Executive Summary
Over the past two years the number of cybercrimes has risen significantly. In fact, last year the U.S. Federal Trade Commission received 1.4 million reports of identity theft last year, which had doubled the number from 2019. Research has shown that remote workers are less cautious, and in turn, more vulnerable outside of their organization’s network. Not only has cybercrime increased but the cost of breaches has also steadily increased. Google registered 2,145,013 phishing sites as of January 17, 2021. This is up from 1,690,000 on January 19, 2020, a 27% increase YOY. To make matters worse, nearly 80% of senior IT and IT security leaders believe their organizations lack the necessary protection against cyberattacks. This is after the increased IT security investments made in 2020 to deal with distributed IT and work-from-home challenges. Further with the world being forced into having more of a remote environment and relying on technology, somehow 20% of organizations worldwide have no plans when it comes to protecting themselves against cybercrime events. To reiterate, cybercrime is up, the costs of cybercrime are increasing, and despite the additional funding allocated by organizations, companies regardless of size and industry still lack the necessary protections.
With the future of the pandemic nowhere in sight, every business from mining to consumer goods has had to adopt new technology to adapt to the “new normal” in the digital age to stay competitive. The world will store 200 zettabytes of data by 2025 on private and public IT infrastructures, cloud data centers, on personal computing devices, smartphones and on IoT (Internet-of-Things) devices. This is a contributing factor why cybercrime will cost the world $10.5 trillion annually by 2025. Not only is cybercrime increasing and the costs associated with it, but cybercrime is also evolving. As short as 10 years ago cyber criminals would send ransomware through pop messages claiming the victim’s data was encrypted and to send payment in return for the encryption key to reverse the malware attack. Within the past 2-3 years ransomware has evolved to be only more malicious to the point that not only will the data be encypted on the victim’s computer or network, but the data will be exfiltrated from the victim. In other words, a victim’s data is not only encrypted so they can no longer access, but the hacker can further extort the victim to release the data into the public domain.
The U.S. strategy on cybersecurity has been a priority of offense over defense and as a result cybercrime has started to show its ugly head more and more by only becoming worse. If the U.S. continues its current strategy the previous mentioned statistics will only get worse; therefore, the U.S. needs to adopt more of a strategy that prioritizes defense. However, just one new strategy will not be enough; instead, there needs to be a combination. First, organizations need to prioritize investing in security solutions that help reduce the risks and plan and test an incident response plan. Second, there should be a priority on educating and training employees to be better aware of safe computing practices. Third, organizations can adopt a zero trust IT security model.
The goal of this paper is a call for a new strategy on cybersecurity. First, it will start off with real life incidents of cybercrime attacks on critical infrastructures abroad and in the U.S. Second, it will define what is offensive cybersecurity vs defensive cybersecurity and the U.S. strategies. Third, it will explore the potential reasoning behind the discrepancy and some lasting effects. Finally, it will explore the prementioned combination of solutions to implement a more defensive approach on cybersecurity.
Introduction
The first cyberattack against critical infrastructure happened in Ukraine. In fact, Ukraine suffered an attack on their critical infrastructure in 2015 and 2016. On December 23, 2015, right before a worker was going to go home for the day, he noticed that the cursor on his computer suddenly started moving across the screen all by itself. He watched as the cursor started moving toward the buttons that control the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. The worker grabbed his mouse and desperately tried to take control of the server, but he was unable. He watched the cursor move toward another breaker, but the machine logged him out. Although he tried frantically to log back in, the attackers had changed his password preventing him from gaining re-entry. All he could do was stare helplessly at his screen while the ghosts in the machine clicked open one breaker after another, eventually taking about 30 substations offline. The attackers didn’t stop there, however. They also struck two other power distribution centers at the same time, nearly doubling the number of substations taken offline and leaving more than 230,000 residents in the dark. If that weren’t enough, they also disabled backup power supplies to two of the three distribution centers, leaving operators themselves stumbling in the dark. The second attack which occurred almost exactly one year after the previous outage on December 17, 2016, struck the Pivnichna substation outside the capital city Kiev, and cut power a few minutes before midnight local time December 17, leaving customers in part of Kiev and a surrounding area in the dark on a Saturday night. The outage lasted only an hour, and power was restored a little after 1 am. The more recent attack occurred at a transmission facility, as opposed to the 2015 attack that affected a distribution facility and was not as far-reaching. The 2016 attack could have been much worse because disruptions to a transmission facility could impact a wider area than distribution facilities. Ukraine believes that these “ghosts” is Russia, who has also been accused of messing with U.S. elections. Instead, of messing with elections Russia could have tried to do the same thing to Ukraine with the U.S. The U.S. over the past couple of years have invested heavily in “smart grid” technologies. Scott Aaronson, executive director for security and business continuity at the Edison Electric Institute, which represents large, investor-owned utilities said “It is good we have automation, which gives us better situational awareness. But it also increases the attack surfaces.” Michael Assante, a director of the SANS Institute, a leading cybersecurity training firm stated that “Automation is driving incredible benefits… we’ve consolidated and centralized a lot. You just need to keep in mind it also lets the bad guys do the same thing.” Benjamin Beberness, a Washington state utility executive invited National Guard cyber experts to test his utility’s defenses. In early spring of 2015, a “red team” of National Guard cyber experts had taken just 22 minutes to break into Beberness’ electricity company, the Snohomish County Public Utility District, north of Seattle. “The cyberattack chain that the National Guard used against us, it’s almost verbatim what happened in Ukraine,” said Beberness. At the Everett, Wash., utility and at the Ukraine oblenergos power companies, employees recklessly clicked on a phishing email with concealed malware that took the attackers inside the utility’s business computers. “It only took one click for somebody to get in,” Beberness said of his utility’s fate. Once in, the Guard cyber experts found pathways into a test operations network that mirrored the Snohomish control system. After Seattle’s power system, Snohomish is the second largest publicly owned utility in the state, with nearly 340,000 customers. A key difference between this U.S. “simulation” and Ukraine is that after cutting off power to nearly 250,000 homes and businesses in western Ukraine, the cyber terrorists delivered a final punch to the gut. The hackers wrecked some of the digital controls the operators needed to restart the system remotely. An aptly named cyber weapon called “KillDisk” hidden inside the Ukraine system erased parts of the operators’ startup software. These substations across the Ukraine utilities’ grid networks still had Soviet-era manual controls, so crews were able to restore power by hand within six hours. The U.S. does not have these manual controls; therefore, the Unites States network would be down longer than Ukraine’s.
Switching from a U.S. simulation, to an actual attack the Colonial Pipeline was shut down on May 7, 2021. 5,500 miles of pipeline, which carries 45% of the east coast’s fuel supplies and travels through 14 southern and eastern US states were shut down and resulted in a panic where people rushed to gas stations and were forced to wait hours all while the price of gas hit its highest point in years. A group of cybercriminals called Darkside has taken responsibility for the ransomware attack and were able to get $5 million ransom. The group has been in operation for over three years and is believed to be started around 2018. Originally the group only typically focused on lower end ransoms. The average Darkside attack would ask for anywhere from $80,000 to $100,000 ransom, and they would typically do eight to ten of these attacks a month. This equals about to $12 million a year. Recently, they started targeting and going after bigger organizations. Colonial is the most evident about this and instead of going after smaller entities they would rather go after one big one. One theory among cybersecurity watchers is that this could even be a promotional effort by the cybercriminal group. Groups like Darkside don’t just profit from their attacks. Frequently they will also sell ransomware software to would-be cyber-attackers on the dark web. A common thought is why pay the ransom if the effects can be just as bad as Colonial. However, in most cases, organizations have little option but to pay the ransom. After the city of Baltimore was attacked in May 2019, it decided not to pay the ransom of 13 bitcoins, which at the time came to roughly $91,000. It was a noble move, but not a financially successful one it cost the city more than $18.2 million in the recovery process. By early July, Baltimore had already spent over $5 million towards recovery. Of that, $2.8 million was spent on forensic analysis and detection. Around $600,000 was used to deploy new systems and to replace hard drives. Another $1.9 million was dedicated to new hardware and software related to ransomware recovery. Baltimore’s budget office had estimated the overall cost to slightly above $18.2 million. This includes about $10 million that the city will spend on recovery effort by year-end and $8.2 million in potential loss or delayed revenue such as money from property taxes, real estate fees, and some fines. An audit from Baltimore’s information technology department has revealed that outdated proper backup methods was the main reason for the loss of data.
U.S. Strategies on Cybersecurity
The differences between offensive cybersecurity and defensive cybersecurity cannot be understated. Offensive cybersecurity is all about tackling and outmaneuvering. The focus here is on seeking out the hackers, and in some cases, attempting to disable or “hack back” to disrupt their operations. Offensive cybersecurity can also help identify vulnerabilities or weaknesses in your defense. Defensive cybersecurity is all about blocking. This could come in the form of both tools and actions. You have your defensive tools that are designed to prevent or mitigate the effects of a cyberattack such as antivirus software, firewalls, etc. Then you have your defensive actions, which include things like patching software and fixing system vulnerabilities.
Over 20 years and four presidential administrations, the U.S. claims to have prioritized cybersecurity and resilience through partnerships between the public and private sectors. The very first presidential document on cyber strategy, President Clinton’s PDD-63 of 1998, asserted that it “will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber-attacks on our critical infrastructures, including especially our cyber systems.” President Bush’s National Strategy to Secure Cyberspace of 2003 aspired to “to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States.” President Obama continued to stress the “defensive” focus but starred to suggest more of an “active defense” in his 2015 speech at the Cybersecurity and Consumer Protection Summit. President Trump continued to stress the defensive approach of his predecessors, but Trump took more of an active approach. His National Cyber Strategy promised to “punish those who use cyber tools for malicious purposes” if necessary, with an entire pillar on “peace through strength,” concepts almost entirely missing from prior policies. The “strength” in this pillar is only about responding to adversary attacks, with nothing on U.S. offensive and espionage efforts.
However, before buying into the “defensive front” all you have to do is follow the money. The Fiscal 2020 President’s budget on cybersecurity which was published in March 2019 reveals a very different story. Cybersecurity spending on civilian departments such as the Homeland Security, State, Treasury and Justice is dwarfed by the spending that goes toward the military and the budget revealed some facts.
“The Defense Department’s cyber-related budget is nearly 25 percent higher than the total going to all civilian departments, including the departments of Homeland Security, Treasury and Energy, which not only have to defend their own critical systems but also partner with critical infrastructure to help secure the energy, finance, transportation, and health sectors ($9.6 billion compared to $7.8 billion). The funds to support just the headquarters element—that is, not even the operational teams in facilities outside of headquarters—of U.S. Cyber Command are 33 percent higher than all the cyber-related funding to the State Department ($532 million compared to $400 million). Just the increased funding to Defense was 30 percent higher than the total Homeland Security budget to improve the security of federal networks ($909 million compared to $694.1 million). The Defense Department is budgeted two and a half times as much just for cyber operations as the Cybersecurity and Infrastructure Security Agency (CISA), which is nominally in charge of cybersecurity ($3.7 billion compared to $1.47 billion). In fact, the cyber operations budget is higher than the budgets for the CISA, the FBI and the Department of Justice’s National Security Division combined ($3.7 billion compared to $2.21 billion). The Defense Department’s cyber operations have nearly 10 times the funding as the relevant Homeland Security defensive operational element, the National Cybersecurity and Communications Integration Center (NCCIC) ($3.7 billion compared to $371.4 million). The U.S. government budgeted as much on military construction for cyber units as it did for the entirety of Homeland Security ($1.9 billion for each).”[1]
If the focus for the strategy of cybersecurity is supposed to be defensive rather than offensive, then the spending between the two should at least be pretty similar. The NCCIC, which is supposed to be the “Nation’s flagship cyber defense, incident response, and operational integration center,” gets just one dollar for every ten that goes to military offensive and defensive operations. However, this funding gap goes all the way back to George W. Bush administration. Only ten percent of the allocated $3.6 billion went to the Department of Homeland Security; meanwhile, the rest of the funding went to the military. “Budget plans in 2014 show the US Air Force spending 2.4 times as much on cyber offense research as on cyber defense” and in 2012, “the Pentagon spent roughly eight times as much [as Homeland Security] not even including the NSA’s classified budget (according to the Edward Snowden leaks this budget is around $10.5 billion).[2]
Potential Reasoning and Effects
The reason for the wide discrepancy on the strategy for offense vs defense cybersecurity strategy is that the media focuses on offense. Mainly because of the operations are classified, the U.S. does not publicize the punches we throw but the punches we take. With the U.S. playing more of the victim card, our strategy externally can be more aggressive. Former National Security Advisor John Bolton announced that, “any nation that’s taking cyber activity against the United States … should expect we will respond offensively as well as defensively.” Gen. Mark Milley, in his confirmation testimony to be the new chairman of the Joint Chiefs of Staff, emphasized this focus: “We have to have those offensive capabilities … if [adversaries] know that we have an incredible offensive capability, then that should deter them from conducting attacks on us.”
Due to the focus of offense vs defense, the talent of people finding zero-days is skewed more to the black market and everyone is more vulnerable. A zero day is a vulnerability in software or hardware that can create a multitude of problems that gives zero opportunity for detection until it is too late. There are three types of markets for zero days. There are black, gray, and white markets. The black market sellers can include hackers and organizations, while buyers can include criminals or criminal organizations. The gray market is technically legal, but it is unregulated. The white market buyers can include software makers such as Facebook, Google, Microsoft, LinkedIn. These buyers will offer sums of money to anyone who finds and discloses the existence of a vulnerability to them. The amounts of money offered are widely different. Jason Haddix, the head of trust and security at the bug bounty platform BugCrowd which runs programs for hundreds of companies and products said, “There are different classes of vulnerabilities. If it’s a zero-day that causes remote code execution against a server or if it’s a low information level vulnerability but it’s still unknown, both floors have risen. You can see some zero-days go for as high as $50,000.” That’s the number for bug bounty platforms (white market). On the offensive side of the market, the price goes much higher. Zerodium, a company that buys and sells zero-day research, lists $1.5 million as the top price it will pay for a single submission. The company paid out $600,000 per month for undisclosed vulnerabilities, according to a 2015 interview with the CEO.“Bug bounties and other defensive contests are far too low in relative price to be directly competitive with the offense market prices and that will always be the case,” said Katie Moussouris, founder and CEO of cybersecurity firm Luta Security. National governments, state-actors, and criminal organizations are competing against each other on the black market with six-figure rewards; yet these large payouts are creating a dangerous effect. The talent pool for the developers and testers of the bounty programs could be driven to black market for the money. Governments, state-actors, and criminal organizations are stockpiling zero-days. Hackers with nefarious reasons can steal these zero-days and bid them off. Whoever receives these zero days are unknown and the reasons for getting them are unknown. A huge computer breach allowed hackers to spend months in the U.S. government networks and other private systems around the world. These hackers are believed to be from Russia and attached their malware to a software update from SolarWinds. Many federal agencies and thousands of companies worldwide use SolarWinds’ Orion software to monitor their computer networks. SolarWinds said that nearly 18,000 of its customers, in the government and private sectors, received the bad software update. The U.S. government entities affected includes the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service and the National Institutes of Health. After studying the malware, FireEye said it believed the breaches were carefully targeted: “These compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction.” A group called the Shadow Brokers claimed to have infiltrated an elite hacking unit linked to the National Security Agency and stolen state “cyber weapons” and is now auctioning them off to the highest bidder. The stolen malware is said to belong to Equation Group, a sophisticated hacking team believed to be operated by the NSA. “We auction best files to highest bidder. Auction files better than Stuxnet,” said the group, referring to the sophisticated digital weapon, believed to be funded by the US and Israel, that sabotaged Iran’s nuclear programme. The hackers are asking for a whopping one million bitcoins, which is around $580mllion, to release the best files. The files and pictures of the cache that were offered for free as “proof” include filenames correspond to those mentioned in documents leaked by whistleblower Edward Snowden, including “BANANAGLEE”, “JETPLOW” and “EPICBANANA”.
In order to get more of a defensive strategy for cybersecurity a number of solutions will be needed. First organizations need to prioritize on investing in security solutions and testing an incident response plan. The incident response plan should cover multiple cyberattacks or organizations should have multiple incident response plans for particular cybercrimes. For example, could have plans in response to a network intrusion, ransomware, and data breach response. These incident plans will help ensure that you business know how to respond to a cyberattack not just the IT department. Second, the education and training of employees need to be prioritized whether you are in the public or private sector. IT experts believe that the switch to working from home has made people lazy in their safe computing practices. Despite increased security practices, workers find way to work around them and without realizing are making themselves and their employers more vulnerable. For example, one of the new implemented practices has been multi-factor authentication. This requires people to use an additional method to prove their identity, whether it be through text, email, etc. Workers have gotten around this by using their personal emails to send company information. Workers are less scrutinized at home and are able to get away with this. Therefore, education and training are needed more than ever. Some experts have suggested the adoption of a Zero Trust IT Security Model. The zero trust model is focused on the concept that users inside a network are no more trustworthy than users outside a network. The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT team. In order to effectively implement a zero trust model, organizations must implement measures to visualize and log all network traffic and implement and enforce strong access controls for federal employees and contractors who access government networks and applications. This method could potentially cut down on phishing attacks. Phishing is the practice of sending emails that appears to be from reputable companies or from higher executives in a company that ask for personal information or specific actions such as send an amount of money to an account. Additionally, the government could take more of an active approach to cybersecurity. The government could mandate federal cybersecurity standards and partner with the private and public sectors to create more incentives for bug-bounty programs.
Conclusion
We may not be able to stop every cybercrime, but we need to be preventive rather than reactive. The number of cybercrimes is increasing, the costs associated with cybercrimes is increasing, and cybercrime is evolving. It would be asinine to continue the offensive strategy and could lead to some devastating effects. The adoption of the previously mentioned strategies would help shape a more defensive approach to cybersecurity and establish more protections against cybercrime.
Bibliography
Al Jazeera. “Recent Cyberattacks Reveal US Utilities’ Extreme Vulnerability.” Business and Economy News | Al Jazeera, Al Jazeera, 14 June 2021, https://www.aljazeera.com/economy/2021/6/14/recent-cyber-attacks-reveal-us-utilities-extreme-vulnerability.
Cripps, David. “Tackling the Cybercrime Pandemic in 2021.” Security Magazine RSS, Security Magazine, 20 Sept. 2021, https://www.securitymagazine.com/articles/96134-tackling-the-cybercrime-pandemic-in-2021.
“The Cyber Budget Shows What the U.S. Values-and It Isn’t Defense.” Lawfare, 3 June 2020, https://www.lawfareblog.com/cyber-budget-shows-what-us-values%E2%80%94and-it-isnt-defense.
Dark, Stephen. “Zero-Days: Whoops! We Just Shut down the Planet.” The Fifth Estate, 29 June 2021, https://thefifthestate.com.au/business/public-community/zero-days-whoops-we-just-shut-down-the-planet/.
Gewirtz, David. “Covid Cybercrime: 10 Disturbing Statistics to Keep You Awake Tonight.” ZDNet, ZDNet, 14 Sept. 2020, https://www.zdnet.com/article/ten-disturbing-coronavirus-related-cybercrime-statistics-to-keep-you-awake-tonight/.
“How the Colonial Pipeline Hack Is Part of a Growing Ransomware Trend in the US.” The Guardian, Guardian News and Media, 14 May 2021, https://www.theguardian.com/technology/2021/may/13/colonial-pipeline-ransomware-attack-cyber-crime.
Jr, Bernd Debusmann. “Why Remote Working Leaves US Vulnerable to Cyber-Attacks.” BBC News, BBC, 25 July 2021, https://www.bbc.com/news/business-57847652.
O’Neill, Patrick Howell. “Zero-Day Exploits Are Rarer and More Expensive than Ever, Researchers Say.” CyberScoop, 28 Feb. 2019, https://www.cyberscoop.com/zero-day-vulns-are-rarer-and-more-expensive-than-ever/.
PERLROTH, NICOLE. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. BLOOMSBURY, 2022.
[1] Teplow, Lily. “Should We Be Playing Offense or Defense in Cybersecurity?” Huntress, https://www.huntress.com/blog/should-we-be-playing-offense-or-defense-in-cybersecurity.
[2] Id.