Not exactly. Cyberattacks are terrible and require the same dedication to overcome them as would any other disaster response effort. Just like natural disasters, cyberattacks cause millions of dollars in damage, disrupt infrastructure, and impede citizens from their daily lives. US cities like Baltimore, Allentown, and San Antonio have highlighted how cyberattacks are shifting how we think of disasters. Ever since May, Baltimore continues to deal with the cyberattack that shut down many of its services, and estimates put the current damage from the ransomware attack at over $18 million dollars. The city’s mayor and city council president are now calling for the ransomware attack to be classified a federal emergency, which would mark the first categorization of a cyberattack as a disaster that would require federal emergency assistance.
But should the cyberattack levelled against Baltimore be called a disaster? Baltimore believes that its situation merits the designation of “disaster” because the attacker or attackers used the EternalBlue exploit, a cyberweapon developed by the NSA, to enable the Robinhood ransomware attack carried out against the city (SmartCitiesWorld, “Baltimore Calls for Federal Emergency Declaration”). However, many cybersecurity experts have disputed the claim that the EternalBlue exploit was even part of the malware attack, as reported by cybersecurity journalist Brian Krebs (Krebs on Security, “Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware”). Even if the exploit was part of the ransomware campaign, Microsoft released the fix for that flaw in its operating system two years ago, making it appear as if Baltimore is trying to shift blame and avoid questions over why its systems weren’t patched immediately upon learning of the vulnerability.
Furthermore, what constitutes a disaster is rather difficult to determine. If we’re talking about the sheer cost of damages, according to Yale’s School of Forestry and Environmental Disasters, natural disasters caused $160 billion dollars in damage in 2018 (Yale Environment 360, “Natural Disasters Caused $160 Billion Dollars”). Compare that to ForgeRock’s recent estimation of the cost of data breaches for 2018, which calculated that the exposure of 2.8 billion consumer data records reached an estimated cost of $654 billion dollars (ForgeRock, “U.S. Consumer Data Breach Report 2019”). ForgeRock bases its estimate on the Ponemon Institute’s method for calculating the cost of data breaches in 2018 by taking into account the direct, indirect, and opportunity costs associated with detection and escalation, notification costs, post data breach response, and lost business costs.
Other similar man-made disasters, like the 2017 California wildfire caused by Pacific Gas & Electric, might look similar to Baltimore because of the neglect to update critical infrastructure. In both cases, a disaster was caused by failures in both organizations’ infrastructure, which resulted in severe costs to citizens, organizations, and municipalities. Furthermore, just like natural disasters, cyberattacks are reaching a new level of complexity that challenge traditional response efforts to contain and mitigate their effects.
Although Baltimore’s case for disaster assistance remains unclear, its situation is far from uncommon. After the 2017 NotPetya attacks that hit Ukraine and then spread around the world, Mondelez International was hit with the ransomware and ended up dealing damage upwards of $100 million for the company. When Mondelez filed an insurance claim for damages with Zurich American Insurance, because its all-risk property insurance policy covered both direct physical losses and indirect expenses from computer failures, its claim was rejected by Zurich because of an exception clause that “hostile or warlike action” protects insurers from dealing with costs related to damage incurred from war (New York Times, “Big Companies Thought Insurance Covered a Cyberattack”).
Because the US government claimed that NotPetya originated from Russian attacks against the Ukraine, insurance companies used this designation as an opportunity to wash their hands of one of the most significant cyberattacks in history. Mondelez, like other companies, have filed complaints against insurance companies, and many of these cases will not be decided for years. But without any clear definitions, companies and municipal governments are effectively collateral damage in cyberwarfare, leaving them at the mercy of more complex and unpredictable attacks.
Where do we go from here? Many organizations have a mix of current and legacy technologies in their system. An undated risk assessment report for Baltimore’s IT systems, for instance, warned that the city was using computer systems that “were a natural target for hackers and a path for more attacks in the system” (Baltimore Sun, “Baltimore’s Risk Assessment called a pair of aged city computer systems a ‘natural target for hackers'”). Failing to plan for how to deal with known vulnerabilities is planning to fail when those vulnerabilities lead to incidents.
If it’s a matter of finding resources, people, and technology to further mature security strategy, Baltimore could learn something from three UK councils that joined together under one Security Operations Center to improve efficiency, compliance, and security efforts (CSO Online, “Shared SIEM helps 3 UK local governments avoid outsourcing security”). Rather than outsource, which can be expensive and still not address underlying governance and process issues, combining resources allows smaller organizations to build what have some have called Global Security Operations Centers (GSOC). Universities, for instance, have also taken this step, showing that there are use cases for this tactic beyond three small councils in the United Kingdom.
As the above shows, there are serious advantages for building up your own security operations, especially when governments and insurance companies are still trying to figure out what to do for cities like Baltimore or companies like Mondelez.
French philosopher Maurice Blanchot wrote “disaster ruins everything, all the while leaving everything intact.” What Blanchot means is that risk is inherent to the way that we live and the way that we operate our organizations. We need to stop thinking about disasters as hypotheticals, because risk is at the center of every decision, action, and endeavor we undertake. Security Operations treats risk as an everyday reality because they embrace risk as the guiding principle of security by never ignoring the risks that could lead to disaster. Take action, because your organizations is ultimately accountable when disaster strikes.
Research by: Marc Mazur
Info-Tech Research Group
July 5, 2019