The world is hardly wired for cyber resilience
Defending civilian targets and infrastructure against rising cyberattacks will stretch the capability of governments
M.K. Narayanan
A
string of high-profile cyber-
attacks in recent months has
exposed vulnerabilities in
the critical infrastructure of even
advanced nations. This has rein-
forced the need for improved de-
fences against actual, and poten-
tial, cyberattacks by all countries
across continents.
America under attack
Several high-profile cyberattacks
were reported from the United
States during the past several
months. Towards the end of 2020,
for instance, a major cyberattack
headlined ‘SolarWinds’ — and be-
lieved to have been sponsored
from Russia — had rocked the U.S.
It involved data breaches across
several wings of the U.S. govern-
ment, including defence, energy
and state. Before the U.S. could
even recover from this breach,
thousands of U.S. organisations
were hacked in early 2021 in an un-
usually aggressive cyberattack, by
a Chinese group Hafnium, which
had exploited serious flaws in Mi-
crosoft’s software, thus gaining re-
mote control over affected
systems.
In quick succession, thereafter,
the U.S. has witnessed three more
major attacks: an audacious ran-
somware attack by Russia/East Eu-
rope-based cybercriminals, styled
DarkSide, on Colonial Pipeline
(which is the main supplier of oil
to the U.S. East Coast), compelling
the company to temporarily shut
down operations. The siege was
lifted after Colonial Pipeline paid
out several million dollars as ran-
som to unlock its computers and
release its files. There are reports
of the ransom being received in
bitcoins which was later seized by
the U.S government. Another Rus-
sia-backed group, Nobellium, next
launched a phishing attack on
3,000 e-mail accounts, targeting
USAID and several other organisa-
tions. Early this month, JBS SA, the
U.S. subsidiary of a Brazilian meat
processing company, was the tar- to entire communities. and abuse. With mobile and cloud
get of a ransomware attack; the It would be a mistake to believe computing expanding rapidly, and
company also paid a ransom in that we can hope for a respite from also given the nature of the on-go-
millions. cyberattacks such as ransomware ing pandemic, cybersecurity pro-
GETTY IMAGES/ISTOCKPHOTO
and phishing. Cybercriminals are fessionals are now engaged in
Now, civilian targets becoming more sophisticated, and building a ‘Zero Trust Based Envi-
These attacks were all primarily are now engaged in stealing sensi- ronment’, viz., zero trust on end
on civilian targets, though each tive data in targeted computers be- point devices, zero trust on identi-
one was of critical importance. fore launching a ransomware at- ty, and zero trust on the network
Obviously cyber, which is often re- tack. This is resulting in a kind of to protect all sensitive data. What
ferred to as the fifth domain/di- ‘double jeopardy’ for the targeted is of interest is that there do exist
mension of warfare, is now largely victim. Also, today’s cybercrimi- quite a few niche companies to-
being employed against civilian region. nals, specially those specialising in day, which have developed (or are
targets, bringing the war into our Cyber warfare is replete with ransomware and similar attacks, developing) newer technologies to
homes. Most nations have been several damaging methodologies. are different from the ordinary create a Zero Trust Based environ-
concentrating till date mainly on In the civilian domain, two key run-of-the-mill criminals. Many ment employing: software defined
erecting cyber defences to protect manifestations of the ‘cat and are known to practise ‘reverse en- solutions for agile perimeter se-
military and strategic targets, but mouse game’ of cyber warfare to- gineering’ and employ ‘penetra- curity, secure gateways, cloud ac-
this will now need to change. The day, are ransomware and phish- tion testers’ to probe high secure cess security, privileged access
obsession of military cyber plan- ing, including spear phishing. networks. management, threat intelligence
ners has been to erect defences Ransomware attacks have skyrock- The bad news is that the cyber platforms, static and dynamic data
against software vulnerabilities re- eted, with demands and payments landscape is poised to undergo masking, etc. The moot point is
ferred to as ‘Zero-day’, that had going into multi-millions of dol- more fundamental changes. Mo- whether not only those in authori-
the capability to cripple a system lars. India figures prominently in tivation for cyberattacks vary: for ty but even more so those in the
and could lie undetected for a long this list, being one of the most af- (some) nation states, the motiva- world of business, (specially oil
time. (The most celebrated Zero- fected. Also experts believe that of tion is geopolitical transformation; and finance, and specifically
day software of this kind to date is late, the recovery cost from the im- for cybercriminals, it is increased health care) are aware of this —
Stuxnet, which almost crippled pact of a ransomware attack — in profits; for terror groups, the mo- and, more important, are ready to
Iran’s uranium enrichment pro- India, for example, has tripled — tivation remains much the same, utilise these technologies — to
gramme some years back). Today, and mid-sized companies, in par- but the risk factor may be lower. ward-off a cyberattack and safe-
other Zero-day software, no doubt ticular, today face a catastrophic However, it is ‘insider threats’ — guard their data.
exist, though little is known about situation, if attacked, and may due to discontent with the man-
them. What is, however, evident is even have to cease operations. agement or for personal reasons — Preparation is needed
that a whole new market currently Thus, the need to be aware of the that could well become an omni- Building deep technology in cyber
exists for Zero day software out- nature of the cyber threat to their potent reality. is essential. New technologies
side the military domain, and the businesses and take adequate pre- such as artificial intelligence, Ma-
world must prepare for this cautionary measures, has become Need for data protection chine learning and quantum com-
eventuality. extremely vital. Banking and fi- Cybersecurity essentially hinges puting, also present new oppor-
Defending civilian targets, and nancial services were most prone on data protection. As data be- tunities. Nations that are
more so critical infrastructure, to ransomware attacks till date, comes the world’s most precious adequately prepared — concep-
against cyberattacks such as ran- but oil, electricity grids, and lately, commodity, attacks on data and tually and technologically — and
somware and phishing, including health care, have begun to figure data systems are bound to intensi- have made rapid progress in artifi-
spear phishing, apart from un- prominently. fy. Reportedly, we create more cial intelligence and quantum
known Zero day software, is al- than three quintillion bytes of data computing and the like will have a
most certain to stretch the capabil- Zeroing in on health care everyday (some put it at over 2.5 clear advantage over states that lag
ity and resources of governments What is specially worrisome at this quintillion) — with several billion behind in these fields. Pressure al-
across the globe, somewhat in the time, when a pandemic is raging, devices interconnected to billions so needs to be put on officials in
manner that nations have been is the number of cyberattacks on of end point devices exchanging the public domain, as also compa-
forced to find the resources and health-care systems. With data be- petabytes of sensitive data, on the ny boards, to carry out regular vul-
the methods to deal with the CO- coming a vital element in today’s network. This is only bound to nerability assessments and create
VID-19 pandemic. One related pro- world, personal information has grow. Ensuring data protection necessary awareness of the grow-
blem is that the distinction bet- become a vital commodity. One of could, hence, prove to be a rather ing cyber threat. In the end, it
ween military and civilian targets the more vulnerable areas where thankless task, complicating the might be appropriate to quote IBM
is increasingly getting erased and data tends to be linked to a specific lives of Information and other se- Chairman, Arvind Krishna, that
the consequences of this could be individual is in health care. Com- curity professionals. cybersecurity will be “the pressing
indeterminate. For instance, the promised ‘health information’ is The data life cycle can broadly issue of this decade” and that “va-
2012 cyberattack on Aramco, em- proving to be a vital commodity be classified into data at rest lue lies in the data and people are
ploying the Shamoon virus, which for use by cybercriminals. All indi- (when it is being created and going to come after that data”.
wiped out the memories of cations are that cybercriminals are stored), data in motion (when it is
30,000 computers of the Saudi increasingly targeting a nation’s being transmitted across insecure M.K. Narayanan, currently Executive
Aramco Oil Corporation, has ever health-care system and trying to and uncontrolled networks), and Chairman of CyQureX Pvt. Ltd., a U.K.-
since been one reason for the very gain access to patients’ data. The data in use (when it is being con- U.S.A. cybersecurity joint venture, is a
frosty relations between different available data aggravates the risk sumed). Constant exposure lends former National Security Adviser and a
countries in West Asia and the Gulf not only to the individual but also itself to ever increasing data thefts former Governor of West Bengal