Cyberthreats are increasing, and are playing out on a global stage. Credit cards are at risk, of course, but so are smart grids, oil pipelines and, well, pretty much everything. Samuel S. Visner, director of the National Cybersecurity FFRDC, tells Karen Webster that nation-states are emerging threats, but FIs and others can wage effective battle against cyberattacks. Here’s how.
It’s the stuff of movies — but, yes, possibly of reality, too.
Go to sleep one night, and all is well. Wake up and the power’s out. The internet is down, government services are at a standstill. The bank accounts? Well, they’re frozen, and it doesn’t really matter, because all the accounts have been drained right down to zero. War’s been waged against the U.S., with massive casualties mounting, and no bullets or bombs have marked the conflict. The aggressors in this cyberwar? Unseen and possibly unknown.
The Bad Actors
To that end, Director Samuel S. Visner of the National Cybersecurity Federally Funded Research and Development Center (FFRDC) — managed by nonprofit MITRE, in support of the NIST National Cybersecurity Center of Excellence — told Karen Webster that cybersecurity threats to institutions and enterprises exist at several levels.
There are, of course, individuals who want to steal money, find financial information and steal credentials, he said.
Then, there are nation-states that are greedy and want money. He stated that North Korea is at the top of the list, acting, when it comes to cybersecurity, like any other thief or cybercriminal. As he noted, North Korea, acting as a singular cyberthreat, will do what it can to gain access to and compromise the credentials of foreign organizations with money — and, in turn, gain access to that money, of course. As Visner added, North Korea has been persistent and, to some extent, successful in its efforts.
Beyond the lures of money, there are other nation-states that may want access to a financial system, but for different reasons.
The Corrosion Of Power
As Visner told Webster, there is the possibility that an attack on a country’s financial system — especially the United States’ — would be a component of efforts to take down the power grid, the key infrastructure and the banking system. It’s not for financial gain, but a way of weakening the country, either in the press or in terms of the victimized country’s standing on the world stage.
“In this case,” he said, “nation-states are looking to gain power by corroding the influence of other countries.”
Consider the example of Russia, which he noted has used Ukraine, essentially, as a laboratory for such corrosive efforts, using cyberattacks to impact infrastructure and government services, and diminish Ukraine’s sovereignty. In the case of the United States, he maintained that the U.S. wields a great deal of influence, especially in the international monetary system.
“Our currency is the world’s reserve currency,” said Visner, “and the U.S. is an economic counterweight in the world.”
The U.S. is home to 5 percent of the world’s population, but more than 20 percent of the globe’s gross domestic product. The Bretton Woods framework for commercial and financial relations still holds sway decades after that system of monetary management was established.
Against that backdrop, the U.S. remains an attractive target for countries that are interested in using information technology, smart cities, artificial intelligence and other means to establish themselves as a “superpower for IT,” and diminish the global influence of the United States — rather than solely in an effort to wage war.
The Financial Institutions And APT
It’s no surprise, then, that U.S. financial institutions (FIs) are a particularly prime target for cyberattacks. As Visner told Webster, regardless of the motivations of the attacker, it is critical that FIs understand the attacks are becoming increasingly sophisticated.
He related the concept of the “advanced persistent threat” (APT), which uses a robust arsenal of weapons in a cyberattack, and where the attacker has a strong concept of the target’s operations and resources. The attacks can fly under the radar, and, in some cases, once the attacker has infiltrated an FI’s system, they can lie undetected, even dormant, for years before doing damage.
In other words, patience has its (ill-intended) rewards.
At risk, then, are smaller FIs — those located in what might be termed the American heartland, where knowledge or resources dedicated to fighting cyberattacks may not be as robust as at larger FIs. Hackers also gain entrance into smaller FIs through a number of internal conduits: voluntary bad actors, meaning employees who can be swayed to sell their credentials for monetary rewards, or the unwitting insider who clicks on a phishing email.
“These employees make a mistake, or they are badly trained, or they are too busy in an organization that has told them that cybersecurity is a top priority along with 25 other top priorities,” said Visner.
There are also occasions when smaller organizations that have already been compromised are acquired by larger firms in strategic acquisitions, and the hackers then have access to both firms’ critical technology systems as the firms cross-pollinate IT and cross-sell each other’s products and services to unwitting customers.
Visner said cyberattacks against these heartland firms are successful because many firms — including the private firms that own and operate critical parts of the U.S. infrastructure — do not do what is necessary to protect themselves. This includes neglecting to use dual-factor authentication within systems or to install security patches promptly. He noted that best practices aimed at protecting companies of all sizes would include managing passwords and dual-factor authentication, especially when it comes to server access.
When asked about cryptocurrencies, which proponents tout for anonymity and security that extend beyond the central banking system, Visner said they “conceivably create a less transparent world” that may be a lure for cyberthieves. Cryptos also have one inherent flaw, he added — namely, that digital coins must be related to something tangible or, as he said, “there is nothing tangible you can do with it.”
For now, though, crypto has its place among thieves as a way to hide money laundering and terrorist financing activities. One way to diminish the value of cryptocurrency as a place to store what one has stolen is to “make it harder to steal things in the first place” through proactive cybersecurity efforts.
In one illustration, he noted that state and local municipalities have, in recent years, been targeted in ransomware attacks, where data is encrypted, and decryption tech is promised only if the attackers are paid in cryptos. The agency that has unpolluted, continually backed-up data that refreshes every few minutes need not fear such extortion attempts, he said.
In the battle for cybersecurity, said Visner, “we have to start with the understanding that the adversaries are not 10 feet tall. They do, in fact, put their pants on one leg at a time. You know they’re there. They’re not bulletproof super villains. They make mistakes. Their technology is not necessarily superior to the technology that anyone can get.”