Photo: iStockphoto

How to withstand a cyberattack

When and how a cyberattack may happen is outside our control. Yet, through good leadership and practical steps, we can begin to get our countries and companies ready

Imagine turning on your radio this morning only to find the electricity on the blink. You think nothing of it and head to office. There you discover that hackers tied to an extremist group have penetrated the industrial controls of India’s northern grid and shut off the electricity across northern India. The attackers manipulated server data overnight and fried transformers at dozens of substations.

The disruption is far worse than the power outages of 2012. It impacts hospitals, the transportation system, as well as water systems. Hundreds of people die from heat exhaustion. Efforts are on to secure the grid servers but it takes weeks due to a lack of trained and organized personnel.

This is a fictional scenario, of course. Yet today, such cyberthreats to critical infrastructure confront industry and government leaders across the globe.

Consider just two recent attacks. In 2012, a hostile actor conducted a destructive cyberattack on the hard drives of Saudi Aramco, one of the world’s largest oil companies. The hackers overwrote 30,000 drives and forced employees to revert to faxing and typewriting to continue business transactions. Then in a historic event this past December, hackers reportedly tied to Russia disrupted the Ukrainian energy grid—shutting off electricity for 225,000 Ukrainians for one to six hours across all affected areas.

Today, our reliance on the Internet potentially presents what British sociologist Anthony Giddens terms a “high consequence risk”. A high consequence risk could be a financial recession, a terrorist attack, or tsunami. Such disruptive events have always been a dangerous and transformative part of the human experience; recall the ancient city of Pompeii, here one day and gone the next. Yet, as Giddens argues, today the technology that runs our world, our tightly coupled urban populations, and our globally interconnected systems mean that smaller groups can have an impact disproportionate to their size.

The question thus becomes, how do we prevent such risks from occurring? More importantly, how do we withstand them when they do? Organizations can take steps now to prevent a cyberdisruption; the first step is to understand how and why cyberspace presents itself as a potential high-consequence risk.

We encounter the Internet first as an engine of innovation and wonder. Consider Psy’s Gangnam Style music video, seen by more than 2.3 billion people online; the ease of online banking; or how you can book a cab with Ola or Uber with just one click.

Yet, there is a dark side to all this connectivity. It used to be that the only way for one country to strike at another was to invest in military systems that could cross terrain. Today, an actor in one region of the world can reach out and touch another country’s computer systems without ever leaving his office. We are cheek-to-cheek with all 3.3 billion online users, the good, the bad, and the ugly. Code is susceptible to manipulation just like the humans that invented it. This has profound implications for international security. Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity. We are vulnerable to disruptive and destructive cyberattacks by state and non-state groups. We are behind in making the necessary investments to protect our assets. We are unprepared for what may happen when an attack gets through and disrupts our critical infrastructure.

So we face multiple variants of two potential futures. The first is our current trajectory: during hostilities between two parties, a capable actor will likely try to deploy cyber weapons against an opponent’s critical infrastructure to gain an advantage. If executed correctly, such a destructive attack could lead to a loss of life or significant destruction of property far worse than the cyberattacks seen to date.

In a second possible future, however, organizations can work together to create cultures of cybersecurity that take root until our most vital systems and missions are secured and our societies made more resilient to potential attacks. So how do we get there?

Through practical and deliberate steps.

Technology is clearly a key part of the story. Let’s look at just a few key stakeholders. Global information technology companies such as Microsoft and Google and Baidu work to close vulnerabilities in computer code and deploy tools, like multi-factor authentication, to help users protect themselves. Cybersecurity firms develop technologies and methods to help companies secure their systems against advancing threats. Governments invest in cybersecurity teams and capabilities to secure government networks and to augment the private sector in a crisis.

Yet the most important part of our cybersecurity story is not technology: it’s people.

This is why, as a first step, every data-dependent organization needs some kind of cyberstrategy to manage its workforce and protect its interests. Strategies help organizations to frame the world and prioritize investments. They can set objectives, with deadlines, to hold leaders and organizations accountable. Not every executive needs to understand how code works. Not every organization needs 6,200 elite cyber operators, like the US Defense Department currently requires for its missions. But every organization does need to plan and invest.

Second, meeting the basics matters. In North Korea’s hack of Sony Pictures Entertainment, it was reported that Sony kept all of its passwords in a folder labelled “password.” Leaders need to develop cultures that reject such poor practices as a part of their DNA, opting instead for multi-factor authentication, strong passwords for access, and encryption for data at rest and data in motion. Accountability matters, and organizations should create cultures where employees’ bad practices carry repercussions.

Third, leaders in government and the private sector need to work together to prevent and respond to cyberattacks. While private companies can block a significant number of intrusions through their own cybersecurity investments, there may be times when governments need to help blunt an ongoing cyberattack with their own capabilities and, more importantly, work to re-establish deterrence to prevent further conflict escalation.

Private companies should never respond to an intrusion by hacking back against a foreign actor; response options must remain the province of the state so as to maintain stability within the international system. In North Korea’s hack of Sony Pictures Entertainment, for example, the US government determined that a response was required and placed additional economic sanctions on the North Korean regime. Similarly, the US government opted to indict seven Iranian hackers following recently disclosed intrusions and distributed denial-of-service attacks on US companies. Governments must work with the private sector to communicate about intrusions and determine appropriate response options to blunt ongoing attacks and prevent future incidents.

Fourth and finally, organizations need to build resilience to cyberattacks. This means planning not only for adversaries breaching the moat of firewalls and intrusion detection systems, but also getting into the castle and stealing the crown jewels. Companies should identify the potential impacts of major operational disruptions on their infrastructure, such as the loss or disruption of banking data, and invest in measures to continue operations in the event of an incident. Business continuity plans should be more than just paper documents. The organization should invest in technical measures for backing up data and operational exercises to continue operations without assured data access.

The recent announcement of a framework agreement for cybersecurity cooperation between the US and India includes a focus on the resilience of critical infrastructure. The US has developed resiliency assessments for firms to determine their level of resiliency preparedness. In India, many businesses already have generators—which reportedly allowed the Delhi Airport to come online quickly after the power outage of 2012. The two nations should work together to share lessons learned from their diverse experiences in dealing with disruptions.

While we cannot anticipate every high-consequence risk, we know that we are vulnerable in cyberspace. States don’t need massive armies to strike each other. A hacker can turn 1s and 0s into malicious software that can affect our data. Today, we are unprepared for what that may mean. Every organization must play a part in preparing for a potential attack by securing the assets that matter most.

The good news is that while our technology may be disrupted, our social bonds cannot easily be hacked. An adversary’s greatest goal is to disrupt a country’s source of strength, to include the governmental and economic systems that give the state its political legitimacy. Our ability to work together—to support each other across sectors and agencies, to think through problems and implement solutions, to communicate and manage risk—remains our greatest asset against any adversary’s plans. When and how an attack may happen is outside our control. Yet, through good leadership and practical steps, we can begin to get our countries and companies ready today.

Jonathan Reiber is a senior fellow at the University of California at Berkeley’s Center for Long-Term Cybersecurity.
