On each Friday for the month of February, RSM’s Julia Polyak will be providing an article on the future of cyber-attacks and cyber-warfare, and how organizations can remain aware of emerging threats in this landscape.
Please note that the views expressed in this article are opinionated and reflect the author’s perspective, and readers are encouraged to consider multiple viewpoints and engage in critical thinking.
You’ve read the news, seen the posts on social media, and heard someone talking about a massive cyber-attack. This massive cyber-attack, better known as a cyber catastrophe, is not a theoretical threat anymore. A cyber-attack of this magnitude could incite societal panic, chaos, and reactions. Examples of what could lead to this include infrastructure disruption, a financial system outage, mass surveillance, or even a national internet shutdown.
You might be wondering, if threat actors were capable of a cyber-attack of this size, why haven’t we seen it before? In recent years, there has been more awareness of the reliance on digital infrastructures, which means if these infrastructures were to be taken down, this would incite a catastrophic cyber event. For years, threat actors have been testing the waters, seeing what sort of disruption they could cause.
Now more than ever, we’re seeing threat actors targeting critical infrastructures, modes of transportation, means of telecommunications, and more. It is believed that many threat actors are just attempting to obtain a foothold at the moment to determine what sort of methods of attack would cause the most disruption. It is important to note that so far, disruption, damage and chaos have been the bulk of the results of larger cyber-attacks, as major disruption is perceived as what can cause societal panic and chaos. In this case, what can the world do to prepare for these cyber events should they happen in the near future?
Preparing for a cyber-attack, even a theoretical one, at an individual, organizational, and governmental level is essential in staying ahead of the threat actors. This doesn’t mean you should start building a bunker out of worry about a mass outage and your safety; that is not the case. Let’s look at what preparation might look like at each of these levels.
At an individual level, this would be ensuring that you have backups and knowing how to carry out daily functions should you lose internet, financial systems, cellular, etc. Consider a power outage: when there were first power outages, it certainly caused panic, and in some cases still does. However, people have adapted and learned how to prepare for an outage. Technology has advanced and we’ve become so reliant on digital infrastructures that this will be like power outages in your home – just a small storm that we’ll have to learn to prepare for. For those at an individual level who feel like taking a more advanced approach, this would look like developing a secure home network, ensuring proper encryption protocols are utilized, that firewalls are in place and configured properly, and regularly ensuring that security updates have been installed.
From an organizational standpoint, you could follow the same approach as at the individual level, with the addition of ensuring you have a strong, updated incident response plan, as well as strong security awareness training. To read more on the importance of security awareness training at an organizational level, see here.
Preparing for a catastrophic cyber event at a governmental level is going to look a lot different. While the first thing would be ensuring the previous strategies have been implemented, organizations and agencies should regularly revisit and update the cyber incident response framework they use as well as their cybersecurity strategy.
On a broader scale, cybersecurity education, training, and collaboration will be critical for governments looking to prepare for a cyber event of this size. The more this information is spread, shared, and discussed, the more people will be able to prepare, learn and educate on the importance of cyber events.
Unfortunately, there is no way of knowing what a cyber event of this magnitude would look like, because it hasn’t happened yet. Another possibility is that it might never happen, because while there may be evidence to support the prediction of something like a cyber catastrophe in our near future, we can’t know or predict threat actors and the cyber events that may occur. Like all strategies, attacks develop over time and can become more complex and more dangerous. They could also become easier to predict and defend against, as we see more of them. One recent example: in 2021, a hacker was able to get into a Florida water treatment system and tried to increase the levels of sodium hydroxide, which put thousands at risk of being poisoned. This is an example of an attack meant to cause damage and hurt people, which is not common in the cyber-attacks that are displayed on the news. Cyber events that are meant to inflict this sort of damage should be taken more seriously, as anything that has the ability to be “hacked” should be secured. Technology has advanced at a rate where proficiency and speed were seen as more important than security, and now there are too many flaws and weaknesses in simple infrastructure that could’ve been prevented.
This isn’t meant to scare anyone, because there are real threats every day in all sorts of ways, but it is meant to inform, educate and raise awareness in today’s society. The likelihood of a cyber event of this measure cannot be calculated, as it is something that the world is still assessing. When calculating the likelihood of risk for a mass cyber event, look at the nature of the events that have happened, their impact and the likelihood of their sophistication increasing.
No matter who you are, what job you have, or your technical knowledge, cyber plays a role in our everyday lives now. It’s important that we continue to spread awareness, educate, and collaborate on the current issues in cybersecurity to develop solutions and maintain best practices. We don’t know if a cyber catastrophe is coming, and we don’t know what the threat actors’ tactics are, but we can do our part to keep ourselves, our organizations, and our government safe.
Additional Resources
United States Computer Emergency Readiness Team (US-CERT): https://www.us-cert.gov/
National Cyber Security Centre (NCSC) – UK: https://www.ncsc.gov.uk/
Australian Cyber Security Centre (ACSC): https://www.cyber.gov.au/
Someone tried to poison a Florida city by hacking into the water treatment system, sheriff says | CNN