On Thursday April 6, 2017, President Trump ordered a Tomahawk missile attack on a Syrian military airfield. This was a direct response to President Assad’s use of sarin gas to attack Syrian dissidents. Just two days later, the password to an encrypted archive of cyber weapons (stolen from the U.S. National Security Agency) was posted by the so-called Shadow Brokers cyber group. This hacking group is thought to have connections with Russia, which is the leading supporter of the Assad regime. They were angered by President Trump’s action.
An immediate beneficiary of this password release was the Lazarus Group, linked with North Korea, which had been launching ransomware attacks at targets over the previous several months. What they lacked was an effective tool to propagate their ransomware from computer to computer. This missing tool, a Microsoft Windows bug called “EternalBlue”, they now were gifted thanks to Shadow Brokers.
The recent Equifax incident was by all measures a significant cyberattack. As the press statement released by Equifax on September 8 highlighted, the data theft potentially impacted approximately 143 million U.S. consumers. To put this into perspective this represents nearly 70 percent of the U.S. working population.
However, we should not be surprised. RMS tracks data theft among other types of cyber events on an ongoing basis, and we have seen numerous events of this magnitude or larger over the last few years. This Equifax breach would have ranked just #7 on the list of the largest data breaches in the 2017 RMS Cyber Risk Landscape report.
We tend to think that critical systems responsible for managing oil rigs, power stations, steel production plants, are somewhat immune to what happens in the “wild west” of cyberspace. News of cyberattacks tend to focus on data theft, financial heists, or bringing down websites; they are contained within IT systems. If cyberattacks are contained in the cyber world, then the logic goes that only cyber insurers should be concerned by the risk.
There is also a sense of security in the belief that critical control systems for “real world” assets and processes would either be too mechanical, too old, not connected to the same network as the wider Internet, or would run on their own networks. The reality is that industrial control systems (ICS) that manage energy, water, transport, communications, and manufacturing plants, are increasingly managed and controlled remotely or need to be networked. Wherever the systems need to use a network, the systems are exposed to vulnerabilities on that network. For non-cyber insurers, this risk needs to be assessed and managed.
The event is arguably the most significant cyber-catastrophe to date and clearly demonstrates the systemic nature of cyber risk. A single vulnerability was utilized to spread malware to over 300,000 machines in over 150 countries causing havoc to industries as diverse as hospitals and car manufacturers.