Cyberwarfare

How real is the threat and how are businesses preparing?

By Kevin Manne

With the Russian invasion of Ukraine shining a spotlight on the issue of digital warfare, we asked two cybersecurity scholars—Alan Katerinsky and Dominic Sellitto, both clinical assistant professors from the school’s Management Science and Systems Department—to share their perspectives on the potential threat of cyberattacks and how it’s affecting businesses.  

Alan Katerinsky: I consider us a vulnerable population. If someone is going to hit us with a Pearl Harbor-like cyberattack—a really serious attack to shake people up—it’s going to come through finance. And one of the things we did during Russian sanctions was decouple them from the international banking system, which may be one of the best moves that was ever done inadvertently, because now they’re cut off. But that doesn’t mean Russia can’t hire someone to do it for them—there’s an awful lot going on in the background that we do not know.

Dominic Sellitto: In the leadup to the conflict in Ukraine, we saw a number of attacks on the country’s websites, particularly government sites, with the goal of destabilizing the region. It can be difficult to know who is initiating these attacks because ambiguity can still exist on the internet. Nation states can use proxies so actions may not be traceable back to the country itself, but the intent usually gives it away.

AK: The cyberwarfare that’s possible from all this is still not yet realized. We are protecting as best we can, but our railroad crossings, natural gas systems and water treatment plants are not protected, by and large. The electrical system has been constantly upgraded so it’s better protected than it was five or 10 years ago. 

But another threat to consider is ransomware in hospitals. In an environment like that—where you’re responsible for hundreds of people in medical trauma—it’s very easy to get distracted, click on the wrong thing and wipe out a computer system. Then multiply that by every city in America. 

DS: And that’s something that has happened already. The WannaCry ransomware attack that hit the National Health Service in England and health care facilities around the world was crafted using vulnerabilities stolen from a contractor doing work for the U.S. government—which goes to show how decentralized we’ve become in terms of how many third parties most organizations have to work with and trust. 

AK: The other thing to consider are attacks from the physical realm onto the cyber realm. For example, cutting transatlantic cables to the United States would be a massive attack on economic and communications infrastructure around the world. Or, one good missile packed with buckshot at the right height could take out most of the GPS satellites, which would disrupt all of our transportation, location and communication systems, not to mention all the GPS targeting for our military. 

DS: It’s important to draw a distinction between these different types of cyberwarfare. A lot of what we’re seeing on the news is information warfare—with fake social media posts and flooding communications channels with garbage data. But another, perhaps less flashy, kind of attack are distributed denial of service attacks that cause the breakdown of web services around the world and are a real concern even beyond information warfare. 

AK: As for businesses, the old thinking was that they’d protect their computer systems because it would affect stock prices, but the reality is that it doesn’t. Stocks may lose points for a short period of time, but studies have shown that within a year, prices are back up to where they were before the breach. What I worry about is that people will give up and take all of it as the price of doing business, and then it won’t be just losing your customer base or some credit card numbers, it’ll be a power plant, oil refinery or sewage treatment plant shut down. The one thing we cannot do is give up. 

DS: Unfortunately, many companies won’t do anything until there’s some sort of legislation with teeth, and that is the current push. And the “with teeth” part is important because we do have legislation, but it has largely bared no teeth. There is some optimism, however, in the form of general consumers—we have to vote with our money and push companies to do better with the information they’re storing, and how they’re storing it and securing their systems.