According to recent reports, a woman in Germany died after a ransomware attack against a hospital system forced her to be rerouted to a more remote facility, delaying critical treatment by an hour. This event is undoubtedly a tragedy for the woman, her family, for Germany, and for the security community.
It is also a prime example of the reason we in the security community exist and what we work daily to protect against, and a stark reminder that what we do is important and cannot be taken for granted.
I feel compelled to write about this event because to me, this is truly an inflection point for the security industry. We have raised the alarm for years and years about the potential for cyberattacks to have an adverse affect the physical realm, and this event realizes that fear in a more visceral way than ever before.
Yes, we have seen cyberattacks that target physical systems as with Stuxnet, many disinformation campaigns, and other malicious activity. However, this ransomware attack truly broke boundaries because it resulted in the direct loss of human life.
The physical world and the digital become more connected day by day. Every technological advancement has another “side of the pancake” - a vulnerability, an opportunity for disruption, the possibility for damage. This connection has accelerated with the pandemic, where many of us have been forced into remote work situations over a very short period of time.
Not only this, but we are also societally pained. We have friends, family, acquaintances with serious medical conditions, growing mental health issues, and a near constant state of mourning for the losses we have already suffered worldwide. This leaves us vulnerable to attack both mentally and physically by criminal groups looking to make a quick buck.
The Hacker Ethic states that one of the core tenets of a hacker is that they must value World Improvement. I am fully supportive of hacking for ethical purposes, especially when it is to support an organization and to make security better. That isn’t the reality here. The individuals leveraging this situation are not hackers, they are attackers. They are criminals.
At the end of the day, as defenders we are here to fight them. We need to unify against this common foe, both in spirit and in practice. We must continue the culture shift towards seeing attacker behavior as detrimental to the society in which we live. Whether they are the ones developing the malware, selling it, or paying for it, if they are doing it to harm society or carry out criminal activities, they are criminals.
In security, we talk a lot about the CIA triad: confidentiality, integrity, availability. Typically, we talk about this in the context of data, but in this case, it impacted the availability of an entire physical system at a crucial time. We are seeing cyberattacks used indiscriminately as a blunt weapon, in many cases for financial gain.
However, these attacks can have a much more dire impact when they affect the availability of a critical system at a critical time. What’s worse, attackers know that the more crucial the availability of a system, the more money the defender may be willing to pay for ransom. This will continue as malware for monetary gain becomes more accessible with Malware-as-a-Service.
For every security person (of which I know many are quite busy), please try to take a moment to pause and reflect on what you are doing, why you are here, and what this event means for you. This should be a rallying cry for each of us, both as individual security professionals and a community of defenders. Let's do everything we possibly can to stop this from happening again.