Mitigating Risk & Compliance

Not that long ago, we saw the disruption of connectivity across the entire US East Coast with the Dyn attack – costing companies an estimated billions of dollars in damage. Hackers used malware to take over millions of unsecured IoT devices and launch sophisticated and coordinated waves of attacks to overwhelm Dyn's servers and bring down large ecommerce, social media, and entertainment companies such as Paypal, Twitter and Spotify. While several years ago, the Dyn attack serves as a dark milestone as the world's largest, most coordinated, and effective IoT cyber attack in history.

More recently, the US saw foreign states penetrate the highest level of government for months, with what has become known as the SolarWinds attack. Couple that with the cyberattacks on pharmaceutical companies developing the COVID-19 vaccine, and the risk is very real. In addition, the persistent threats to infrastructure can cost more than money; they can cause the loss of life.The 2020 winter storms in Texas illustrate how critical our dependence on infrastructure has become, and the havoc that could be caused by a successful attack on power grids. And what we have witnessed to date may just be the beginning or, if nothing else, the tip of the iceberg. These events aren’t just indicative of the actual risk today, but rather a small glimpse into what the telescoping magnitude of risk could look like in the future. 

In fact, four days after this article was originally published in Pipeline magazine, a coordinated ransomware attack was conducted against Colonial Pipeline, which is being viewed as “one of the most significant attacks on critical national infrastructure in history.” The attack, coordinated by the Russian-based cybercrime organization DarkSide, shut down the flow of oil, gas, diesel,  and jet fuel to nearly half of the US East Coast, affecting millions of people and disrupting hospital, medical, emergency, first responders, transport, and air services.

Failing to comply with regulations creates a wide variety of risks. To the companies at the epicenter of a breach, like Dyn or SolarWinds, the damage to brand recognition can be almost incalculable. Their brand has now become synonymous and forever aligned with the term, “breach.” In the case of Colonial, the company shelled out nearly five million dollars to recover their data and control of their systems. However, the public risk, may actually be higher. In the case of SolarWinds, the breach has led to the increase of tensions between the US and Russia.

In April, we learned that Russian-backed cyberterrorist organization REvil was responsible for a ransomware attack on the Taiwanese Apple-supplier Quanta, and began releasing Apple’s intellectual property on the internet – and stated that it will continue to do so – unless it meets its demand for a 50 million dollar payment. Leading some to speculate the attack was a response to the sanctions recently levied on Russia by the US for its part in the SolarWinds breach.  And SolarWinds isn’t going away, as Microsoft reported in a blog post that a second attack seems to have conducted by the same group as the first, which began in February and culminated through May 2021.

In response, the US Department of Justice has announced the launch of a multilateral task force comprised of Executive, Judicial, Treasury, and Intelligence agencies to investigate and respond to nation-state-sponsored ransomware attacks. This comes just weeks after the White House had already announced the launch of the Unified Coordination Group (UCG) following a Microsoft breach which has been attributed to China. These things tend to escalate quickly.

These are just a few examples that underscore the important of a good security posture, encompassing both regulatory compliance and lawful intelligence. It is also why failing to comply with these regulations comes with steep penalties. These penalties can range from $10,000 to $50,000 dollars per incident, per day, or more – including the revocation of your FCC license.