Report: Nation-State Malware Attack Could Cripple US


Government, Industry Need to Work More Closely on Response Plans

By jeremy_kirk • February 6, 2019

Photo: Cyber warfare specialists with Maryland's Air National Guard at Warfield Air National Guard Base in Middle River, Maryland. (Photo: J.M. Eddins Jr./U.S. Air Force)

Without improved coordination, the U.S. government and private companies could be caught flat-footed if a nation-state hit the software supply chain with malware or a worm. That's the conclusion of a report, or "after-action memo," released Tuesday by the Foundation for Defense of Democracies and The Chertoff Group consultancy.


In October 2018, the groups held a tabletop exercise theorizing what would happen after what's termed a "cyber-enabled economic warfare," or CEEW, event.

Such a strike would be intended to cripple the country's economy and infrastructure. The impacts could be severe, affecting food supplies, healthcare and financial services, possibly sparking a public panic, the report says.

Photo: David London

The exercise involved former government officials from the CIA, NSA and FBI, as well as a dozen top executives from industries including energy, finance, technology and manufacturing.

Most top executives are realistic that they may not get much immediate assistance from the government, says David London, senior director at The Chertoff Group. "Those who are well-briefed are astute enough to know ... there isn't going to be the government bandwidth to be able to assist in response and recovery for all organizations," he says.

Lack of Technical Data Sharing

But the idea is to jump-start initiatives that would help an array of industries to at least anticipate how such an attack would affect their operations and what government resources are available.

The groups' report lays out a series of recommendations, many of which have been discussed before. For example, it concludes that the government and the private sector need to work more closely together to figure out what each needs from the other, as well as overcome concerns over sharing technical data.

Image: The 'after-action memo'

Although the U.S. government has been working to bolster its capacity and private sector cooperation for reacting to major cyber incidents, there's agreement it may not be enough. London says there has been progress, as many critical industries such as finance and energy are participating in collaborative groups, including the U.S. National Cybersecurity and Communications Integration Center.

The aim, however, should be for the government and private companies to have that "muscle memory" of what to do when an incident erupts, London says.

"There is a lot of embedded and highly regularized coordination, but when you take a cyber scenario and put it on steroids ... those models can start to fray," London says.

There are also concerns that with a lack of U.S. government support, private companies may try to directly engage foreign governments to call off an attack, says Annie Fixler, a policy analyst at the Foundation for Defense of Democracies. That could mean a violation of the Logan Act of 1799, which forbids unauthorized people from negotiating with other governments.

"These interactions with foreign governments may run in direct conflict with what [U.S. government] is doing or planning in response to the cyberattacks," Fixler says. "And at the same time, the [U.S. government] also needs to convince the private sector that it can and will come to their defense in a CEEW scenario to pre-empt them from taking independent actions."

'Feel the Pain'

The NotPetya malware attack, which was blamed on Russia, is thought to have been a test run to see what kind of damage could be inflicted on another country. The malware was seeded in a software update for a type of Ukrainian accounting software (see: Teardown of 'NotPetya' Malware: Here's What We Know).

But because it was a worm, it quickly spread outside Ukraine, causing hundreds of millions of dollars in damages for companies including FedEx, shipping company Maersk, pharmaceutical company Merck and more (see: FedEx Warns NotPetya Will 'Negatively Affect' Profits).

The malware scenario used in the tabletop exercise drew inspiration from recent cyberattacks, including the 2016 and 2017 attacks on Ukraine's electrical grid as well as NotPetya. Software supply chains are a major risk surface because they can touch many industries, London says.

"We wanted to make sure they [the participants] could all feel the pain in one way or another," London says.

The report highlights once again the communication failures that have been outlined over the last decade that could hold back cyber incident responses, says Chris Pierson, CEO of concierge cybersecurity firm BlackCloak. "But education and awareness will only go so far; now it is time for action."