A cyber crime wave on companies and health services around the world is leading to calls for a kinetic response amid increasing geopolitical tension.
In June alone, 37 companies and organisations around the globe announced that they had been the victims of a cyberattack, of which five were significant health organisations. Meanwhile, according to a report from Associated Press, the US is losing billions to online fraud, with the report citing a figure from the US Securities and Exchange Commission of $137 billion in 2022.
Following Future Intelligence’s PassW0rd radio programme ‘Cybercrime and punishment’ highlighting that the patience of Western governments had become exhausted by the number of ransomware attacks, a number of commentators have suggested that physical retaliation may need to be considered to counter the cyber crime wave.
Cyber crime increasing geopolitical tensions

In one incident of note, the Russian supermarket chain, Verny, was also attacked so that it was unable to process digital payments. No ransom was demanded, and no group took responsibility, provoking speculation that it could have been a tit-for-tat response for the attacks on the West. The Verny attack was one of two that occurred in Russia last month. If the claims of tit-for-tat response are true, it risks raising geopolitical tension and escalation.
The sheer scale of the attacks on Western companies is now provoking open calls for action.
Speaking in the PassW0rd programme, the Finnish billionaire Risto Siilasmaa, founder of the cybersecurity company WithSecure and the man credited with turning around the fortunes of the mobile phone company Nokia, said that there was a need to change the way we respond to cyber incidents and acknowledge their very real-world consequences.
“It’s a mystery to me why we are not doing that as we know for sure that, for example, Russia has been very diligently trying to make people lose trust in the core societal systems like the judicial system or parts of the political system that are essential to our societies, and we just watch from the side. We don’t react, we don’t retaliate in any way.
“If we have a small shooting incident at the border, we are all up in arms, and it’s very, very serious, and we talk about it in the media for days and days. We should issue sanctions, for example, for cyberattacks or attempt to influence elections. We need to take it as seriously as it truly is.”
Targeting the cyber criminals
That exasperation was echoed by Microsoft President Brad Smith at a congressional hearing on the 13th of June, where he stated that the U.S. government needs to “draw red lines” so it is clear to the world “what they cannot do without accountability.”
“We need collective action with the private and public sector and with allied governments so that when those red lines are crossed, there is a public response and people know what has happened,” he said. “We need to start defining some consequences right now because these threat actors are living in a world where they are not facing consequences.”
These are red lines that US leaders had identified over a decade ago. Speaking in a 2014 interview with PassW0rd, the then acting US Cyber Security Czar, Melissa Hathaway, said that she felt that the US should make sure that cyber criminals were aware that certain areas such as hospitals were sacrosanct and that attacks on them would draw an immediate physical response.
Some say those consequences should include practices like extraordinary rendition, the kidnapping of cyber criminals. It is a process fraught with diplomatic difficulties, but one that, given the number of cyber criminals now on sanctions lists, may become increasingly likely. In May, a coalition of police forces including the UK National Crime Agency and the US FBI announced they had disrupted a Russian crime group known as Lockbit, which was responsible for around $1 billion of ransomware attacks. The group’s leader, Dmitry Khoroshev, has had his identity revealed and has been added to international sanctions lists. A reward of $10 million has been offered for information leading to Khoroshev’s capture by the US authorities.
Crime wave targeting hospital patients
In the latest spate of attacks in June, over 37 organisations worldwide revealed that their systems had been attacked by hackers, five of them health systems including the UK’s National Health Service.

The attack on two NHS hospital trusts in London crippled King’s College Hospital, Guy’s Hospital, St Thomas’ Hospital, Royal Brompton Hospital, and Evelina London Children’s Hospital. It caused the postponement of more than 800 planned operations and 700 outpatient appointments. The attacks affected cancer patients and people needing organ transplants and are thought to be the work of Qilin, a Russian cybercrime gang, which demanded $50 million to restore the systems.
The gang attacked the hospitals via computers run by Synnovis, a company which provides pathology services to hospitals and GP surgeries in the capital.
Also attacked in the US in June’s cyber crime wave were the giant Change Healthcare, Ascension Healthcare, and Geisinger Healthcare, while elsewhere the South African National Health Laboratory Service was also hit, provoking concern that the criminal groups were homing in on health systems due to the urgency of freeing up patient data and their vulnerability due to antiquated systems and poor security.
“The healthcare industry in particular is really old, meaning the software, the computer infrastructure is really dated and a lot of them are hard to update, and it’s caused a little bit of a conundrum here where you have hackers really accelerating their attacks and their technological ability,” said Steve McKeon, an expert on healthcare systems and the CEO of MacGyver Tech.
“On the other side, you have the healthcare industry really not stepping up their game at the same level as the hackers are. Unfortunately, I think it’s going to take government oversight for that to happen because most of these companies see security as a burden and not as something that should be top of their list of priorities.”
Attacks spark calls for improved cybersecurity
Many of those interviewed for the PassW0rd programme pointed out that problems with attribution mean that there are huge dangers associated with retaliation using kinetic weapons such as missiles, a factor underlined by Simon Hodgkinson, a former head of cybersecurity for the oil giant BP, who is a strategic adviser to the cybersecurity company Semperis.
“Some criminal gangs are harboured by nations, but that doesn’t mean they’re physically there. Even if you can attribute the attack to a nation. We’ve seen quite a few comments from the US government about China recently. But even if you can directly attribute that, that doesn’t necessarily mean the actors are there.
“I have seen attacks coming in from proxies. So potentially Iranians acting on behalf of Russians, because you’re looking at the tactics, techniques and procedures and saying, well, that’s attributed to that threat actor, but it’s coming through Russian infrastructure.
“So, attribution is going to be difficult, and people would have to be really convinced before it escalates into kinetic space that this was directed by a state government,” said Hodgkinson, pointing out that the only real indications that he had seen came about due to the impact of sanctions.
“I saw a direct correlation whenever anybody applied trade sanctions in response to attacks from certain countries. So North Korea when the trade sanctions increased, you’d see more cyber, cybercrime. Iran, when their sanctions were really turned up in 2018, we saw so many more attacks because cyber was a mechanism for funding Iran’s economy.”
The NATO position
The possibility of a kinetic response to a cyber-attack was first raised by NATO in 2010 but has slipped down the agenda until now. The announcement of the NATO policy, first published by Future Intelligence and The Sunday Times, followed a series of Russian-linked cyber crime wave attacks against NATO members and warnings from intelligence services of the growing threat from China. A team of NATO experts led by Madeleine Albright, the former US Secretary of State, has warned that the next attack on a NATO country “may well come down a fibre-optic cable”.
A report by Albright’s group said that a cyber-attack on the critical infrastructure of a NATO country could equate to an armed attack, justifying retaliation.
Article 5 is the cornerstone of the 1949 NATO charter, laying down that “an armed attack” against one or more NATO countries “shall be considered an attack against them all”.
“A large-scale attack on NATO’s command and control systems or energy grids could possibly lead to collective defence measures under article 5,” the experts said, suggesting where Microsoft’s Brad Smith might lay out some red lines.
The debate over whether a physical response is needed is not a new one. In 2009, the UK and US Governments started work on “strikeback”, an initiative to hit back at the hackers in response to the unprecedented level of attacks being suffered from hacking groups in China, Russia and North Korea, which were suspected of being state sponsored. Among intelligence circles in Washington, DC, at the time, the idea of hitting back at foreign hacking groups was being described as the hottest topic in cyberspace, though one that has only recently seen results, when Khoroshev’s Lockbit group was taken down by the authorities.
New guidelines on cyber resilience expected
In the face of the current cyber crime wave, though, most experts are urging resilience and cyber crime best practices as the solution. That is a policy rumoured to be about to be announced by the UK’s new Labour administration in the King’s Speech, which is expected to set out minimum cybersecurity standards for hospitals and those companies involved in the data supply chains for health services.
“We really must start looking at cybersecurity from a resiliency perspective. And we must change the way that we operate. Threat actors know what’s valuable. They know in the US, Social Security numbers are valuable, and in the US, we’ve tied Social Security numbers to everything. So, until we really stop tying all that information, and we devalue what it is they’re getting their hands on, they’re still going to see value in it,” said Melissa Ventrone, who is the head of the Chicago law practice Clark Hill’s cybersecurity team, and a specialist in ransomware recovery.
“On this concept of resiliency, if we could come up with a concept that enables or helps in the healthcare space. Let’s say a hospital gets hit by ransomware, are there facilities that we can set up that they could plug into almost immediately to continue providing the care and when they’re back up then it gets transferred back over?
“If you have a business, you should be required to have this resiliency concept. So, if something does happen, then you can still continue to operate, provide services to consumers, customers, and businesses. It should be mandated.”