Cyber extortion: The next new scramble

Amidst resurging Covid-19 pandemic, an epidemic of cyber-extortion is pummeling aspects of the US economy and the government is at a loss how to deal with it.

Uju Okoye began working as a nurse four years after migrating to the United States. After joining her husband in Chicago, Uju began taking classes in a community college to get needed prerequisites for a nursing degree. Three years later, the banker-turned nurse who worked with a leading bank in Lagos for six years, earned her nursing degree. Now she works for Hospital Sisters Health System, a multi-institutional health care system operating in Illinois and Wisconsin.  Uju still remembers the day in August 2019 when she went to work and the whole hospital computer network was shut down. As Uju recalls, “we couldn’t do anything. The entire system was shut down. We lost all patient records. For days the whole system was in chaos.” Two years after the attack, it is still unclear who hacked the hospital computer system.

Whether it is a clandestine group hacking an entire hospital computer network or some bogeymen of the Kremlin attempting to steal classified information from the Pentagon, the Internet landscape has been transformed into a binary battlefield. It is a battle that the United States is struggling to get a handle on.

Some cyber security experts worry that the US is lagging behind in a war that it must necessarily win.  For the wizards of the underworld, who needs a gun when you have a keyboard? Why spend tens of billion dollars on an aircraft carrier when you can disable it digitally?  Why have an army of ten thousand, when two men behind a computer can wreak havoc of equal proportion?  Generations of technological breakthroughs have made what was once inconceivable years ago very easy. What used to require Gestapo-like dungeon crawling displays of wit and nimbleness can now happen with such a breathtaking ease.

Two April incidents, eight years apart, show just how fast times have changed: On April 16, 2013, a group of snipers physically slipped into an underground vault in San Jose, California and surgically knocked out 17 giant transformers that supplied power to parts of Silicon Valley. In a blink of an eye, parts of the Valley, the very heartbeat of America’s tech-driven economy went dark. For a while it appeared the valley had sunk; it felt like this temple of gold once called “valley of heart’s delight”, was headed for destruction. The tech companies scuttled in utter disarray as police scrambled to fish out the culprits. The gods and goddess of Facebook, Google, Apple and other tech empires hurtled in shock. Many ran helter-skelter. It was as if Armageddon had finally come.

The military-style nature of the raid and the precision with which it was executed raised concerns about future attacks. The attackers came at midnight, outsmarted security cameras and motion sensors, destroyed telecommunications cables in the vault and disappeared into the gloom. Was the attack the work of vandals, disgruntled former employees or something far more sinister – a trial run by an individual or a terrorist organization bent on destroying America’s power grid?  That question remains unanswered till date. Shortly after the incident, Mark Johnson, an executive of PG&E, the company that managed the San Jose power stations described the attack as “a dress rehearsal for future attacks.”

On April 29, 2021, eight years after the California attack, hackers gained entry into the networks of Colonial Pipeline, the largest pipeline system for refined oil in the US and massively disrupted gas supply in the country. Colonial Pipeline, a private utility company with headquarters in Georgia, supplies nearly half the gasoline consumed in the region. It moves around 2.5 million barrels of gasoline, diesel, and jet fuel daily from Georgia to New York and towns and cities in-between.  Within days of the attack, gas stations ran out of supply as those with supply scrambled to contain long lines, gas prices skyrocketed. At a point in May, nearly 90 percent of stations in Washington DC had “no gas” in their front spaces. The neighbouring state of Virginia declared a state of emergency to keep its gas supply from being depleted and warned that price gouging will not be tolerated. But that did little to assuage the fears of its residents.  As tension grew, news leaked that Colonial Pipeline paid the hackers $5 million via crypto-currency to regain control of its systems.

Washington DC-based Ifeoma Okonkwo said, “it’s the first time I’ve been in a queue to get gas since I came to this country 25 years ago.”

Colonial Pipeline is one of US most critical fuel arteries. The attack on its infrastructure was seen by many as an attack on America. The real fear now is – which entity is next.   As Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University, notes, “the war of the future will not only be about explosions, but will also be about disabling the systems that make armies run. It’s not that bases will get blown up; it’s that some bases will lose power, data, and communications. It’s not that self-driving trucks will suddenly go mad and begin rolling over friendly soldiers; it’s that they’ll casually roll off roads or into water where they sit, rusting, and in need of repair. It’s not that targeting systems on guns will be retargeted to 1600 Pennsylvania Avenue (White House); it’s that many of them could simply turn off and not turn back on again.”

Cyber piracy is a real danger in a world that is increasingly digitalized and interconnected.  Cyber piracy typically involves malware that encrypts files on a device or network that results in the system becoming inoperable. The criminals behind such attacks typically demand ransom in exchange for the release of seized data.  The management of Colonial Pipeline paid $4.4 million to regain control of its systems after it was hacked. Joseph Blount, CEO of Colonial Pipeline, said he authorized the ransom payment because executives were unsure how badly the cyberattack had breached its systems, and how long it would take to bring the pipeline back. “I know that’s a highly controversial decision,” Blount said after the crippling hack. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.” The payment was made in cryptocurrency which made paper trail difficult. Last month, the FBI announced it recovered $2.3 million in bitcoin paid in the ransom but the criminals are still at large.

Ngozi Anaka, a nurse in one of the local affiliates of Mass General Brigham (MGB), Massachusetts biggest private hospital system, remembers receiving phishing mails in her official email account periodically. The management sends the emails to gauge staff alertness to malware attacks. Staff are expected to detect such emails and report them as such emails could be used to install malwares that could freeze the entire system and as part of a ransomware attack. “It’s a test system created to intuitively remind us of what not to do. Don’t open suspicious emails as hackers could use them to attack the entire system.” A data breach in June 2019 compromised the health information of nearly 10,000 MGB patients.  “Those criminals just don’t care,” says Ngozi.

The attack, which is now common in hospitals across the US, highlights why healthcare cybersecurity defenses must be robust. “Patient data is highly valuable to hackers, who often use the stolen information to commit further crimes like identity theft, said Matt Aldridge, a Boston-based cybersecurity expert. “Health data is incredibly important to people and is far more personal than other information.”

According to Colin Bastable of Lucy Security, “the medical industry was the first to be phished over 20 years ago, and it still leads the way in data incontinence.” Another security expert, Dan Tuchler, says “we don’t have much experience yet in what kind of lasting damage can be caused with this very personal information, but this is surely going to grow in the future.”

US hospitals and clinics are under relentless cyberattack. The criminals understand health info is highly protected data.  Last year an eastern European group known as Ryuk hit at least 235 facilities, raking in more than $100 million in ransom payment. Ransomware attacks cost US healthcare organisations $21 billion in 2020, according to a recent analysis by security company, Comparitech. The healthcare sector is a consequential part of the US economy.  The US, on a per capita basis, spends more on healthcare than other developed countries.  1 in 8 people employed in the US works in healthcare, according to the Bureau of Labour Statistics.

Healthcare spending in the US topped $3.8 trillion — nearly 18% of the gross domestic product in 2019.  It is projected to reach $6.2 trillion, or at least 20% of GDP by 2028. Besides, hospitals make good targets for ransomware because victims are more likely to pay the ransom as quickly as possible given the possible consequences of any delay in accessing their systems.  In 2020, cyberattack affected more than 600 separate clinics, hospitals, and organisations, and over 18 million patient records.  The 18 million patient data affected signifies 470 percent increase from 2019.

Covid-19 stretched American hospitals to their elastic limits. As they recover from the worst days of the virus, cyberattacks are increasingly becoming the new system disruptor and stressor.  The FBI advises victims not to pay ransoms to the hackers.

“Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organisations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” according to a release by the agency.

Who listens when the panic alarm is buzzing?  As data from the FBI indicates, not many. More than 1 in 3 health care organisations opt to pay after every cyberattack. It is not just hospitals and oil suppliers that are paying these ransoms. The highest known ransom paid this year by a US company was by JBS, a meat processing company which dolled out $11 million in bitcoins to cybercriminals to avoid further disruptions to its services.