By Eric Trexler, VP Sales Global Governments and Critical Infrastructure at Forcepoint
Just over a decade ago, a sophisticated computer worm called Stuxnet, reportedly a joint creation of the U.S. and Israel, destroyed nearly one-fifth of Iran’s operating centrifuges, which are used to enrich uranium for nuclear power. The bug—later dubbed “the world’s first digital weapon”—was thought to have slowed Iran’s nuclear program by up to two years. According to the New York Times, the U.S. also had plans for a cyberattack to disable Iran’s power grid, air defenses, and communications systems in the event of military conflict over its nuclear program, though the plans were never carried out.
While the U.S. has used cyber strategy for warfare in the past, it can be used against the U.S. too. Stuxnet was an outlier at the time. But we should expect cyberattacks to become a staple of military arsenals in 2022 and beyond. Nation states will look for vulnerabilities in government and critical infrastructure as an alternative to warfare, or as part of it. Kinetic efforts will be preceded by cyberattacks similar to a naval bombardment prior to launching a beach assault in WWII. The tools, techniques, and procedures used in ransomware attacks are perfectly poised to become a central part of warfare, as it’s low cost and low risk. Additionally, ransomware-as-a-service is rapidly on the rise, causing additional obfuscation and uncertainty on the part of the attacked nation.
In 2020, the UK government announced its own cyber-attack agency called the National Cyber Force. According to the BBC, cyber hackers and analysts will work alongside traditional military operations “with potential scenarios including operators hacking into enemy air defences”. Going forward, this will become standard procedure.
Attacking governments or critical infrastructure—via ransomware or other cyber techniques—means attacking everyday citizens in a way that is not as directly lethal as drone strikes or other attacks, but that can still be extremely effective in causing harm and destruction to dictate political outcomes or cause discontent and sow confusion. State and local governments are particularly vulnerable. They often don’t have the cybersecurity budget or technology in place to prevent and respond to ransomware, and typically pay for ransomware without addressing the issue.Approximately one-third of local governments recently surveyed by cybersecurity firm Sophos reported falling victim to ransomware in the past year, and that figure is sure to expand based on the opportunity available and lack of risk to the attackers.
In December of 2019, the city of New Orleans faced a ransomware attack that took about a year and $5 million for recovery. Transportation agencies have been hit by ransomware attacks in New York City, San Francisco, Fort Worth and Philadelphia, to name a few. The UK’s National Security Centre has pointed its finger at cyber-criminals based in Russia for some of the most “devastating” ransomware attacks against the United Kingdom, including a ransomware attack that targeted Ireland’s Health Service Executive and disrupted healthcare for several months. Earlier this year, a disruptive and high-profile ransomware attack on Colonial Pipeline halted thousands of miles of pipeline and disrupted a large part of the east coast of the United States. As these examples illustrate, cyberattacks targeting government and critical infrastructure can be at least as disruptive to everyday citizens as private sector attacks.
Smart cities are particularly vulnerable to cyberattacks, as the UK’s National Cyber Security Centre recently warned. As more aspects of a traditional city—from transportation to lights to resource management—are connected to the Internet, the more they are at risk of cyber disruption. Connectivity breeds convenience for service consumers, but also for attackers. Earlier this year, a ransomware attack on the Pimpri-Chinchwad Municipal Corporation Smart City in India infected nearly 25 of its project servers. According to the Economic Times, this was the first known cyberattack on a smart city. But it likely won’t be the last.
In 2022, more nation states will find vulnerabilities in smart cities, other aspects of government, and critical infrastructure, and use them to forward their national interests. While there is growing awareness of this trend, little has been done to interrupt it. NATO member states, the European Union, and Five Eyes nations have condemned Chinese cyberattacks, including a hack of Microsoft Exchange. Tech leaders have called for the creation of a “digital Geneva Convention”, per the New York Times, “that would mandate restraint in the exercise of cyberweapons and prevent the sabotaging of civilian infrastructure.” The situation could also evolve as governments and governing bodies, from the Security and Exchange Commission to the Biden Administration, increase their regulatory oversight of cyber. But the bottom line remains the same. Cyberattacks will become a standard component of the military arsenal, with governments and critical infrastructure in the crosshairs.
For more than 200 years, the Atlantic and Pacific oceans have mostly protected the United States from direct attack on the homeland. Tomorrow’s conflict will not have that buffer. Cyber has no borders and all targets are only a keystroke away.