The hacks kept coming in 2018, with cyberattacks hitting brand names, marketers of consumer data, back-end systems, and more — all highlighting the need for tighter collaboration within the business and government circles that make up the cybersecurity community.
Facing an increasingly dangerous cyber threatscape, industry groups in the past year stepped up with their own initiatives and ambitious new efforts with their federal partners.
Of course, government shutdowns, even partial ones, put a strain on such collaboration, cyber professionals stressed in recent weeks.
The shutdown, which hit the departments of Homeland Security, Commerce, and others, “materially affected” major partnerships, an industry source said, citing low-profile but high-impact government-industry work designed to make that annual list of hacks a little shorter and less frightening.
Collaborations affected by the shutdown include joint efforts to fight “botnets,” automated attacks by hijacked computers and connected devices, and to reduce cyber vulnerabilities in the supply chains for telecom and tech products. Federal officials involved in these efforts were furloughed, meetings postponed, and work streams temporarily halted.
“I don’t see how we make any progress in areas where we have to engage with government partners,” the industry source said last week.
The new cybersecurity agency at the Department of Homeland Security has been the focal point of government-industry partnerships, but had to furlough half its workers, according to congressional sources, putting a serious crimp in collaborative efforts.
Government shutdowns are nothing new. This one just happened to come after a year of astounding hacks and illicit exposure of people’s digital identities.
In July, a blog by security writer David Bisson found that “the number of records compromised in Q1 and Q2 2018 had already surpassed the total number of breached records for all of 2017.” The Marriott hotel chain and the city of Atlanta were victims of high-profile attacks in 2018, as were Facebook, Lord & Taylor, British Airways, and Ticketfly.
Nonbrand names with huge impacts on consumers suffered major hacks, including Florida-based marketing firm Exactis, where a database containing over 300 million individual records was exposed. A particularly pernicious malware known as VPNFilter, linked to Russia, infected over 500,000 routers globally.
“I think 2018 confirms that the diversity of threats we are seeing requires a continued strengthening of collaboration within industry and among industry and government,” said Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, a group that alerts IT-sector groups and companies of the threats lurking on their networks.
“The actors are too advanced and diverse for either industry or government to address on their own,” Algeier said.
Pointing to a recent hack at a major media company, former DHS cyber chief Suzanne Spaulding said, “We have moved from a world in which theft of personal information was the only cyber risk most companies worried about to one in which business disruption from malware is increasingly common.”
It’s not just hacks, explained Mike Echols, a former DHS cyber official now running the International Association of Certified ISAOs, information sharing and analysis organizations.
“I believe the analysis and scanning that is being done is actually worse than specific incidents of hacking,” Echols said, pointing to how “bad actors” can get inside a system and map how it works for use in future attacks.
“We all wonder when the big attack is going to occur and to what sector,” Echols said. “With the proper insight on slowly resolved vulnerabilities and an understanding of the potential consequences, the adversary is more powerful. It will be possible to deliver a high-consequence blow.”
He sketched out a role for policymakers, saying, “Don’t engineers/architects have to be certified before they build buildings? So, where is the requirement, when building virtual systems that affect the lives of millions?”
“We still haven’t learned that the government has a responsibility to lead and protect its citizens. We are letting this thing get so out of hand there will be no putting it back in the box; just victims all around the box,” Echols added.
The December cyberattack on Tribune Publishing Company affecting various newspapers, the most recent of last year’s hacks, raised broader policy concerns.
“Reports on the cyber incidents disrupting newspaper distribution indicate that it was ransomware affecting back-office systems. That in itself is unremarkable,” said Spaulding. “However, there were some indicators linking it to the malware behind WannaCry. There was also at least one report that the message that appeared in place of encrypted files did not specify a ransom amount.”
If true, she said, “that raises a question of whether it might have been in retaliation for, or designed to deter, negative reporting in Tribune papers that the perpetrator — North Korea? — didn’t like, a la ‘The Interview,’” a 2015 movie that allegedly spurred the infamous attack on Sony Pictures.
“In any event,” Spaulding said, “this latest incident is yet another reminder of the importance of having plans in place to reduce the consequences of such a disruption.”
“CEOs and boards need to ensure that they fully understand how business operations can be disrupted by a loss of data confidentiality, access, or integrity, as well as disruptions to operational technology like industrial control systems. And they need to have plans in place to mitigate those disruptions. We’ve traditionally focused almost entirely on preventing cyber incidents and not nearly enough on planning for how to best operate in the face of a successful cyber incident,” Spaulding said.
On the positive side, Algeier pointed to the creation of the National Risk Mitigation Center at the Department of Homeland Security, praising the NRMC’s work “with industry to develop a new approach to managing national level risk, based on critical functions.” He also lauded the Information and Communications Technology, or ICT, Supply Chain Taskforce, another DHS initiative launched last year.
Within industry, Algeier said, “the ISACs continue to work with their members to provide intelligence, analysis, and collaborative forums to help members address the evolving threat landscape. Working through the National Council of ISACs, the ISACs are improving cross-sector collaboration and coordination, providing a pretty robust analytic and response capability for industry.”