If you didn't know it before, you probably know it now. After the recent ransom attacks on a US pipeline and a meatpacking plant, it's clear our economy is at the mercy of rogue cybercriminals. We know individual hospitals and other enterprises have been attacked in the past. Business is booming for these cybercriminals, whether they are working with the cooperation of foreign governments (Russia comes to mind) or not. Trains, planes, electric grids, all things military, medical systems, water, financial systems, you name it—if it's computerized, it's vulnerable.
Financial fraud and ransomware attacks have been around for a while. Individuals have been targeted for years, but ransomware attacks, in particular, are going after bigger and bigger targets nowadays. In such attacks, malicious software is injected into computer systems to steal and/or lock data. The good news is that unless you're Warren Buffett or the like, you don't have enough money to make extorting you worthwhile to the more sophisticated hackers, as long as the multi-million and billion-dollar industries are paying big bucks to cybercriminals.
How do we combat this serious threat? Forbid companies to pay ransoms, as Energy Secretary Jennifer Granholm suggests? Easier said than done. When faced with a company shut-down, I believe most company leaders would rather quietly pay the ransom, without informing the government, than risk having their data destroyed or their operations halted.
That's why I ask, WWED? If you don’t know what that means, here’s a hint: What Would Estonia Do? Yes, that country just south of Finland and bordered by Latvia, Russia, and the Baltic Sea appears to be way ahead of the US and most other nations when it comes to protecting itself against cyberwarfare.
The reason for this expertise dates back to the 2007 Russian cyberattack on Estonia. You can read about the interesting history of Estonia elsewhere, but suffice it to say the Russian government's animosity towards that small country intensified when Estonians moved a monument dedicated to the Soviet Red Army away from the center of the capital, Tallinn, where it was erected by the Soviets in 1947, to the corner of a cemetery on the outskirts of the city.
Some Russian people living in Estonia were offended, and rioting took place in Tallinn. Over one hundred people were injured, and one person killed. The day after the disturbance began, Estonian banks, media outlets, and governmental offices were shut down by botnet cyberattacks that overwhelmed servers with spam and online requests. Estonia was a very digitally advanced country even then, and the attack left the populace without access to cash, online banking, news, or governmental services.
The attack was initiated by the Kremlin and magnified as malicious groups joined in. In the aftermath, Estonians became experts in cyber defense and established the Cyber Defense Unit, in which the country's leading IT experts volunteer to protect the nation's telecommunications infrastructure from cyberattacks. In addition, they work with youth groups and the public to promote best practices.
In 2008, the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) was established as a multinational organization that conducts "cyberdefense research, training and exercises covering the focus areas of technology, strategy, operations and law." The host nation for this organization is—you guessed it (or should have guessed it)—Estonia.
Every year CCDCOE organizes Locked Shields, the largest and most complex international live cyber-defense exercise in the world (won by Sweden in 2021). It is responsible for the Tallinn Manual 2.0, the most comprehensive analysis of how existing international law applies to cyberspace.
What, exactly, has Estonia done to strengthen the country's protection from cybercrimes?
For starters, they promote cybersecurity awareness in their general education. Proper computer "hygiene" is encouraged. This includes password management, use of multifactor authentication, and data backups (I'm feeling negligent just writing this).
They lead the world in encryption of personal data. The national cryptographic identification system is used by the public for virtually every transaction, including voting. Everyone has a smart card linked to two encryption keys: a private key for signatures and a public key for identification. Their encryption standard is very high, at 384 bits, and their national system is continually updated to protect against vulnerabilities.
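To make the card-based scheme concrete, here is an added illustration written for this post; it is not Estonia's code or a description of the real card's internals. It assumes the usual arrangement of two distinct key pairs on the card, one used only to authenticate to services and one used only to sign documents, and it assumes the "384-bit" figure refers to the P-384 elliptic curve. The type and function names (Card, Authenticate, SignDocument, VerifyChallenge, VerifyDocument) and the sample document are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Card is a simplified model of an identity smart card holding two separate
// P-384 key pairs: one only for authenticating to online services, one only
// for signing documents. Curve choice and names are assumptions for this
// illustration, not facts about any real card.
type Card struct {
	authKey *ecdsa.PrivateKey
	signKey *ecdsa.PrivateKey
}

// NewCard generates both key pairs. On a real card the private keys are
// created on-chip and never leave it; here they simply live in memory.
func NewCard() (*Card, error) {
	authKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{authKey: authKey, signKey: signKey}, nil
}

// The public halves are what a service or a document recipient would obtain
// from the certificates issued for the card.
func (c *Card) AuthPublicKey() *ecdsa.PublicKey    { return &c.authKey.PublicKey }
func (c *Card) SigningPublicKey() *ecdsa.PublicKey { return &c.signKey.PublicKey }

// Authenticate answers a service's fresh random challenge with the
// authentication key. The purpose label mixed into the hash keeps a login
// response from ever being interpretable as a document signature.
func (c *Card) Authenticate(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.authKey, digest("auth", challenge))
}

// SignDocument signs a document with the dedicated signing key.
func (c *Card) SignDocument(doc []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.signKey, digest("sign", doc))
}

// VerifyChallenge runs on the service side: the response is accepted only if
// the card's authentication key produced it over the challenge just issued.
func VerifyChallenge(pub *ecdsa.PublicKey, challenge, response []byte) bool {
	return ecdsa.VerifyASN1(pub, digest("auth", challenge), response)
}

// VerifyDocument runs wherever the signed document is received.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest("sign", doc), sig)
}

// NewChallenge makes the random nonce a service sends to the card, so a
// captured response cannot be replayed against a later login.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// KeyBits reports the curve size of a public key (384 for P-384).
func KeyBits(pub *ecdsa.PublicKey) int { return pub.Curve.Params().BitSize }

// digest hashes a purpose label plus the message with SHA-384, the hash
// conventionally paired with P-384.
func digest(purpose string, msg []byte) []byte {
	h := sha512.New384()
	h.Write([]byte(purpose + ":"))
	h.Write(msg)
	return h.Sum(nil)
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs: a service login and a document to sign.
	challenge, _ := NewChallenge()
	resp, _ := card.Authenticate(challenge)
	doc := []byte("I agree to the terms of this (constructed) contract.")
	sig, _ := card.SignDocument(doc)

	fmt.Println("key size (bits):", KeyBits(card.SigningPublicKey()))
	fmt.Println("login accepted:", VerifyChallenge(card.AuthPublicKey(), challenge, resp))
	fmt.Println("document verifies:", VerifyDocument(card.SigningPublicKey(), doc, sig))
	// Cross-checks: the wrong key never verifies, and an altered document fails.
	fmt.Println("auth key verifies document:", VerifyDocument(card.AuthPublicKey(), doc, sig))
	fmt.Println("tampered document verifies:", VerifyDocument(card.SigningPublicKey(), []byte("altered"), sig))
}
```

The point of keeping two key pairs is that a login exchange and a legally meaningful signature are different acts: a service that collects challenge responses can never assemble a document signature from them, and the signing key is exercised only when the holder deliberately signs something.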
In Estonia, the public and private sectors cooperate. They have systems in place to detect intrusions and provide protection, making use of blockchain technology and a central monitoring, reporting, and resolution system for cyber incidents. Vital service providers are required to assess and manage their cyber vulnerability.
What's going on in the US?
The US Digital Service (USDS) was established in 2014 in response to a Chinese government hack of the US Office of Personnel Management. It is in the executive branch and works across the federal government to bring modern digital solutions to services such as Medicare and veterans' services.
The Cybersecurity and Infrastructure Security Agency (CISA) was established in 2018 to defend against cyberattacks. Working under the Department of Homeland Security, CISA is responsible for improving the nation's cybersecurity and communications infrastructure. Legislation allowing data sharing between the US government and technology and manufacturing companies has been criticized by privacy advocates.
In 2020 the US Army and the Estonian defense ministry signed an agreement enabling the countries to collaborate in cyberdefense.
Currently, there are approximately 300,000 active cybersecurity-related job openings.
Meanwhile, the US encryption standard is 128-bit to 256-bit (security increases exponentially with each bit). We still rely mainly on "wet" signatures. (How good is your signature on an iPad screen? I know mine leaves a lot to be desired.) We have quite a ways to go to catch up with Estonia.
What happened with Colonial Pipeline?
They were attacked by DarkSide, a Russian cybercriminal group that imitates legitimate businesses. DarkSide is one of many for-profit ransomware groups the Russian government allows, as long as they only attack foreign entities. DarkSide uses code resembling that used by REvil, another hacking group that was initially thought to be behind the Colonial Pipeline hack.
As I am writing this, it was announced that some of the money paid by Colonial Pipeline was recovered by federal authorities after the FBI got the private key to the DarkSide Bitcoin wallet. How this was accomplished is not yet publicly known. This is the first recovery by the Justice Department's ransomware task force. That's good news, but the problem is far from solved.
I think I'll back up my data now.