With the ever-growing interconnectivity of the world and its exponentially expanding dependency on the internet, one threat has grown steadily alongside it. As of 2020, about 59% of the total world population was connected to the internet one way or another (Clement, J. 2020, July 24). That count barely reflects the number of people who really depend on it, or its continuous operation in making possible the functioning of most essential infrastructures of virtually any country in the world. The cyber-security threat has therefore been the most prominent threat to the modern world order, especially for the more developed, technologically advanced, and integrated ‘Western’ societies. Seeing that such a threat was becoming an almost existential menace, these more advanced countries had to develop ways and strategies to prevent cyber-attacks. The truly problematic part of the cyber world is that, contrary to most other kinds of threats, zero risk never exists. The attacker in the cyber world always holds the advantage, since it only has to discover the tiniest weakness that even billions of dollars in cyber-defense programs would have overlooked, the tiniest chink in the armor, in order to sneak into the system and, with barely any substantial funding, create a catastrophic scenario for the country or the company being targeted. Advanced countries therefore had to come up with an extended National Cyber-Security Strategy (NCSS) to be as prepared as possible to resist such attacks, or at least to be resilient and prepared enough to recover from one as quickly as possible. But being able to deflect any and every threat is virtually impossible, even for the most advanced nation in the world and the threatened hegemon of the current world order, the United States of America (USA).
In this article, one will try to see how, even with a developed NCSS that tries to include all sides of the threat, attacks still succeed and appear where they are not expected, with tremendous success and massively destructive potential. Through the analysis of a case study, one will try to see how and where a country can be found most vulnerable despite an extensive counter cyber-threat program and strategy, in a place it did not expect, and how human error and weakness can be seen as the most sensitive of the weak spots in every cyber-security strategy.
To develop this argument, one needs to describe in a few sentences the NCSS of the USA. Such strategies have developed along virtually the same lines for most developed nations, and most were first issued between 2003 and 2009 (Luiijf, H. A. M., Besseling, K., Spoelstra, M., & De Graaf, P. 2011, September). The USA established its own in 2003 and decided to implicitly incorporate all Cyber Threats (CT) to the Information and Communication Technologies (ICT). As such, it related explicitly to the National Security Strategy and the Critical Infrastructure Protection Strategy, and addressed CT to Critical Infrastructure (CI), Defense Abilities, Economic Prosperity, Globalization, National Security, Public Confidence in ICT, and the Social Life of everyday citizens. Moreover, it set itself to countering CT across the whole range of cyber attacks, from activism to terrorism, from large-scale attacks to criminal and organized crime, and from espionage to cyber warfare. It thereby essentially tried to include the whole spectrum of CT in its NCSS in order to be better prepared to deal with it.
But all this, and the billions of dollars funneled into such extensive security and networks, still leaves some holes open, through which a smart and even less technologically equipped malicious cyber actor can infiltrate and create extensive damage, as the following case study will show. So did the Syrian Electronic Army on the 23rd of April 2013, when they found an easily exploitable breach in the Twitter account of the Associated Press (AP), the weak link of the USA cyber-security system that day, and managed to publish and share with the account's 2 million followers a tweet claiming that two explosions had occurred in the White House, injuring the then-elected President Barack Obama (Fisher, M. 2013).
The announcement was fake, of course, and the hack only lasted around 5 minutes because the hacker decided not to close the door behind him and did not change the password he used. This proves that human error can be beneficial to both sides of the spectrum. However, in the 5 minutes between 1:08 p.m., when the stock market started nose-diving, and 1:13 p.m., when it was fixed and word spread that it was only an erroneous announcement, the Dow Jones lost 150 points and virtually erased around 136 billion dollars in equity market value (Fisher, M. 2013). Fortunately, the market got back up almost instantly after the information was proven false. But this still leaves the question open: how was one of the most advanced societies and security agencies in the world outplayed by some petty hacker sitting in a war zone in Syria?
What Could Have Happened If Breaching Was Successfully Implemented?
Indeed, it seems the attack was not made to create real damage, but the consequences could have been catastrophic had it happened in multiple news outlets at once and not been fixed right away. Such an attack would have succeeded in impacting the country’s economic safety, its citizens’ social life, confidence in their government’s capacity, and even its national abilities by crashing one of the country’s most critical infrastructures in a way no one ever saw coming. Indeed, had it been done for money, one could have made millions and even billions by orchestrating such an attack on the USA or any other important country and timing stock sales or acquisitions perfectly. And had it been an enemy state actor with better capacity and more nefarious intentions, the consequences could have been catastrophic.
But this leaves the question: how was such a cyber attack made possible? The answer is most simple: by exploiting what always proves to be the most sensitive and weakest link of any security system, no matter how extensive and high-tech it may be: the Human Factor. As the famous Albert Einstein would say, ‘Two things are infinite: the universe and human stupidity; and I’m not sure about the universe’ (Einstein, A. 2012). Indeed, exploiting human weakness, whether in the obvious brute-force breaking of a password going from 1 to 9 or, as here, the sending of malware through the ‘phishing’ technique of an e-mail to one of the low-ranking staff members of the AP, is always the best way to go when going against a technologically advanced system. And once again here, it proved to be the failing link that in other circumstances could have brought the most powerful nation of the world to its knees at the hands of a handful of Syrian hackers, had it been done with more preparation and focused intent. The consequences for Syria might have been catastrophic as well, had it had to endure the USA’s wrath afterward.
Cyber-Security and Governance – Conclusion
Therefore, following this case study, one can conclude that no matter the extent of the countermeasures, the NCSS strategy, or how many billions are spent on the CT security apparatus and system, the 0-risk point can never be reached, if only because the most critical factor in such a system will always be the human operator, who will, contrary to machines, always be the most prone to error, no matter how much education and money is poured into training them. Low-ranking operators from any of the side systems or organizations, such as, here, the media and social media, can be the cause of a catastrophic breach, which is virtually impossible to prevent in the long term. And that is without even talking about a 0-day malware event, which, like COVID-19 for human society, is a threat that no one can ever see coming; one can only deal with its consequences in the best way possible.
- Clement, J. (2020, July 24). Digital users worldwide 2020. Retrieved September 29, 2020, from https://www.statista.com/statistics/617136/digital-population-worldwide/
- Einstein, A. (2012). Albert Einstein Quotes. Retrieved from BrainyQuote.com.
- Fisher, M. (2013). Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism? Washington Post, 23.
- Luiijf, H. A. M., Besseling, K., Spoelstra, M., & De Graaf, P. (2011, September). Ten national cyber security strategies: A comparison. In International Workshop on Critical Information Infrastructures Security (pp. 1-17). Springer, Berlin, Heidelberg.