Better Safe than Sorry: What You Can Do to Prepare For and Respond to Cyberattack

By Eric Perakslis, PhD

DCRI’s Chief Science & Digital Officer Eric Perakslis, PhD, discusses mitigations for cyberattack as well as what to do before and during one.

In the prologue of her New York Times bestseller This Is How They Tell Me the World Ends, Nicole Perlroth describes how a Russian cyberattack on Ukraine in 2016 shut down government agencies, railways, ATMs, gas stations, the postal service, and even radiation monitors at the Chernobyl nuclear site. She goes on to discuss conversations with Ukrainians who felt that they avoided the worst possible outcomes only because so much of their critical infrastructure was not yet connected to the internet. These same interviewees theorized that the United States and other more “wired and connected” countries likely would have suffered far worse disruption in a similar situation.

Fast-forward 3 years to the winter of 2019, when the Department of Homeland Security issued a bulletin to law enforcement agencies stating:

“We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security…. We assess that Russia’s threshold for conducting disruptive or destructive cyberattacks in the Homeland probably remains very high….”

Unlike preparations for the blizzard that will strike my home in Massachusetts tonight, bulletins like these raise important awareness but provide few specifics regarding what people and institutions can do to mitigate the potential effects.

Having had the luxury of time and forensics, we now have a detailed understanding of the Russian cyberattack on Ukraine, including the specific tactics used. While this yielded insights that have been used to increase our cyber resilience, we also know that Russia and other nation-state threat actors have continued to probe and attack our critical infrastructure and industries – including the biomedical sector – with the aim of finding and exploiting potential weaknesses. These activities have been well publicized and, hopefully, studied and used to increase our defenses while minimizing our risks. In the meantime, each of us can take important and worthwhile steps to protect our businesses, homes, families, and colleagues.

In a recent conversation with ED Management, I shared my thoughts about how hospital emergency departments could prepare for and withstand disruptive cyberattacks. There are 4 key things to keep in mind: 1) procedural mitigations, 2) technical mitigations, 3) what should and should not be done during an attack, and 4) how to prepare for cyberattacks. Below, I talk about each of these in detail.

Procedural Mitigations

Procedural mitigations are operational things that people can do to prevent and prepare for cybercrime. They include training, planning, and creating redundant capabilities (such as a paper printout of all important phone numbers) and are often very much within the control and reach of individuals, even if the mitigations are driven at an institutional level. Further, they can even be philosophical in nature, as many people and businesses find that the best way to minimize cyber risk is simply to connect fewer things to the internet. Limiting internet-connected devices, online accounts, and online presence are all examples of effective procedural mitigations.

One downside of procedural controls is that such decisions are often seen as something that should be done by experts, limiting the education and engagement of individuals. Further, procedural controls can be (or seem to be) taken too far, leading to increased risks. For example, employees may find a control too onerous and develop work-arounds that are actually worse than the risk a control is designed to mitigate. (Ever walk by a shared computing station in a business or medical setting and see a sticky note containing the passwords to key systems?)

Technical Controls

Technical controls include software and other tools that directly protect infrastructure: firewalls, virtual private networks (VPNs), anti-malware software, password managers, multifactor authentication tools, and many more. While all of these are potentially effective, they are constantly being probed for weaknesses. Further, many are only effective against threats they have “seen” before. This is why your antivirus software updates daily or even more frequently: there are between 300,000 and 500,000 new malware samples per day, and these programs can only flag code that they have been taught to find. Again, with technical controls, prevention is far better than cure.

What to Do During a Cyberattack

When thinking through what to do before and during attacks, the concepts of incident response come into play, with the “during” phase often being the most critical. How many (actual) fire drills have you had in your professional life? Many companies run them several times per year. How many cyber incident response drills have you had? I suspect zero.

This needs to change. Just as people are trained in what to do when the fire alarm sounds, we all must be educated on how to respond to a cyberattack at a level that goes beyond the intuitive. Many cyberattacks are layered or even “Trojan Horse”-like. For example, an institution whose external network is failing due to a denial of service attack may also be simultaneously attacked via email. As people begin to communicate and work the problem of the network attack, their email usage spikes, providing a perfect opportunity for phishing attacks and similar exploits.
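The layered pattern described above (a network outage used as cover for a burst of lure email) is something a security operations team can look for mechanically. The following Python script is an added example, not code from the article or from DCRI: it correlates a constructed network-status log with a constructed mail-gateway log, compares the inbound mail rate during each outage window against the rate outside outages, and lists sender domains that first appear during the outage. The log format, field names, and threshold factor are assumptions for the illustration.

```python
from datetime import datetime

# Constructed sample logs (not from the article). Format: "timestamp|event|detail"
NETWORK_LOG = """\
2024-01-01T09:00:00|link_up|wan0
2024-01-01T09:30:00|link_down|wan0
2024-01-01T09:45:00|link_up|wan0
""".strip().splitlines()

MAIL_LOG = """\
2024-01-01T09:02:00|inbound|alice@partner.example
2024-01-01T09:07:00|inbound|bob@hr.example
2024-01-01T09:12:00|inbound|carol@partner.example
2024-01-01T09:18:00|inbound|dave@vendor.example
2024-01-01T09:23:00|inbound|erin@hr.example
2024-01-01T09:28:00|inbound|frank@partner.example
2024-01-01T09:31:00|inbound|noreply@it-helpdesk-support.example
2024-01-01T09:32:00|inbound|noreply@it-helpdesk-support.example
2024-01-01T09:33:00|inbound|alerts@account-verify.example
2024-01-01T09:34:00|inbound|noreply@it-helpdesk-support.example
2024-01-01T09:35:00|inbound|grace@partner.example
2024-01-01T09:36:00|inbound|alerts@account-verify.example
2024-01-01T09:37:00|inbound|noreply@it-helpdesk-support.example
2024-01-01T09:38:00|inbound|alerts@account-verify.example
2024-01-01T09:39:00|inbound|noreply@it-helpdesk-support.example
2024-01-01T09:40:00|inbound|heidi@partner.example
2024-01-01T09:41:00|inbound|noreply@it-helpdesk-support.example
2024-01-01T09:43:00|inbound|alerts@account-verify.example
2024-01-01T09:50:00|inbound|alice@partner.example
""".strip().splitlines()


def parse(lines):
    """Turn 'timestamp|event|detail' lines into (datetime, event, detail) tuples."""
    out = []
    for line in lines:
        ts, event, detail = line.split("|", 2)
        out.append((datetime.fromisoformat(ts), event, detail))
    return sorted(out)


def outage_windows(net_events):
    """Pair each link_down with the next link_up; an unmatched link_down is still open (end=None)."""
    windows, start = [], None
    for ts, event, _ in net_events:
        if event == "link_down" and start is None:
            start = ts
        elif event == "link_up" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def flag_spikes(net_lines, mail_lines, factor=3.0):
    """Compare inbound mail rate inside each outage window with the rate outside outages.

    Returns one summary dict per window. A window is flagged when its per-minute
    inbound rate is at least `factor` times the baseline (hypothetical threshold).
    """
    net = parse(net_lines)
    mail = [m for m in parse(mail_lines) if m[1] == "inbound"]
    all_ts = [e[0] for e in net + mail]
    log_end = max(all_ts)
    windows = [(s, e or log_end) for s, e in outage_windows(net)]

    # Baseline: messages per minute over the part of the log that is NOT an outage.
    span_min = (log_end - min(all_ts)).total_seconds() / 60
    outage_min = sum((e - s).total_seconds() / 60 for s, e in windows)
    outside = [m for m in mail if not any(s <= m[0] < e for s, e in windows)]
    quiet_min = span_min - outage_min
    baseline = len(outside) / quiet_min if quiet_min > 0 else 0.0

    results = []
    for s, e in windows:
        inside = [m for m in mail if s <= m[0] < e]
        minutes = (e - s).total_seconds() / 60
        rate = len(inside) / minutes if minutes > 0 else 0.0
        # Sender domains never seen before the outage began are worth a closer look.
        known = {m[2].split("@")[-1] for m in mail if m[0] < s}
        new_domains = sorted({m[2].split("@")[-1] for m in inside} - known)
        results.append({
            "start": s,
            "end": e,
            "inbound": len(inside),
            "rate_per_min": rate,
            "baseline_per_min": baseline,
            "new_sender_domains": new_domains,
            "flagged": len(inside) > 0 and rate >= factor * baseline,
        })
    return results


if __name__ == "__main__":
    for r in flag_spikes(NETWORK_LOG, MAIL_LOG):
        print(r["start"], r["end"], "inbound:", r["inbound"],
              "rate:", round(r["rate_per_min"], 2), "baseline:", round(r["baseline_per_min"], 2),
              "new domains:", r["new_sender_domains"], "flagged:", r["flagged"])
```

In the constructed data the 15-minute outage carries 12 inbound messages (0.8/min) against a baseline of 0.2/min outside the outage, and two sender domains appear for the first time during it, so the window is flagged. A real deployment would feed the same logic from the network monitoring and mail gateway systems and route flagged windows to the incident response team, which is the point of rehearsing the scenario before it happens.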

The good news about all of the above is that the better we understand threat actors and threats, the better informed we are to prevent and mitigate the risks. Below are some digital and physical measures that can be used to prepare yourselves, your homes, and your families in the event of a cyberattack.

Preparing for a Cyberattack

Digital Measures

Think about the wide range of conveniences that have transformed our lives over the last 20 years. Now, consider how we would perform daily functions if they were temporarily unavailable. For example, if the internet went down, many grocery stores would be unable to accept credit cards. In fact, depending upon the digital dependencies of their operations, they might not even be able to accept cash. If your cell phone is locked by an attack, do you have your family’s phone numbers written anywhere? Many families no longer have landline telephones (I don’t), but I always have an unopened, cheap, pre-paid phone available. Think (and talk) it through with your family and make a plan.

  • Have enough cash for 2-3 weeks of incidentals
  • Write down all important phone numbers on paper and have available
  • Purchase and activate a cheap, non-smartphone (sometimes called a “burner”) phone for emergencies
  • Print out your most recent banking, credit card, and utility statements so that you have copies of all important account numbers and addresses
  • Print out copies of all recurrent prescription medications
  • Log out of everything before bed; clear your cache and update your antivirus and VPN software
  • Delete/unsubscribe from all unnecessary accounts
  • Remove any excess/past Wi-Fi connections and passwords from your mobile devices
  • Change all important account passwords, preferably using a good password manager
  • Disconnect any “smart” devices (refrigerators, appliances, doorbells, etc.) from the internet
  • If you use electronic locks on your home, be sure to know the physical code and/or be sure that each family member has physical keys
  • Completely power down all computers, smartphones, tablets, etc. when not in use
  • Set up 2-factor authentication on personal devices
  • Be especially mindful of loose ends, such as a child’s computer that connects to a school system network and/or online educational/classroom tools

Physical Measures

More familiar than digital measures are the physical measures families should already have in place, as these are the same sorts of things one would need in case of serious adverse weather, natural disaster, or disruption of utilities. I’ve provided a short, general list here as these should already be familiar and the details are greatly dependent upon local geography, weather, and proximity to emergency services.

  • Be sure all vehicles and extra fuel cans are fully fueled
  • Have backup options for heating and cooking (note: DO NOT use devices such as portable generators or grills, whether gas or charcoal, indoors or inside a garage. Make sure to follow basic safety guidelines for the use of space heaters and other devices.)
  • Have 2-3 weeks of drinking water on hand
  • If you have vulnerable family members living alone, take them in
  • Have generators fueled and tested
  • Place fresh batteries in all flashlights/lanterns
  • Have a supply of candles, firewood, etc.

Lastly, folks, I get it. This all feels foreign and distant, and I wish that were true. Just as we are seeing more extreme weather that necessitates better preparation, we must do the same for our cyber resilience. I could launch into statistics, but I will just share one. In 2021, there were 10% more medical records stolen than the number of inpatient hospitalizations in the US as tallied by the American Hospital Association.

If you have not read Nicole Perlroth’s book, I highly recommend it. Most information security professionals believe that we are, and have been, locked into a cyber arms race against criminals, hostile nation-states, and even domestic terrorists. It would be wonderful if this were not true, but that would also be fantasy. Stay well and be safe.