When Cybersecurity Becomes Cyber Warfare

• By Glenn Meeks
• 10/01/18

My last two columns have been about Cyber Security and, unfortunately, I need to take a deeper dive into that realm and talk about cyber warfare and its’ potential impact. First, we will define the difference. Cyber security deals with the hacker who wants to prove their skills or make a point and criminals who will steal or leverage data that has value. Cyber warfare is more about nation states who wish to harm the economy or infrastructure of other nation states and do not care about unintentional “collateral damage.” Cyber warfare is more oriented towards the destruction of data and infrastructure than leveraging data.

Most of us are unaware of two devastating attacks occurring last year. In May of 2017, North Korea targeted Taiwan through a semiconductor manufacturer using malicious ransomeware called “Wanna-Cry,” that spread far beyond Taiwan, costing an estimated $4 billion to $8 billion. The attack did not require human negligence to propagate the worm, because it was totally automated, looking for and exploiting a Windows Operating System vulnerability.

Even though the worm-encrypted data required payment in “bitcoins” (hard to trace cryptocurrency) for the encryption key, North Korea was more interested in showing off and demonstrating their capabilities than gaining funds through illegal actions.

The second, and much more devastating attack, was perpetrated by Russia against Ukraine. The Russian military infected a single Ukraine-based server that provided updates to an application called M.E.Doc; essentially, it is a Ukrainian version of Quickbooks used by everyone who files taxes or does business in the country. This malware, called “NotPetya” (a play on words - Petya is a known ransomware also attributed to Russia as the point of origin), was a cyber bomb. It did not simply encrypt data and hold it for ransom, the application irreversibly encrypted the computer/server master boot records that tell the computer where to find its own operating system. No key even exists to un-encrypt the file—the computers could not even restart.

Within hours, it raced around world crippling; hospitals in Pennsylvania, a chocolate factory in Tasmania, international companies like Danish shipping line Maersk, pharmaceutical giant Merck, FedEx European subsidiary, and even back in Russia, the Russian state-owned oil company—Rosneft. The low end of total costs is currently hitting $10 billion. For example, Maersk, with 18,000 container vessels at ports around the world, had to rebuild their entire system from scratch. That is 4,000 servers and 45,000 computing devices in 157 countries, with all of the applications and databases. Yes, they had backups, but they had to start with brand new devices or completely wipe existing computers and reload them like the manufacturer does at the factory.

In both situations, it started with a cyberattack perpetrated by one nation state targeting a nation state they considered their adversary. Yet, these cyber weapons could not be controlled once they were released and damaged many businesses.

Why am I writing about Cyber Warfare in a school facilities magazine? It is simply part of the world we live in. There is irony that of the two primary hacker tools used by NotPetya, one was created by the US National Security Agency (NSA) and leaked in a security breach!!! If the NSA can get hacked, there are no boundaries in cyber warfare, and your district is at risk.

The information currently being released regarding both attacks indicate the entry points were servers or computers using Operating Systems no longer supported by the developer. Microsoft released a security patch that addressed the vulnerability exploited by NotPetya, but those patches were never received by servers and employee computers running software versions no longer supported by Microsoft. A second point of post-event analysis was the lack of network segmentation.

The message to your cabinet is that the district IT systems are at risk. Protection means providing a budget sufficient to keep all of the server and computer operating systems current. That may have a cascading effect.

If your old application cannot run under the new server version, you have to upgrade your application. Segment your network using Identification and Authentication Management tools so that your firewall monitors the public and private side of your network looking for suspicious activity. Make sure all security patches have been installed, that your backups occur daily, and your security subscriptions are up to date.

This article originally appeared in the School Planning & Management October 2018 issue of Spaces4Learning.