Daniel Lohrmann - Cyber Mayday and the Day After

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data is Available:

ISBN: 978-1-119-83530-1 (Hardback)

ISBN: 978-1-119-83532-5 (ePDF)

ISBN: 978-1-119-83531-8 (ePub)

COVER DESIGN: PAUL MCCARTHY

COVER ART: GETTY IMAGES: AERIALPERSPECTIVE IMAGES / JOSE A. BERNAT BACETE

We worried for decades about WMDs – weapons of mass destruction. Now it is time to worry about a new kind of WMDs – weapons of mass disruption.

–John Mariotti

Tuesday, May 1, 2035

Something was not right.

As Julie stood by the front door of her parents' home in Park Ridge, Illinois, her A-ride (slang for autonomous transportation) was nowhere in sight. She was going to be late for work. “My new boss is going to be furious,” she inwardly panicked.

This was the one day a month that she actually was required to be downtown for a team meeting, and her 7:15 a.m. FastUber pickup (with nonstop express service to the Chicago Loop) was nowhere to be found. And FastUbers are never late.

“Miranda – where is my ride? What's going on? Where are all the cars?”

Strange, no response from her automated assistant, which usually answered her questions before she even finished her sentences. Julie momentarily thought about her grandmother as she peered angrily at the small speaker over her glasses. She briefly smiled when she thought about how she nicknamed her personal assistant Miranda, in memory of her grandmother.

“Now I'm pissed! I even paid extra for express today.” As Julie noticed that both the children across the street and Mr. Stevens next door were also waiting for their rides, she realized something else must be happening. A new emotion overcame her – fear.

Julie went back in the house and shouted at the wall. “NEWS!”

A holographic image of CNN lit up the room, showing two reporters standing under a chyron reading: “BREAKING NEWS.” An artificial intelligence voice announced: “Widespread impact is simultaneously hitting global airports, Wall Street firms, international banks, the London Underground, Australian ports, and thousands of educational learning centers.”

Julie posed her question to the hologram: “Do you believe this may be a nation-state attack?”

A reporter standing in front of New York's One World Trade Center responded: “That's certainly a likely possibility. Mass transit has stopped, banks are down, some cities are experiencing power outages, hospitals are on emergency generators, school technology is down, universities have canceled classes, and, most shocking of all – trading floors from London to New York to Chicago are now closed.

“Hold on a moment, please, we are receiving word that the president of the United States has just declared a Nationwide Cyber Emergency, under the authority of the Cyber Disruption Act of 2028.”

While this 2035 Mayday scenario is just fiction, the bombardment of daily security incidents is beyond eye-opening in real life. With the ongoing digital transformation, which accelerated even faster in diverse areas of society and every corner of the globe during the COVID-19 pandemic, the impact of cyber emergency incidents has been felt from hospitals to high schools, from elections to electric grids, from main street retailers to Wall Street bankers, and from small-town PTA meetings to United Nations Security Council meetings.

The following quotes are very real, coming after an unprecedented barrage of cyberattacks hit global governments and businesses in 2020 and 2021:

President Joe Biden: “We've elevated the status of cyber issues within our government,” President Biden said in a national security speech at the State Department. “We are launching an urgent initiative to improve our capability, readiness, and resilience in cyberspace.” 1

U.S. Federal Reserve Chairman Jerome Powell: When we talk about cyber risk, what kind of scenarios are we looking at? U.S. Federal Reserve chairman Jerome Powell responded to host Scott Pelley, as part of a 60 Minutes interview, “All different kinds. I mean, there are scenarios in which a large payment utility, for example, breaks down and the payment system can't work. Payments can't be completed. There are scenarios in which a large financial institution would lose the ability to track the payments that it's making and things like that. Things like that where you would have a part of the financial system come to a halt, or perhaps even a broad part.”Powell continued: “And so we spend so much time and energy and money guarding against these things. There are cyber attacks every day on all major institutions now. And the government is working hard on that. So are all the private sector companies. There's a lot of effort going in to deal with those threats. That's a big part of the threat picture in today's world.”Pelley: “How have we gotten away with not having a disaster like that?”Powell: “You know, I don't want to jinx us. I would just say we've worked very hard at it. A lot of us have worked very hard at this and invested a lot of time and money and thought. And worked collaboratively [sic] with our allies and with other government agencies. But there's never a feeling at any time that you've done enough or that you feel safe.” 2

FireEye CEO Kevin Mandia during U.S. Senate testimony on the Solarwinds breach: “Early in our investigation, we uncovered some tell-tale signs that the attackers were likely working for and trained by a foreign intelligence service. We were able to discover and identify these signs in reliance upon our catalog of the trace evidence of thousands of computer intrusion investigations conducted over the last 17 years. We record the digital fingerprints of every investigation we have undertaken with great rigor and discipline, and we are often able to use this catalog of evidence in order to attribute the threat actors in many of the incidents we respond to.“Based on the knowledge gained through our years of experience responding to cyber incidents, we concluded that we were witnessing an attack by a nation with top-tier offensive capabilities. This attack was different from the multitude of incidents to which we have responded throughout the years. The attackers tailored their capabilities specifically to target and attack our company (and their other victims). They operated clandestinely, using methods that counter security tools and forensic examination. They also operated with both constraint and focus, targeting specific information and specific people, as if following collection requirements. They did not perform actions that were indiscriminate, and they did not appear to go on ‘fishing expeditions.’“Such focused targeting, combined with the novel combination of techniques not witnessed by us or our partners in the past, contributed to our conclusion that this was a foreign intelligence actor. Therefore, on December 8, 2020, we publicly disclosed that we were attacked by a highly sophisticated threat actor – one whose discipline, operational security, and techniques led us to believe it was a state-sponsored attack utilizing novel techniques… .” 3