Security is both a benefit and a concern for enterprises when it comes to cloud computing. On the one hand, Datamation found in its State of the Cloud, 2019 survey that many organizations are moving to the cloud because they found that cloud-service providers (CSPs) offer better all-around security than they could achieve by themselves.
The post Thunder on the Horizon: 4 Security Threats for the Cloud appeared first on The State of Security.
In my previous blog post, Why Healthcare Organizations are Easy Targets for Cybercrime, I discussed various reasons that hospitals and healthcare organizations make desirable and lucrative targets for hackers. In this second installment, I’ll go over how criminals are attacking these organizations, the methods they use, and also what needs to be done to begin to address this dangerous threat.
Medical Device Compromise
As I mentioned in my first blog on this topic, there is a wide array of connected medical devices in a hospital environment. These devices can be classified into 5 broad categories:
- Consumer wearables, such as sleep pattern monitors, fitness trackers, etc.
- Patient monitoring devices, including insulin pumps, ECG, heart rate monitors etc.
- IVD, blood analyzers, etc.
- Embedded devices, such as pacemakers and implants
- In-house equipment, like medicine dispensing systems, MRI, CT, and X-ray machines, etc.
Devices like these can be hacked in an alarming number of ways. In addition to attacks that could endanger patients’ lives, such as remotely tampering with pacemakers or insulin pumps, these devices may be exploited to enable data theft or to gain access to other hospital infrastructure or systems. In one example from 2017, penetration tester Saurabh Harit managed to compromise a digital pen used for writing prescriptions, which gave him access to a patient database and scans of each prescription.
Medical data is a valuable commodity that is openly traded on the dark web. Although hackers and automated malware are often to blame, old-fashioned user error can play a major role in these types of compromises. Phishing remains a preferred method for stealing data and infiltrating networks.
Some examples of stolen medical data include:
- Patient data. Identity and insurance fraud are relatively easy when you have access to the kinds of data medical organizations store about their patients. Additionally, this information can be used to charge expensive medical procedures, claim prescription drugs, or be exploited to breach other organizations outside of the healthcare industry. It can even be used for personal extortion and a host of other crimes.
- Administrative paperwork. Criminals may target medical licenses to forge prescriptions and commit other types of fraud or extortion.
- Prescription information. Criminals may forge prescriptions or drug labels and use them for purposes like fraud and even drug smuggling.
- Biometric data. As biometrics are increasingly used in security measures and law enforcement practices, records of fingerprints, ocular scans, and even heartbeats could be stolen and used for nefarious purposes.
Because the services that medical facilities provide are essential and often cannot be disrupted without serious risk to patients, ransomware is a weapon of choice. Many organizations have no choice but to pay the ransom, and some health facilities have had to shut down permanently due to these attacks.
Medical facilities worldwide have turned patients away, curtailed or suspended services, and even closed as a result of ransomware attacks. The groups that carry out these attacks have typically done recon on their targets to discover exactly how to breach them and which systems to encrypt to cause maximum disruption.
Of course, when we talk about ransomware affecting healthcare organizations, one attack stands out above them all: WannaCry. This nasty threat spread like wildfire across the world in 2017 and crippled many organizations through a combination of lateral wormlike propagation and machine-wrecking encryption. One of the largest and most publicized victims was the U.K.’s National Health Service. The attack “disrupted services across one-third of hospital trusts and around 8% of GP practices,” according to a report published by the NHS a year later. On top of that, ambulance services were affected and over 19,000 appointments were cancelled.
Despite the financial gains to be had when attacking healthcare organizations, WannaCry was actually an example of a cyber-weapon spreading far beyond its intended targets; the attack was not specifically aimed at the NHS or other health orgs affected.
Ultimately, WannaCry really highlighted the poor security practices prevalent in so many healthcare organizations. The NHS fell under a lot of scrutiny in the aftermath of the attack, particularly as Microsoft had issued a Windows® update that would have fixed the exploited vulnerability months before. Since then, the health service has undertaken a number of changes to shore up defenses.
According to a survey of industry Chief Information Security Officers (CISOs) by Carbon Black, the state of cybersecurity in healthcare is somewhat bleak, if unsurprising.
- 83% of surveyed healthcare organizations said they’ve seen an increase in cyberattacks over the past year.
- Two-thirds (66%) of surveyed healthcare organizations said cyberattacks have become more sophisticated over the past year.
- With increased adoption of medical and IoT devices, the surface area for healthcare attacks is becoming even larger.
- Limited cybersecurity staffing and stagnant cybersecurity budgets in the industry further compound the issues.
Other reports by security companies Thales and Fortinet paint a similar picture. A recent report in the HIPAA Journal puts data breaches at record levels in 2019.
What Needs to Happen
Healthcare’s poor track record when it comes to updates, patching and obsolete operating systems needs to be addressed—no question. Below are some of the other things that need to happen to improve security all around at hospitals and other healthcare practices.
- All staff members should be trained on security risks and best practices to avoid them.
- Medical device designers need to adopt security as a design principle ASAP.
- Hospitals and other facilities need to better audit and patch their devices, operating systems, applications, firmware, etc. to help eliminate vulnerabilities.
- Government initiatives and coordination are essential, not just for the public facilities they run but also for private practices.
- All healthcare practices should have antivirus and other cybersecurity solutions and should have access to security teams who can investigate any breaches to identify and address vulnerabilities.
- Access to devices, middleware, and APIs should be restricted where possible and secured.
And, finally, the “blame game” culture that pervades healthcare needs to be seen for what it really is: an obstacle to progress. Cybersecurity is a group effort that we should all share. From governing bodies to businesses to individual users, each of us has a role to play in creating a more secure connected world.
The post Healthcare Cyber Threats That Should Keep You up at Night appeared first on Webroot Blog.
Over the course of just a few decades, the world has entered into a digital age in which powerful evolving cyber capabilities provide access to everyone connected online from any place on the planet. Those capabilities could be harnessed for the benefit of humanity; they might also be abused, leading to enormous harms and posing serious risks to the safety and stability of the entire world.
A strategy of international cooperation is crucial to mitigate the threats of abuse of cyberspace, primarily by clarifying the “red lines” in the field of cybersecurity and determining how to verify and enforce states’ compliance with their legal obligations in the field. The five permanent members of the U.N. Security Council (the P5) should have a decisive role in meeting this challenge. Yet while the P5 have had some success when mitigating the risks posed by weapons of mass destruction, the group is unlikely to be able to duplicate this pattern of action in cyberspace considering the rising tensions among the P5 and the geopolitical divisions in cyberspace. These divisions manifested in the 2017 failure of the United Nations Group of Governmental Experts on Information Security (UN-GGE) to produce a consensus report after two decades and five sessions of governmental groups of experts. Nevertheless, given the significance and seriousness of the risks that cyber operations pose to the safety and stability of states, giving up on collective action altogether is also unacceptable.
Currently, states have used three main modes of action to meet the challenge, which I will briefly review below. Recent developments have highlighted the mode embraced and implemented by the U.S. and its close allies: a deterrence-based approach combined with a high degree of ambiguity regarding questions of law and policy in cyberspace. However, this ambiguity undermines attempts to develop clear rules for the conduct of states in cyberspace and thereby adversely affects both the effectiveness of deterrence and the legitimacy of cyber operations conducted to compel compliance with general nonbinding norms and principles. This approach should be reconsidered in favor of a clearer and more balanced strategy that can gain at least the international acceptance of like-minded states.
Current Modes of Action
Since the failure of the UN-GGE in June 2017, key states active in cyberspace have mainly taken three separate modes of action to mitigate the threats posed in or through cyberspace. First, states have resumed international cooperation through two new parallel groups of governmental experts, instead of the one that collapsed. Both new groups act in accordance with two bidirectional resolutions, which the U.N. General Assembly adopted in December 2018. One resolution, led by the United States, established the GGE (Group of Governmental Experts) and the other, led by Russia and China, established the OEWG (Open-Ended Working Group). The two groups’ mandates have significant overlap, as both are authorized to discuss, inter alia, the development of rules and norms in the field of cybersecurity and how international law applies to the use of information and communications technologies. Importantly, the new (i.e., sixth) UN-GGE comprises 25 experts representing 25 states, including the P5, whereas the new OEWG is open to all U.N. member states. Since both groups act on the basis of consensus, we will have to wait and see whether either or both will succeed in overcoming the difficulties that caused the failure of the UN-GGE’s fifth round.
Second, states have engaged in voluntary international initiatives such as the Paris Call, the Cybersecurity Tech Accord, the Charter of Trust and the Global Commission on the Stability of Cyberspace (GCSC). These efforts were initiated by major tech corporations in cooperation with states, think tanks and civil society organizations. These private actors have stepped into the standard-setting arena largely because of a sense of societal responsibility, with a view to filling the void created by the influential states, whose strategy has been to adopt a policy of silence or ambiguity.
The common goal of all those initiatives is to articulate nonbinding norms for cyberspace and to ensure cybersecurity through international cooperation between all relevant stakeholders, inter alia, states, the private tech sector and civil society organizations. They seek to achieve this while preserving neutrality and credibility to reinforce trust and confidence in their processes. In principle, such initiatives should have included most concerned states, including the U.S., the U.K., Russia and China, but these states have refrained from officially becoming involved in such initiatives, ostensibly because they have embraced a policy of ambiguity regarding norms of conduct in cyberspace. This could be considered the Achilles heel of these initiatives—but it does not have to be so, as long as expectations remain modest and reasonable. By acknowledging that states and only states are entitled to determine what constitutes binding law in cyberspace (although adoption of such laws anytime soon seems unlikely), these initiatives have only limited and indirect impact on state practice in cyberspace. Still, they may softly and gradually influence such practice.
Third, states have embraced a deterrence-based strategy. The most powerful states in cyberspace—namely, Russia and China on one side, and the U.S. and the U.K. on the other—have funneled their efforts and resources into a vigorous cyber arms race, motivated by their own strategic considerations. The greater the technological advantage gained by one side, the more intense the mistrust and fear in the mindset of the other. That may trigger retaliatory responses, not necessarily confined to cyberspace, to reestablish the balance of powers or to ensure mutual deterrence. Obviously, such a response is risky—but if managed cautiously, U.S. deterrence may be more successful. Still, it will probably not be enough to meet the long-term challenge of ensuring security and stability in cyberspace.
The U.S. has implemented a three-layer deterrence doctrine as emphasized in the National Cyber Strategy and the Defense Department’s 2018 Cyber Strategy, as well as by the U.K. minister of foreign affairs, who depicted it as a new deterrence doctrine endorsed by the U.K.
The first layer is identification and attribution, when the evidence is sufficient and public attribution may not jeopardize strategic interests. Second is naming, shaming and indicting, when the amount of evidence gathered allows it. Finally, there is lawful retaliation, mostly by retorsions such as diplomatic or economic sanctions, which are lawful acts though unfriendly within interstate relations. Although these layers of operation could be implemented consecutively or separately by any concerned state considering its self-interests in any given scenario, they were tailor-made for the U.S. and its national security interests. Unsurprisingly, the U.S. is the only state that has implemented a doctrine involving all three layers.
A short review of recent developments indicates a change in U.S. policy in cyberspace toward a more proactive and deterrent approach to ensure compliance of states with nonbinding norms that reflect responsible state behavior.
- Setting the Norms
The new National Cyber Strategy encourages “universal adherence to cyber norms: [i]nternational law and voluntary non-binding norms of responsible state behavior in cyberspace provide stabilizing, security-enhancing standards that define acceptable behavior to all states and promote greater predictability and stability in cyberspace ….” It goes on to refer to the 2017 G7 Declaration of Responsible State Behavior, including the norms, rules and principles of responsible behavior of states consensually endorsed in the UN-GGE third (2013) and fourth (2015) rounds, and the U.N. Charter.
- Collective Attribution
This involves formalizing cooperation with like-minded states to jointly and publicly attribute responsibility for cyber attacks. Attributing the May 2017 WannaCry cyber operation and the June 2017 NotPetya operation at the outset of 2018 (see here, here and here) was a precursor to such enhanced cooperation. In October and December 2018, the U.S. and its close allies, mainly its Five Eyes partners (Australia, Canada, New Zealand, and the U.K.), jointly attributed responsibility to Russia and China, respectively, for a series of cyber operations conducted by the GRU (including disruptive and destructive operations) and the group known as APT10 (including economic espionage) against numerous states (see here, here, here, here and here).
- Coordinated Retaliation and Imposing Consequences
The updated National Cyber Strategy calls for the deterrence of irresponsible state behavior by imposing consequences for breaching nonbinding norms, such as those endorsed by the UN-GGE and mentioned above. This combines with the launching of an International Cyber Deterrence Initiative by a coalition of like-minded states to coordinate and support each partner’s response to significant malicious cyber incidents. The U.S. implemented this strategy by indicting Russian and Chinese governmental operatives for the GRU and APT10 operations (see here and here), in addition to personal sanctions imposed against the Russian and Chinese defendants. However, the U.S. allies had little ability to impose additional costs, especially because the targeted states are superpower states, such as China and Russia. Nevertheless, the U.K., the U.S. and the Netherlands coordinated unprecedented exposure of intelligence about GRU’s operatives, methods and cyber operations to harm its operational capabilities (here and here). The U.K. and the U.S. coordinated exposure of intelligence also against China’s APT10 (here and here).
Furthermore, at the national level, Congress has adopted active defense principles toward specific states (Russia, China, North Korea and Iran). This involves removing bureaucratic restrictions and authorizing offensive-defensive actions “to disrupt, defeat, and deter” should any of the four countries conduct malicious activity in cyberspace against the U.S. and the American people, including attempting to influence American elections and democratic political processes. In the same vein, the Defense Department’s 2018 Cyber Strategy includes “defense forward” as a deterrent measure, defining it as “disrupt[ing] or halt[ing] malicious cyber activity at its source, including activity that falls below the level of armed conflict.” In other words, the policy tackles emerging threats immediately at the source and may include cyber activities below the threshold of “use of force” within the adversary’s network or territory, by virtue of the relevant authorities delegated down to the appropriate level in U.S. Cyber Command.
In the time since the power to approve specific offensive cyber operations has been delegated down, it has been used much more frequently and effectively, including in a preventive manner during the U.S. midterm elections in November 2018 (see also here). In a recent statement, U.S. National Security Adviser John Bolton emphasized the United States’s improved “capabilities across the board to engage in more offensive cyber activities” and told Russia and any other state engaged in cyber operations against the U.S. that they “will pay the price … we will impose costs on you until you get the point.”
It is worth noting that the active defense approach has been endorsed publicly by senior officials such as the British minister of foreign affairs and even the French minister of defense, who suggested France’s approval of the approach while presenting the new French national cyber strategy. Still, from the perspective of international law, the legality of this proactive approach—which may include “hack-back” actions and other intrusion operations—is questionable. It depends on the way legal terms such as “sovereignty” and “countermeasures” would be interpreted and consensually applied in cyberspace.
Ambiguity and Deterrence
In a recent article for the American Journal of International Law, Yuval Shany and I present an investigation of 11 cyber operations that occurred from 2013 to summer 2018, including, inter alia, the hack of the Democratic National Committee, the hack of Sony, the Office of Personnel Management hack, and the WannaCry and NotPetya cyber operations. All these operations were deemed to be executed by states or state-sponsored groups or individuals. Our findings indicated that victim states and attackers alike have endorsed a policy of ambiguity and silence. The goal of such an approach is to maintain as much leeway as possible under the legal, technological and political uncertainties of cyberspace—thus, we wrote, “[E]ven when [states] acknowledge that they were victims of cyber operations directed against them, the rhetoric they use to describe the operation and their planned reaction thereto tends not to include legal arguments or references to specific norms of international law.”
When operating under conditions of significant normative uncertainty, Shany and I argue, states employ three interrelated strategies: “optionality,” regarding international law as an optional legal framework, which states may or may not invoke and apply; “parallel tracks,” the development through state practice of formal rules backed by opinio juris and an informal set of rules shaped by practice without the sense of a legal obligation, both of which can presumably limit state power; and “gradations in law enforcement,” distinguishing between violations that are likely to lead to some form of response and those unlikely to do so.
It is worth noting that states did not reference any violation of an international obligation regarding the cyber operations that were collectively attributed (WannaCry, NotPetya, and the APT10 and GRU operations). This is consistent with the strategy of optionality: Treating the applicable international law framework as optional allows states to choose whether or not to invoke the legal discourse of international rights and obligations regarding their mutual interactions in cyberspace.
Undertaking retorsions and criminal indictments coincides with the strategies of “parallel tracks” and “gradations in law enforcement.” This is seemingly a reasonable compromise between the deterrence and ambiguity considerations. Hence, despite strong rhetoric about imposing consequences as a deterring retaliation, the U.S. and its close allies have so far applied only retorsions, which are lawful acts, though unfriendly—in lieu of countermeasures, unlawful acts in response to the violation of an international obligation. Countermeasures carry the risk of themselves qualifying as a violation of international law, if undertaken mistakenly.
The U.S. determination to implement a deterrence-based approach in cyberspace in tandem with its policy of ambiguity and silence may weaken deterrence and harm U.S. credibility. It also blurs the message of adherence to the rule of law in cyberspace, which is particularly concerning at a time when the question of how international law should be applied is still open ended and the law unclear and underdeveloped.
Attributing responsibility for violating nonbinding norms and undertaking punitive or retributive measures might be legally problematic, to say the least. Moreover, any attribution claim should refer to a violation of an international obligation, which should be clear and unequivocal. Enforcing nonbinding norms or principles with no clear contents is unacceptable and contradicts basic requirements of the principle of legality, which demands strict articulation of any legal prohibition. A state that deliberately ignores nonbinding norms is not in violation of its international obligations and therefore cannot be legally subjected to countermeasures, nor can it face consequences according to the deterrence-based approach.
Obviously, the policy of ambiguity is legitimate and premised on a common objective of maintaining operational latitude that remains as wide as possible, both defensively and offensively. However, this policy may result in a vicious cycle. While it serves states’ interest in maintaining latitude, it creates a significant obstacle in establishing accountability, which requires a clear binding legal framework and an efficient enforcement mechanism—both of which have not yet been formulated and cannot be shaped under conditions of uncertainty.
Ultimately, the tit-for-tat imposition of consequences provides the U.S. and its close allies with a prominent deterrence tool to deploy against their adversaries. That might be useful against a nonstate actor or less powerful state. But when the adversary is, for instance, Russia or China, the risk of escalation is much more serious.
Bearing in mind the uncertainties regarding the rising tensions among powerful states in cyberspace, along with evolving technological capabilities, ambiguity and deterrence are not a zero-sum game. They can and should be rebalanced.
The recent collective attribution claims rely mainly on close cooperation among intelligence communities, primarily the Five Eyes and several additional Western allies. The content and amount of evidence remain classified, and the standard of proof is enunciated by short sentences or phrases such as “highly likely,” “high confidence,” “almost certainly responsible” and “highest level of probability.” That lack of transparency reinforces the adverse effect on the process’s credibility, which, in turn, may affect the legitimacy of any act taken in retaliation.
Nevertheless, there are some options that should be considered to increase legitimacy and credibility while implementing limited transparency. A priority should be reinforcing cooperation among an increasing number of like-minded states; collective attribution should involve more than a select group of states. Even more so, substantiating attribution claims also requires permanent cooperation with private cybersecurity and tech firms such as GAFAM (Google, Apple, Facebook, Amazon and Microsoft). Establishing parallel cooperation between states on the one hand and private companies on the other while maintaining national security will be a challenge. But as insurmountable as it may appear, it will be a worthy challenge to tackle.
Exactly a year ago, U.K. Attorney General Jeremy Wright made a significant step toward setting opinio juris regarding the application of international law to cyberspace. Most relevant were his comments on the principle of sovereignty in cyberspace: The U.K. does not recognize the existence of a cyber-specific rule on violations of territorial sovereignty. Furthermore, the speech negated the applicability of two traditional obligations: the obligation to provide advance notification prior to executing countermeasures and the obligation to disclose evidence justifying attribution. Moreover, the attorney general emphasized the importance of international law in cyberspace despite the restrictions this places on states’ freedom of action: “[B]ecause we believe that a rules-based international order makes the world a safer place … it must also follow that a rules-based international order can only prevail when the rules can be clearly understood and that where they are unclear we seek to bring clarity.”
Considering the recent developments in cyberspace, it is time for the U.S.—as a leading superpower in the international community, and primarily in cyberspace—to take the lead in clarifying its legal and political stances regarding the application of international law in cyberspace, particularly on essential issues such as sovereignty, nonintervention, due diligence, countermeasures, the evidentiary standard and even the boundaries of legitimate espionage. Although this will reduce the level of ambiguity, it should not necessarily remove it totally—a gradual reduction in the level of ambiguity might be even better.
The U.S. should also prioritize reinforcing international cooperation to ascertain that the International Cyber Deterrence Initiative (ICDI) does not just focus on deterrence through joint imposition of consequences. Instead, the initiative should attempt to establish accountability in cyberspace by relying on a defined legal framework that includes binding rules and clear attribution and enforcement mechanisms. This could be done in parallel or in combination with the other modes of action described at the outset. Determining how to do this will be for the ICDI, or, more accurately, the International Cyber Accountability Initiative (ICAI), to decide.
Two decades have passed since the UN-GGE was established with the mandate to examine and recommend how to meet the challenges and close the increasing gap between international law and evolving technology in cyberspace. Time is running out. International achievements in standards setting are limited, and cyber threats are increasing exponentially. The international community, particularly democracies led by Western major powers, should enter the third decade of the digital age equipped with broadly accepted tools and strong willingness to establish accountability in cyberspace based on clear, binding rules and enforcement mechanisms.