“We have never been closer to a cataclysmic cyber event,” warns Nicole Perlroth, New York Times’ cybersecurity journalist, at this year’s KB4-Con in Orlando, Florida.
Perlroth begins her talk by painting a picture of today’s sombre reality, highlighting the threat of Russian cyberattacks on our critical infrastructure and the latest discovery of Pipedream – the seventh known malware developed to disrupt industrial control systems.
When she first joined NYT in 2010, Perlroth was hired to be a cybersecurity business journalist, covering the latest mergers and acquisitions within the industry. Little did she know that the world would face the monumental Stuxnet worm attack that same year. In an attempt to curb World War III and halt the Iranian nuclear programme, Stuxnet showed just what code was capable of. It was a watershed moment for offensive cybersecurity by nation-states.
At the time, Russia was considered to have the most sophisticated cyber capabilities but such prowess was generally engaged in cybercrime as opposed to nation-state activity. China did not necessarily pose an immediate threat either, as they were primarily focused on stealing IP. Then there were some like Iran that did hold a grudge towards countries like the United States but did not have the cyber skills. In a very short span of time, that landscape shifted markedly and countries around the world began to heavily invest in their cyber arsenal. Russia’s aims quickly changed, and the world underestimated how fast Iran would catch up skills-wise. In fact, nothing demonstrated this better than the Shamoon virus they unleashed in 2012, which wiped data from tens of thousands of computers owned by Saudi Aramco.
It wasn’t until three years later though – when the New York Times itself fell victim to Chinese hackers seeking to uncover the publication’s confidential sources – that Perlroth, personally, experienced a wake-up call. As Perlroth waited for a cavalry that would never appear and a conviction that would never come, it dawned on the journalist that the organisation had to learn to fend for itself. She quickly realised that cyber warfare is not a military exercise, but a societal and organisational problem. Therefore, it is critical that greater awareness is raised among the public about the threats that exist. Equally important, the language we use to communicate this should be ‘dumbed down’, with all jargon removed.
It is often easy for individuals and organisations to think: what would any nation-state want with me? This is particularly so when the business does not operate directly within critical national infrastructure. Yet Nicole has seen first-hand how a mom-and-pop welding shop out in the country put Fortune 500 companies at risk. She reiterated that, while the affiliations may not be apparent, critical national infrastructure is an ecosystem and most attacks are enabled by the weakest link. With that said, building a strong cybersecurity culture is incredibly important.