Emergent Phenomena
Published in

Emergent Phenomena

This is an email from Cyber-Physical, a newsletter by Emergent Phenomena.

On cyber-attacks, supply chains, and Simone Biles

In an increasingly connected world, it’s no surprise when cyber-attacks have propagating consequences, and social media discussions influence opinions

Network of retweets containing the words “Simone” and “Biles” | Skanda Vivek

A day before the 2021 Independence Day holiday long weekend, on July 2nd 2021, software product company Kaseya announced that they were the victim of a sophisticated cyber-attack. While a fewer than 60 Kaseya customers were impacted, thousands of businesses were affected and millions of systems compromised. This is because Kaseya is an important node in a complex network of software products that companies rely on. Kaseya’s customers are not the businesses themselves, but managed service providers (MSPs). MSPs in turn offer services in maintaining IT infrastructures for businesses. These services are authentication, remote access, cloud storage, cybersecurity, and more. Top MSPs include IBM, Accenture, Infosys.

Google description of Kaseya

A ransomware group known as REvil exploited multiple vulnerabilities in the Virtual System Administrator (VSA) product from Kaseya, and left data encrypted. REvil published a blog demanding $70 million in ransomware from Kaseya, after which they would publicly reveal how to decrypt the data.

This means that MSP providers who rely on the VSA product in turn to perform their IT services, were not able to do so for the businesses that employed them. But what sort of information does the VSA product provide?

According to this video from Kaseya, apparently quite a lot. The host of Kaseya functions are tied to key IT services like storage of multiple passwords, remote control, ensuring compliance with software updates, and more. Thus some companies that are heavily reliant on Kaseya might be impaired in performing their functions.

The Supply Chain Effect

More interesting is that some of these companies might not even have known they were dependent on Kaseya, as they are not directly linked to Kaseya, but rather — indirectly through their IT service provider. This illustrates the supply chain effect, which has been made popular in the aftermath of the SolarWinds attack that illustrated how attacks on unaccounted vendor software can have propagating consequences that are of particular concern when such vendors are used by almost all Fortune 500 companies and multiple governmental agencies.

Larger supply chains are a consequence of our increasingly connected world, and feature in almost every industry from vehicle manufacturing to Dairy companies.

Supply chains in an Iranian Dairy company

Supply chain dependencies are impacting the automobile industry. The automobile industry is losing billions of dollars not because people don’t want to buy cars, but due to semiconductor chip shortages, that began during the COVID pandemic. Workers were not able to work as much due to lockdowns, and multiple industries feared a loss of customers — resulting in a reduced global supply of semiconductor chips. With economies beginning to recover, supply is not able to keep up with demand. Ford CEO Jim Farley commented:

this is perhaps “the greatest supply shock” I have ever seen.

Supply chain intermittencies and cyber-attacks that propagate through vendor-customer relations showcase that there are plenty of concerns due to the lack accounting for the increasingly complex interconnected systems that make up our society. This is not helped by the lack of incentives for companies to think about the larger consequences of failures in their systems. For example, Colonial Pipeline was not held liable for the propagating consequences of ransomware attacks on their systems that caused gas shortages for more than a week. But apart from the real physical impacts of such failures, accurate information is critical for stakeholders to make decisions that ultimately impact the society.

Information networks

Even though we have unprecedented access to real and historical logs of events — whether through news articles, videos, pictures, cell phone records, and numerous other modern devices, our society is polarized when it comes to discussions on seemingly basic topics — like who won the election.

Tom Brady joking that half the country doesn’t believe his team won

Social media sites like Facebook and Twitter with billions and millions of users respectively, are representative of national and global discussions and opinions. Data from these sites could be extremely useful for making quick decisions during emergencies. For example, during the Colonial Pipeline cyber-attack, people were not aware which regions were impacted, which resulted in artificial gas shortages due to panic buying. Even more concerning was when panic buyers were filling empty bags with gasoline.

https://twitter.com/USCPSC/status/1392482092823502849

Statements like this illustrate the power of providing information during emergencies through social media sites. At the same time however, such sites are prone to fake information — as we have all evidenced from the previous president condoning the activities of protestors during the Capitol Riots.

In a recent example, we are seeing how the world is judging Olympic gymnast Simone Biles after the information about her decision to withdraw. In my recent article, I show how data from 400k+ tweets shows that most people generally support Simone Biles decision, and why that is a positive step for all of us.

Building resilience to supply chain cyber-attacks

Hopefully I’ve illustrated that building resilience to cyber-attacks that propagate to multiple societal systems requires multiple levels of coordination. The first, is of course preventing the attack from happening in the first place. In recent times, much emphasis has been placed on Zero trust security architectures, a series of protocols to help improve cybersecurity including Multi Factor Authentication, and segmenting networks in the event that malicious actors gain control of one sub component, they do not impact the entire network. Broadly, the zero trust model assumes that malicious actors are present both inside and outside traditional network boundaries, and requires continues verification of authenticity.

However, zero trust alone is not enough. Hopefully this reduces the number of breaches after wide adoption, but there are definitely still going to be security breaches even after companies widely adopt the zero trust model. We would still need to be prepared for the propagating consequences of successful attacks. In the case of cyber-attacks on critical infrastructures such as connected vehicles, water purification systems, or energy pipelines, these solutions could be early detection of impacts such as unnatural traffic jams resulting from large-scale vehicular attacks, sudden reduction in water quality, or drops in pipeline productivity.

At the same time, stakeholders must do their best to keep information in the public discussion as authentic as possible, to enable quick response and not fuel panic. A recent Science article in 2018 found that on Twitter, “lies spread faster than the truth” — in part enabled by the degree of novelty of fake news. This is of particular concern during disasters when people fear the worst.

If you enjoyed this week’s post, please share or tell someone that might enjoy holistic perspectives on the interconnections between technology and modern societies. Feel free to also post any comments in the post discussions on the cyber-physical substack page. This is a small, but growing effort and I hope that you will join me in discovering and building resilient societies.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store