2017 saw some of the most sensational and devastating cyberattacks in history. From the Equifax breach, widely considered the most devastating cyberattack in history, to the Bad Rabbit ransomware epidemic, hackers have diversified their tactics and capitalized on a wide spectrum of vulnerabilities to wreak havoc on whole industries.
While all kinds of organizations, from government agencies to multinational corporations, have been victimized by cyber criminals over the past year, the danger to national critical infrastructure is the most pressing threat, in both exploitable vulnerabilities and potential damage of an attack. Identifying the patterns and trends of recent hacks can give insight into what methods hackers will likely employ over the coming year.
Understanding the Vulnerability of National Critical Infrastructure
Critical infrastructure is exposed in a number of ways. The first has been manifest by the trends in technological development over the past several years. Over the past several years, an important shift has occurred within the operations protocols for running the critical infrastructure of most modern nations.
The machines and systems used to handle everything from water movement to electrical power to healthcare facilities has turned from being manually and analog-operated to completely digitized. These digital systems both control the infrastructure and collect and store data on their operations.
While this has certainly had its benefits by increasing efficiency and operational scale, the move has also exposed critical infrastructure to threats from criminals and other malicious actors in the cyber sphere. Furthermore, due to the rapid spread of digitization, the industry must now deal with a significant shortage of experts with the requisite skills to secure the infrastructure in its new digital platform. Since cyber has taken over control systems, there is a need for analysts who understand both digital security and control system technology.
The threat of equipment being hacked at various points along the supply chain has increased the risk to critical infrastructure. “Supply chain hacks,” as they are often referred to, includes compromising both hardware and software at some stage before it comes into possession of a user. Hackers have been known to use this tactic targeting critical infrastructure, in particular.
The 2014 series of HAVEX Trojan hacks stand as a strong example. Cyber criminals were able to hack into the sites of program developers and digitally poison download commands on various sites that hackers assessed would be visited by critical infrastructure firms. This has proved to be a significant liability for many Western nations.
Other factors contributing to the increased threat include the expanded market for malware tools via the dark web, as well as tendencies within industries dealing with critical infrastructure failing to update operating systems, a problem that profoundly contributed to the WannaCry epidemic (see below).
The Growing Trend
In short, the potential exposure of critical infrastructure is real. The attempts, many of which have been successful, of hackers to capitalize on these weaknesses serve as a testament to this.
Attacks demonstrating this vulnerability are not altogether new. The U.S., for instance, for years fended off Iran-backed hackers targeting its critical infrastructure before the current “cold peace” attained through Obama’s nuclear deal. The Iranians had a few significant successes over that period, including the infiltration of the computer systems controlling a major dam in upstate New York in 2013. The hackers would have been able to release the water held back by the dam if not for the fortunate fact that the sluice gate had been manually disconnected from the digital grid for maintenance purposes.
There were also several high-profile attacks on critical infrastructure in 2017. Arguably the most severe instance was the WannaCry epidemic. In the May series of attacks, hackers unleashed a ransomware program that targeted British National Health Service (NHS) hospitals, among other victims. Unable to access their data, many NHS facilities grounded to a halt and were forced to turn patients away.
The WannaCry epidemic highlighted the particular vulnerability of organizations in charge of critical infrastructure. It was later discovered that hackers were able to penetrate NHS and other systems by exploiting a long-existent flaw in old versions of the Windows operating system.
Ironically, Microsoft had made a patch for the flaw publicly available after company analysts had discovered it months before the WannaCry epidemic. In an analysis of critical infrastructure attacks over the past several years, researchers of the Organization of American States found that half of all successful hacks were due to vulnerabilities left by unpatched programs.
The year ended with another surprising attack on critical infrastructure, this time in an as-of-now unspecified location in the United States. In early December, hackers deployed malware designed to manipulate industrial safety systems against an electrical power station equipped with Schneider Electric brand machinery.
In a report on the attack issued by Mandiant, analysts stated that hackers had developing the malicious programs, dubbed Triton, in order to cause “physical damage” to power stations and shutdown operations.
Highly reminiscent of the Iranian attack in New York nearly five years ago, Triton is representative of a growing trend that is indicative of the direction hackers will likely be moving in the near future — namely attacks that disrupt the physical functioning of infrastructure systems. As cyber researchers from Dragos related, “the tradecraft displayed is now available as a blueprint to other adversaries,” and that Triton “represents an escalation in the type of attacks seen to date, as it is specifically designed to target the safety function of the process.”
Formulating a Response
Compounding the danger of the vulnerabilities is the suspicion that rogue state sponsors are the primary culprits behind many of these attacks. Both the U.S. and the UK, for instance, reached the conclusion that the North Korea-affiliated Lazarus group was behind the WannaCry catastrophe. The recent Triton attack was also assessed by Mandiant, in the above-referenced report, to be the work of an “actor sponsored by a nation state.”
In the face of this escalating threat, governments have begun to formulate new policies to correct these vulnerabilities. Already in October, legislation was introduced in the U.S. requiring security and intelligence arms in Washington to give an all-encompassing assessment of the digital grid.
The bill requires several federal agencies and their heads, including the Director of National Intelligence, the Secretary of Energy, and the Secretary of Homeland Security, to team up and produce a report delineating the risks to critical infrastructure and how to correct them. What is important about this legislation, in particular, is that it lays the groundwork for Washington to potentially regulate private industry dealing with critical infrastructure systems.
This may be a welcome change. Considering that many of the dangers to critical infrastructure come from outdated operating systems, standards of application, and program security, it would likely help to have enforceable standards across the whole sector.
Defining the Problem
Even if countries pass legislation to create new rules on operating critical infrastructure, countries will still be left with the more basic problem of defining what actually constitutes critical infrastructure. This is absolutely essential from a strategic perspective. If the international community has correctly assessed that the emerging criminals and state-backed hackers will focus on critical infrastructure, then it is vitally important to determine what targets are included in this category. This is no simple task, for a variety of reasons.
First off, industries are resistant to having themselves branded as critical infrastructure, out of concern that this designation will ultimately lead to more governmental control. Take, for example, the announcement of former Secretary of Homeland Security Jeh Johnson defining state and local elections as critical infrastructure. Johnson faced strong opposition from some state election officials claiming that this would spell a federal takeover of the electoral process.
In the end, a comprehensive effort by the U.S., or any country, will involve a balancing act of weighing private and local government autonomy against national security concerns. What seems to be certain, however, is that with critical infrastructure now at the top of cyber risks, the challenge of securing these systems will grow more difficult. It is now incumbent on firms involved in operating and contracting for these systems to look to the future and plan how to meet that challenge successfully.
The civil war in Yemen will soon hit its 1,000-day milestone. Since clashes between the warring factions began three years ago, the interests and concerns for the United States in the Gulf nation have been building and changing, creating an increasingly complicated web through which policymakers and war planners now need to traverse.
America’s security interests in Yemen began in the early years of Bush’s global War on Terror. One of the first targets was Ali Qaed Sinan Al-Harethi, a key suspect in the USS Cole bombing, who was killed in a Predator drone strike in November 2002. Since then, America’s emphasis on Yemen has grown.
Over the next several years, Yemen became a center of Al-Qaeda operations under its regional branch, Al-Qaeda in the Arabian Peninsula (AQAP), formed in 2009 by a merger between two offshoots of the Jihadist network in Saudi Arabia and Yemen. U.S. intelligence relentlessly chased down AQAP officers, mostly in the less populated eastern regions of the country, such as the Ma’rib province.
The commencement of the Yemen civil war in 2015 created a whole new arena for U.S. intelligence and defense to operate in. The outbreak of violence further undermined law and order in a country already hard-pressed to maintain government control. Al-Qaeda was able to further solidify its control over large swaths of territory in the country’s east.
First and foremost, the war has created fertile ground for the expansion of jihadist groups in the country. ISIS established its Yemen province in 2014, capitalizing on sectarian fractures, which were then exacerbated by the civil war, to rake in recruits. When the Islamic State came onto the scene, it opened up a new front for the American intelligence community.
While many observers were led to assess the group as an inconsequential factor in the country — primarily due its lack of territorial control — the recent beginning of drone strikes aimed at ISIS fighters in Yemen suggests that the group has also become an important threat in the eyes of U.S. policymakers.
As violence escalated, the U.S. was forced to close its embassy in the capital of Sana’a. The move drastically curtailed America’s ability to conduct counterterrorism operations in Yemen, as the CIA was running its operatives primarily under the guise of diplomatic workers in the embassy.
The second paradigm shift brought on by the civil war has been the opening of a proxy conflict between the Iran-led Shiite Axis and a coalition of regional nations headed by Saudi Arabia. While Iran began funneling weapons and funding to the anti-government Houthi rebels, Saudi Arabia has been backing forces loyal to president Abdrabbuh Mansur Hadi, while waging its own brutal air campaign in the country.
With all its flaws, the U.S. has a deep interest in backing its Saudi allies in Yemen. Saudi Arabia provides the U.S. with military installations and cooperates with the U.S. in intelligence gathering efforts, not to mention the business and energy interests that the U.S. has relating to the Saudi oil industry, a relationship that continues to grow to this day.
The escalating conflict in Yemen has shown a real need for America to protect its Saudi allies. Ballistic missiles provided by Iran have repeatedly been fired into Saudi Arabia over the past several years. The U.S. has thrown in substantial support for Saudi Arabia on this issue specifically. The U.S. provided the Saudis with Patriot anti-missile systems to defend its most sensitive locations, especially around the capital of Riyadh.
However, the U.S. has stopped short of becoming a full-fledged member of the Saudi coalition. The U.S. could not fully support the brutal tactics of the Saudi kingdom in putting down the Houthi faction. Assisting its allies in the region was limited to defensive assets like maintaining the Patriot batteries stationed in Saudi Arabia and other logistical support such as refueling Saudi war planes flying back and forth from bombing sorties. Even this minimal support has not been easy for the U.S. to maintain.
The involvement in the civil war has drawn tremendous criticism from both policymakers and the public. Furthermore, despite the public narrative depicting the Saudis as America’s sole concern in Yemen, American strategists see their interests in Yemen as not necessarily bound to the civil war. While it is important for the administration to track down and eliminate AQAP members, this is seen as having nothing to do with what is essentially a local conflict between opposing factions.
Over the recent period, however, signs have been popping up indicating that the U.S. is expanding its involvement in Yemen, perhaps indicating a broader commitment in the country all along.
Recently, US Central Command (CENTCOM) revealed that the military has conducted over 120 strikes in Yemen since the start of this year, in order to “disrupt” militant activity in the country. This number included “several ground operations” according to the official statement. In light of this CENTCOM report, the infamous Yemen raid approved by President Trump in January that resulted in the death of a Navy SEAL team member and as many as 30 civilians was only the first of many ground operations that have taken place in 2017.
Drone strikes in Yemen have apparently been ramping up as well. While American drones have been conducting strikes in Yemen for years, the number of strikes has risen over the past several months. Most of these attacks have been targeting jihadist groups not necessarily connected to the civil war.
However, there are clear signs that the U.S. is targeting Houthi assets as well. In early October, an American Reaper drone was shot down by Houthi rebels with a surface-to-air missile near the capital of Sana’a. In response to the incident, a Pentagon spokesperson admitted that the drone was on a mission aimed at Houthi targets, and, more importantly, that such operations are regular occurrences.
Ironically, as America continues to escalate its military activity in Yemen, the government has also begun to signal its desire to immediately cease all hostilities in the country. State department officials announced late last week the position of the United States that the Yemen conflict cannot be resolved through conflict, only “aggressive diplomacy.” Furthermore, according to Deputy Assistant Secretary of State Tim Lenderking, there is “room for the Houthis in a political settlement” that the U.S. can live with. “We’re pushing everybody to move into a political process as quickly as we can,” Lenkering added.
These statements by American diplomats underscore the serious dilemma that the U.S. has to now deal with in Yemen.
On the one hand, the U.S. cannot stand idly by, watching the deteriorating humanitarian crisis in Yemen, a problem that has truly spiraled out of control. In what has become likely the largest current humanitarian crisis in the world, some 80 percent of the Yemeni population now lacks access to food, fuel and clean water, according to the Red Cross. Adding to this is the fact that at least 50 percent of Yemen’s health care facilities have been destroyed in the past two and a half years of fighting, leaving the diseased and weak population with no recourse.
This nationwide horror was brought about by the relentless coalition bombing and allowed to fester due to a three-week Saudi blockade of the country, lifted only earlier this month. Keeping Yemen from descending further into famine and rampant disease will require a massive internationally orchestrated effort, something obviously not possible as long as the two sides in the civil war continue to be at each other’s throats.
Lenderking alluded to this quandary that the U.S. finds itself in during his statement to the press. “We cannot welcome [the Houthis] when they rocket our allies like Saudi Arabia on a regular basis, and also not when the Houthis are menacing the border of Saudi Arabia, which is something that goes on very consistently,” he said.
Right now, America must pursue a delicate balance: protect its interests in the country, while not further conflagrating the already-desperate situation of the Yemeni people and effectively pushing for an end to the violence.
The U.S. has the leverage to push such a strategy forward. While America should not cease the purely defensive assistance it offers to Saudi Arabia and other coalition members, it can pull the plug on all other forms of logistical support. This includes the refueling and other maintenance support to coalition military assets. Ending all attack and reconnaissance drone operations in the conflict zones, especially in the regions around the capital of Sana’a, would send a strong message to all parties that the U.S. is serious about not supporting the continuation of violence.
In this way, the U.S. will be able to advance both of its interests in the Yemeni civil war: helping to keep its allies safe from attack, and pressuring coalition members to halt hostilities.