All cybersecurity strategies are based on considerations of the acts of sophisticated and highly motivated threat actors like ransomware groups or nation/state-sponsored actors, as they should be. InfoSec teams today rely on highly skilled Red Team professionals to emulate the tactics and techniques of these threat actors to ensure readiness and resiliency against advanced attacks. But every once in a while, a cybersecurity event occurs with significant consequences from the actions of the most innocent and unwitting reminding us of the fragility of the internet-connected world. Here are a few we’ve dug up from the depths of the internet. If you know of any not mentioned, please share them in the comments.
The Old Lady Who Tried to Steal the Internet
They say the Internet is just a bunch of wires. No kidding! In March 2011, while scavenging for some copper to sell as scrap metal, an elderly Georgian lady unintentionally severed some of the exposed fiber optics cables causing an internet outage for the entire country of Armenia. And in case you are wondering, at the time, Armenia’s internet-connected population would have consisted of close to half a million users. It’d have been a pretty amusing tale if not for how distraught the woman felt in the aftermath of the incident. Nonetheless, it is a stark reminder of how fragile our critical infrastructure can be. Read about it further at https://www.smh.com.au/technology/i-have-no-idea-what-the-internet-is-scavenging-pensioner-facing-prison-over-cable-cut-20110411-1d9ri.html.
It’s worth mentioning that this is far from a unique occurrence. And it’s not limited to humans disrupting communications with accidental physical damage to cabling. Several members of the animal and aquatic kingdom have clashed with the internet (remember it’s just a bunch of cables) including dolphins, whales, beavers, otters, monkeys, squirrels, Canadian raccoons, bats, and rats.
Suspending the Web: Rebellion of an Open-Source Purist
In a possible foreshadowing of the software supply chain-based cyber attacks, an open-source developer unwittingly halted all development of a vast majority of websites built using the exceedingly popular React library. Data suggest that close to 12 million live sites are built using React. Following a dispute with a corporate and the maintainers of the npm service over a package name conflict, the open-source developer rebelled by taking down all his open-source libraries. Unknowingly, several popular packages had either a direct or transitive dependency on one of the packages that were unpublished by the open-source developer in protest of npm’s decision to grant the name to the corporate entity that owned the trademark. And as the impact of the now-missing library cascaded, all development on major platforms came to a grinding halt. It is a somewhat amusing and alarming tale of mostly unintended consequences, once again exposing the shaky house of cards that is the web. Hop over to Quartz to read more about the sequence of events that unfolded (warning: explicit language).
The Perfect Spy: A Fitness App
Governments, military and defense agencies, and corporations invest significant efforts and dollars into protecting their most sensitive assets and especially information. Nations have been known to employ advanced techniques of digital surveillance as part of their spycraft or to intimidate and suppress dissidents. And then there is the case of a mobile app that rendered the meticulously designed and enforced controls of military secrecy completely useless. This is the story of the fitness tracking, data-centric app, Strava and the it’s release of the global activity heat map in late 2017. Very quickly, curious sets of eyes began scouring the visualized data to locate the presence of sensitive military bases and intelligence agency sites. No doubt, the engineers responsible for the feature were understandably proud of the incredible work, without remotely anticipating the unintended consequences. It was probably one of the most glaring (literally) demonstrations of the ease with which we leave behind digital footprints to be tracked. It was an eye-opener especially for agencies that go to utmost lengths to maintain secrecy and provoked a review of military service policies.
These are but a few examples that highlight why cybersecurity strategies need to account for more than just known threats from advanced attackers and incorporate resiliency against the unintended consequences of the unsophisticated and unwitting.