Cyber Criminals and the Potential for Cyber War How do we protect ourselves and our country? Sharon oNeal sharononeal@email.Arizona.edu 520-822-4040

Interesting Cyber Facts Cyber Crime damage costs to reach $6 trillion annually by 2021 Human attack surface to reach 6 billion people by 2022 Typical Dwell Time in public Infrastructure networks before Penetration Detection: 128 Days Every minute 1,080 hacks occur 27 Days to Resolve at an average cost of ~$ 7.4M / incident Software Code: 4.9 Flaws/1000 Lines of Code 1 to 5% represent a serious vulnerability Typical Penetration Detector: External Vulnerability Assessment Currently more than 1.5 Million Cyber Security Jobs are unfilled (Expected to rise to 3.5M by 2021) Attacker only needs 0.0001 Success Rate Most Asset Owners aren’t aware of their Outbound Traffic: Number of Connections Length of Connection Amount of Data % Encrypted Destination IP Interesting Cyber Facts And here are some more compelling statistics for you to contemplate: Cyber crime damage costs to hit $6 trillion annually by 2021 (up from $3 a year ago) Predictions and observations provide a 30,000-foot view of the cybersecurity industr Cybersecurity spending to exceed $1 trillion from 2017 to 2021.  Cyber crime will more than triple the number of unfilled cybersecurity jobs, which is predicted to reach 3.5 million by 2021. Human attack surface to reach 6 billion people by 2022.  There are 3.8 billion internet users in 2017 (51 percent of the world’s population of 7 billion), up from 2 billion in 2015. Global ransomware damage costs are predicted to exceed $5 billion in 2017.  Billionaire businessman Warren Buffet takes it a step further and says that cyber attacks are the number one problem with mankind, even worse than nuclear weapons

Cyber threat landscape Let’s look at a top level view of the current cyber landscape. Who are the actors? Govts, ideological groups, organized crime, private individuals. What are some of the techniques they use? Other Statistics: Top 3 Cyber threats last year: Social Engineering: 52% of all threats Insider Threat accounts for 40% of all threats APT: 39% Recent high profile case of the Insider Threat – Chelsea Manning leaked 750K classified and unclassified documents to WikiLeaks motivated by crowdsourcing – getting others to come to c=the conclustion that the war was not worthwhile.) and Edward Snowden who released thousands of documents revealing several global surveillance programs by the NSA and other govt agencies. A subject of controversy, Snowden has been variously called a hero, a whistleblower, a dissident, a traitor and a patriot. His disclosures have fueled debate over mass surveillance, government secrecy, and the balance between national security and information privacy. Currently lives in an undisclosed location in Russia who has granted him temporary asylum. How do they gain access to a corporations/ organization’s systems: suppliers, employers and contractors, mobile devices, network access, physical access. Co-mingled corporate and personal assets, excessive 3rd party access, lack of secure supply chain, patching and system upgrades, outdated equipment and lack of installing software updates, inexperienced cyber architects, lack of business risk aseesment and ineffective mitigation strategies. Let’s talk about IoT – projected to have more than 50B connected devices by 2020 Cyber threat landscape Source: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/energy-resources/us-er-cyber-risk-protecting-our-critical-infrastructure.pdf

Dept of homeland Security (DHS) – 16 Critical Infrastructure Sectors In 2013, then President Obama issues an Executive Order 13636 – titled “improving Critical Infrastructure Cyber Security”, which among other things called for the establishment of a voluntary risk- based Cyber Security Frameowkr between private and public sectors. Also the DHS identified 16 critical infrastructure sectors in response to the POTUS Policy Directive-21 Critical Infrastructure Security and Resilience directs the Executive Branch, led by DHS, in coordination with NIST, NSA and sector Agencies to: * develop near-real time physical and cyber situational awareness capability * understand cascading consequences of infrastructure failures * mature public-private partnerships * update the National Infrastructure Protection Plan * develop comprehensive research and development plan The nation's critical infrastructure provides the essential services that underpin American society and serve as the backbone of our nation's economy, security, and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, the stores we shop in, and the communication systems we rely on to stay in touch with friends and family. Overall, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. The National Protection and Programs Directorate's Office of Infrastructure Protection (IP) leads the coordinated national effort to manage risks to the nation's critical infrastructure and enhance the security and resilience of America's physical and cyber infrastructure. Clearly, government and businesses alike all need to dedicate more resources to becoming more cyber-vigilant towards anticipating, protecting, and responding to potential and future cyber attacks. Complex Interactions With Limited Corresponding Government - Industry Expertise & Accountability

Cyber risks impacts energy critical infrastructure Threat Map for the Energy Sector Let’s consider one of the 16 sectors that seems to be getting a lot of attention these days in the wake of Maria and the destruction and damage caused from natural sources. When I hear the projections of how long it will take to rebuild the PR infrastructure, it helps me to grasp the reality of how vulnerable and reliant we all are on our energy sources. Here is an example of a recent attack against an electrical grid that happened in the Ukraine.: In Dec 2015 a presumed Russian cyber attacker successfully seized control of an energy control center in Western Ukraine that left more than 230K people without power for up to 6 hours. This marked the first time a cyber weapon was successfully used against a nation’s power grid. The attackers were very skilled who carefully planned their attack over many months, first doing reconnaissance to study networks and siphon operator credentials, then launching a synchronized assault. The attackers overwrote firmware on critical devices at 16 different substations, leaving them unresponsive to remote commands from operators. From what is known about the attack, the experts feel that they could have left the system permanently inoperable, but they didn't. Some speculate that it was a message from Russia not to pursue pending power plant legislation. Others feel it was a “dry run” for a future attack. Legend: Source: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/energy-resources/us-er-cyber-risk-protecting-our-critical-infrastructure.pdf

Healthcare Cyber Attack Trends: 2015 - 2019 Medical and personal information theft due to healthcare provider data breachers will impact 1/13 patients 25M patients will have their medical information stolen 6M patients will become victims of medical identify theft 4M patients will pay out of pocket costs related to medical identity theft What about the healthcare sector? This chart shows cyber attack trends over a 5 year period. 25M patients will shave their medical information stolen. 6M patients will become victims of medical identify theft. 4M will pay out of pocket costs related to medical identity theft. What about the technologies that run our modern hospitals and treatment facilities? Can you imagine the impact of our health institutions if they were victims of cyber attacks that took down their ability to provide critical and life saving healthcare to millions of patients across the country? Scary – isn’t it?

Source: http://www. securitymea

Defense Department Cyber spending From 2015 – 2020, the current planned expenditures within the DoD is ~$37B. The majority of that spending will be in cyberspace operations and IA. A much smaller amount will be spent by USCybercom and S&T funding (research). Is it enough? How does this compare to conventional defense spending? In 2017, the planned DoD spend plan was $598B – for one year. That means that in terms of defense spending, <1% of all DoD spending goes to Cyber related activities. Defense Department Cyber spending

STUXNET: one of the world’s first digital weapons A malicious computer worm first identified in 2010. Infiltrated tht entered the computer system at a uranium enrichment facility via a removable USB memory stick. Targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program Stuxnet reportedly compromised Iranian programmable logic controllers and caused the fast-spinning centrifuges to tear themselves apart Prohibited the manufacturing of uranium STUXNET Destroyed Manufacturing Equipment Connected to a Secure, Closed Network