It's early on a Sunday morning and something's wrong. Hannah, an ER physician, logs into a workstation to dictate patient notes and this message pops up "Your network has been penetrated and your files have been encrypted with strong encryption. We hold the key. Please contact us if you want to see your files again."
A fire breaks out in the data center of a defense contractor. Vital systems and all of their intellectual property are destroyed. The company has no choice but to file for bankruptcy.
A man is promised money, an apartment, and women in exchange for Trade Secrets. Before he can leave the country, he is arrested. But it's too late — the technology is already in the hands of China and the victim company will lose over $800 million. What is the technology that is so sought after? Stealth fighter technology? Quantum computers? Keep reading to find out.
These stories are not from spy novels.
They are not fiction.
They happened to real people.
Their impact was severe.
At the Heart of the Matter
You can't touch it. You can't eat it. You can't smell it.
Intangible, yet tremendously valuable.
What is it?
Information.
We live in "the information age."
Never has information been more accessible...and yet I fear we take it for granted.
A Walk Down Memory Lane (optional)
Back in the day, you had to be a "computer geek" in order to use the internet. One by one, obstacles for easy access to information tumbled and fell. With the creation of the world wide web [2], internet browsers, and search engines, the "information super highway" became accessible to everyone.
Challenges
While such easy access to information has revolutionized the world, there are some tremendous challenges.
TMI - Too much information! We are inundated regularly with more news, alerts, and information than at any time in history.
Disinformation. It has never been more easy to spread disinformation.
Theft of information on an unprecedented scale. NSA Director, US Army General Keith Alexander called cybercrime — including intellectual property theft — "the greatest transfer of wealth in history." [3]
Ransomware — Information held hostage!
Blackmail — "We will release private information about you, your clients, your patients unless you pay."
Privacy — Companies like facebook and google know so much about each and every one of us.
Cybersecurity or Information Security?
Cybersecurity — that's what I do. That is the commonly accepted term.
I prefer the broader term "Information Security."[4] I worry that sometimes we lose sight of just how vital information is when we speak of "cybersecurity" even though protecting information and information systems is what cybersecurity is all about.
Additionally, there is a lot more to securing your organization than just the security of your computers and cloud hosted data — what about printouts with confidential information that get left lying around? What about staff who speak about confidential information within earshot of the public? (this can be quite common in a healthcare setting, but we have probably all been to coffee shops where someone was loudly talking about confidential matters on the phone while working there on the free wifi)
The term "Information Security" covers these areas which cybersecurity does not include.
Information is the life blood of our modern society!
Whether that be valuable intellectual property, financial market data, healthcare data, or the vast trove of books and knowledge that mankind has accumulated over the years.
Do we take Information for Granted?
I believe that information is taken for granted. Often it is not until after something horrible happens that people begin to appreciate just how vital it was for achieving their mission. Sometimes organizations fail to consider what the impact would be if their information were stolen, altered, encrypted, or destroyed. With that in mind, let's consider some real life examples.
Real Life Examples
Let's return to the stories mentioned at the outset of this article — these are just a few stories I have either experienced first hand or heard about from colleagues over the years.
At first I wanted to call these "horror stories" but that sounds too much like a work of fiction.
These are all real life stories which illustrate how vital it is to protect information.
Ransomware
Sadly I have been involved with quite a few ransomware events at Hospitals over the years. They ran the gamut from small hospitals with almost no resources to larger hospitals with thousands of computers. I will never share the names of a specific Hospital out of respect to them, even when details of the event are published in the news. I do not believe that a Hospital should continue to be shamed endlessly for a ransomware event. They are a victim. This is a composite of what a typical ransomware event looks like.
It is 3:00 AM on a Sunday morning. It is New Years day, and the Emergency Room is especially busy when Nursing staff notice that they are unable to access records. IT is slow to respond to the call due to the reduced staffing, but pretty soon a blurry eyed IT staffer has dialed in remotely to see what is wrong with the servers.
The IT staffer sees strange files on the EHR servers. The files have random gibberish names and extensions of".locky" — "jKmn9234.locky" for example. There is also a file called _HELP_instructions.html which states that all of the files have been encrypted and will only be restored upon payment of a ransom. Immediately he contacts the IT Manager who contacts his boss as well.
While it appears that most systems have been encrypted, they immediately take the step of disconnecting all of these servers from the network to prevent any further spread. They initiate incident response procedures, pulling in the Hospital leadership for an emergency meeting.
The decision is made to initiate "back to paper" procedures and to divert all incoming patients to another facility about 30 minutes away because staff are struggling to care for existing patients. Critical information has thankfully been backed up as static copies of patient files to an "offline EHR" system. Soon staff have printed off details of allergies, medications, diagnoses, and other vital data so that they can continue to provide safe patient care.
Through the Hospital's Cyber Insurance an incident response firm is pulled in to determine how the hackers got in and to close any backdoors. The FBI works with the incident responders and provides important information about the ransomware variant — who is behind it, how to prevent it from spreading, and how the hackers maintain persistence on the network.
After 6 days of working night and day, the go ahead is given to wipe and restore all of the desktops, laptops, and servers and to restore the patient data from backup disks kept off site. The initial data backup has been corrupted, but eventually they are able to restore from an older backup and they only lose two days of patient data.This rebuild and restoration process takes another 3 weeks. During this down time, clinical staff are struggling with the unfamiliar paper procedures and the rate of errors in clinical care has gone up. Staff are understandably tired and stressed.
Information Security is a patient safety issue. Consider the following adverse impacts of a ransomware event:
Patient data may be inaccessible - vital details like allergies and medication schedules are lost.
Medical Errors - Studies have shown that more errors are made in patient care during ransomware events.
Care is delayed - Patients are re-routed to other hospitals, which may be understaffed for the surge.
Cost - Ultimately, the cost of a ransomware incident in direct costs and lost revenue may weaken the ability of the Hospital to deliver quality care in the future, or the Hospital may even close. We all lose when this happens.
The Fire
A former coworker told me about the case of a defense contractor whostored all of their data — their vital technical data and intellectual property — on one mainframe in a single
data center. Their data storage vendor eventually convinced them to back up everything to a second system. This second system was set up in the data center and everything was copied over to it. However, they procrastinated for many months about moving this second system to another data center when the unthinkable occurred — a fire. Both the original system and the backups were completely destroyed.
This business is no longer.
Intellectual Property Theft
A Chinese firm — Sinovel — stole vital intellectual property from Boston based firm American Superconductor [5], causing its stock to plummet (check out the company's stock price online - it takes a dive in 2011), resulting in a market loss of about $1 billion. To add insult to injury, Sinovel obtained contracts to deliver several wind turbines to provide electricity for infrastructure in the Boston area [6]. The FBI actually downloaded code from one of these wind turbines [7] and demonstrated that it was code stolen from American Superconductor.
To date, American Superconductor's stock has not recovered.
IP Theft from China has generally been ignored by many executives for a variety of reasons:
CEOs see great opportunity in China, so they are heavily incentivized to take the risk of doing business there.
To many executives it sounds like a Hollywood script. It seems farfetched that a nation state would be interested in their IP. But consider that Chinese operatives have stolen or attempted to steal IP related to genetically modified corn, medical robots, wind turbines, foam, and much more.
Cybersecurity is often considered the responsibility of IT when Executives should be actively involved in securing information in its many forms.
A lack of knowledge and appreciation for how corporate and nation state espionage is actually done. In a future blog I will explore the tactics of espionage and why it is important for you to understand them.
Information as Currency
I found a number of blogs speaking of information as being the currency of today. There are a few ways to view information as currency:
Intellectual property and trade secrets can be tremendously valuable, enabling a company to dominate a market.
Data about consumers — both as individuals and aggregated — is valuable to companies and advertisers, and is bought and sold.
The Intelligence Community — Governments spend significant sums to understand what other nations are doing, thinking, and saying, as well as to identify non-nation state threat actors.
While some may acknowledge that "data is the new currency," few organizations are treating information as carefully as they do actual currency.
In the financial services industry we see a much higher level of cybersecurity maturity than we do in Healthcare and other verticals. Partly this is because it's so easy to determine cyber crime losses that involve actual money. How do you put a value on the disruption to a healthcare organization that experiences a serious ransomware event? It's not so clearcut and there is a serious human toll that cannot be quantified.
The Importance of Motivation
I hope you enjoyed reading this article. My goal with this blog is to provide more than just information but also motivation. I have observed that even when risks are well communicated to the Executives, the Security professional might be dismissed as "paranoid" or "worrying about things that will never happen." Hopefully the real life stories here can provide the additional push required to "move the needle" on your information security program.
Please comment on this blog post about your past experiences with technology or how you have observed information being taken for granted.
Coming Soon!
In upcoming blog posts I will cover
Ransomware Incident Response
Privacy
Third Party Security Risk Management
Open Source Software Security
Securing Intellectual Property
Espionage Tactics and why you should care about them
and much more.
References
https://blog.pressreader.com/libraries-institutions/21st-century-library-evolution-timeline - a nice read about the history of Libraries.
https://www.scienceandmediamuseum.org.uk/objects-and-stories/short-history-internet
https://www.forbes.com/advisor/education/information-security-vs-cyber-security/
American Superconductor IP theft case - https://www.nbcnews.com/news/world/chinese-firm-paid-insider-kill-my-company-american-ceo-says-flna6c10858966
https://www.fbi.gov/video-repository/made-in-beijing-trailer-030722.mp4/view - In my opinion, a must see documentary put together by the FBI.
https://www.fbi.gov/video-repository/newss-the-company-man-protecting-americas-secrets/view - an excellent video put together by the FBI. This is not a spy movie, this is real life.
Disclaimer: The information provided here (“material”) is intended for informational purposes only and does not constitute legal or professional advice. This material is not warranted to be exhaustive or complete. Additionally, every organization has a unique set of circumstances, business requirements, contractual obligations, and regulatory compliance requirements which we are unaware of. No guarantee is made that use of this material will secure your organization and help you to meet your compliance obligations.
Comentarios