How Likely Is It That a Cyber Attack Will Cause a Global Meltdown?

CYBER

uncomfortably close to the recent ‘Black Monday’ slide, which some feared was about to ring in a new global recession. Another scene in the last episode – though entirely unrelated to hacking – was also near enough to the reality of the Virginia/WDBJ shootings T that airing of the episode had to be postponed. his past summer saw audiences Meanwhile, the series tuning in to the first season of manages to makes gripping USA Network’s Mr. Robot, a viewing out of relatively show that has slowly become humdrum moments of coding. one of the most-watched new A RUDY attack becomes a dramas in the U.S. The series nail-biting race to shut down a follows the life of an alienated CS30 server. A RAT (Remote young hacker who becomes Access Trojan) is employed involved in a plot to bring and leads to the breakdown of down the global economy with a relationship. An Android a coordinated cyber attack, phone is infected with a motivating mass debt monitoring tool for nefarious cancellation and the purposes. These incidents rebalancing of wealth. Rallying further draw attention to the against the glut of previous idea that cyber attacks, while onscreen techno-thrillers, the potentially devastating, producers have aimed to ultimately come down to two portray hacking in a more grey factors: engineering skill realistic light (strictly no 3D and time. wireframe cities or Tron-esque circuit board battles). The question is, just how realistic is this fragile tele-world? When it comes to foreshadowing, Mr. Robot has already nailed a few eerie similarities to recent events IRL. An Ashley Madison data How likely is it that a cyber attack will dump provided a plot point for the writers long-before the real dump occurred in August cause a global meltdown? 2015. References to an economic collapse in Europe spurred by a Chinese stock WORDS RAUL BLOODWORTH market implosion skirted

SEPTEMBER 2015 D E F E N C E I Q CYBER CYBER

Today, many of the world’s The insider threat is arguably a enough to be trialled in the internet users possess an more ‘lethal’ human hazard. In workplace. abundance of both. But with the show, FSociety’s entire plan As with any criminal ‘script kiddies’ able to simply hinges on the use of an insider activity, we must not only download pre-programmed – our protagonist – as well as consider the opportunity but tools and execute them with the decisions of others ‘behind also the motive. State-on-state little effort, neither factor is enemy lines’ to overlook the cyber attacks are already even much of a hurdle when it criminal activity taking place. known to have an economic comes to disrupting systems at In the real world, work is being impact – particularly when it a basic level. The most undertaken to not only comes to the theft of damning notion the show enhance the monitoring of intellectual property – but the highlights is that even the employee activity but to pre- likelihood of a nation biggest corporations and the Anonymous, or the ill-fated opportunistic but the schemes emptively pinpoint where attempting to demolish another most advanced cybersecurity ‘Omegas’ and the real-life often rely on luck and disgruntled staff are most at its financial foundations firms are deeply vulnerable to Lulzsec. circumstance. Okay – this may likely to pose a threat by seems slender. We’ve already sheltered from the collateral. being taken down by a single So with this dark mirror in be partly designed to create a monitoring patterns of mentioned the integration of At the same time, it would intrusion. For ‘Evil Corp’ mind, how likely is it that a more dramatic story, but the behaviour. Several academic the global economy and the need to ensure its allies were (itself modelled on an coordinated cyber attack will steps the TV show treads are projects are experimenting with domino effect that can occur equally safe from the unflattering mashup of Enron collapse the global economy? not far off when we consider algorithms for this very when one market falls. As such, blowback. Currently, there are and other multinationals), read Most governments at least the series of events needed for purpose. Software that flags it would seem foolhardy for few countries – if any – that Sony or JP Morgan Chase. believe that the general threat a real world hacker to slip possible rogue employees is any country to consider an could claim that sort of Both suffered high-profile data of cyber criminality is worth through a net – namely the still a fledgling technology, but ‘economic strike’ unless it is economic detachment. State breaches within the past year. heavy investment, proving that concepts of employee it is now considered viable sufficiently independent and The misfortunes of ‘AllSafe’ – there at least remains a gap to incompetence and the insider the show’s cyber firm – are not close – and to continue to threat. This includes scenes a million miles from the close – as threats become more featuring a naïve CTO who calamity experienced this year numerous and sophisticated. places too much trust in his by Milan-based Hacking Team. The problems arise more in the more capable engineers and an Meanwhile, there’s barely a corporate world. The majority inept security guard who runs mask between the fictional of businesses are simply not an open-source fact-check to FSociety and the real-life prepared. This is a cold truth verify the suitability of a commonly verified by analysts person trying to enter a server from both the private and facility. This human factor is a public sectors, and remains the real problem. In fact, it is number one weak link in the statistically the biggest chain when it comes to problem. IBM pins 95% of national security. The portrayal cybersecurity flaws on human of a world that overestimates error. Initiatives like the UK’s its own security – and thereby new Cyber Essentials scheme underestimates the most severe are trying to tackle this by possibilities – does appear to ensuring companies undertake correlate. basic hygiene procedures and That brings us to the educating the average worker capabilities portrayed in the to avoid simple pitfalls, but it is show. The hacktivists in Mr. not a problem that can be Robot are smart and solved overnight.

DEFENCE IQ SEPTEMBER 2015 SEPTEMBER 2015 D E F E N C E I Q CYBER CYBER attacks have been known to would be an extremely involved. The BRICS nations disrupt critical infrastructure, dangerous thing to do. The are also consulting on an but most of these have had a chaos that would result from alternative to SWIFT to relatively contained effect and this antiquated system's “protect the member countries have comprised only a part of collapse would have enormous from any possible disruptions a wider strategic operation effects on the world's and provide better security.” (such as the 2008 Russian economy.” Enex TestLab published a invasion of Georgia). theory in June that existing and However, others disagree with former communist countries this conclusion, citing evidence are being incentivised to hack in the fact that some nations western organisations on a are now beginning to hedge platform of wealth themselves off. redistribution: “The international payment “The nations that were China has launched a domestic rival to the clearance system (SWIFT) is a staunch proponents of international payment clearance system prime target,” says Bob communism throughout these Marshall, a former systems eras, such as Russia and China engineer with MITRE are trying to make up for lost Of course, Mr. Robot’s prefer to undertake this route global economy could be Corporation. time, money is the universal antagonists are ideologically than more lethal, ‘kinetic’ obtained, on few resources, “Hundreds of billions of language, but they have 40+ motivated, seeing themselves activities. Should this happen, without first having an dollars a day flow through it. If years to make up for. How not as profiteers but as analysts are wagering more on intention of collapsing the there is one place where the does one accumulate wealth freedom fighters. The question the disruption of power or world’s markets. Advanced world has a single point of at an accelerated rate to is, would any of the usual communication networks state hackers or terrorists may failure, this is it. International To provide further scope, this make up for lost time in the suspects legitimately wish to rather than of direct attacks on even see this as a preferable finance would come to a year saw the establishment of information age? If the stats crash the world’s markets? Real the economy. After all, many tactic to attempting a full-scale complete halt if it went down. China's own, alternative are anything to go by, cyber- life hacktivist groups have been people do not bat an eyelid cyber onslaught, seeding only a It is a decades old system and international payment system attacks, fraud and hacking largely limited to attacking when share prices fall, but few necessary interruptions is used by thousands of (CIPS) which serves to process are a safe bet. With 45% of single entities and almost everyone is disturbed by needed to trigger a cascade. financial entities meaning there cross-border yuan the world’s hackers coming organisations to prove a point, suicide bombs or shootings. TV drama shows may often are many entry points. transactions and may be out of China and Russia, it be it the defacing of a website All that said, there is play fast and loose when it “Who would want to harm launched as early as September seems to be paying off.” as a warning shot to a rival evidence that motive is comes to authenticity but in it? Certainly a country that has or October. Meanwhile, Beyond state activity, ‘clan’ or mass data leaking to redundant. The University of their ability to simulate possible been prevented from using it Russia’s Central Bank attacks undertaken by criminal undermine public confidence. Cambridge Centre for Risk outcomes (and often the worst would have a motive. Some announced last December that organisations and opportunists Even the Sony hack, suggested Studies has evaluated a possible outcomes), decision- people have suggested that it had launched a domestic rival – which consistently accounts to be the result of a state- hypothetical scenario in which makers should view them as a Russia be banned. I feel that to SWIFT with over 90 banks for the majority of day-to-day sponsored use of hackers, or a a power grid failure can cost chance to absorb free lessons – cyber incidents – are most hacktivist group aided by a the United States more than $1 before reality catches up. commonly rooted in monetary disgruntled insider, sought trillion, owing to damage of gain. It’s true that these crimes extortion as its objective – not infrastructure and business have a damaging effect on the the collapse of Sony (at least as supply chains. The insurance economy – around $445 billion far as we know). Likewise, no industry alone would be a year. The question then true cyber-terrorist group has expected to lose up to $70 becomes, why topple a market yet caused the so-called ‘Cyber billion. In such a case when you can steal money with 9/11’ that is predicted year on (although described as “not relative ease and then benefit year, nor is there ample likely to occur” by the study 20 - 21 January, 2016 from the system you inhabit? evidence that terrorists would findings), mass damage to the London, UK

SEPTEMBER 2015 D E F E N C E I Q