Gaze into the crystal ball and the cybersecurity picture, like much of the coming year, is decidedly murky. But there are enough signals from 2020 to form a reasonable view of what to expect in 2021 — and it is not a pretty image.
The stage is set for nation-state hacking on a scale never seen to date. The increasing complexity of global networks will likely open holes for threat exploitation that will likely keep cybersecurity experts busy throughout the year. And social media will continue to be a robust channel for misinformation campaigns at a time when the world desperately needs reliable, trustworthy news.
The evidence for this coming scenario could be found in a wide range of sessions delivered virtually by two technology conferences last week: the CyberSecure conference, produced by MIT Technology Review, and Web Summit.
During the two-day CyberSecure event, one noted cybersecurity researcher offered a strong case for why nation-state hacking is poised to reach a whole new level and why the rest of us should care.
“This new era of espionage is a key part of statecraft in which nations compete every day, that is how the top tier of this game is played,” said Ben Buchanan, director of the Cyber AI Project, Georgetown University Center for Security and Emerging Technology. “Many of us are caught in the crossfire. We are all on the front lines of this arena of competition in ways that we were not before.”
Hackers use NSA tools
Central to Buchanan’s assessment was the Shadow Brokers, a sole hacker or group of threat actors who have yet to be fully identified, although one prominent security researcher has published a thorough analysis that points to a nation-state, either Russia or China. The Shadow Brokers first appeared in 2016 when they leaked weaponized software exploits developed by the National Security Agency.
The exploits exposed vulnerabilities in Cisco Systems Inc. routers, Linux mail servers and Microsoft Windows. Other hackers took the NSA tools and launched the WannaCry and Petya/NotPetya viruses, which ended up infecting hundreds of thousands of systems in more than 150 countries, causing an estimated combined damage in excess of $10 billion over the course of 2016 and 2017.
The ramifications from the Shadow Brokers leak have continued into the pandemic year of 2020. Although the NSA exploits were significant, the cybersecurity community was especially intrigued by an agency file that contained designations for 45 APTs or advanced persistent threats, the term used to identify nation-state hackers from signals in intelligence data.
As of April, 15 signatures from the APT file remained unidentified by security researchers, but there has been plenty of activity among those that are known. One of them – APT25 – is DarkHotel, a nation-state actor linked to North Korea that exploits vulnerabilities in Google Chrome and mail servers. DarkHotel has been identified as responsible for disrupting operations of the World Health Organization earlier this year.
“Cyberoperations are almost ordinary; they happen every single day,” Buchanan said. “This threat is constant. Nearly everyone is on the front lines of this global competition, not just the big players.”
Firewall vulnerability
The impact of the Shadow Brokers highlights how important it is for enterprises to avoid exposing critical information unnecessarily. Unfortunately, that did not happen in the case of Capital One Financial Corp.
The financial services organization suffered a major breach in 2019 that resulted in the theft of 100 million customer records. Names, home and email addresses, phone numbers, birth dates and personal income data were stolen.
There has been significant litigation around the breach since last year that has placed more information than usual in the public record. One MIT professor has combed through the court filings and found an instructive technology trail.
A former Amazon Web Services Inc. employee was arrested and charged for the crime, but the key flaw apparently stemmed from a misconfigured open-source web application firewall.
“Capital One was using an open-source web application firewall known as ModSecurity,” Stuart Madnick, professor of information technologies, emeritus, at the MIT Sloan School of Management, said during a CyberSecure conference presentation. “It’s known to be fairly difficult to operate. In fact, in 2017, Capital One made plans to replace it with Barracuda. But two years later, only 50% of the firewalls being used had actually been converted.”
Money laundering and misinformation
Although the person arrested in the Capital One breach claimed not to have any intention to sell the data, most hacks of valuable information like bank records are for monetary gain. The global cost of ransomware attacks this year alone is estimated to be $20 billion, with an average of $4 million per attack.
That’s giving rise to a cottage industry of security firms, such as Chainalysis Inc., that are seeking to track the flow of money as it moves through the blockchain and digital currencies. The company’s tools tracked the flow of bitcoin through four wallets associated with a major attack on Twitter accounts earlier this year.
However, the increased use of digital coin exchanges and the rise of private cryptocurrencies such as Monero have complicated the ability of law enforcement and firms such as Chainalysis to track criminal money laundering after a ransomware attack or breach.
“Privacy coins do present a problem to us,” said Kimberly Grauer, head of research for Chainalysis. “The more criminals use that, the worse it is for us.”
While nation-state hacking, infrastructure vulnerability and unchecked criminal money laundering occupied much of the cybersecurity world’s attention in 2020, there was a key question on the minds of many U.S. citizens: Would the national election be held safely and securely?
The evidence so far indicates that the answer was “yes,” although there was a development on the social media front that identified a disturbing new trend.
One of the key groups tasked with monitoring the cyberhealth of the 2020 elections in November was the Election Integrity Partnership, a coalition of security research teams focused on real-time information exchange between election officials, government agencies and social media platforms.
The group is led by Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook Inc. Speaking during the Web Summit on Friday, Stamos indicated that the project found very little in the way of foreign disinformation campaigns on social media platforms. But deliberate attempts to spread false information by domestic organizations were another matter.
Although both Facebook and Twitter have made concerted efforts to flag or delete erroneous information, live videos are not subject to the same scrutiny. Apparently, a number of domestic groups figured that out and used YouTube extensively to spread misinformation during the election.
“YouTube was probably most problematic in this cycle,” said Stamos. “Some of these people have live audiences that approach the daytime viewership of CNN, so you’re talking about YouTube effectively operating as a cable network. The largest influencers get the least amount of enforcement, and we need to invert that.”
Inverting social media policies may not be completely up to platform providers in the coming year. In a Web Summit interview with Congressman Ro Khanna, who represents a broad swath of Silicon Valley, it was clear that frustration in Congress over social media platforms may be reaching the boiling point.
“These platforms have to have some sense of accountability,” said Khanna on Friday. “They’re in over their head and I think they would admit that. We’re in the ‘wild west’ of social media.”
From nation-state espionage to national elections, from data breaches to money laundering, the cybersecurity world had plenty on its plate in 2020 and the coming year does not promise to be any easier.
“Certainly, from my vantage point, I would say the adversary is winning,” said M.K. Palmore, field chief security officer at Palo Alto Networks Inc. “A cyber adversary is not your average criminal; these are men and women of high intelligence. It is not enough to assume you will not be attacked. You have to prepare.”