Don’t feel like reading? Jump to my TLDR closing thoughts.
Are we completely defenseless during nation state cyber attacks? What does preparedness even look like?
Cyber attacks pose a significant threat to a nation’s critical infrastructure. This, we already know.
We have seen glimpses of digital weapons being deployed to cripple a country’s network in Ukraine, where Russian hackers initially targeted MeDoc (which is basically a Ukrainian version of QuickBooks). The hackers pushed a malicious update to all MeDoc users, which allowed the malware to tear through hundreds of corporate networks.
The malware was a modified version of the Petya ransomware, now known as NotPetya. It was extremely virulent, saturating networks very quickly and shutting all connected systems down. While it posed as a ransomware attack, NotPetya’s ransom demands were simply a masquerade to conceal what it really was: an act of cyber war. As a result of this attack, many of Ukraine’s ministries, local banks, payment systems, utilities, and even metro systems were paralyzed.
An experience from a Kiev resident during the attacks:
Mr. Bondarenko is an IT admin at the Ukrainian Health Ministry and had spent the entire day trying to contain the NotPetya ransomware attack at his job. When it was time for him to go home, he left the office and tried to get on the subway but found that NotPetya had destroyed the Kiev metro’s payment system. Naturally, he went out searching for an ATM to get some cash out in order to buy a ticket.
Except all of the ATMs he found were also destroyed by the cyber attack.
When Bondarenko finally found one ATM that was still working, it had a long line of people who found themselves in the same predicament. He waited in line, withdrew his cash (the ATM, of course, had a withdrawal limit), bought a ticket, and took the subway to his neighborhood, where he then headed to a nearby grocery store to pick up dinner for himself and his family. However, the payment system at the grocery store was also paralyzed by the attack. He then repeated the same process of finding an ATM that was not down, waiting in line, withdrawing cash, and so on and so forth.
(If you want to hear more about this attack, please listen to Jack Rhysider’s podcast Darknet Diaries, episode 54; if you want to read more about Sandworm, the group who carried out the Ukrainian attack, give Andy Greenberg’s excellent work Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers a read.)
Facing Targeted Cyber Attacks
I am not an alarmist nor am I a very political person. That being said, in today’s climate of global tensions and the ongoing threat of new conflicts arising (at the time of this writing, the US awaits retaliation from Iran after the assassination of General Qassem Soleimani), I believe the chances of digital attacks targeting our critical infrastructure are higher than ever.
So what does preparedness look like to the technical and nontechnical person alike? A first step, and a conservative approach to preparing yourself and your family to face networks being taken down (or extended periods of blackouts), is to, at the very least, HAVE SOME CASH ON HAND.
We can see through the firsthand accounts of Ukrainians how disorienting it is when the systems we use daily and no doubt take for granted suddenly stop working without any notice. Perhaps this means you take $20-$40 of cash out each paycheck until you have an amount you’re comfortable with… having SOMETHING may prove to be extremely valuable during tumultuous times.
In 2018, we had a so-called gas shortage here in DFW which very quickly caused widespread panic. I ended up walking to a nearby gas station to buy a drink only to find a line of cars several blocks long waiting for their turn to fill their car up. Everyone was tense, nobody seemed to be looking out for one another… overall the mood seemed to be “every man for himself.” As I left the convenience store, a few people were screaming at each other over whose turn it was next. By the time I left the parking lot, the confrontation was being settled over shoves and blows.
While this “shortage” may have only lasted a few days, a week at most, there has been at least some impression left on my mind from it — no longer will I wait until my gas light is on to fill up.
I don’t want to be the one stuck in a line full of panic-stricken, agitated people, waiting for what was once a necessary commodity just yesterday but had suddenly become a coveted scarcity today.
Digital attacks and cyber warfare transcend traditional boundaries. A country on the opposite side of the globe may have the capacity to cripple a metroplex by way of networked computer systems. We are not as secure digitally as we may feel physically. I believe it is a possibility that we will face persistent digital attacks in the coming years, and I believe it is a certainty that we will face them in our lifetime.
As a basic way to begin preparing for critical systems being taken down, it is advisable to have some cash on hand in the event payment systems are paralyzed (e.g. at a grocery store, gas station, or public transit). Maybe that means simply taking out $20 in cash per paycheck until you have enough for a few days of food and a full tank of gas. The idea is to not be overly paranoid and become a full-blown “prepper”… but also to avoid being caught with your pants down.