Cybersecurity does not just pose technical challenges; companies must always keep their eye on the human component of cyber risk. For example, even the most damaging and sophisticated hacks – such as the recent Twitter hacks – can result from spear-phishing. Imagine that: a multi-billion-dollar communications platform brought to its knees by charming fraudsters on the phone. But the pseudo-insider risk does not end with phishing schemes. Instead, hackers and criminals of all stripes are seeking weaknesses that will enable them to gain leverage over companies.
On August 26, 2020, the United States Department of Justice charged a Russian national for offering $1 million to a Tesla employee in return for them infecting their employer’s network with malware. Egor Igorevich Kriuchkov met with the employee on multiple occasions as part of the recruitment effort. The malware was designed to exfiltrate data from Tesla. The criminal group behind the attack allegedly would then demand $4 million in return for the information.
A ransomware operation, like the one detailed in the criminal complaint, encrypts all of a company’s data and demands a hefty payment in return for the decryption key. For many companies, it is less expensive to pay the criminal’s fee than to undergo lengthy service outages. Ransomware is usually delivered remotely, through phishing or other malware. This case, however, describes using corrupted insider employees as the agents of infection. This altered tactic shows how determined criminal hackers can be.
Based upon the allegations contained in the complaint, this constituted a long-term, concerted effort by the criminals. The criminal recruiter traveled from Russia to Nevada multiple times and apparently spent many thousands of dollars wooing the individual. While remarkable, it would be foolish for companies to think this approach was novel. The fact of the matter is that international criminal espionage is a real and persistent threat.
Determined adversaries – just as in the traditional espionage world – will search for and develop human assets in their search for data. Numerous legal consequences can flow from these types of attacks. If the crime is successful, and the ransom is paid, companies can face years of litigation to make themselves whole again. This litigation could be with their vendors, who had their services interrupted, or with the company’s own insurers.
In January 2020, long-running litigation over the cyber coverage afforded by a business owner’s policy in a 2016 ransomware attack was resolved at summary judgment by a Maryland federal judge’s order. In that case, insurance coverage was finally ordered, but only after years of litigation. If an insider was the source of the ransomware, the path to coverage would be even longer and more legally treacherous.
The question then becomes, what can be done? First, companies must recognize just how enticing and valuable their digital assets have become. Just as with any other valuable asset, companies must adopt a 360-degree approach to security. That approach should be regularly re-examined and scrutinized. Now that the human element has become an obvious and well-funded vector for criminal mischief, companies must redouble their internal training and education. Company employees must be taught that their access will be targeted by criminal elements and how to respond. You do not want your employee to be surprised by novel and unexpected attention. It is best to let everyone know that they are not participants in a spy movie but could participate in a prison movie, if they choose poorly.
Companies also have to begin planning for cyber litigation now, not later. Preparing on a litigation footing will reinforce proper workflows and decision-making, even under pressure. Early litigation preparation will also strengthen later arguments that the cyber response process should be considered privileged, which is a burgeoning litigation fight. Those privilege issues should be the subject of a separate discussion. However, to paraphrase digital godfather Benjamin Franklin, smart companies know that one byte of preparation equals one terabyte of cure.