Last month, San Francisco’s Bay Area Rapid Transit, California’s largest transit system, suffered a ransomware attack that exposed highly sensitive data from the agency’s own police department.
Vice Society, a sprawling ransomware group that claimed responsibility for the attack, stole everything from master employee lists to crime lab reports and made them public, putting lives at risk. It was the latest in a long list of cyber attacks targeting transit systems and national infrastructure, and it certainly won’t be the last.
During my 12 years as Manhattan District Attorney, I witnessed the devastating effects of cyber security threats. Cybercrime in New York City affects large financial institutions, retailers and infrastructure providers every day. Whether for financial or political reasons, these organizations are attractive targets for cybercriminals.
A range of actors
When an organization is attacked, it is difficult to know the source – could it be a nation state, a cybercrime group or someone from within the organization? Nation-state actors and their proxies are constantly re-branding and reinventing themselves to avoid identification.
That said, while nation-state actors cause the most damage, more than 80% of cyber attacks are carried out by private actors.
Beyond the financial risks to businesses and individuals, cybercrime is a serious threat to our national security, with critical infrastructure being increasingly targeted every day.
Every zero-day exploit—a vulnerability in a system that has no specific fix—presents an opportunity for an adversary to intercept sensitive communications, steal valuable intellectual property, and cripple the systems that keep us safe: power, water, nuclear, hospitals, and more.
Ripple effect
Cybercrime is not just about extorting money or information. These attacks erode trust in our most important institutions and sow fear and uncertainty, which is one of our adversaries’ main targets.
Here’s a look at the biggest cyber events of 2022. Digital extortion has exploded. Hacking ransomware group Lapsus$ leaked sensitive information from victims, including some of the world’s leading technology companies.
The Costa Rican government was brought to a standstill by the Russian-linked Conti ransomware. Theft from blockchain businesses has grown exponentially over the past year, with staggering losses. Last March, North Korea-linked Lazarus stole $540 million in cryptocurrency from Ronin, a popular blockchain platform.
Organizations and industries with little tolerance for downtime tend to get hit harder as bad actors target those most likely to pay. Last June, a Massachusetts-based health-care company announced a breach that affected the health information of 2 million people.
In the wake of the pandemic, manufacturing is now the most targeted industry – supply chain demands mean businesses can’t stay offline, even if every bit of data is backed up.
Better preparation is needed
Unfortunately, current cybersecurity forecasts favor the jurisdiction of criminals and state-sponsored actors and their ability to fight businesses. We are not prepared for the onslaught or the consequences that inevitably follow.
A recent Baker McKenzie survey found that cybersecurity and data breach lawsuits are the number one litigation risk concern for senior legal counsel among large corporations worldwide.
While federal agencies are laser-focused on preventing a cyber attack that results in a nuclear disaster or a nationwide power outage, state and local governments also need to take a hard look at their ability to respond to a serious cyber event.
Addressing the cyber threat problem as a crisis requires creative thinking and engagement at all levels.
When I was still DA, I asked the NYPD’s intelligence experts what would happen if we attacked our water sources. Was there a plan?
The answer made it painfully clear that we had work to do: there was no plan A and certainly no plan B. In case of serious attack on critical infrastructure, no one is coming to save us. New York must save itself.
Example of New York
So we have to work. We convened a public/private task force, including infrastructure providers, law enforcement, intelligence, and nonprofits. With the help of IBM and its training facility in Massachusetts—among others—we have trained first responders to handle cyber attacks.
Five years later, the NYC Cyber Critical Services and Infrastructure Project has its own dedicated command center and a diverse membership of nearly 300 professionals from healthcare, technology, government and other sectors.
When the Colonial Pipeline attack hit, the NYPD’s Intelligence Bureau, with the help of CCSI’s “Team of Teams,” quickly spread the word to member agencies and ensured that infrastructure providers were scouring their networks for similar attacks.
There is still work to be done, but New York has proven that this model works and can be replicated across the country relatively cheaply and quickly. For states and cities with fewer resources than New York City, this is crucial. They don’t have the luxury of time to achieve superior cyber security and resilience for critical infrastructure. They need it now.
Collective security efforts are critical to our security. If we’re going to have any chance of defending against significant cyber threats—the kind of attacks that can take out power grids or hospitals—we have to work together.
The United States has led the way in the development of the Internet and is home to some of the best and most innovative technology companies in the world today. We must now show the same leadership in securing it.
This article does not necessarily reflect the views of Bloomberg Industry Group, Inc., publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author information
Cyrus Vance Jr. is a partner and global chair of Baker McKenzie’s cybersecurity practice. Prior to joining Baker McKenzie, he served three consecutive four-year terms as Manhattan District Attorney.