"The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown."
- HP Lovecraft, Supernatural Horror in Literature
The hooded hacker hunches over a clacking keyboard, face illuminated by the dim and flickering glow of a monitor. He punches a button and executes the code. He lurks in the dark. He's a monster with the power to annihilate people, governments, and companies.
For most people, the archetypical anonymous and malcontented hacker is as mythological as ghosts and goblins. For enterprise companies, SMBs, and government agencies, however, hackers and hacking teams represent a terrifying threat. According to a recent ZDNet report, the average corporate hack costs companies $4 million. Hacking can can also damage a brand and expose employees and customers to privacy risks.
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research report)
Cybersecurity experts warn that large-scale, coordinated cyber-strikes targeted at essential infrastructure, like last week's Dyn DDoS attack, could cost the economy billions of dollars in lost productivity and potentially harm individuals.
We spoke with several cyber-defense executives about cybersecurity worst-case scenarios. Each executive—CTO and SVP of customer care and co-founder of security analytics company LogRhythm, Chris Petersen, CEO and Chairman of RedSeal, Ray Rothrock, Corey Williams, Senior Director of Products and Marketing of Centrify, and Domingo Guerra, co-founder and president of Appthority—expressed cybersecurity concerns about the burgeoning IoT market, vulnerabilities with the electric grid, and mobile malware.
When attacked, TechRepublic ordinarily advises companies to follow damage-mitigation best practices. In the spirit of Halloween, however, let your fears run wild with these hacking horror stories.
Could someone die or be injured from a hack?
- Chris Petersen: Someone could absolutely be killed from a hack, and it is possible someone already has been. We've known for years that medical devices are vulnerable and could be taken over by a malicious actor operating within a hospital's network, who could easily tamper with life support or drug infusion systems, killing someone in the process. What is unique about hacking as a weapon though, is that a killing blow can be thrown from thousands of miles away. If someone hasn't already been assassinated via a targeted hack, it is only a matter of time.
- Ray Rothrock: Unfortunately, yes. Car hacking has been demonstrated. Shutting down power to a hospital can threaten lives. Network-connected healthcare devices can be misused. IoT is a new frontier with new risks - the things we're putting on the internet range from convenience devices for comfort and lighting to life-sustaining devices like pacemakers and other medical implants.
- Corey Williams: Wearables are deceptively private. Owners may feel that due to their ongoing proximity to the body, they're less likely to fall into the wrong hands. However, hackers don't need to take physical possession of a device to exploit a hole in security. The best news is that solutions already exist that can easily wrap wearables into the identity management picture.
- Domingo Guerra: While most hacks aren't life threatening, successful hacks have been executed on a pacemaker, a radiation machine (to give higher than prescribed doses), IV drip therapy devices, etc. Naturally, any attack that alters the operation of life-dependent devices or doses of life-saving drugs puts people at risk of death.
What is the real-world, material threat of a cybersecurity hack?
- Ray Rothrock: Exactly the same as the results of Stuxnet. A purely digital attack, carried on a USB stick, caused an industrial controller that had control of a real-world spinning centrifuge to misbehave. A purely digital disruption caused cracking and failure of real equipment processing real Uranium. These are well engineered attacks. In the west, we have nuclear power facilities, fuel processing plants, oil refineries, chemical plants handling toxic substances, dry cleaning facilities, even old-world manufacturing plants dealing with paints and carpets, and the noxious chemicals that go with them. Any and all of these include digital devices that can cause real world damage if connected to a network that is not resilient.
- Corey Williams: For example, the Springfield, Illinois, water utility hack from Russia in 2011 destroyed a primary water pump. The hackers stole the usernames and passwords from a third-party vendor that maintained the control software for its customers, and then used those credentials to gain remote access to the utility's network and reconfigure the pump for failure.We have all read stories of hackers remotely taking control of vehicles and interfering with the operations of the vehicle. While only a proof of concept, it constitutes a real-world threat. There is nothing inherent to being in the west that provides extra protection or exemption from the threats of cyber attackers. On the contrary, the west has become a primary target.
- Domingo Guerra: Major systems from the internet (upon which much of commerce, defense, and communications are reliant) to the power grid, the water supply, and food distribution can all be disrupted by cyber attacks. In the west this could affect our ports, major industries like tech, manufacturing, and agriculture, and make military installations vulnerable.
Could hackers take down the power grid or tamper with water supplies?
- Chris Petersen: Much of the U.S. critical infrastructure is woefully unprepared to defend itself from a highly motivated and capable threat actor. What concerns me most is an attack against our energy grid. A prolonged outage of days would be a damaging blow to our economy and likely result in loss of life. An outage of weeks could unravel our society and be the apocalyptic event "preppers" are preparing for. For more than a decade, we've known that targeted malware can damage industrial control systems (ICS), which are the same types of systems that make up our energy grid. While energy companies and utilities have improved their posture to comply with regulations like NERC / CIP, I think this will be "too little too late" if they're targeted by a highly skilled threat actor with the most sophisticated cyber weapons.
- Ray Rothrock: Absolutely, you don't have to blow up a substation to knock out a power grid anymore. It can be done with keystrokes from halfway around the world. The best defense is segmentation - separating networks from each other. Unfortunately, all the momentum these days is in the opposite direction - connecting networks and adding more things to the internet, whether they are ready for a scary, hostile environment or not. We need to plan for resilience - breaks are inevitable. When we build a chemical refinery or toxic waste pipeline, we don't just build it sensibly up front and hope for the best - we plan for failure, we design in emergency procedures and recovery plans. Much of the internet has not yet gotten around to thinking about resilience this way and can therefore fail dramatically if pushed hard.
- Corey Williams: Yes. Utilities in general often have aging, and even antiquated, infrastructure that was not designed to withstand the sophistication and ubiquity of hacking tools available today. Utilities need to add a second layer of identity assurance for access to any command and control software. This simple and inexpensive effort would ensure the availability and safety of our most precious resources.
- Domingo Guerra: Unfortunately, yes. As an example, Ted Koppel's book Lights Out warns of just how vulnerable these systems are.
In what ways does hacking undermine institutional trust? Not just in the government, but in corporations, service providers, and the economy?
- Ray Rothrock: Hacks, and the fear of hacks, increase the tendency for worried people to pull money out of the bank and put it under their mattresses instead, since those mattresses are not yet connected to the internet. We share personal information with many institutions, information that we trust they will keep confidential and secure. When their network and that trust is successfully breached, the foundations of civil society and economic behavior can crumble. Trust, trust in a brand or trust in government, takes a long time to build but can fall apart quickly after a data breach.
- Corey Williams: CEOs and executives across all enterprises are being targeted in the exact same manner as our political leaders. If they are not proactive with cybersecurity they will find themselves at the center of the next cyber-attack story. Instead of building customer relationships and brand goodwill, compromised enterprises will instead face huge barriers to regain trust and rebuild their brand.
- Domingo Guerra: One example is the slow uptake of mobile banking. Consumer studies have shown that consumers don't trust their banks to have secure mobile apps. Mobile wallet providers also suffer from lack of consumer confidence.
SEE: The Internet of Things threatens to unleash security, privacy, and legal nightmares (Tech Pro Research report)
What emerging cybersecurity trends are you monitoring?
- Ray Rothrock: Ransomware will be largely countered by better backups, but if attackers find the cost/benefit equation favorable, they will make fancier attacks which lie dormant long enough to infect backups too. IoT has barely gotten started - as we add millions, or even billions, of weakly defended, simple devices to the internet, we are likely to see even more record-breaking DDoS waves. If we put really tempting IoT devices onto the internet, we can express cross-pollination of these attacks - ransomware applied to IoT, where critical sensors will be locked down unless you pay Bitcoins to some hard to trace account. If it's your artificial lung, would you pay? So we are in for more of the same unfortunately. Coordinating attacks from multiple devices will be easier and more common. The recent DDoS attacks are good examples of that. Nothing is being destroyed or stolen, but simply impacting business processes and speed are threats to economic activity.
- Corey Williams: As we become accustomed to and even numb to the cyber-breach-of-the-day story, there always seems to be something scarier to top the last story. The recent Dyn DNS DDoS attack that crippled much of the internet is an example where the story has shifted from the "so-what" hacking of IoT devices to much larger scale implications. Botnets that leverage millions of hacked devices are capable of taking not just a single company or utility offline, but potentially whole countries at a time. Imagine if all our cell phones, instant messengers, email, and other forms of communication were impacted for even a short period of time.
- Domingo Guerra: We'll see a growing understanding of the link between mobile use and security risk at home and at work. We'll see more IoT attacks and more successful and sophisticated mobile attacks as well. On the bright side, this will also lead to increasing sophistication around detection and deeper threat intelligence. We'll see innovations in extremely advanced mobile app analytics that identify, track, and alert for things like apps making URL requests to known malicious destination addresses, or addresses that are deemed geographically undesirable by IT teams.
- Five essential cybersecurity podcasts for IT professionals (TechRepublic)
- 2017 cybercrime trends: Expect a fresh wave of ransomware and IoT hacks (TechRepublic)
- Cyberwar: The smart person's guide (TechRepublic)
- How to safely access and navigate the Dark Web (TechRepublic)
- IT Security in the Snowden Era (ZDNet)
- Cybersecurity sleuths learn to think like hackers (CNET)
- Inside look at the race to outsmart hackers (CBS News)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.