The next big threat in hacking: Data sabotage
As we speed into the future, an increasing number of components linked to our nation’s and corporations’ critical infrastructure are reliant on a connection to the Internet. The possibility of devastating cyberattacks from aggressive nation-states, cyberterrorists and hacktivists becomes much more real: All of Manhattan’s streetlights turning green at the same time; a U.S. military drone hitting an unintended target; a fleet of hundreds of driverless cars crashing into a police precinct.
Big, successful “kinetic” attacks won’t likely be the result of one or two technological tweaks or break-ins, say security experts. Instead, the attackers will use many different steps and elements to penetrate a system over time. A key piece of such cyber events will probably be some form of data sabotage, the subtle tweaking of data within transactions to gain some type of benefit. It’s a concept that U.S. intelligence officials and security firms have identified as one of cybercrime’s next big fronts for 2016. And it implies that data sabotage will also exploit less sensational, though highly influential, opportunities: manipulation of personal finance information, stock tickers or even a company’s earnings report for financial gain.
“Most of the public discussion regarding cyberthreats has focused on the confidentiality and availability of information,” James Clapper, the director of national intelligence, told Congress in September 2015. “In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity. … Decision-making by senior government officials, corporate executives, investors or others will be impaired if they cannot trust the information they are receiving.”
Data-integrity attacks have been occurring for the past few years in various sectors and forms. In 2010, the Stuxnet worm forced minor changes in targeted devices to destroy Iran’s nuclear program. And in 2013, Syrian hackers tapped into the Associated Press’ Twitter account and broadcast fake reports that President Obama had been injured in explosions at the White House; within minutes the news caused a 150-point drop in the Dow.
“Data-integrity attacks have a number of dimensions to them,” said Eddie Schwartz, international vice president at ISACA, a global cybersecurity association. “If you take a controlled system like the power grid or water system that involves machinery that’s operated by computers and make some change in the operational instructions for that equipment, that can lead to some catastrophic results — power outages or changes in chemical balance.”
And while Schwartz points out that “there’s certainly evidence through security research that such extreme-use cases are possible, if they exist, they haven’t come to the public light at this time.”
Many of the potentially catastrophic events carried out via data sabotage relate to the rise of the Internet of Things (IoT).
“IoT is a massive attack surface that allows people to touch systems that for previous decades haven’t been available to be interacted with,” said Daniel Miessler, director of client advisory services for security services firm IOActive. “This is increasing exponentially; the amount of systems that are currently online versus the amount that are going to be online in the near future is so small that whatever problems we have now will just get bigger.”
According to research firm Gartner, there were 3.6 billion IoT endpoint devices in 2013; that’s expected to rise to 8.7 billion by the end of this year. “We expect an expansion to over 29 billion IoT endpoint devices by 2020,” said Lawrence Pingree, a research director at Gartner.
Researchers at IOActive have identified specific places across numerous industries where systems remain especially susceptible to cyberattackers. Vulnerabilities abound in so-called smart cities — ultrawired locales where information and technology are used but rarely tested for cybersecurity controls — to deliver efficient use of resources. The firm found 200,000 vulnerable traffic-control sensors installed in cities, including Washington, New York, Seattle, San Francisco, London, Lyon and Melbourne.
Dave Mahon, chief security officer of broadband provider CenturyLink (CTL), says that initial targets of data-integrity attacks will be obvious ones, like military operations and critical infrastructure, as cyberwarfare capabilities of even small adversaries become more sophisticated. Others say that data manipulation will be less about large, catastrophic events and more about criminals quietly cashing in on the value of transactional data.
“Criminal enterprises — they look for levers within society that are economically tuned to helping them make money,” said IOActive’s Miessler. “If you could tweak a credit score and get a better rate on money and you’re making money by borrowing at better rates, these are things criminal enterprises look at — their ability to modify the system in some way to get an economic return.”
Manipulating credit scores or bank account numbers is a natural evolution from yesterday’s big data breaches, where the personal information on millions of U.S. shoppers, health-care patients and government workers could already be in use for such manipulation schemes.
“That’s the interesting thing about integrity attacks — they can be highly beneficial to the attacker in that they can often achieve their goals more effectively than a traditional attack,” said Steve Grobman, chief technology officer of Intel (INTC) Security Group, noting that it can be difficult for criminals to make money off stolen credit card numbers. “In an integrity attack, if you’re manipulating bank routing numbers or the way that money is transferred, you can directly steal funds and essentially capitalize on all of your theft versus the data you need to sell [in a traditional attack.]”
Integrity attacks are stealthy; the key for attackers is to fly under the radar as long as possible. In the case of a corporate competitor who wants a leg up against another company, “if you’ve tampered with financial account data bases and think of a very simple attack where you multiply all your account receivables by a random number that varies from negative 1 percent to 1 percent, that little variability in the data would go unnoticed by a casual observer,” Grobman said.
“That could completely ruin your earnings reporting, which would ruin your relationship with your customers,” he said.
J.J. Thompson, founder and CEO of security solutions provider Rook Security, cited an extreme example of an existing threat involving health-care information that could reach the level of corporate cyberwar and data sabotage: a company, dissatisfied with the way another firm is carrying out a business deal, hires someone to hack an organ transplant list to tweak a piece of information — say, inserting that the person on the list, the CEO of the rival firm, is a smoker.
“Making sure that the founder who’s holding up the deal at the prices they want gets dropped off a transplant list — that would be worth billions,” he said. “That’s an example of what can I do to make them move up or down by manipulating data downstream where nobody’s looking.”
While behavior analytics, the security technology that detects behavior anomalies throughout an entity’s system, is still very much evolving, so is the ability and willingness of at-risk entities to share threat information, which experts say will help thwart the most sophisticated cyberattackers. The passing of the Cybersecurity Information Sharing Act of 2015 in December was a start, but there are still many entities that have to adapt their data to the uniform formatting languages put in place.
It’s a tall order for corporations, many which lack even a basic cybersecurity plan.
“The problem is that the attack surface evolves constantly — it’s less cat-and-mouse and more whack-a-mole,” said John Dickson, principal with Denim Group, a security software firm. “Many companies are ill-equipped to move real fast in the market and do so securely.”
Lastly, as cyberattacks become more about big data sets, there’s a dearth of professionals who know how to interpret shared threat intelligence and make it actionable. “Info security is in a state of negative unemployment — there is way more demand for what is available,” said Gartner’s Pingree.
ISACA’s Schwartz said: “We’ve found that anywhere from 1 million to 2 million cyberprofessionals will be needed between now and 2020 to solve the gaps that exist in this world.”
Even if there were enough information security workers to construct the perfect defense, “there’s no way to test whether it’s ready, until you get attacked in the real world, and the best attacks will wait until it’s live,” Miessler said. “The only thing we can do is try to adjust quickly when it happens and not take too much damage in the process.”