Cyber Ransom – The Next Wave

If you live in Virginia, you may want to look at a series of articles about the recent ‘capture’ of medical records that are being held for ransom. The articles appear on Schneier.com, WashingtonPost.com, and SecurityFocus.com. The ‘abduction’ and ransom demand were first reported last week by WikiLeaks.org. Someone broke into the Commonwealth of Virginia's Department of Health Professions’ computer network and reportedly stole 8.26 million patient medical records and almost 36 million prescriptions and claimed to have destroyed the back-up files. They offered to return the records for $10 Million; lacking payment of the ransom they stated that they would offer them to the highest bidder. The incident is still in the early stages of investigation and it is not currently clear if the perpetrator actually intends to try to collect the ransom. What is clear is that this is not a new problem. The article on SecurityFocus.com describes at least three other cyber system ransom attacks and the WashingtonPost.com article describes another ransom attack on a health care web site. For readers of this blog, perhaps the most disturbing of those reports is the last one from the SecurityFocus.com article: “Other hackers have targeted the critical infrastructure of power companies, claiming they would darken cities unless they were paid.” This is based on the CIA report that I discussed early last year. It seems obvious to me that sooner or later (if it hasn’t been done already) someone is going to hold a high-risk chemical facility control system for ransom, threatening to release a toxic chemical from a storage tank or process, or threaten to shut down a critical process in an unsafe manner. In either case inadequate control system security measures will put management in the classic ransom dilemma: to pay (and pay again, and again…) or to refuse to pay? The rich and powerful have long ago determined that it saves money to pay money for adequate security to prevent kidnappings. High-risk chemical facilities need to spend the money necessary to protect their control systems from cyber kidnapping.