Cyber attacks are often called non-violent or non-kinetic, but the simple truth is that there is a credible capability to use them to achieve kinetic effects. Kinetic Cyber refers to a class of cyber attack that can cause direct or indirect physical damage, injury or death solely through the exploitation of vulnerable information systems and processes. This is why I decided to attend HACK NYC this year. Held annually, this conference has several sponsors including Microsoft, VMware, Goldman Sachs, and Adobe. The mission statement explains that HACK NYC is an event “about sharing big ideas on how we will fortify our daily life and economic vitality.”
This is right up my alley, so I attended HACK NYC in May and got to participate in some great talks. The first of these was entitled 'Cyber Crisis Simulation', which was billed as “a simulated crisis that is unfolding on a national scale. Triggered by a yet unknown adversary, what started as a technical issue has become a city wide impact, affecting millions of citizens, several industries, and spanning government jurisdictions.” This sounded like a real-life version of the game Risk, so I decided to attend.
In this interactive session, the audience was divided up and each team was given a scenario. Each group was asked to discuss and debate the scenario and then explain to the rest of the participants why we came up with our plan. The scenarios seemed like something out of a Batman movie! The first stated that the mayor of NYC was sent an email from an unknown source threatening an attack on several of the city’s hospitals. The attacker threatened to start deleting patient files, shut down the AC, and stop the elevators unless paid 500,000 USD in bitcoin.
Our team considered how to verify whether the hospital networks were actually compromised. We asked ourselves questions such as how far-reaching the attack was and whether there were assets that were not affected. We strategized on how to help people who were in the infected hospitals, how to slow or stop the damage, and whether or not we would pay the ransom. What, if anything, would we tell the media? What would we inform/advise the mayor to do?
We ultimately decided that 500,000 USD was cheaper than the cost of lives.
The stakes were raised in the second scenario presented. In another email to the mayor, the hackers said they had gotten control of medical records and were altering allergy information. They also threatened ‘fireworks’ at the Yankees vs. Mets game and said that they had somehow stopped all 911 emergency calls.
In this scenario, it was verified that the attackers had taken patient medical records about allergies and that the problem was now statewide. They demanded 5,000,000 USD in 4 hours.
While this seems like a really bad day for the city, our team looked at the problems from all angles, many of which were quite revealing. If there is one lesson to be learned here, it’s that all of these dire situations require solutions that understand all of the data involved, along with the ability to quickly see that data in context. I couldn't help but think that Gemini Enterprise would have been a huge asset in this capacity. Using Gemini’s machine reasoning would have assisted even the greenest of analysts in understanding the relationships between all of the data sources required to find, isolate, and remove the threat.
HACK NYC was an amazing event. I would highly recommend it to anyone. To find out more information and learn about upcoming events, check out their website (https://q22018.hacknyc.com/en/), and keep a lookout for my next post, where I’ll chat more about my experiences at HACK NYC!