NotPetya, Trump and a Cyber Katrina
In May the WannaCry ransomware attack hit approximately 400,000 computers in 150 countries. Ransomware is a form of malware that encrypts some portion of your computer files, demanding payment by the victim via Bitcoin to regain access. WannaCry was the largest ransomware attack in history, yielding over $100,000 in ransomware payments and causing approximately $1-4 billion in economic damage.
That was the warning. Nearly 7 weeks later, the NotPetya attack struck and spread to 65 countries in what seemed like a WannaCry sequel. Except the ransomware component was designed in such a way that the payment address was easily shut down and the files were destroyed regardless of payment. Analysts concluded that the ransomware component was a “lure to control the media narrative” and hide what was an attack by a state actor.
The attack, which came on the eve of the holiday marking Ukraine’s adoption of its Constitution of Independence in 1996, hit Ukrainian ministries, banks, transportation systems and the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant. For the past two years, Russia has been waging a cyber war against Ukraine, with Ukraine’s President indicating there were 6,500 attacks over a two-month period in late 2016.
While Ukraine may have been the target, NotPetya spread with serious collateral damage across the globe, including U.S. companies such as FedEx, Merck, Nuance Communications, several hospitals and the world’s largest law firm, DLA Piper. Estimates of total damage from NotPetya are uncertain since some of the victims are still recovering, but FedEx has filed a warning with the Securities and Exchange Commission that the event would have a material impact on its performance.
NATO’s Cooperative Cyber Defence Centre of Excellence (CCD-COE), a NATO-funded think tank, concluded that NotPetya had the markings of a state actor attack, with Ukraine pointing the finger at Russia. NATO’s Secretary General also warned that a material cyber-attack against a NATO nation could trigger Article 5 of the North Atlantic Treaty requiring a military response in defense of the target.
And where was the Trump administration? Cue crickets chirping. Trump continues to reject the unanimous assessment of the intelligence community that Russia interfered with the 2016 election; and since he apparently views any discussion of Russian cyber-attacks, whether in connection with the 2016 election or otherwise, as a challenge to the legitimacy of his election, he refuses to engage the issue altogether. A White House staffer recently acknowledged that there is no evidence that Trump has dedicated any time to the issue.
The Trump White House has failed to nominate any candidates for key cyber positions at the Defense, Commerce and Homeland Security Departments. Even worse, Secretary of State Tillerson plans to eliminate the Office of Cyber Coordinator, which played a vital role during the Obama administration in getting China to curb its cyber-attacks under threat of sanctions.
So when President Trump met with President Putin ten days after the NotPetya attack, which impacted the world’s largest container ship and supply vessel operator (Maersk), the world’s largest cargo airline (FedEx), the world’s largest advertising company (WPP), the world’s largest law firm (DLA Piper) and the world’s 8th largest pharmaceutical company with economic damage potentially in the billions, what did he do?
Worse than nothing. President Trump accepted Putin’s claim of non-responsibility for interference with the 2016 election and, inexplicably, agreed to a joint Cyber Security unit with Russia.
While Trump backed away from the idea of a joint unit after widespread negative response that included Senator Lindsey Graham’s pronouncement that “it’s pretty close” to being “the dumbest idea I’ve ever heard”, Kremlin sources have since confirmed that the joint efforts are in the works. National Security Agency Director Mike Rogers, who has expressed frustration over the administration’s inattentiveness to the potential cyber threat posed by Russia, has since stated bluntly that now is not the time for cooperation with Russia.
Trump’s AWOL status in addressing the Russian cyber threat is alarming since NATO CCD-COE concluded that the attack was a “declaration of power – demonstration of the acquired disruptive capability and readiness to use it” and it has been met with no response. Like Neville Chamberlain nearly 80 years ago, Trump has given an aggressor the green light.
This month, Lloyd’s of London issued a warning that a serious cyber-attack could cost the U.S. economy as much as $121.4 billion, exceeding the costs of Hurricane Katrina. Katrina is a useful analogy since there were ample reports about the devastation that would occur if a major hurricane hit New Orleans, and yet the Bush administration was totally unprepared when it happened.
A decade later, it is the same story. Trump’s appeasement in Hamburg coupled with his refusal to acknowledge the escalation of Russian cyber-attacks and his administration’s being asleep at the wheel on cyber defense makes such a Cyber Katrina a very real and immediate threat.