Which attacker category might have the objective of retaliation against an employer

The social and psychological impact of cyberattacks

Maria Bada, Jason R.C. Nurse, in Emerging Cyber Threats and Cognitive Vulnerabilities, 2020

Abstract

Cyberattacks have become as commonplace as the Internet itself. Each year, industry reports, media outlets and academic articles highlight this increased prevalence, spanning both the amount and variety of attacks and cybercrimes. In this article, we seek to further advance discussions on cyber threats, cognitive vulnerabilities and cyberpsychology through a critical reflection on the social and psychological aspects related to cyberattacks. In particular, we are interested in understanding how members of the public perceive and engage with risk and how they are impacted during and after a cyberattack has occurred. This research focuses on key cognitive issues relevant to comprehending public reactions to malicious cyber events including risk perception, protection motivation, culture and attacker characteristics (e.g., attacker identity, target identity and scale of attack). To consider the applicability of our findings, we investigate two significant cyberattacks over the last few years, namely the WannaCry attack of 2017 and the Lloyds Banking Group attack in the same year.


URL: https://www.sciencedirect.com/science/article/pii/B9780128162033000046

13th International Symposium on Process Systems Engineering (PSE 2018)

Akihiro Tsuchiya, ... Ichiro Koshijima, in Computer Aided Chemical Engineering, 2018

1 Introduction

Cyberattacks on Critical Infrastructure (CI) have been recognized as a significant problem since the discovery of the Stuxnet worm in July 2010 [1]. The Stuxnet worm was primarily designed and developed to target an Industrial Control System (ICS). ICSs are used in gas pipelines, power plants, and chemical and petrochemical plants. The attackers designed Stuxnet to inflict damage by reprogramming programmable logic controllers (PLC) to control ICSs. After the discovery of Stuxnet, similar malware that targets ICSs has been discovered.

Cyber incidents that target ICSs are security, safety, and business problems. Such abnormal events affect physical devices, such as actuators and sensors. If a cyberattack results in manufacturing operations being shut down, a company will lose significant revenue. In addition, if a cyberattack targets systems that require safety operations, the operators will be endangered. For example, cyberattacks on an iron furnace have been reported [2]. In addition to safety risks, cyberattacks continue to pose serious financial risk for companies [3]. Therefore, cyberattacks should be prevented to ensure corporate resilience.

In addition to awareness of potential cyberattacks, the need for cybersecurity training has increased. The National Institute of Standards and Technology (NIST) specifies that incident response teams should be assigned and trained to develop incident response capabilities against cyberattacks. NIST SP 800-61 [4] describes the ability required for incident response as follows: “Managers should be technically adept and have excellent communication skills.” Incident response capability therefore requires both technical and non-technical skills. Several authorities have developed tabletop cybersecurity exercises to improve technical security awareness. Tomomi et al. described a technical exercise from the perspective of non-technical skills [5]. However, most security exercises focus on the technical aspects of incident response. In other words, they are not designed to evaluate a team’s non-technical skills, even though it is obvious that a team’s non-technical skills will affect overall performance.

In this paper, a tabletop exercise that involves participant communication skills and decision-making processes in a complex environment is proposed. The remainder of this paper is organized as follows. The basic exercise is explained in Section 2. The proposed exercise structure is described in Section 3. A prototype implementation and initial trial are discussed in Section 4, and conclusions are presented in Section 5.


URL: https://www.sciencedirect.com/science/article/pii/B978044464241750269X

Proceedings of the 9th International Conference on Foundations of Computer-Aided Process Design

Helen Durand, in Computer Aided Chemical Engineering, 2019

The Inadequacy of Control Laws for Preventing Safety Issues Arising from Cyberattacks

Cyberattacks may target a variety of communication channels within feedback control loops, including the communication between the sensors and the controller, and also between the controller and the actuators. Attacks of the latter type bypass the controller in a feedback loop completely and therefore cannot be stopped by adjusting the control system design. In Durand [2018], we explored several different MPC designs with respect to whether they are resilient to cyberattacks in which false state measurement information is provided to the MPCs at each sampling time. One case in which a control system is resilient to sensor measurement falsification is when the operating steady-state is open-loop stable, so that the open-loop stable input (which is independent of feedback and therefore independent of the process sensors) can be used to drive the closed-loop state to the steady-state regardless of whether an attacker can modify the sensor readings. The fact that the success of this approach relies on a lack of feedback indicates that it is difficult to conceive of control designs which utilize feedback but do not produce problematic inputs when state measurements are falsified. Another concept that has been explored for using controllers to prevent cyberattacks from succeeding is controller or instrumentation reconfiguration after an attack is detected. A difficulty with this approach is that detection of the attack, a prerequisite to switching to a control strategy which maintains safe operation during the attack, requires some expectation of what the attacks will target, so that metrics related to the expected target can be monitored. Given the complexity of large-scale chemical plants and the interactions between units, determining all of the possible attack targets may be difficult. In conclusion, there are many ways of evading control-focused efforts to prevent safety issues due to cyberattacks.


URL: https://www.sciencedirect.com/science/article/pii/B9780128185971500424

Information and communication technologies: a curse or blessing for SMEs?

Anne-Marie Mohammed, ... Vladlena Benson, in Emerging Cyber Threats and Cognitive Vulnerabilities, 2020

The costs of cybercrime to firms' financial performance and reputation

Cyberattacks have been found to affect firms in significant ways. For instance, a study by Saridakis, Mohammed, and Sookram (2015) found that the losses which firms encounter due to crime have both immediate and long-term negative effects on the firms' innovative activities. Additionally, the Information Security Breaches Survey commissioned by the Department of Business, Innovation and Skills (BIS, 2013), in the United Kingdom, showed that 87% of participant firms in all sectors had experienced at least one attack or breach in the previous year (Hayes & Bodhani, 2013). On the other hand, the recent Cyber Security Breaches Survey (2018), commissioned by the Department for Digital, Culture, Media and Sport (2018), showed that 42% of micro and small firms in the United Kingdom had experienced at least one attack or breach in the previous years. A recent study by Romanosky (2016) showed that the total cost from cyberattacks was 8.5 billion USD yearly. In addition, its results showed that firms experienced lower annual revenues (by 0.4%) as a result of these cyberattacks. According to Campbell, Gordon, Loeb, and Zhou (2003), a firm's performance is significantly and negatively affected by cyber-based crimes due to the market reaction when a security breach allows unauthorized individuals to access confidential information. A study by Cavusoglu, Mishra, and Raghunathan (2004) found that firms that had information breaches lost on average 2.1% of market value within 2 days of the announcement. Another study by Acquisti, Friedman, and Telang (2006) found that on the day of a data breach announcement, the firms' market value is significantly and negatively impacted. Furthermore, a recent study by Arcuri, Brogi, and Gandolfi (2017) found that negative market returns always follow the announcement of a cyberattack.

When firms are victims of cyber-based crimes, the reputational risk associated with these crimes extends far beyond monetary damages (Hamilton Place Strategies, 2015). For example, if a firm in the financial sector, such as a bank, experiences a cyberattack in which its clients' sensitive and personal information is obtained by unauthorized individuals, then these clients will lose trust in that bank and transfer to a more secure bank. It can also expose these clients to other types of crime, because their home addresses, work addresses and account details are no longer confidential, giving criminals a financial motive to commit a crime. The direct cost of a cyberattack can be quite substantial depending on the type of data acquired by the attackers as well as the firm's size and reputation. Although reputational risk can be difficult to measure, the damage to reputation from a cyberattack sometimes far exceeds the direct cost of the cyberattack. For example, Target's data breach of 2013 cost the company 252 million USD in data breach–related expenses, of which only 90 million USD was offset by insurance recoveries (Hamilton Place Strategies, 2015).


URL: https://www.sciencedirect.com/science/article/pii/B9780128162033000083

31st European Symposium on Computer Aided Process Engineering

Kathrin Reibelt, ... Jörg Matthes, in Computer Aided Chemical Engineering, 2021

1 Introduction

Cyberattacks aiming at physical damage are usually based on false data injection: measured values (or actuator setpoints) are replaced by different values. The manipulated values pretend a system state that differs from the actual one. To cause physical damage, the manipulated system variables can pretend to require setpoint values different from those the actual system state requires. This can cause control actions that run the system into a critical state, or prevent mandatory control interventions. Manipulated actuator setpoints can directly cause critical system states. Attacks can also aim at production losses, either by disturbing product quality or by extending downtimes.

Many of these manipulations can be carried out in a way that is not detected by common protection systems, which compare values against safe operating ranges. Since data reconciliation uses a more detailed description of the system, taking into account the relations between variables, it can detect and localize false data injection in many more cases.

The manipulation can be implemented, for example, by modifying the measurement itself, by modifying the preprocessing of values in smart sensors, by modifying the communication interface, messages or communication connections, or by manipulating the values in the process control system. This variety of possible attack vectors, as well as the existence of unknown ones, cannot be adequately addressed with attacker models. For our detection method, more general prior knowledge is used to improve detection, such as exposure to networks or shared information channels that affect vulnerability to cyberattacks. This also helps to distinguish anomalies caused by manipulation from sensor failures, which the anomaly detection also flags.

This paper gives a brief summary of gross error detection based on data reconciliation, and of our extension for the detection of cyberattacks, in Section 2. In Section 3, the modelling of dynamic system relations and its adaptation for data reconciliation is described. Section 4 shows the evaluation of the detection performance; for this, a simulated example system with manipulations is used to generate receiver operating characteristic curves (ROC curves).
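The point that a range check misses a false data injection which a balance-based data reconciliation catches can be shown on a small steady-state example. The following is an added illustration, not the paper's method or code: a constructed four-stream plant (splitter F1 = F2 + F3, unit F3 = F4), weighted least-squares reconciliation under the mass balances, a global chi-square test and a per-sensor measurement test to localize the manipulated sensor. Sensor values, standard deviations and the safe range are all constructed.

```python
"""Steady-state data reconciliation with gross-error tests (added example).
Constructed plant: F1 -> splitter -> F2, F3 ; F3 -> unit -> F4."""
import math

# Mass-balance constraints A x = 0 for the constructed plant.
A = [
    [1.0, -1.0, -1.0, 0.0],   # splitter: F1 - F2 - F3 = 0
    [0.0, 0.0, 1.0, -1.0],    # unit:     F3 - F4 = 0
]
SIGMA = [0.2, 0.2, 0.2, 0.2]  # assumed sensor standard deviations (kg/s)
SAFE_RANGE = (0.0, 100.0)     # per-sensor limits a plain range check uses
CHI2_CRIT_2DOF_95 = 5.991     # chi-square critical value, 2 dof, alpha = 0.05
Z_CRIT_95 = 1.96              # two-sided normal critical value, alpha = 0.05

# Constructed measurements: true flows are 50, 20, 30, 30 kg/s.
CLEAN = [50.1, 19.9, 30.2, 29.8]
MANIPULATED = [50.1, 19.9, 30.2, 36.0]   # F4 replaced, still inside SAFE_RANGE


def _transpose(m):
    return [list(r) for r in zip(*m)]


def _matmul(x, y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*y)] for row in x]


def _inverse(m):
    """Gauss-Jordan inverse for a small square matrix."""
    n = len(m)
    aug = [list(m[i]) + [1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(aug[r][i]))
        aug[i], aug[p] = aug[p], aug[i]
        piv = aug[i][i]
        aug[i] = [v / piv for v in aug[i]]
        for r in range(n):
            if r != i:
                f = aug[r][i]
                aug[r] = [rv - f * iv for rv, iv in zip(aug[r], aug[i])]
    return [row[n:] for row in aug]


def range_check(y, lo=SAFE_RANGE[0], hi=SAFE_RANGE[1]):
    """The 'common protection system': indices of sensors outside the safe range."""
    return [i for i, v in enumerate(y) if not lo <= v <= hi]


def reconcile(y, a_mat=A, sigma=SIGMA):
    """Weighted least-squares reconciliation subject to A x = 0.
    Returns (x_hat, global test statistic, per-sensor z-scores)."""
    n = len(y)
    s = [[sigma[i] ** 2 if i == j else 0.0 for j in range(n)] for i in range(n)]
    at = _transpose(a_mat)
    r = _matmul(a_mat, [[v] for v in y])        # balance residuals r = A y
    v = _matmul(_matmul(a_mat, s), at)          # cov(r) = A S A^T
    vinv = _inverse(v)
    k = _matmul(_matmul(s, at), vinv)           # adjustment gain S A^T V^-1
    adj = _matmul(k, r)                         # adjustments a = K r
    x_hat = [y[i] - adj[i][0] for i in range(n)]
    gamma = _matmul(_matmul(_transpose(r), vinv), r)[0][0]   # global test r^T V^-1 r
    cov_a = _matmul(_matmul(k, a_mat), s)       # cov(a) = S A^T V^-1 A S
    z = [adj[i][0] / math.sqrt(cov_a[i][i]) if cov_a[i][i] > 1e-12 else 0.0
         for i in range(n)]
    return x_hat, gamma, z


def detect(y, chi2_crit=CHI2_CRIT_2DOF_95, z_crit=Z_CRIT_95):
    """Combine the range check with the reconciliation-based tests.
    'suspect' is the sensor with the largest |z| once the global test fires."""
    _, gamma, z = reconcile(y)
    global_alarm = gamma > chi2_crit
    suspect = max(range(len(z)), key=lambda i: abs(z[i])) if global_alarm else None
    if suspect is not None and abs(z[suspect]) <= z_crit:
        suspect = None
    return {"range_alarm": range_check(y), "global_alarm": global_alarm,
            "gamma": gamma, "suspect": suspect}


if __name__ == "__main__":
    for label, y in (("clean", CLEAN), ("manipulated", MANIPULATED)):
        print(label, detect(y))
```

On the constructed data the manipulated F4 passes the range check but drives the global statistic far above the critical value, and the measurement test points at sensor index 3.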


URL: https://www.sciencedirect.com/science/article/pii/B9780323885065502060

Protecting Critical Infrastructure

Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Threats

The threats to IT systems must be a high priority for mitigation to ensure the survival of our nation. Snow (2011), of the FBI, notes that with enough time, motivation, and funding, a determined offender will probably penetrate any system connected to the Internet. In reference to the costs of cybercrime, Snow writes that we cannot accurately define and calculate losses. The estimates of losses in the last five years range from millions to hundreds of billions of dollars. Snow cites a 2010 study by the Ponemon Institute that showed the median annual cost of cybercrime to a single organization ranges between $1 million and $52 million. Henry (2011), also of the FBI, looked to the 2010 Norton Cybercrime Report that put global annual losses to cybercrime at nearly $400 billion with over one million victims every day. He referred to one company victimized by a cyber-intrusion that estimated it lost 10 years of research and development work valued at about $1 billion in one night.

There are many types of threats to cyberspace and information technology, and an all-hazards approach is best for protection. We often think about hackers attacking computer systems; however, the threats and hazards are broad and include disgruntled employees, errors, natural disasters, and accidents. Earlier chapters cover topics such as internal threats, business continuity, and resilience. Here an emphasis is placed on cyberattacks.

Cyberattacks offer several advantages to offenders. They include no physical intrusion, safety for the offender, no significant funding required, possible profit, usually no state sponsor, immense challenges for IT specialists and investigators, and enormous potential harm to victims. Computer crimes can be divided into four categories according to Taylor et al. (2006: 9–15). These categories are as follows:

Computer as a target: This includes the attacker who alters data. A business can be harmed if, say, decisions are made based on the altered data. Another example is denying use of the system by legitimate individuals. Among the variations of this example is the denial-of-service attack. This networking prank initiates many requests for information to clog the system, slow performance, and crash the site. It may be used to cover up another cybercrime. Defacement of websites is another example in this category, which may be referred to as malicious acts.

Computer as instrument of a crime: In this category, the offender uses the computer to commit a crime. Examples are theft, fraud, and threats.

Computer as incidental to a crime: This category involves the use of a computer to facilitate and enhance crimes. For example, computers that speed transactions aid money laundering. In addition, offenders use computers to maintain records of their illegal enterprises.

Crimes associated with the prevalence of computers: This category includes crimes against the computer-related industry and its customers. An example is software piracy.

Common terms associated with cyber threats follow. Experts differ on the definitions of such terms. According to Smith (2013: 12), a compromised system is no longer trustworthy to use because security methods may be disabled, proprietary information may be at risk, and unauthorized software may be secretly installed for a variety of harmful purposes. Malware (malicious software) is a general term referring to programs that create annoying or harmful actions. Often masquerading as useful programs or embedded into useful programs so users activate them, malware includes Trojan horses, viruses, worms, and spyware. A Trojan horse is a program, unknown to the user, which contains instructions that exploit a known vulnerability in software. Smith (2013: 440) explains that viruses and worms copy themselves and spread. He adds that “while a virus may infect USB drives, diskettes, and application programs, worms infect host computers.” A worm will spread itself across networks and the Internet. Defenses include behavior blockers that stop suspicious code based on behavior patterns rather than signatures, and applications that quarantine viruses in shielded areas. A logic bomb contains instructions in a program that create a malicious act at a predetermined time or if the offender (e.g., an employee) is not able to deactivate it on a regular basis. Programs are available that monitor applications seeking to change other applications or files when such a bomb goes off.

Dumpster diving involves searching garbage for information, sometimes used to support social engineering (i.e., using human interaction or social skills to trick a person into revealing sensitive information). An example of social engineering is a person being convinced to open an e-mail attachment or visit a malicious website. Another example is a hacker telephoning a corporate employee and claiming to be a corporate IT technician needing an access code to repair the system.

The U.S. Government Accountability Office (2005c) studied spam, phishing, and spyware threats to federal IT systems, and its findings have relevance to state and local governments and the private sector. Explanations of each threat follow.

Spam is the distribution of unsolicited commercial e-mail. It has been a nuisance to individuals and organizations by inundating them with e-mail advertisements for services, products, and offensive subject matter. Spammers can forge an e-mail header so the message disguises the actual source. The spam problem is made worse because it is a profitable business. Sending spam is inexpensive and sales do result.

As with other security methods through history, adversaries constantly seek methods to circumvent defenses. This is an ongoing “cat and mouse” competition. Anti-spam measures have caused spammers to design techniques to bypass detection and filtration. Spammer techniques include using alternate spelling, disguising the addresses in e-mails, and inserting the text as an image so a filter cannot read it. Compromised systems are regularly being used to send spam, making it difficult to track the source of spam.

Phishing is a word coined from the analogy that offenders use e-mail bait to fish for personal information. The origin of the word is from 1996 when hackers were stealing America Online (AOL) accounts by scamming passwords from unsuspecting AOL customers. Hackers often replace f with ph, and thus, the name phishing developed.

Phishing often uses spam or pop-up messages that trick people into disclosing a variety of sensitive identification information (e.g., credit card and Social Security numbers and passwords). For example, one ploy is for a phisher to send e-mails appearing as a legitimate business to potential victims. The e-mail requests an “update” of ID information or even participation in “enhanced protection against hackers, spyware, etc.” Phishing applies a combination of technical methods and social engineering.

Zeller (2006) reports that key logging programs copy the keystrokes of computer users and send the information to offenders. These programs exploit security weaknesses and examine the path that carries information from the keyboard to other parts of the computer. Sources of the key logging programs include web pages, software downloads, and e-mail attachments. Since these programs are often hidden inside other software and infect computers, they are under the category of Trojan horses.

Spyware lacks an accepted definition by experts and even proposed legislation (U.S. Government Accountability Office, 2005c: 31). The definitions vary depending on whether the user consented to the downloading of the software, the types of information the spyware collects, and the nature of the harm. Spyware is grouped into two major purposes: advertising and surveillance. Often in exchange for a free service (e.g., allegedly scanning for threats), spyware can deliver advertisements. It can collect web surfing history and online buying habits, among other information. Other types of software are used for surveillance and to steal information. Consumers find it difficult to distinguish between helpful and harmful spyware.

Spyware is difficult to detect, and users may not know their system contains it. Spyware typically does not have its own uninstall program, and users must remove it manually or use a separate tool. Some types of spyware install multiple copies, and they can disable antispyware and antivirus applications and firewalls.

The potential for financial gain has caused spammers, malware writers, and hackers to combine their methods into blended cyber threats. Security analysts are seeing an increase in blended threats and destructive payloads. Blended cyber threats combine the characteristics of different types of malicious code to bypass security controls. The U.S. Government Accountability Office (2005c) and the National Institute of Standards and Technology have advised agencies to use a layered security (defense-in-depth) approach, including strong passwords, patches, antivirus software, firewalls, software security settings, backup files, vulnerability assessments, and intrusion detection systems.

Not only could a blended cyberattack cause harm, but also a blended cyber-physical attack can aggravate damage and hamper recovery. An example of a blended cyber-physical attack is penetrating a DCS/SCADA to alter a manufacturing process to cause a fire and then physically attacking a fire brigade and their equipment.

Smith (2013: 440) explains that many malware packages produce and operate botnets for financial gain. Snow (2011) explains that cyber criminals are business savvy. In reference to botnets, criminal groups hire programmers who write the malicious software, salespeople who sell or lease it, and support personnel to service customers. A botnet is produced when a hacker infiltrates a host computer via a Trojan, worm, or virus, which stays hidden while providing a “backdoor” to control the computer, now referred to as a bot. “Networks of bots” refers to personal computers (PCs) infected with malicious software that enables the hacker to control the PCs. “Internet bots” operate automated tasks over the Internet. Bots perform repetitive tasks at a much higher rate than humans and use automated scripts to fetch, analyze, and file information from web servers.

Acohido and Swartz (2006) write about hackers who use botnets, as described next. From his home in Downey, California, Jeanson Ancheta, a 19-year-old high school dropout, controlled thousands of compromised PCs, or bots, which earned him enough cash to purchase a BMW and spend hundreds of dollars a week on clothes and car parts. However, he was caught by authorities and pleaded guilty to federal charges of hijacking thousands of PCs and selling access to others to spread spam and attack websites. The threat is global, as evidenced by the arrest of Farid Essebar, an 18-year-old resident of Morocco, who was linked to botnets. Tim Cranton, director of Microsoft’s Internet Safety Enforcement Team, refers to botnets as the tool of choice for those using the Internet to commit crimes. They assemble networks of infected PCs to acquire cash and are paid for each PC they attack with ads. Although neophytes are slack about covering their tracks, they provide authorities with insight about their methods. In contrast, more sophisticated offenders work with organized crime groups who are more difficult to apprehend. Millions of PCs connected to the Internet globally are controlled by thousands of botnets. Smith (2013: 441) recommends that PC owners maintain up-to-date software, try to avoid using infected USB drives, and exercise caution prior to opening e-mail and attachments.

The McAfee Threat Report (Bu et al., 2012) described growth in mobile-based malware and botnets, with an increase in successful prosecutions of cybercriminals. Not only did Android become the largest target for mobile malware, an app allows penetration of a PC from a phone or tablet. Bu et al. report that data breaches have risen rapidly via hacking, malware, fraud, and insiders. During the third quarter, McAfee Labs recorded an average of 6,500 bad websites per day. Cyberattacks on infrastructures during the quarter targeted the South Houston Water and Sewer Department, a hospital in Georgia that was forced to stop admitting patients, and an ambulance communications system in New Zealand.

Hacktivism refers to politically motivated electronic protesting. Groups such as Anonymous use cyberspace to protest and commit cybercrimes. This group does not have a leader, but relies on collective, individual action in cyberspace such as the Distributed Denial of Service attacks against the recording and motion picture industries and various businesses. In 2011, Anonymous hacked into a U.S. security company with government contracts, stole thousands of e-mails, and posted them online. This was in retaliation for the company identifying members of Anonymous (Snow, 2011). Hacktivist activity also includes publishing police officer personal and family information on the Internet. In 2012, the FBI arrested a core member of Anonymous and one of the world’s most-wanted cybercriminals. Hector Xavier Monsegur, 28, a self-taught computer programmer and welfare recipient, resided in a public housing project in New York City. When arrested, he became an informant and helped build cases against other offenders in the United States and Europe who hacked into corporate and government websites (Associated Press, 2012).

DiLonardo (2011: 66) sees exploitation on sites like Twitter because of abbreviated URLs (i.e., Uniform Resource Locators that are the addresses of documents on the Internet) that make it easier for criminals to direct users to bad websites. Noting that many cell phones, TVs, DVDs, iPads, and other devices are also web browsers, DiLonardo writes that this technology provides more opportunities for hackers.

Cyberwarfare

Cyberwarfare refers to a nation penetrating another nation’s IT systems for gain and superiority. It can take several forms such as espionage or sabotage, or to degrade armed forces in conventional warfare. These activities are crucial for national survival. The U.S. Cyber Command defends U.S. military IT systems while focusing on the systems of other countries. The U.S. National Security Agency, a huge spy agency, listens to communications and penetrates foreign IT systems. Other nations have similar organizations. The DHS protects government in general and works with the private sector to protect critical infrastructures. Dilanian (2011) reports that U.S. officials said that China has laced the U.S. power grid and other systems with hidden malware capable of creating a disaster. At the same time, there are examples of damage to U.S. adversaries, such as the computer worm that harmed Iran’s nuclear program.


URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000164

Cognitive Computing: Theory and Applications

S. Noel, ... M. Share, in Handbook of Statistics, 2016

1 Introduction

Cyberattacks and defenses against them are conducted in complex environments, with numerous factors contributing to attack success and mission impacts. Network topology, host configurations, vulnerabilities, firewall settings, intrusion detection systems, mission dependencies, and many other elements can play parts. To go beyond rudimentary assessments of security posture, organizations need to merge isolated data into higher-level knowledge of network-wide attack vulnerability and mission readiness in the face of cyber threats.

Network environments are always changing, with machines added and removed, patches applied, applications installed, firewall rules changed, etc., all with potential impact on security posture. Intrusion alerts and antivirus warnings need attention, and even seemingly benign events such as logins, service connections, and file share accesses may be associated with adversary activity.

The problem is often not lack of available information, but rather the ability to assemble disparate pieces of information into an overall picture for situational awareness, optimal courses of action, and maintaining mission readiness. Security analysts and operators can be overwhelmed by a variety of consoles from multiple tools; each tool provides only a limited view of one aspect of the overall space under consideration. Tools such as security information and event management (SIEM) can help by normalizing data and bringing it together under a common framework. But the data still remain as individual pieces of information, rather than a comprehensive model of network-wide vulnerability paths, adversary activities, and potential mission impacts.

Our goal is to maximize the ability to discover potential threats and mission impacts, while minimizing the time needed for organizing multiple disparate data sources into meaningful relationships. For example, in the well-publicized Target retailer data breach (Harris and Perlroth, 2014), it was revealed that cyber defenders were actually aware of an alert for a particular aspect of the attack, but decided that it was a false positive. We could surmise that if those defenders had understood the potential downstream ramifications of that alert, they would have considered it much more carefully, performed additional investigations, etc. The goal is to provide the higher-order correlations that defenders need for truly informed decisions.

For the Target data breach, the attack began with a compromise within a partner (contractor) network. A common way for this to happen is through Trojan malware. Alerts for such malware are happening with high frequency in many environments and are often considered a low business risk (i.e., mainly a risk for individual clients). However, in the case of the Target breach, the infected host in the contractor became a launching point into the Target network. Several other steps were part of the breach, in which the attackers incrementally increased their scope of control, until they met their attack goals (exfiltrating large-scale credit card data).

The key lesson is that there were multiple attack steps, with multiple corresponding opportunities for detection. However, such alerts and other indicators occur within a large background of event noise. Since it is not practical for human defenders to consider all the possible multistep inferences, this needs to be automated. Also, defenders can make even more informed decisions (and reduce numbers of truly critical incidents to consider) by focusing such inference on mission-critical network assets. This can also be done preemptively, to discover and reduce such critical vulnerability paths.

To help address these challenges, we introduce CyGraph, a tool for cyber warfare analytics, visualization, and knowledge management. CyGraph brings together isolated data and events into an ongoing overall picture for decision support and situational awareness. It prioritizes exposed vulnerabilities, mapped to potential threats, in the context of mission-critical assets. In the face of actual attacks, it correlates intrusion alerts to known vulnerability paths and suggests best courses of action for responding to attacks. For postattack forensics, it shows vulnerable paths that may warrant deeper inspection.

CyGraph builds an attack graph model that maps the potential attack paths through a network. This includes any network attributes that potentially contribute to attack success, such as network topology, firewall rules, host configurations, and vulnerabilities. The dynamically evolving attack graph provides the context for reacting appropriately to attacks and protecting mission-critical assets. CyGraph then ingests network events such as intrusion detection alerts and other sensor outputs, including packet capture. It also incorporates mission dependencies, showing how mission objectives, tasks, and information depend on cyber assets.

CyGraph fuses information from a variety of data sources to build its unified graph-based model. As shown in Fig. 1, this is a layered model, which includes the comprehensive information needed for making informed judgments about mission readiness in the face of cyber warfare.


Fig. 1. CyGraph knowledge stack.

The network infrastructure layer captures how the network is segmented and organized topologically, the locations of sensors, etc. The cyber posture layer considers elements within the network infrastructure that might impact cyberattacks/defenses, e.g., host configurations, vulnerabilities, services, shared resources, firewall policies, etc. The cyber threats layer describes potential adversary threats, for application against the defensive posture. This includes threat intelligence (e.g., shared among trusted partners) as well as event streams of alerts and other behavioral indicators. Finally, the mission dependencies layer captures dependencies among various mission components (from high-level objectives, to tasks that support objectives, to information required for those tasks, etc.), as well as the particular cyber assets that support the mission components.

CyGraph has the potential for dramatically shortening the analytical cycle. It provides the network-specific context needed for mapping cyber threats to specific network environments, reducing false alarms, and suggesting optimal attack responses. It helps prioritize exposed vulnerabilities, alone and in combination, with focus on protecting mission-critical assets against potential threat sources. It also provides the context for correlating intrusion alerts and other kinds of network events, matching them to known vulnerability paths. This in turn suggests best courses of action for responding to attacks. Specifically, for postattack situational awareness, CyGraph shows possible paths leading up to the current attack locus (backward looking) as well as potential paths for the attacker to advance the attack (forward looking). It also provides a comprehensive framework for computing a variety of metrics for tracking security readiness over time.

CyGraph provides comprehensive query capabilities over its graph knowledge base, including a query language specific to its knowledge domain. This supports a range of cyber analysis tasks, such as mapping an attacker's potential reach and combining isolated alerts into coordinated multistep attack campaigns. CyGraph also provides a variety of interactive visualization capabilities for portraying complex graph query results.
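As an added illustration of the layered model and analysis tasks described above (sample code written for this page, not CyGraph's own implementation), the following Python builds a small attack graph from constructed cyber-posture, firewall and mission-dependency data and then performs the three analyses the text names: prioritizing alerts by their distance from mission-critical assets, showing backward and forward attack paths from an attack locus, and chaining isolated alerts into a multistep campaign. All host names, firewall rules and alert records are constructed; the scenario (a low-severity Trojan alert on a contractor host that happens to lie on a path to card data) only echoes the breach narrative in outline.

```python
"""Toy attack-graph analytics in the spirit of the CyGraph knowledge stack.
Constructed example for this page; not CyGraph code."""
from collections import deque

# Cyber posture layer (constructed): services a host exposes and which of
# them carry an exploitable vulnerability.
HOSTS = {
    "internet":      {"services": {}, "vulnerable": set()},
    "contractor-ws": {"services": {"smb": 445}, "vulnerable": {"smb"}},
    "vendor-portal": {"services": {"https": 443}, "vulnerable": {"https"}},
    "internal-app":  {"services": {"rpc": 135}, "vulnerable": {"rpc"}},
    "pos-db":        {"services": {"sql": 1433}, "vulnerable": {"sql"}},
    "hr-fileshare":  {"services": {"smb": 445}, "vulnerable": set()},  # patched
}

# Network infrastructure layer (constructed): firewall allow rules (src, dst, port).
FIREWALL_ALLOW = [
    ("internet", "contractor-ws", 445),
    ("contractor-ws", "vendor-portal", 443),
    ("contractor-ws", "hr-fileshare", 445),   # reachable, but nothing exploitable
    ("vendor-portal", "internal-app", 135),
    ("internal-app", "pos-db", 1433),
]

# Mission dependencies layer (constructed): mission -> cyber assets it needs.
MISSION_DEPENDENCIES = {"card-payment-processing": {"pos-db"}}

# Cyber threats layer (constructed): sensor alerts as (time, host, signature, vendor severity).
ALERTS = [
    (1, "contractor-ws", "trojan.generic", "low"),
    (2, "hr-fileshare", "smb.scan", "low"),
    (3, "vendor-portal", "web.exploit", "medium"),
    (4, "internal-app", "rpc.anomaly", "low"),
]


def build_attack_graph(hosts, firewall_allow):
    """Edge src->dst exists when the firewall allows src to reach a port on dst
    whose service is vulnerable, i.e. the attacker could advance one step."""
    graph = {h: set() for h in hosts}
    for src, dst, port in firewall_allow:
        services = hosts[dst]["services"]
        if any(p == port and s in hosts[dst]["vulnerable"] for s, p in services.items()):
            graph[src].add(dst)
    return graph


def attack_paths(graph, start, targets):
    """All simple paths (forward looking) from start to any target host."""
    paths = []

    def dfs(node, path):
        if node in targets and len(path) > 1:
            paths.append(list(path))
            return
        for nxt in sorted(graph[node]):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def backward_paths(graph, locus, entry_points):
    """Paths (backward looking) by which an attacker could have reached locus."""
    rev = {h: set() for h in graph}
    for src, dsts in graph.items():
        for d in dsts:
            rev[d].add(src)
    return [list(reversed(p)) for p in attack_paths(rev, locus, entry_points)]


def critical_assets(mission_deps):
    return set().union(*mission_deps.values())


def hops_to_critical(graph, start, critical):
    """Shortest number of attack steps from start to a mission-critical asset, or None."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in critical:
            return dist
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def prioritize_alerts(graph, alerts, critical):
    """Re-rank alerts by proximity to mission assets rather than vendor severity."""
    scored = [(host, sig, sev, hops_to_critical(graph, host, critical))
              for _, host, sig, sev in alerts]
    return sorted(scored, key=lambda a: (a[3] is None, a[3] or 0))


def correlate_campaigns(graph, alerts):
    """Chain alerts, in time order, whose hosts follow edges of the attack graph."""
    campaigns = []
    for alert in sorted(alerts):
        for camp in campaigns:
            if alert[1] in graph[camp[-1][1]]:
                camp.append(alert)
                break
        else:
            campaigns.append([alert])
    return campaigns


if __name__ == "__main__":
    graph = build_attack_graph(HOSTS, FIREWALL_ALLOW)
    critical = critical_assets(MISSION_DEPENDENCIES)
    print("forward paths:", attack_paths(graph, "internet", critical))
    print("backward paths to internal-app:", backward_paths(graph, "internal-app", {"internet"}))
    for row in prioritize_alerts(graph, ALERTS, critical):
        print("alert", row)
    for camp in correlate_campaigns(graph, ALERTS):
        print("campaign:", [a[1] for a in camp])
```

With the constructed data, the "low" Trojan alert on the contractor workstation ranks above the "low" SMB scan on the patched file share because only the former lies on a path to the card database, and the three alerts on the contractor, portal and application hosts chain into one campaign while the file-share alert stays isolated. The same graph answers the preemptive question: removing any edge on the single forward path (for example, by fixing the vulnerable service on vendor-portal) breaks the only route to the mission asset.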

Section 2 discusses previous work related to the CyGraph system. Section 3 then describes CyGraph in more detail. In Section 4, we examine a number of example applications of CyGraph. Section 5 then summarizes this chapter.


URL: https://www.sciencedirect.com/science/article/pii/S0169716116300426

Cyberterrorism – the spectre that is the convergence of the physical and virtual worlds

Namosha Veerasamy, in Emerging Cyber Threats and Cognitive Vulnerabilities, 2020

Query 1: If there is a cyberattack should it be labelled as cyberterrorism?

Not every cyberattack should be called cyberterrorism in the media. Cyberattacks occur on networks all the time and are typically carried out by exploiting weaknesses in the systems. Malicious hackers may want to prevent systems from being available, choose to destroy data or interfere with the proper operation of ICT infrastructure. In order to classify an attack as cyberterrorism, the perpetrator, motive, target, aim and effect need to be evaluated. Attacks stemming from terrorist groups that aim to interfere with or disrupt critical systems in order to promote a philosophical ideal related to religion, politics or socio-political causes may be termed cyberterrorism. However, an attacker trying to expose a company's password list may not be hacking to protest against the government.

Not all acts of ‘Internet anarchy’ constitute cyberterrorism. Cybercriminals hack for different purposes than cyberterrorists. The goal in terrorism is to inflict pain, suffering and fear on its victims. Cybercriminals, however, hack for financial benefit, fraud, boosting their ego, challenging themselves or revenge. Cyberterrorists aim to destroy and damage critical infrastructure in order to promote their cause, gain publicity and, overall, to cause fear.

While cybercrime is often motivated by economic gain, and hacking, or Internet vandalism, often is done to satisfy the hacker's ego, cyberterror is fuelled by an ideology (Curran, 2016).


URL: https://www.sciencedirect.com/science/article/pii/B9780128162033000022

Security, privacy, and information-sharing aspects of healthcare artificial intelligence

Jakub P. Hlávka, in Artificial Intelligence in Healthcare, 2020

10.4.1 Addressing cyberattacks and data breaches in healthcare

Increasingly, cyberattacks are targeting electronic databases that hold sensitive health-related information. In the United States, this was first generally acknowledged by Presidential Decision Directive (PDD) 63, which resulted in the formation of Information Sharing and Analysis Centers (ISACs). One of these, the National Health ISAC (later renamed the Health Information Sharing and Analysis Center, H-ISAC, to reflect its international membership), is a global platform for health sector stakeholders to share information on cyber and physical threats to sensitive health data. [72] Despite efforts to share best practices globally, however, significant vulnerabilities to data privacy and security exist in all healthcare systems around the world. AI tools make defense against threats in cyberspace more complex given their reliance on complex data sources and predictive methods. In turn, techniques such as deep learning are used for adversarial sample detection, malware detection and network intrusion detection, and help defend systems against attacks that humans may not detect themselves. [73] A short discussion of deep learning and its implications for data privacy is included in the box below.

Deep learning and data privacy

Deep learning is one of several common ML methods, relying on artificial neural networks to train its own capabilities, which are then used for inference from raw data. Given the requirement for deep learning to comb through large amounts of data, encryption of sensitive information may create delays in algorithm processing, limiting its deployment in areas like healthcare. Deep learning algorithms are susceptible to common attack types, such as adversarial perturbation (caused by their linear nature), and may be more difficult to interpret than conventional risk calculations, for example. Conversely, deep learning is also used to improve system security, such as by detecting network intrusions. AI still needs refinement in this area, however: it suffers from a high false-positive incidence, a lack of generalizability, and has significant infrastructure demands due to growing network speeds and sizes. [74]


URL: https://www.sciencedirect.com/science/article/pii/B9780128184387000101

13th International Symposium on Process Systems Engineering (PSE 2018)

Hidekazu Hirai, ... Ichiro Koshijima, in Computer Aided Chemical Engineering, 2018

1 Research Background

In recent years, cyberattacks on Industrial Control Systems (ICSs), the core functions of Critical Infrastructures (CIs) such as power plants and chemical plants, have been increasing year by year. In 2010, uranium enrichment centrifuges at Iran's nuclear facility were rendered dysfunctional (Nobutaka Oguma, 2011), and in 2014 a blast furnace was damaged at a German steelworks plant (Motohiro Tsuchiya, 2015). Also, two large power outages occurred in Ukraine in 2015 and 2016 (Toshio Miyachi, 2016).

In Japan, the Tokyo Olympic and Paralympic Games are scheduled to be held in 2020. It has been reported that cyberattacks on the 2012 London Olympic Games could have resulted in the loss of lighting at the opening ceremony site (BBC NEWS, 2013). For this reason, it is urgent for companies operating CIs in Japan to ensure the cybersecurity of their ICSs ahead of the Tokyo Olympic and Paralympic Games (Nihon Keizai Shimbun, 2017).

Cyberattacks against ICSs affect not only cyberspace but also the physical world. As a result, there are concerns about destruction of the equipment itself, leakage of dangerous substances and explosion accidents. Also, as cyberattack methods have become more sophisticated in recent years, preparing cybersecurity measures on the premise that cyberattacks will occur is regarded as important. One such measure is a rapid and appropriate response by the organization to mitigate damage and bring the situation under control after a cyberattack occurs. Thus, it is essential to formulate a response plan in advance for events caused by cyberattacks (from now on referred to as "cyber incidents"). For this reason, the authors have developed a cyber exercise to assist companies operating CIs in formulating their cyber incident response plans (Hidekazu Hirai, 2017).


URL: https://www.sciencedirect.com/science/article/pii/B9780444642417502731

What type of attacker is most likely to use information you have posted about yourself on a social networking site?

The more information you have posted about yourself, the more likely it is that a criminal can send you a targeted spear phishing attack. Install and update antivirus and other software.

What can an attacker use that gives them access to a computer?

Trojan horses. Trojans give attackers backdoor access to a device, perform keylogging, install viruses or worms, and steal data. Remote access Trojans (RATs) enable attackers to take control of an infected device.

Which of the following is described as an attacker who pretends to be from a legitimate research firm who asks for personal information?

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware.

What can an attacker use that gives them access to a computer program or service that circumvents normal?

Chapter 2 Malware and Social Engineering Attacks.