Companies should protect more than their firms in cybersecurity
Whether it is cybersecurity, counterterrorism, infrastructure protection, election integrity, or disinformation campaigns levied by bad actors, the coronavirus has amplified gaps and exacerbated vulnerabilities. We have seen industries and policymakers attempt to negotiate with the pandemic by cutting corners and downplaying the severity of the threat.
Once they realize it cannot be mitigated by silver-bullet and eleventh-hour solutions, we see frantic approaches emerge with the hope that respected institutions and strong expertise can dig them out of the hole of their own creation. The heartbreaking lessons learned are that there is no substitute for rigorous preparedness, that immediate mitigation of threats is a necessity, and that willful ignorance, for whatever reasons, will end in tragedy.
This dynamic is not new to the national security community. It illustrates that there are no shortcuts, that there is no better time than now to deal with emerging threats, and that investment in these protections and tripwires is a must. The coronavirus has been an unforgiving case study that brings these tenets to light. The crisis has also stretched our ability to manage preparedness and resilience operations to the brink. It has painted clear bullseyes of vulnerability across the national security enterprise.
Most notable is the critical infrastructure of the energy sector. We have all seen oil prices caving in on an industry once thought to be indestructible. The industry has been a target for terrorist attacks, intellectual espionage, and insider threats, so the pandemic and the economic havoc that it has unleashed have only exacerbated these vulnerabilities. There is concern that companies that discounted preparedness and resilience protections before the coronavirus will continue to ignore these critical measures due to the current market focus on crashing demand and revenue.
A case study on ignoring warning signs involves an energy infrastructure company based out of Oklahoma. It is my hope that firms in this industry as well as other critical infrastructure entities will learn from this example and take preparedness and mitigation practices with utmost seriousness. This company was part of the Apollo data breach two years ago that left a database of over 200 million contacts from around 10 million companies exposed. Apollo was a startup company that provided sales and market analysis for clients by utilizing massive commercial datasets.
To conduct that high level of analysis, Apollo needed access to sensitive proprietary data, such as the personally identifiable information of the Oklahoma company's board of directors. That information was compromised and exposed in the data breach. Further, employee login credentials were found on online forums on the open web where information can be shared with little to no digital fingerprint, an indication that the data breach had been exploited and that the exposure had spread.
Once the cat is out of the bag in regard to sensitive information leaking, you either immediately work to mitigate the situation at breakneck speed or the vulnerability will metastasize with even worse consequences. Mitigation tactics ironically tend to be simple in nature, such as notifying those affected so they change their passwords, increasing vigilance, and enabling two-factor authentication. It appears that these simple measures were not taken, because there is evidence that the compromised information was used to socially engineer more nefarious, escalated threats.
Drawing on the coronavirus analogy, we now understand that if immediate measures such as social distancing are ignored, or if people are not informed about infectious hotspots and given instructions to act, the disease will spread with devastating effect. Digging even further into how the initial Apollo data breach metastasized, there is evidence of spoofed board-of-directors email addresses registered under Russian and Chinese domains. It therefore does not take a lot of imagination to see how bad it is.
The threat has evolved to focus on entities outside of the company, such as clients, shareholders, and others. These spoofed email addresses can be used to spear-phish those who have done business with the company. Since Russian operatives have their fingerprints on this, it can be further exploited to spread disinformation and extend foreign influence. The affiliated hacker collective is known to sell information from such exploited data breaches, so there remains a possibility that compromised company and partner information is still changing virtual hands.
While it is easy to classify these vulnerabilities as information technology issues, they have broad-reaching ramifications for every company and for industry at large. Much like the coronavirus, if any infection is left to run wild, it will affect those in the same orbit, in many cases unknowingly, until it is far too late. The lesson is that when it comes to cybersecurity it is better to put out fires fast than to deal with a full-blown conflagration. The lack of action places others at risk.
Nate Snyder is a senior advisor with Cambridge Global Advisors. He is a former counterterrorism official with the Homeland Security Department.