
- Frequently backing up your important data, such as documents that are only stored in one place, in case it is destroyed.
It’s also worth taking steps in your organization to minimize risk and prepare to respond if (or when) the worst happens. This includes:
- Looking for possible vulnerabilities in your cyber supply chain, and pushing vendors of third-party software to prioritize cybersecurity.
- Testing your incident response plan — including running scenarios and tabletop exercises — to be sure that the plan is sound and that everyone knows what they’re supposed to do in a crisis.
There was a time, in the 1960’s and 1970’s, when the world feared a global nuclear war. Fortunately, we made it through that period. With luck, we will also avoid a devastating global cyber war. But there is no guarantee and with geopolitical tensions rising to high levels, it is not wise to just rely upon good luck. Each of us needs to do everything that we can to increase the chances of being a survivor.
Rob Joyce, who heads the National Security Agency’s Cybersecurity Directorate, said in September that US officials had previously “seen evidence of [Russian] prepositioning against US critical infrastructure.”
Chesley Brown International wishes to remind you that online government resources exist to support your preparedness. The U.S. Cybersecurity and Infrastructure Security Agency is a vast resource of timely, relevant, and valuable information to help you understand the threat, the adversary, the adversarial methodology, and ways to counter, or mitigate, the implementation of that methodology.
We are in this together.