Last month, San Francisco’s Bay Area Rapid Transit, California’s largest transit system, suffered a ransomware attack that exposed highly sensitive data from the agency’s own police department.
Vice Society, the prolific ransomware group that claimed responsibility for the attack, stole everything from master employee lists to crime lab reports and made them public, putting lives at risk. This was just the latest in a long list of cyber attacks targeting transit systems and national infrastructure, and it certainly won’t be the last.
During my 12 years as Manhattan District Attorney, I witnessed the harmful effects of cybersecurity threats. Cybercrime in New York City impacts massive financial institutions, retailers, and infrastructure providers every day. These entities are attractive targets of cybercriminals, whether for financial or political reasons.
Range of Actors
When an organization is attacked, it’s hard to know the source—could it be a nation state, a cybercrime group, or someone from within the organization? Nation-state actors and their proxies are constantly re-branding and re-inventing to avoid detection.
That said, though nation-state actors tend to cause the most damage, over 80% of cyberattacks are carried out by private actors.
Beyond the financial risk to businesses and individuals, cybercrime is a grave threat to our national security, with critical infrastructure targeted more and more every day.
Every zero-day—a vulnerability in a system that has no known fix—represents an opportunity for an enemy to intercept sensitive communications, steal valuable intellectual property, and cripple the systems that keep us safe: power, water, nuclear, hospitals, and more.
Cybercrime is not just about extracting money or data. These attacks diminish trust in our most important institutions and sow fear and uncertainty, which is one of the principal goals of our adversaries.
A look at some of the biggest cyber events of 2022 drives this home. There has been an explosion of digital extortion. Hacking ransomware group Lapsus$ leaked sensitive data from victims including the world’s leading technology companies.
Costa Rica’s government was brought to a standstill by Conti ransomware, linked to Russia. Thefts from blockchain businesses grew exponentially in the last year, with staggering losses. Last March, North Korea-linked Lazarus stole $540 million in cryptocurrency from Ronin, a popular blockchain platform.
Organizations and industries with little tolerance for downtime continue to be hit hard because bad actors target those that are most likely to pay. Last June, a Massachusetts-based health-care company announced a breach affecting the health data of 2 million people.
In the wake of the pandemic, manufacturing is now the most-targeted industry—supply chain demand means that businesses can’t afford to be offline, even if every bit of data is backed up.
Better Preparation Is Needed
Unfortunately, the current cybersecurity forecast favors criminals and state-sponsored actors over the ability of jurisdictions and businesses to fight them. We’re not prepared for attacks or the aftermath that inevitably follows.
A recent Baker McKenzie survey found that lawsuits over cybersecurity and data breaches were the number-one litigation risk concern for senior legal counsel inside large corporations globally.
Though federal agencies are laser-focused on preventing a cyberattack that results in a nuclear disaster or a nationwide power outage, state and local governments also need to take a hard look at their ability to respond to a serious cyber event.
We need creative thinking and engagement at every level to address the cyber threat problem as the crisis that it is.
When I was still DA, I asked intelligence experts in the NYPD what would happen if we were hit with an attack on, for example, our water sources. Was there a plan?
The answer made painfully clear that we had work to do: there was no plan A and there certainly wasn’t a plan B. In the event of a serious attack on critical infrastructure, no one was coming to save us. New York would have to save itself.
New York’s Example
So we got to work. We convened a public/private task force, including infrastructure providers, law enforcement, intelligence, and nonprofits. We trained first responders to manage a cyberattack, with the support of—among others—IBM and its training facility in Massachusetts.
Five years in, the NYC Cyber Critical Services and Infrastructure Project has its own dedicated command center and a diverse membership of almost 300 professionals from health care, tech, government, and other sectors.
When the Colonial Pipeline attack hit, the NYPD’s Intelligence Bureau quickly leveraged CCSI’s “team of teams” to spread the word throughout member organizations and made sure that infrastructure providers were scouring their networks for similar attacks.
There is still work to do, but New York has proven that this model works and can be replicated across the country quickly and at relatively little cost. For states and cities that are less resourced than New York City, that is hugely important. They don’t have the luxury of time to achieve higher cybersecurity and resiliency for critical infrastructure. They need it now.
Collective security efforts are critical to our security. If we are going to have any chance of defending ourselves against significant cyber threats—the type of attacks that can take out a power grid or a hospital—we need to work together.
The US led the way in developing the internet and today is home to the best and most innovative technology companies in the world. We now need to show the same leadership in securing it.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Cyrus Vance Jr. is a partner and global chair of Baker McKenzie’s cybersecurity practice. Prior to joining Baker McKenzie, he served three consecutive four-year terms as Manhattan District Attorney.