Why we need to take Ukraine BlackEnergy seriously
On December 23, Ukraine civilians experienced the first known incident of a widespread power outage potentially caused by malware. This is the second militaristic use of cyberwarfare to date, but it won’t be the last.
The gravity of this event wasn’t lost on the U.S. The Department of Energy and the Department of Homeland Security are looking at the Ukrainian attack and our own infrastructure. An increase in funds was specifically given to focus on protecting our infrastructure from the same fate.
The attack was most likely carried out by a Russian hacker group known as Sandworm.
Among the malware found on these systems, the existence of BlackEnergy leads to concerns that it may have played a major role. For the first few years of its existence, BlackEnergy was a simple crimeware tool that even amateur hackers could utilize. But within a few years, it was updated and became much more dangerous.
We’ve been fearing the militarization of cyber threats for some time, and that moment is now. It’s an unquestionable danger that the U.S. needs to protect itself against. Our critical infrastructure is in the dark ages, so we need to spend money in the right places and catch up with modern threats.
The weight of the dark
The BlackEnergy hack is one of the first to cause citywide problems — and its implications are devastating. We take electricity for granted, but because it permeates so much of our lives, society is thrown into chaos without it. This is increasingly true with the emergence of the Internet of Things. In major cities, total power failure would lead to civil unrest, hospitals and other emergency services being unable to operate, and death tolls skyrocketing.
Researchers from Yale School of Forestry & Environmental Studies and Johns Hopkins University studied mortality rates during the 2003 blackout in New York City. They calculated expected mortality rates without the blackout and found a larger number of deaths related to the blackout than was reported by the city. The researchers attributed 90 deaths to the blackout while New York City only reported six.
Perhaps more frightening than the thought of a major blackout is the fact that small-scale cyberattacks happen all the time. According to a USA TODAY analysis of federal energy records, some part of America’s power grid suffers a cyber or physical attack about once every four days.
These small-scale attacks are manageable, but they point to bigger problems.
Being honest about risks
With such devastating consequences on the line, the threat hackers pose cannot be understated. Misdemeanor cybercrime, like using a distributed denial of service on a website, happens every day. These attacks are on a much smaller scale, but we’ve seen escalations of these attacks in recent years, which many experts think points to increasing risks of larger attacks.
Our country’s infrastructure is online, which means that anyone clever enough can break through the existing safeguards and gain access. If we don’t want the bad guys to get to it, we need more intelligent systems that can respond as attacks increase — surpassing our ability to react. We need to be more intelligent about how we respond, but we also need to lay out the rules.
Encourage Congress to spend money on creating a more intelligent response to these attacks. Also, access to power currently belongs to private enterprises, so support your local power vendor and municipality in building defensive measures — and even encourage them to work together in a public-private partnership.
With platforms like STIX and TAXII, threat intelligence can be easily shared throughout sectors. These advancements should already be on their way to protecting us against cyberwarfare.
But one of the biggest problems is that no one has defined a cyber act of war. It’s time to start defining rules like “Don’t turn off the civilian power grid so hospitals and emergency services can continue.”
If we don’t clearly define the rules of war for the cyber world, encourage intelligence-sharing across sectors, and employ more intelligent systems that can defend our networks and infrastructure against malicious attacks, then there will continue to be deadly cyberattacks and unclear definitions around what they mean. This is not a time to panic; this an opportunity for us to build a better, more intelligent infrastructure in the U.S.