A common nightmare scenario in the business world is that a hacker will crack a company's digital defenses and steal sensitive data or disable the network. Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit (US-CCU), an independent organization that churns out information security data on behalf of the government, says enterprises face a darker possibility.
Online outlaws could quietly penetrate the network and, over six to eight months, alter critical data so that it's no longer accurate. For instance, an attacker could access a health insurance company's patient records and modify information on a person's prescriptions or surgical history. Or an attacker could access an automotive company's database and tamper with specifications on various car parts.
"The big worry shouldn't be that someone's going to shut down a company's computer system," Borg said. "If you shut down almost anything in our economy for a couple days, the damage is minimal. We have enough inventory to time shift our activities so we're not badly hurt. But if the attacker causes physical damage or makes it so the business process is faulty, the damage can be horrendous."
Borg and US-CCU research director John Bumgarner have developed a draft checklist designed to help businesses examine such digital doomsday scenarios so they can thwart them or at least mitigate the consequences. It was unveiled at last week's GovSec conference in Washington, D.C., and Borg and Bumgarner ultimately hope the U.S. Department of Homeland Security (DHS) will adopt the checklist as part of an official standard. DHS has not yet approved the draft.
The checklist consists of 478 questions meant to help enterprises assess their ability to handle a variety of cyberattacks. It is divided into six categories:
In the human operator section, for example, enterprises are asked such questions as:
At GovSec and other conferences, Borg said he's been trying to "wake people up" to the scenarios the US-CCU checklist is designed to address. In some industries, he said, not taking the proper precautions as soon as possible could be disastrous.
"If hospitals are denied access to someone's insurance information, it's a nuisance," he said. "If someone accesses a hospital computer [and] changes numbers, tampers with dosage schedules and announces his handiwork six months later, panic could ensue, people would be afraid to go to a medical facility and the health industry could suffer massive lawsuits and bankruptcies."
In the auto industry, tampering with auto parts data could lead to cars failing on the road, people getting injured or killed and the auto manufacturer going belly-up. "People would stop buying cars," Borg said.
He acknowledged these kinds of attacks aren't happening much right now. But, he said, there have been isolated cases in the financial sector. Other intelligence suggests the digital underground has the ability and motivation to do a lot more damage.
"Our job is to look at some of these scenarios and help people prepare," he said, "but I can tell you that we have seen some worrisome signs. Last spring we started getting evidence of a shift" in the digital underground, with emphasis shifting from worms to what could be done with unfettered access to a corporate network.
One result has been the mountain of corporate data breaches this past year. But the bad guys have plenty of motivation to go beyond simply extracting someone's personal data for the sake of identity theft.
"If you can cause a huge economic event, you can make a huge profit off it," he said. "If you can damage an industry and radically change demand for a commodity, there are ways to make an awful lot of money in the process."
He noted that right after the Sept. 11 terrorist attacks, there was speculation in the security community that members of Al Qaeda had cashed in some airline stocks before the attacks.
Is Borg's warning resonating with audiences? He believes so.
"GovSec was attended by a lot of police officers and people in government," Borg said. "Some in the audience said they hadn't previously appreciated the concept of the threat as I articulated it. A lot of people say they hadn't looked at it this way."