The Rapidly Changing World of Cyber Risk

cyber Tuesday option 3The following post introduces a series that will educate readers about the nature of cyber risk and assist in assessing and improving the ability to effectively prepare for and respond to the evolving threat.

The world of private sector cyber risk changed forever in 2014.  While there has always been cyber risk to enterprises from criminals, hackers, or hacktivist groups with criminal or political agendas, most of this activity was directed at firms that had some awareness they were at risk of cyber attack and had undertaken some preparation to manage the risk. What we saw in 2014 for the first time in any meaningful sense was attacks on second or third order targets in the United States by nation-state cyber actors for political or propaganda reasons.  Two cases illustrate how the risk changed in 2014.

In October 2013, Sheldon Adelson, chairman and CEO of Las Vegas Sands,  gave a talk at Yeshiva University in which he suggested demonstrating to Iran the potential risk of their nuclear weapons aspirations by the United States launching a nuclear missile and detonating it in a remote spot in the desert of Iran.  Adelson’s remarks, when leaked, provoked a strong reaction from Iran. Four months later Las Vegas Sands suffered a massive cyber attack in which — among other effects — the attackers rewrote a piece of the firm’s Visual Basic code to destroy data on the firm’s systems and exfiltrate personal data on the firm’s clients and customers. Forensic evidence linked the attackers to servers in Iran.  In February 2015, U.S. Director of National Intelligence, James Clapper, confirmed the attack was conducted by Iran.

In late 2013 and early 2014, Sony Pictures and Entertainment (SPE) was working on a film called “The Interview” in which the CIA hires operatives to assassinate North Korean leader Kim Jong-Un.  On November 21, 2014, a number of SPE senior executives received extortionary emails from a group called God’s Apostles. Most of the executives thought the emails were SPAM and simply deleted them. The following day a massive cyber attack was executed on SPE in which intellectual property was stolen, privileged executive correspondence was stolen and leaked, Twitter accounts were taken over, sensitive salary information was leaked and terabytes of data destroyed. The enterprise was effectively shut down.  Although the main attack was purportedly conducted by a group called Guardians of Peace, forensic research suggested and U.S. Intelligence later confirmed, the attack was carried out by North Korea.

In both cases the targets had not previously considered themselves at risk of state sponsored cyber assault and were thus unprepared to manage that sort of risk.  Significantly, to the attackers, North Korea and Iran, there was no significant consequence to their attacks and tremendous political and propaganda value.  They now understand the impact of attacks on second and third order targets in the United States.

This message is not lost on other potential cyber malactors with a political, propaganda or terrorist agenda, either nation-state or non-state.  The risk has gone up immensely for U.S. firms and it is incumbent on firms to more aggressively work to understand and manage this risk.

——————–

By Robert Dannenberg, SDI Cyber Risk Practice

Where does your firm stand in the target matrix for cyber malactors?  We’ll address this in an upcoming post in the series.

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security expertsskilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

March 17, 2015

active