To say that the planning of the D-Day invasion by U.S., British, and other Allied forces was a complex endeavor would be an understatement, to say the least.
A U.S. army pamphlet on the Normandy invasion sketches the results of the planning succinctly: “A great invasion force stood off the Normandy coast of France as dawn broke on 6 June 1944: 9 battleships, 23 cruisers, 104 destroyers, and 71 large landing craft of various descriptions as well as troop transports, mine sweepers, and merchantmen — in all, nearly 5,000 ships of every type, the largest armada ever assembled.”
The planning, some say, began as early as 1940, when a massive German onslaught forced British troops out of Germany. Look at a vintage map of the operation, and you’ll see arrows swooping, overlapping, and curling through various points of vulnerability, starting with the beaches of Northern France.
To attempt to map the threat posed today by cyberattacks against the United States and its allies by hackers deployed by enemy nations in the same way the Allied leaders did at the end of World War II might seem illogical. After all, the attacks aren’t on actual places but in cyberspace, and the weapons involve software rather than physical ammunition.
But to Reid Sawyer, a long-time veteran of military intelligence and now a senior vice president in charge of cyber risks at JLT Specialty Insurance Services, the interconnectedness of the U.S. economy and its vast number of potential hacking vulnerabilities might make a similar kind of mapping effort quite useful these days.
That’s because massive, concerted cyberattacks on companies — attacks seemingly driven by enemy nations — increasingly resemble D-Day-like campaigns, Sawyer says, noting that he and some of his colleagues have begun to subscribe to what he calls “the campaign theory of espionage” as a way of understanding such attacks.
“When we think of these massive [hacking] organizations, we can picture these big sweeping arrows toward Utah beach in Normandy,” he said during a session on nation-state attacks at a conference on cyber risks sponsored last week in New York by Advisen, a risk-data consulting firm.
Like the Allied generals, the heads of these criminal organizations plot out soft targets in vast supply chains and joint ventures and similar extended inter-company links, according to Sawyer, who had a 22-year career in the U.S. Army, most recently as the senior intelligence strategist for the Middle East and South Asia at U.S. Central Command.
“This is really happening all the time,” he said of such cyber warfare approaches, in which enemy strategists are continually searching for entry points by asking questions like: “Where is my opening? What is the company that all the JV’s are participating in?”
Such campaigns represent “significant targeted planning efforts,” Sawyer says. But the difficulty in mounting strong defenses against them is that “I’m not sure that U.S. companies are thinking that way.”
One prominent example of an apparently state-supported effort is the attack in June that hit a variety of companies in Ukraine, including banks and the state’s power distributor, but spread to the United States and around the world, noted Haris Shawl, a cyber threat intelligence manager at PwC.
Ukraine blamed Russia for the attack, although some Russian companies were reportedly hit. The attack employed “NotPetya,” a cyber weapon in which “ransomware was more or less the cover for a destructive attack,” Shawl explained.
Other examples of confirmed or possible nation-state attacks are the 2014 SONY Pictures hack, reportedly by North Korea, and last month’s distributed-denial-of-service attack against Sweden’s train system, according to Shawl.
“These attacks are sophisticated and take months of planning. [They] are the kinds of threats that are going to be made against U.S. companies,” said Shawl. “If you have intellectual property that’s important to your assets, it’s the people that you do business with that the nation-states are going to get to.”
On the other hand, “if they want to get to a particular company, they’re going to go through you,” he added.
Both speakers cautioned executives working for small or mid-size enterprises against thinking that state-sponsored cyber attacks can’t affect their companies because they’re small and less visible. “The problem is that small companies are involved with innovation and are therefore a target,” especially smaller tech companies linked to the IT systems of larger corporations, according to Sawyer.
Another appeal for nation-state cyber attackers is that “smaller companies are particularly vulnerable because they don’t have the resources … to protect themselves,” he said, adding that “when an attack happens in the SME space, the financial effects tend to be a lot greater, and the recovery is even more difficult.”
Two trends that are exacerbating the cyber risks U.S. companies now face are the widespread siting of their systems in the cloud and the increasing use of sensors as part of the internet of things (IoT), according to Shawl.
“You see nation-state attackers compromising cloud service providers,” he said.
As a result, corporate information security managers are “not even seeing the attacker come in, because [they’re] giving [their] data to a [service provider] willingly,” Shawl added, suggesting that cloud service providers may delay alerting their clients about penetration by hackers.
Further, participation in the IoT “can open up companies to attacks significantly,” he said. For example, if a company has a smart refrigerator on its premises, “if that refrigerator gets an update from the refrigerator company software vendor, that’s an access point into [the company’s] network in [its] physical space.”