March 19, 2021

One If by Land, Two If by 0 and 1


KEY TAKEAWAYS

  • There are numerous methods and types of cyberattacks; understanding the most common types of attacks can help policymakers craft appropriate responses.
  • While some of the responses to these cyberattacks are in the hands of ordinary citizens, many require action from the federal government to properly respond to the scale, sophistication, and objectives of the attacks.
  • Responding to ransomware and strengthening supply chain security are likely to be key areas of focus for lawmakers in the 117th Congress.

As the world has become dependent upon the internet and machines connected to it, the hazards of cyberattacks have become more serious. Understanding the most common types of cyberattacks can help policymakers enact legislation that enables America to secure its technology infrastructure while leading the world in innovation. It can also help Congress provide effective oversight of federal agencies and taxpayer dollars.

Common Types of Cyberattacks

Denial of Service Attacks

Denial of service attacks aim to overwhelm a server or network with so much traffic that it can no longer respond to legitimate users; the target may crash outright or simply become unreachable. A distributed denial of service (DDoS) attack sends that traffic from many machines at once, often using a “botnet” − a combination of the words “robot” and “network.” A botnet consists of a large number of machines – computers or other connected devices – that have been infected by malware and are controlled by the attacker. For example, a 2016 attack on Dyn, a company that provides domain name system (DNS) service to other websites, effectively shut down access to hundreds of websites for much of a day. The attackers used a botnet made up of compromised devices that included home routers, digital video recorders, and smart home systems, many of them still using factory-default passwords. Even a smart refrigerator connected to the internet could be part of a botnet and used in a DDoS attack.

To help increase the security of these devices that make up the “Internet of Things” and mitigate the risk, Congress passed the Internet of Things Cybersecurity Improvement Act in 2020. The law requires the National Institute of Standards and Technology to develop and publish standards and guidelines for IoT devices used by the federal government.

Businesses and the government also have taken action against prominent botnets. Last October, Microsoft disrupted the “Trickbot” botnet, which had infected more than a million devices around the world and was used to distribute malware and ransomware. In January, the Department of Justice, working with international law enforcement partners, took down the Emotet botnet. According to DOJ, the malware had infected hundreds of thousands of computers throughout the United States and caused millions of dollars in damage.

Phishing

In a phishing attack, cybercriminals send emails that appear to be from a trusted source to get people to click on a link or open an attachment, typically to harvest login credentials or install malware on the victim’s machine. These are generally broad attacks involving millions of emails sent indiscriminately in the hope that enough people will fall for the trick to make the attack worthwhile. “Spear phishing” attacks require the criminal to take time and effort to craft personal emails aimed at specific targets. The goal in both cases is to make the messages believable, such as spoofing the “from” section of an email so it appears to come from the target’s boss. Email authentication standards (SPF, DKIM, and DMARC) let receiving mail servers reject many messages whose sender address is forged outright, but they do not catch lookalike domains, forged display names, or mail sent from a legitimate account the attacker has already compromised.
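The checks a mail filter can make on the “from” section without any outside lookups, as an added example that is not part of the original brief: whether the sender’s domain merely resembles the organization’s real one, whether replies are quietly routed elsewhere, and whether the receiving server’s own SPF/DKIM verdict failed. The organization domain, both sample messages, and the finding codes are constructed for this example.

```python
"""Flag a message whose "From" has been dressed up to look like the boss.

Added example, not code from the original article. ORG_DOMAIN and both
messages below are constructed; the finding codes are this example's own.
"""
from email import policy
from email.parser import Parser

ORG_DOMAIN = "example.com"  # assumption: the targeted organization's real domain

# Constructed sample 1: lookalike sender domain, diverted replies, failed SPF.
SPOOFED = """\
From: Jane Doe <jane.doe@example-com.co>
Reply-To: payments@mail-relay.invalid
To: bob@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-com.co; dkim=none
Content-Type: text/plain; charset="us-ascii"

Bob, please process the attached invoice before noon. -- Jane
"""

# Constructed sample 2: the same request when it really comes from the boss.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Invoice for review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset="us-ascii"

Bob, please take a look at the attached invoice when you get a chance. -- Jane
"""


def _domain(header):
    """Lowercase domain of the first address in a structured address header, or ''."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def analyze(raw_message):
    """Return a list of finding codes for one raw message (empty list if nothing stands out)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []

    from_domain = _domain(msg["From"])
    org_label = ORG_DOMAIN.split(".")[0]
    if from_domain != ORG_DOMAIN and org_label in from_domain:
        # "example-com.co" looks like ORG_DOMAIN to a human but is a different domain,
        # so SPF/DKIM for the real domain never even come into play.
        findings.append("lookalike_sender_domain")

    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        # Replies go somewhere other than the apparent sender: classic invoice fraud.
        findings.append("reply_to_mismatch")

    # The receiving server records its own SPF/DKIM/DMARC verdict in this header.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech}_fail")
    return findings


if __name__ == "__main__":
    print("spoofed:", analyze(SPOOFED))
    print("legit:  ", analyze(LEGIT))
```

These checks have no false positives on the legitimate message but they are not sufficient on their own: a message sent from a colleague’s compromised mailbox carries the real domain, passes SPF and DKIM, and trips none of them, which is why the training and access-reduction measures below still matter.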

In July 2020, Twitter fell victim to a spear phishing attack carried out over the phone. The attackers targeted employees who had access to Twitter’s internal account-support tools. The accounts of Elon Musk, Bill Gates, Kanye West, Barack Obama, and others were hijacked and used to tweet messages soliciting cryptocurrency. Authorities arrested a 17-year-old from Tampa, Florida, who prosecutors alleged to be the “mastermind” behind the attack.

Defenses against phishing attacks include training people to spot phony emails, requiring multi-factor authentication so that a stolen password alone is not enough to log in, and reducing the number of accounts that have administrator access, since those are the accounts attackers most want to capture.

Ransomware

Ransomware is a type of malicious software that prevents users from accessing computer files, data, or networks, usually by encrypting them, until a ransom is paid. Many ransomware groups now also steal data before encrypting it and threaten to publish it, so even a victim with good backups faces pressure to pay. Hospitals, school districts, colleges, police departments, and city and state governments of all sizes have been targeted by cybercriminals using ransomware.

In 2017, the “WannaCry” ransomware worm infected hundreds of thousands of computers in at least 150 countries, disrupting the TNT Express unit of global shipping giant FedEx and crippling the National Health Service in the U.K. WannaCry spread on its own by exploiting a flaw in Windows file sharing for which Microsoft had released a patch two months earlier; the machines it took down were the ones that had not been patched. Estimates of the global economic damage ran as high as $4 billion.

Businesses and governments can mitigate the risk of a ransomware attack by backing up critical information and servers, keeping at least one copy offline or otherwise out of reach of an attacker who is already inside the network, and regularly testing that the backups can actually be restored; conducting a cybersecurity risk analysis of their organization; testing their systems; promptly patching known vulnerabilities; and having an incident response plan in place.

Password Attacks

Passwords are the most common method to authenticate users and grant access to an information system, so password attacks remain one of the most serious cybersecurity threats. Attackers can use a variety of methods to crack passwords, including dictionary attacks, in which a list of common passwords and words is tried against an account; brute force attacks, in which every possible combination of characters is tried against one account until the password is found; and password spraying, in which a few commonly used passwords are tried across thousands or even hundreds of thousands of accounts. Password spraying works because most systems lock an account only after several failed attempts on that same account; one or two guesses against each of many accounts never trips the lock. Guessing passwords is not as difficult as it may sound. Despite years of warnings, many people use passwords that are incredibly easy to guess. In 2020 the most common password was “123456,” followed by “1234567,” “picture1,” “password,” and “12345678.”
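The difference between hammering one account and spraying many of them is visible in an authentication log, and it is the difference a defender has to detect, since per-account lockout only catches the first pattern. The following detector is an added example, not code from the original brief; its log format, sample lines, and thresholds are all constructed for the example and stand in for a real lockout policy.

```python
"""Tell brute force from password spraying in an authentication log.

Added example, not code from the original article. The log format is a
constructed, simplified "<ISO timestamp> <source IP> <username> <FAIL|OK>"
line per login attempt; the thresholds are assumptions, not article values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # assumed policy: an account locks after 5 failures
SPRAY_MIN_ACCOUNTS = 8                # one source failing on this many accounts is spraying...
SPRAY_WINDOW = timedelta(minutes=30)  # ...when those failures are clustered in time


def constructed_log():
    """Build sample lines: one brute-forcer, one sprayer, one clumsy legitimate user."""
    lines = []
    # Brute force: twelve failures against a single account from one source.
    for sec in range(12):
        lines.append(f"2021-03-18T09:00:{sec:02d} 203.0.113.7 alice FAIL")
    # Spraying: two failures against each of ten accounts from one source.
    # No account ever reaches LOCKOUT_THRESHOLD, so per-account lockout never fires.
    users = ["bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory"]
    for sec, user in enumerate(users):
        lines.append(f"2021-03-18T09:05:{sec:02d} 198.51.100.23 {user} FAIL")
        lines.append(f"2021-03-18T09:06:{sec:02d} 198.51.100.23 {user} FAIL")
    # Benign noise: a user mistypes twice, then succeeds.
    lines += ["2021-03-18T09:10:00 192.0.2.44 alice FAIL",
              "2021-03-18T09:10:05 192.0.2.44 alice FAIL",
              "2021-03-18T09:10:12 192.0.2.44 alice OK"]
    return "\n".join(lines)


def parse(log_text):
    """Yield (timestamp, source_ip, username, result) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result


def classify(log_text):
    """Return {source_ip: "brute_force" | "password_spraying"} for suspicious sources."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> username -> failure count
    first_seen, last_seen = {}, {}
    for ts, ip, user, result in parse(log_text):
        if result != "FAIL":
            continue
        failures[ip][user] += 1
        first_seen.setdefault(ip, ts)
        last_seen[ip] = max(last_seen.get(ip, ts), ts)

    verdicts = {}
    for ip, counts in failures.items():
        worst_account = max(counts.values())
        if worst_account >= LOCKOUT_THRESHOLD:
            # Concentrated on one account: brute force or dictionary attack
            # (the two look the same in the log). Lockout stops it; the attempts are the signal.
            verdicts[ip] = "brute_force"
        elif (len(counts) >= SPRAY_MIN_ACCOUNTS
              and last_seen[ip] - first_seen[ip] <= SPRAY_WINDOW):
            # Many accounts, each touched only a few times, in a short window:
            # the source is deliberately staying under the lockout threshold.
            verdicts[ip] = "password_spraying"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(constructed_log()).items():
        print(f"{ip}: {verdict}")
```

The legitimate user with two typos is not flagged by either rule. Real sprayers rotate source addresses to defeat the per-IP grouping used here, so production detection usually keys on the same few passwords, user agent, or time pattern across sources rather than on a single IP.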

One powerful tool to guard against password attacks is multi-factor authentication, in which logging on requires both a password and some other proof of identity, such as a one-time code texted to the user’s cell phone. Codes sent by text message are the weakest form of second factor, since they can be intercepted through a hijacked phone number or simply phished along with the password; codes from an authenticator app, and especially hardware security keys, are stronger. Biometrics – fingerprints, iris scans, or even the user’s gait – provide another alternative to passwords, though in practice they are most often used to unlock a device or as a second factor rather than on their own.

Supply Chain Attacks

As their name implies, supply chain attacks take advantage of the extensive global supply chains of many IT systems. Assembling a single device might involve dozens of manufacturers in multiple countries, each of which is a potential attack point. The same principle applies to software – federal agencies use hundreds of different types and versions of software from third-party vendors in their systems, and a compromise at any one of those vendors can be passed down to every agency that installs its updates.

In 2019, the Department of Homeland Security reported federal agencies faced approximately 180 different IT-related supply chain threats. The Government Accountability Office has warned of the dangers these types of attacks can pose and identified seven best practices agencies should take to manage and mitigate supply chain risks. Unfortunately, of 23 agencies GAO examined, it found that “none had fully implemented the practices; and 14 had not implemented any practices at all.” In the SolarWinds attack, the intruders inserted a backdoor into a legitimate, digitally signed software update for the company’s Orion network management product, which customers, including federal agencies, then installed as a routine update. The attack was successful, in part, due to agencies’ failures to implement basic cybersecurity best practices.

Zero-Day

Zero-day exploits take advantage of vulnerabilities that the software vendor does not yet know about and has therefore had “zero days” to fix, so no patch exists. These can be extremely dangerous because, until they are discovered, only the attacker is aware of their existence. Zero-day exploits are often bought and sold on the black market for significant sums of money. Once a vulnerability becomes known – sometimes to the software vendor itself, sometimes through contracted cybersecurity firms, and increasingly through “white-hat” hackers or researchers – a fix for the vulnerability can be issued, though systems remain exposed until the fix is actually installed.

The Stuxnet worm caused considerable damage to the Iran nuclear program more than a decade ago by using four previously unknown flaws in the Microsoft Windows operating system to spread and take control of infected machines. North Korean hackers charged with breaking into Sony Pictures’ corporate network in 2014 also reportedly used a zero-day exploit.

Some large software companies have established “bug bounty” programs to help identify and close vulnerabilities in their products. Anyone who discovers a bug can submit a report and be paid a bounty for their efforts. Apple offers payouts of $100,000 to $1 million, depending on the type of vulnerability and operating system. Facebook has had a bug bounty program since 2011, rewarding more than 1,500 researchers from 107 countries.

Federal Action

While some of the responses to these cyberattacks are in the hands of ordinary citizens − having a strong password, not falling for phishing emails − many require action from the federal government to properly respond to the scale, sophistication, and objectives of the attacks.

Ransomware has reached epidemic proportions across the country and is likely to be a focus of lawmakers this Congress. Lawmakers on both sides of the aisle have introduced ransomware legislation and announced plans for hearings to try to respond to the problem.

Congress and the administration also have been focused on ways to increase supply chain security in the wake of the devastating SolarWinds attack. On February 24, President Biden issued an executive order on America’s supply chains. It requires reports within 100 days identifying risks and policy proposals for addressing the risks in the supply chains for semiconductor manufacturing, high capacity batteries, critical minerals including rare-earth minerals, and pharmaceuticals and other critical items needed to combat the COVID-19 pandemic.

Congress also has been active in responding to the SolarWinds attack. Last month, the Senate Select Committee on Intelligence convened the first congressional hearing on the attack. The House Oversight and Reform Committee and the Homeland Security Committee followed with a joint hearing examining the role of the private sector in responding to the breach. And on March 18, the Senate Committee on Homeland Security and Governmental Affairs held a hearing to examine the federal perspective and response to the attack. More hearings will likely follow as lawmakers work to understand the damage from the attack and develop legislative proposals to strengthen supply chain security.
