AIAA

The World's Forum for Aerospace Leadership

  • MY AIAA
  • Donate
  • Press Room
  • Renew
  • View Cart
American Institute of Aeronautics and Astronautics

    Making it Sense of it All

    Making Sense of It All

    Cybersecurity is so important, ubiquitous, and fast-changing that barely a day goes by without a major cybersecurity news story or incident (as the Recent Headlines to the right demonstrate).

    To help AIAA members begin making sense of all the cybersecurity news, this month Protocol (i) presents a framework for how to think about cyber attacks based on the motivations behind them, (ii) looks at two case studies to understand the kinds of consequences that can result from cyber incidents, and (iii) offers three questions you can ask to start understanding cyber risk for your own organization.

    Motivations for Cyber Attacks


    Cyber attackers hack organizations or individuals for a variety of reasons. To help understand cyber attacks and the motivations behind them, the Good Harbor Security Risk Management team has developed the following framework they refer to as CHEWI™.


    The acronym CHEWI™ stands for the five motivations for cyber attacks: Crime, Hacktivism, Espionage, War, and Interference, each illustrated by these examples:

    • Crime: This year, cyber criminals compromised the systems of banks in several countries and used the global SWIFT financial network to route tens of millions of dollars into their accounts. Cyber crime also includes incidents like ransomware (when criminals encrypt an organization’s data and will only unlock it if they are paid a ransom), CEO email scams (when criminals spoof emails “from the CEO” to trick employees into wiring money to a criminal’s account), hijacking vendor payments, or stealing personally identifiable information (PII) to sell on the black market.

    • Hacktivism: Hacktivism occurs when groups or individuals hack in order to advance a political or social cause, often by raising awareness about an issue by disrupting services or disclosing secrets. Beginning in 2012, Wikileaks published millions of emails that had been stolen from the global intelligence company Strategic Forecasting, Inc., or Stratfor, by hackers associated with the hacking collective Anonymous.

    • Espionage: In 2014, a grand jury in Pennsylvania indicted five Chinese military hackers for computer hacking and industrial espionage targeting six American companies in the energy and manufacturing sectors. In 2015, personal information on more than 20 million government employees was stolen from the U.S. Office of Personnel Management, in a case of governmental espionage.

    • War: The spectre of cyber war reared its head in 2007, when the Estonian government announced it was under attack by Russia, and in the summer of 2008, when Russian tanks rolled into Georgia at the same time as cyber attacks disrupted Georgian political and media websites, an early demonstration of cyber attacks’ role in wartime.

    • Interference: In October 2016, the U.S. Director of National Intelligence and Secretary of Homeland Security issued a joint statement stating that Russia’s “senior-most officials” directed cyber-enabled thefts and disclosures of emails from U.S. institutions “to interfere with the U.S. election process."


    The CHEWI™ framework is useful to keep in mind when reading about cyber-attacks or trying to understand and manage your own risk.


    Real-World Consequences


    Cyber incidents can have financial, operational, reputational, legal, and potentially life-threatening consequences.


    While breaches of big companies grab the headlines, cyber incidents are often most devastating for small or medium businesses that lack the financial resources to survive and recover from the consequences. The following case studies demonstrate how cyber attacks affected two companies, one large and one small.


    Case Study: Yahoo


    In September, Yahoo disclosed a two-year-old breach in which the PII of more than 500 million accounts were compromised. The PII included consumers’ passwords, email addresses, birthdays, and security questions/answers. Yahoo is now the subject of at least 23 consumer class action lawsuits, plus federal and state investigations, and its reputation has been tarnished because of its poor security and how it handled disclosing the breach.


    Perhaps even worse, Yahoo was on the cusp of being acquired by Verizon for nearly $5 billion, and that deal is now in jeopardy. Since the disclosure, Verizon warned that the breach could be material, and even though it may proceed with the acquisition at a significantly reduced price tag, Yahoo had to warn its investors that Verizon could cancel the deal in its entirety.


    The consequences for Yahoo are wide-ranging and severe.


    Case Study: Code Spaces


    In the summer of 2014, a lesser known hack occurred. Code Spaces, a small business that provided hosting solutions for software developers, suffered a distributed denial of service (DDOS) attack that shut down its services; the attacker demanded a ransom payment to stop the attack. Instead of paying the ransom, the Code Spaces team tried to regain control of their systems, but before they could, the attacker wiped most of the company’s data and backups.


    Within weeks, the company shuttered its doors, saying that the reputational damage and the costs of dealing with the incident had put it in an “irreversible position both financially and in terms of ongoing credibility.”


    What About My Organization?


    Risks vary for every organization depending on business operations, geography, culture, data, technology, and more.


    As organizations wrestle with how to prioritize and manage cyber risks, they should start by asking these key questions:

    • What are our “crown jewels,” the data, information, or technology that are most critical to my organization? Consider the three critical attributes of information security: Confidentiality, Integrity, and Availability. What are the “crown jewels” whose confidentiality, integrity, and/or availability are most important to protect?

    • Who is responsible for cybersecurity risk management in my organization, for both the corporate network and product security? How are we making decisions about what risks are acceptable and which aren’t?

    • Do we build security in from the beginning, for both our products and our organization, across all teams, or is it an after-thought or left to the IT team alone?