Finger-pointing from the vantage of hindsight
Last year, nearly 18 years after the 9/11 terrorist attacks, three former Department of Homeland Security secretaries urged the U.S. government to place cybersecurity at the top of the national threat list. The call to action was issued prior to any knowledge of a looming pandemic, and adherence to such a call may have prevented some of the COVID-19-related impacts we are currently seeing due to insufficient resources dedicated to cyber preparedness.
The exploitation of widespread weaknesses by threat actors is not a novel concept. Many critics argue that more could and should have been done, quick to quip that hindsight is 20/20 in 2020, but it is unlikely that a disaster of this scale could ever have been predicted.
Puerto Rico: A country at risk over the years
Natural and man-made disasters alike have left vast portions of the population open and vulnerable to cyber threats, siphoning much-needed funding, halting progress toward rebuilding and preying on society during times of crisis.
Puerto Rico is a glaring example, seemingly unable to catch a break when it comes to the vulnerabilities faced due to natural disasters. The country struggles with an unrelenting recession, and this baseline of economic disrepair, coupled with an ongoing series of natural disasters, has made it a target of cyber criminals. Most recently, in February, the government of the U.S. island territory reported it lost more than $2.6 million after falling prey to a Business Email Compromise scam. It is unclear whether the funds, which were slated for reconstruction efforts, will ever be recovered.
Lessons learned from Hurricane Sandy
Hurricane Sandy, the deadliest storm in recent history to pummel the coast of the Atlantic, killed 233 people in eight countries, affected 24 U.S. states and was responsible for $64 billion in damage. One security operations team analyzed traffic for the three months directly after Hurricane Sandy, and the data showed a significant drop in network traffic access across clients located in New York City for the two weeks during and after the storm. As network activity declined significantly, the number of attacks surged. Massive power outages left the financial hub of downtown Manhattan vacant, and without the vigilance of IT security supervisors, one of the world’s largest troves of financial information was hit by attacks that crippled some operations for months.
The business continuity plans (BCPs) and disaster recovery plans (DRPs) to house data in New Jersey were fatally flawed, as weather patterns are state-agnostic, and much of the backup data housed in New Jersey was also compromised. Hurricane Sandy quickly became a litmus test, and despite the devastation, BCPs and DRPs became a top priority in major organizations’ funding strategies. As the American Bar Association Cybersecurity Handbook reads, “If a client’s disaster recovery plans cannot pass the ‘Hurricane Sandy test,’ such plans might also fail if cyber incidents caused prolonged disruptions.” While companies’ contingency plans developed post-Sandy were well thought out and undoubtedly have helped to deter many potential attacks, these plans were not designed with the ramifications of a pandemic in mind.
One can hope that lessons learned and tactics put in place today will make the COVID-19 pandemic of 2020 the last time we are left to wonder “What if?” with such regret. Post-coronavirus, each demographic variant, including geography, industry and economic subsector, will have its own chapter in the “pandemic handbook,” as permutations of situation and effect are infinite.