I said earlier in 2017 I believed it was quite possible that in 2017 a major cyberattack will occur in either the United States, the United Kingdom, or another friendly country that will require a response equivalent to a kinetic attack. In other words, a cyberattack will occur that will be looked on as an act of war. To date, despite the fact that cyberattacks can easily surpass kinetic attacks in both scope, magnitude and damage (both in the short and long term) we have not addressed such cyberattacks, planned for them, or developed long and short-term response policies.
I still believe this to be the case, the world has not got any safer following a host of geopolitical events, ranging from missile launches by North Korea through to Russian interference in elections such as this year’s French presidential election. This continues to mean cyber is being used as a weapon by nation states especially.
Indeed, we’ve seen an uptick in recent months of attacks focusing on various critical infrastructure around the globe. These attacks have targeted financial organisations, election infrastructure, and various utilities including oil and gas companies, payment systems, electric grids and governments.
The UK in a report this year from the UK’s General Communications Headquarters (GCHQ), and the national Cyber Security Centre (NCSC) stated that hackers are targeting the UK’s energy sector. Similar concerns have been raised by countries from around the world, notably in the United States there have been concerns around attacks on nuclear power stations.
The security breach of the future
I still expect that the “mega security breach of the future” will be a combination of an attack with catastrophic intent in addition to a less obvious, passive attack. This attack will focus on our overwhelming reliance on data. Most of the value we place in business relies on the trust we place on the data that we receive and manipulate through various streams.
If an attack were sophisticated enough to pair a catastrophic attack that shuts off power or the telecommunications grid with a passive attack that destroys the integrity and utilisation of data, the cyberattack could impact the entire Western world.
Imagine the lights went out, mobile phones failed and when the power came back on, our bank accounts, medical records and online e-store account information could not be trusted. There would be chaos. The WannaCry and Petya attacks – which were not even particularly sophisticated – gave some insight into the devastation that could be caused.
In the UK the NHS had to cancel operations and medical professionals had to resort to handwritten notes. Petya broke the monitoring systems at the Chernobyl nuclear power plant. This disaster scenario is not only in the minds of movie directors, it is very real; and governments and organisations around the world are working all day, every day to prevent serious attacks from succeeding, albeit some get through.
The good news is that increased awareness about the potential for these attacks is motivating organisations to take a hard look at their security postures and implement both educational mechanisms for employees and next-generation security solutions that can alert on, and prevent, advanced attacks.
So how should we focus on protecting critical infrastructure?
There are areas that don’t get the amount of attention and concern over cyber-attacks that they require. Our transportation system is one such example. An aeroplane is essentially a large industrial machine, more complex with each generation. An aeroplane has become a corporate business centre, incorporating connectivity, communication and access to the internet.
If a single hacker were able to breach the security of an aeroplane and take control of it for even five minutes, perhaps sending it into a sharp nosedive to prove his or her point, the aviation industry would immediately ground entire fleets until they could assure that no other plane could be similarly compromised. Imagine a week or more with no planes travelling anywhere.
With so many serious threats around, this means that organisations must continue to be vigilant and investments in up-to-date and state of the art defence is absolutely essential. Furthermore, training of dedicated and professional staff is also key as human intelligence plays a significant role in preventing the doomsday scenario of a cyber act of war. We should all be cautious and prepared as it is quite likely a major cyber-attack will affect a Western nation quite possibly in the remainder of this year, or at some point in 2018.