On the 20th anniversary of the 9/11 attacks many nervous conversations can be overheard speculating on whether we should expect terrorists to strike on or around this infamous date. For those of us who lived through the attacks on 9/11, these are not irrational fears, but the vivid effects of a brutal day etched indelibly in our memories.
Terrorist attacks, in the traditional sense, are designed to exact asymmetric destruction, create chaos and fear and to disrupt the concept of normal routine by targeting the innocent. But today we should challenge our thinking and definition of terrorism and define these potential events and the threat more broadly.
During a recent debate, I commented that I believe we have entered a new World War in which the spoils are not the capture and control of geography, people, or physical resources, but rather the capture and control of data, commerce, and digital infrastructure. In the last year we have seen cybersecurity incidents that disabled oil pipelines, threatened water supplies, shut down healthcare systems, and even breached the Department of Defense. It is not a stretch of the imagination to view these compromises and disruptions as probing events designed to test the vulnerabilities of our most vital institutions and core infrastructure
Terrorist organizations, state sponsored or otherwise, have come to realize the power of cyberattacks from both an economy of effort and asymmetric warfare perspective. One could argue that digital warfare is the highest form of asymmetric warfare and force multiplier history has ever seen. A small group of threat actors sitting in front of computer screens anywhere in the world have the power to cripple industry, supply chains, infrastructure, and entire economies. If the threat of losing power due to an exuberant weather reporter on the local news station can cause a run on milk, bread, and water at the local supermarket, imagine how disruptive the sudden and unannounced shut-down of the power grid would be?
Compounding the threat is the proliferation of blockchain currency that, through ransomware, has become a fundraising facilitator through which the attacked become the financial sponsor of the attacker. This year alone has seen over 200 reported ransomware attacks on municipalities, school systems, hospitals, universities, utility companies, financial institutions, and private businesses. The actual number of incidents is likely much higher as companies and organizations are often reticent to report attacks unless compelled by a regulatory requirements such as HIPAA, PCI or, as is the case with publicly traded companies, in an 8-K as per the SEC.
The SolarWinds attack, one of the higher profile incidents in the last year, is recent example of a significant and ubiquitous vulnerability which can be exploited: the use of data supply chains to gain access and infiltrate targeted agencies and companies. This should be a warning to leaders across all sectors, public and private- the cybersecurity posture of the organizations with which you exchange data matters. Additional risks are exacerbated by misconfigured cloud workloads which can allow cybercriminals access to critical information and systems.
It is incumbent upon leaders in all organizations to make cyber protection a priority. Interdependence on public and private data exchange partners necessitates a change in leadership’s mental models. Cybersecurity needs to be part of the daily executive suite conversation and a priority for our public officials. Our nation is largely under educated and under protected when it comes to our standards of cybersecurity.
We are fortunate to live in a culture and society of innovation that, throughout our history, has demonstrated the ability to unify to overcome common challenges and common enemies. We have the power and technology to improve the security of our institutions if we are thoughtful and proactive. Let’s apply the lessons of vigilance and community learned after the tragic day in September of 2001 that we remember and make cyber protection a priority now and for the security of our future.