Pressure points of critical infrastructure
The World Economic Forum’s Global Risk Report for 2021 placed cyber security failure among the greatest threats facing humanity within the next decade. The WEF report states, “…attackers could trigger a breakdown in the systems that keep societies functioning.” Industries and critical infrastructure that need to run continuously – such as nuclear power plants, banking operations, intensive care units in hospitals, and cold storage facilities that protect COVID vaccines, among others – could be potential targets for hackers, whether they are small groups or state actors. Concerns exist that nation-state actors will test the pressure points of critical infrastructure through hacks, with the aim of sowing more chaos by disrupting supply chains during future periods of geo-political conflict. At such times, targeting the food and energy supplies of an adversary will be a classic strategy to begin with.
The May 2021 hacking of the Colonial Pipeline, which controls 45 percent of fuel in the Eastern US, led to panic buying of petrol by consumers, which in turn escalated fuel prices on the entire Eastern coast. A month later, a ransomware attack on the world’s biggest meat processing company, JBS, shut down 20 percent of the meat supply of the United States and Canada, escalating concerns about the potential for a spike in meat prices and highlighting food supply as a national security threat.
“Calling the past month a tumultuous one for the world’s digital policy might be an understatement,” said Lt. Col. Bryan Miranda, a security specialist and former Indian Army officer who served with Cyber Intelligence Acquisitions for the Military Intelligence and is now the co-founder at Cipher, one of the premier cyber-security firms of the country. “Cyber security is a topic that often fails to get the attention of the public until a headline hits about a company that has their personal information becoming the victim of a hack. But over the past year, a different threat has taken precedence that goes much deeper into the psyche and impacts the daily lives of ordinary citizens. The criminals have started to dig deeper into critical national infrastructure and such attacks demonstrate the reach of these events. Who could imagine that attacking and shutting down meat plants in Australia would impact meat prices in North America?”
For years, government security specialists have predicted the inevitable “Cyber 9/11,” an event originating as a digital attack that spills over into other aspects of society, causing widespread harm to people and the global financial sector. Fear sells. So, it can be really hard to know what experts really fear might happen versus hype meant to market tickets to a new security conference or drum up attention on social media towards cyber-crimes perpetrated by groups with alleged links to Russia or China.
But there are some nightmarish scenarios that have precedents. These are the scenarios that truly concern independent cyber security experts. They fall into three common themes – physical attacks that shut off or damage some aspect of critical services, financial attacks that spin out of control and lead to bank runs, and hackers changing data in a way that shakes our trust in the economy and critical institutions in the nation. Cyber-attacks, much like the JBS Meatpacking and Colonial Pipeline hacks, that cause major disruption to public services have occurred many times in the real world. But it is easy to imagine how a similar attack could shut down basic services such as electricity or water supply, which can and will adversely affect millions of people. In 2015, Ukraine’s power grid faced massive outages after a cyber-attack just two days before Christmas in the middle of a cold wave. Around a quarter of a million residents were left without power in the middle of the winter.
In the second scenario, financial regulators often talk about the risk of a “contagion” as a result of an attack on banks or institutions such as the National Stock Exchange. The fear is that a cyber-attack could create mass hysteria which will send customers rushing to banks in a panic to pull out their funds. An attack with significant impact to financial systems resulting in people being unable to get to their money can cause just as much distress to the system as a major network outage. Imagine a crippling attack that just ripples through the financial sector. If common citizens are unable to access ATM machines or if credit cards and other banking functions stop working, it would be very problematic and create mass panic which may even result in emergency-like situations.
In the third scenario, criminals or nation-states could also change data like financial information on balance sheets. There is some precedent here too. In 2015, the international investment bank BNY Mellon faced a technical glitch that mispriced some of their securities. This jammed the algorithms that are used for executing automated trades and the result was a swift 1,000-point drop in the stock market.
Tom Kellermann, a former top Cyber Security Officer for the World Bank and Chief Cyber Security Officer of security firm Carbon Black, agreed in an interview with CNBC that he was most afraid of data being altered, rather than stolen or lost. “Integrity of data is key. If you lose your ability to trust the information that is coming out of the financial sector, that is when things can turn dark and very quickly,” he said. It is interesting to note that the US government even ran a training exercise in 2015, called Jade Helm 15. It involved four out of the five branches of the US military preparing for a scenario wherein the banking sector comes under a cyber-attack from a foreign regime, resulting in the alteration or loss of people’s financial data.
The challenge facing policymakers
Still, rising from all these digital threats is the potential for better policy and outcomes, as the cyber realm has now moved from being a world of techies to the world of geo-politics. Political leaders all over the world have stood up and taken note of the seriousness of the threats posed by cyber warfare. The Huawei 5G saga is an example where companies all over the globe, policy makers and governments, especially those of Denmark, India, Japan, and South Africa, have raised issues about the geopolitical neutrality of private corporations involved in the cyber realm and the subsequent threat to sovereignty.
In the case of Huawei, it is alleged that the Chinese telecom company’s 5G equipment is a vector for the Chinese government to stage espionage. However, several realities exist simultaneously. Many countries have not issued a complete ban on Huawei 5G technology and the company gains more ground by the day in markets where its low pricing is a key selling point. Yet, global supply chain entanglement also means this is not the last time such questions will be raised about a digital infrastructure supplier. What is needed is a sensible, deep, but not too generic, cyber security regulation.
Solutions at hand
On an enterprise level, the crucial challenge which India faces in terms of making a concrete cyber infrastructure can be solved by adopting the Zero Trust Architecture. The increase in Work from Home (WFH), Bring Your Own Device (BYOD), Internet of Things (IoT) and hybrid cloud blurs the border between what is on premises and what is beyond the perimeter. Old school hardened network perimeters alone are no longer effective for maintaining enterprise security.
Zero Trust is a design approach to creating an information technology environment that could reduce an organisation’s risk exposure in a borderless world. In layman’s terms, Zero Trust Architecture treats all users and all nodes as potential threats and thus verifies every single point with utmost priority. Implementing Zero Trust Architecture with a proper DevOps approach will certainly contain the damage as it tests everything and trusts nothing. Hedera Hashgraph, a Zero Trust network architecture protocol partly owned by the likes of Google, LG, Tata Communications, Wipro, Boeing, IBM among others, negates the issue with most centralised networks, that is, a single point of failure.
Adopting Hedera Hashgraph as a security layer is a cost-effective, easy-to-implement, energy-efficient, public but privacy-enabled solution which can be adopted by institutions, enterprises and individuals the world over today. The likes of NASA, Standard Bank, IIT Madras, Shinhan Bank are already implementing the network within their own information technology environment and even the Reserve Bank of India in a recent working paper referred to the Hashgraph technology as a possible solution for all their rotary, secure funds transfer and storage needs.
For common citizens like you and me, industry experts have encouraged best practices and a greater awareness of the threats. Therefore, on an individual level, to protect your data from a cyber breach, the advice more or less remains the same. Do not click on unknown attachments; always use strong and unique passwords; enable two-factor authentication; update your operating system and other apps regularly; and also keep an up-to-date backup of all your important files. Because even if it is not visible right away, it appears that ransomware is here to stay.
(Lt Gen Abhay Krishna (Retd) Former Army Commander of South Western, Eastern and Central Commands has been International Associate Arbitrator. Most recently he was serving as a Chief Commissioner West Bengal, RTPS Commission.)