What if a technically sophisticated adversary, such as Russia or China wanted to create chaos in the United States – how would he or she do it? What if a technically sophisticated lone wolf hacker wanted to do it, is it possible?
My answer would be: Possible – absolutely! Probable: I don’t know. Concerning: You Betcha!
John Moynihan, president of Minuteman Consultancy, a Massachusetts based cybersecurity consultancy and former CISO for the Massachusetts Department of Revenue, has come up with a scenario that certainly ranks on the concerning side.
Now remember, the hacker’s motivation is to create chaos not make money. He or she may make money as a sideline from the event, but that is not the primary goal.
What if one of these hackers who seem to be able to hack into an awful lot of companies, decided to hack into Medicare (gee, we already know that government security isn’t very good) or the IRS or a large insurance company or a bank? Or all of the above.
Now let’s assume that this hacker gets administrative credentials as happened in the Office Of Personnel Management or the Anthem Blue Cross breaches. These are two very high profile cases where this DID happen, so this is very realistic.
So far we have two very plausible pre-conditions.
Now let’s assume that this hacker decides to access databases and slowly but systematically change data. If it is a bank, then change the amounts of deposits and withdrawals. For Medicare, you could change coverages or claims information. For the IRS, you could change refund amounts.
The hacker would do this relatively slowly over a period of time. Maybe days, maybe weeks, but slow enough to escape notice for a little while.
If you spread this out over time, you could not just restore from a backup because you don’t know how far to back up and you may not be able to add all the changes that occurred since them.
The banks or Medicare or whoever would investigate, but in the meantime, but would probably have to shutdown the systems – no deposits or withdrawals until they could figure out what happened. No claims being paid.
That wouldn’t cause too much chaos would it?
If the hacker was smart, he or she might go after databases that you might not see the changes in quickly such as your 401k.
According to a study done by Osterman Research, 47% of the respondents said that there was no person or group responsible for making sure that there were no unauthorized changes to the raw databases in their organization.
This is definitely possible to do – not easy, but far from impossible.
If the hacker were to do this randomly, across industries and across the country, it would reduce the confidence that people have in institutions. Enough of it and confidence broadly crumbles. Not good.
So how likely is this – I haven’t a clue.
Could Trump’s bestus friend, Putin do this – Absolutely.
Are there other people who could do this – Yes, but to do this on a large scale would require major resources.
One other way to do this – as we have seen for years, retail and hospitality point of sale systems have been as secure as a screen door in a hurricane.
What if the attacker just randomly changed transactions in those systems at hundreds (or tens of thousands) of compromised systems across industries and across the country? The banks would have no reason to suspect the transactions are compromised until people started complaining. If you only changed the transactions a little bit, it would likely take quite a while to detect. If your restaurant bill was $23.48 and the hacker changed it to $27.28, you might not notice it. But as the banks were to see hundreds of thousands of incorrect transactions, how would they respond?
I don’t think they have a plan for it. Remember, in this case, the bank’s systems didn’t get compromised, so backups would be useless. And, if the bogus data was coming from enough merchants, it would be very difficult to shut down. Unless, of course, you shut down the credit card system until you got it figured out. Now that wouldn’t cause much chaos would it?
This is the drawback of no paper audit trail.
Another place where there is no paper audit trail – the presidential election. And, it is too late to fix that problem.
Of course the legal system would want to put someone in jail, but even if they did, that would not straighten out the mess.
Information for this post came from Dark Reading.