“This article was originally published with Security Toolbox on September 15, 2020. You can view the original content here.”
Domestic and international politics have invaded the field of data security, and the COVID-19 pandemic has only added to this invasion. Shane O’Donnell, a partner and Chief Audit Executive at The Mako Group, and Sean Griffin, a member at Dykema, explain how security leaders can safeguard their crucial IT infrastructure in this new era of data security and navigate foreign and domestic politically motivated leaks.
Like it or not, domestic and international politics have invaded the field of data security. Of course, COVID-19 has assisted this invasion, but other political factors from the upcoming US election to this summer’s Black Lives Matter protests have played a part. Data security professionals must therefore keep an eye not only on their IT infrastructure but the practical consequences of recent political actions.
Foreign and Domestic Politically Motivated Leaks
From abroad, we must address dangers posed by Advanced Persistent Threats (APTs): state-sponsored hackers that attack US companies in the hopes of sowing political, technological, or financial disruption. APTs have been fairly indiscriminate in their targeting, but healthcare companies have been a favorite APT target, as foreign governments seek to extract data relating to healthcare research; security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses.
Domestic political concerns also bring data security implications. Recently, a New York law firm suffered a ransomware attack wherein the attackers promised to leak information from the firm’s servers pertaining to President Trump if their demands were not met. In 2017, the Chinese government allegedly hacked a law firm’s server and published personal information belonging to the firm’s client, a dissident; a court recently denied the law firm’s motion to dismiss the dissident’s suit against it.
Law enforcement officials have contributed to data insecurity. This summer, the New York Police Department’s union tweeted a picture of a computer screen showing personally identifiable information of New York mayor Bill de Blasio’s daughter, Chiara, after she was arrested during a Black Lives Matter protest. Shortly thereafter, police officers in Norman, Oklahoma posted a city council member’s address after she proposed a police budget cut; days later, the member’s neighbor was assaulted by an assailant who allegedly made a political threat.
Also, an arsonist reportedly firebombed the Maricopa County Democratic Party headquarters in Phoenix, Arizona on or about June 24. Democratic County Chairman Steven Slugocki was quoted as saying, “Our computers, our phones, our tablets, our printers, everything to get out the vote was destroyed in the fire last night... It’s a devastating loss for us.” This incident shows not only the political nature of data security incidents but also the need to take physical security and technological measures into account.
These leaks and breaches come at a cost to government activities. Currently, governments are asking their citizens to trust them with more of their personal information, including their location data, to combat COVID-19 and other ills. In part to shore up public trust, various states have imposed limits on law enforcement agencies’ use of personal information, and the federal government may follow suit. The police union’s privacy leak represents the sort of disclosure that could undermine the public trust necessary for governmental contact tracing to work.
In light of the foregoing, we can expect two things. First, we can expect the trend of politically motivated leaks to continue, as they have for years. Second, in light of governments’ and government-affiliated entities’ accidental and/or intentional disclosures of public information, we can expect lawmakers to focus on data security for government entities going forward.
Safeguarding in the New Era of Data Security
As the stories above prove, we are in a new era of data security. Technology has become more entangled in our lives and the threat actor profile has morphed. Originally, organizations needed to only worry about bored teenagers and disgruntled employees seeking to damage an organization. The bored teenagers launched unsophisticated attacks that could be easily detected, and disgruntled employees could be easily stifled with properly implemented access controls.
However, as data has become king and organizations store everything online from trade secrets to personally identifiable information, the threat actors have evolved to APTs, as described above. We now have hacktivists seeking to discredit and defraud organizations they believe to be on the wrong side of history, nation states waging war against corporate entities, and career criminals using malware to turn a profit. The overarching goal varies based on the threat actor and their attack methods. Organizations must identify the most plausible threat actors and place security controls accordingly to thwart them. Frameworks such as MITRE’s ATT&CK framework can assist organizations in identifying these attack methods. It’s not just the overseas APTs anymore: cyber warfare can happen anywhere, and organizations and governments need to prepare.
Part of this preparation includes protecting physical infrastructure. As the country becomes more divided and politics enter the cyber world, more and more parties will have an interest in gaining access to others’ networks and physical buildings. After years of experience performing social engineering and physical penetration testing activities, it is apparent that organizations need to shore up these areas of security more than ever before.
In the cybersecurity field, we are often told at the outset of engagements that “there is no chance you will get in.” Unfortunately, most of the time we do get in. On engagements where firms are engaged to legally break into buildings, accessing sensitive areas of an organization’s physical infrastructure is much easier than you would imagine. Whether it is an employee out smoking who holds the door open, a locked door that does not shut correctly, or a front desk person who is a little too trusting of someone in a suit, if we act the part, we get in. This also tends to be easier when visiting an organization’s overseas locations.
In overseas locations, doors to server rooms seem to be left open more often, and building security can be easy to bypass. Entering buildings overseas and breaching the network can provide the same level of access as if the compromise were stateside. Organizations need to take a hard look at their cybersecurity programs and controls in light of recent events and make the appropriate changes. As long as entities continue to make mistakes when it comes to properly securing data and physical locations, threat actors will continue to have success exploiting those mistakes.
For more information regarding this article, please contact Sean Griffin.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.