Analysis | Don't panic. It might not be a cyberattack. – The Washington Post

Below: U.K. mail service faces a disruption, and the Guardian says the cyberattack that hit the U.K. newspaper was ransomware. First:

The FAA outage illustrates the risks of jumping to conclusions about cyberattacks

Every time there’s a major technological outage, like the disruption of Federal Aviation Administration systems Tuesday night that caused thousands of flights to be delayed, speculation quickly erupts blaming a possible cyberattack.

And every time, cyber experts respond: Stop doing that.

To be sure, Transportation Secretary Pete Buttigieg said there’s no evidence a hack was responsible, but that officials couldn’t rule out such a possibility.

Some of those aforementioned cyber experts are at least sympathetic to the natural tendency of people to speculate about, well, everything. And whatever the case ends up being for the FAA, tech outages like the one that agency experienced — leading to widespread flight cancellations and delays — can illustrate the potential havoc of a successful cyberattack.

But mostly, the sentiment of cyber observers is that it’s a bad idea to jump to conclusions, especially publicly.

“If we keep crying wolf, then we lose the ability to educate and solve real problems,” Bryson Bort, founder of the cybersecurity company Scythe, told me. “We live in the glassiest house in the world with our reliance on information systems.”

Overall, the speculation has been more muted this time than with other tech outages, said Jeffrey Troy, president of the Aviation Information Sharing and Analysis Center, an organization devoted to sharing threat information within the aviation industry.

“I’m not seeing a lot of calls and panic that there’s a big ransomware event or that the FAA is not going to be able to function,” Troy told me. “People are getting back to the business of aviation.”

• There can even be an upside to people thinking about different potential causes of an outage. “If you have people going in there with different mindsets, when you go to find the root cause, you’ll be as open-minded as possible,” he said.

A preliminary examination pointed to a damaged database file as the culprit, according to the FAA. But the investigation is ongoing, my colleagues Ian Duncan, Michael Laris, Katherine Shaver and Lori Aratani reported.

(Canada suffered a similar outage Wednesday, but it didn’t delay flights.)

The available evidence didn’t stop speculation, of course. People assuming that a cyberattack is responsible for any given outage is a growing trend, Shawn Henry, chief security officer at CrowdStrike, told me. 

“Over time, more recently, we have seen people default to that,” Henry said. “But they’ve defaulted to it because there have been a lot more attacks. There’s a lot more awareness of the adversary capabilities.”

• It’s wise for victims to not declare the cause of an outage until they know for sure, he said. “There are going to be glitches, software updates, hardware malfunctions, crashes, somebody making a mistake coding something incorrectly,” he said.
• That said, “If the media and the general public are speculating, there’s no harm in that other than perhaps unnecessarily getting people agitated and adding some anxiety to people’s lives,” he said. “But that’s what happens with people and the media.”

Sometimes, those non-cyberattack incidents might be more damaging, contended Dmitri Alperovitch, chair of the Silverado Policy Accelerator, on Twitter:

The cyber industry tends to reply to speculation about cyber incidents with memes centered on the Domain Name System, given how fundamental it is to internet routing and how problems with it are often the cause of what’s actually gone wrong, Bort said. Here’s Brett Callow, a threat analyst at the cybersecurity company Emsisoft:

None of this undermines the discussions that the United States and other nations are having about what protective steps — potentially including more regulation — policymakers should take to protect critical infrastructure sectors like transportation.

Even if a cyberattack didn’t cause the FAA outage, the outage might in fact feed into those discussions. Here’s former NATO supreme allied commander James Stavridis, a vice chair at the Carlyle Group, an investment firm:

And here’s John Hultquist, vice president of intelligence analysis at the Google-owned Mandiant Threat Intelligence, taking in the larger picture:

The federal government has been looking closely at cybersecurity threats for aviation. The Transportation Security Administration has been developing rules for the aviation sector. The White House also has briefed industry representatives on threats.

The most recent, prominent confirmed cyberattacks on the sector came in October, when a Russian group knocked some airport websites offline with distributed denial-of-service attacks that flooded the sites with phony traffic.

But maybe what’s needed right now in response to the FAA tech outage is simply an improvement to technology.

“Americans deserve an end-to-end travel experience that is seamless and secure,” said Geoff Freeman, president of the U.S. Travel Association, a trade group that represents the travel industry. “We call on federal policymakers to modernize our vital air travel infrastructure to ensure our systems are able to meet demand safely and efficiently.”

‘Cyber incident’ disrupts U.K. postal service

Royal Mail said it couldn’t send mail internationally as a result of the incident, the BBC’s Tom Espiner reports. The mail service is calling it a “cyber incident” and not a “cyberattack” and doesn’t know what was behind the incident.

“The back office system that has been affected is used by Royal Mail to prepare mail for dispatch abroad, and to track and trace overseas items,” Epiner writes. “It is in use at six sites, including Royal Mail’s huge Heathrow distribution center in Slough, which has been affected by the incident. It is unclear how long the disruption will continue, and mail that has already been shipped for export may be delayed.”

The National Cyber Security Center and National Crime Agency are trying to figure out what happened, and regulators have been notified about the incident.

Cyberattack on the Guardian was ransomware, the newspaper says

The U.K. newspaper said the hack probably happened after someone clicked on a phishing email, the Guardian’s Dan Milmo reports. Executives at the company said they believe that it was a “criminal ransomware attack, and not the specific targeting of the Guardian as a media organization,” Milmo reports. The cyberattack was discovered Dec. 20.

The hackers obtained the personal data of U.K. employees. But “we have seen no evidence that any data has been exposed online thus far, and we continue to monitor this very closely,” according to the executives — Guardian Media Group chief executive Anna Bateson and the Guardian editor in chief Katharine Viner.

The company said it didn’t have reason to believe that subscriber data or data of its staff in the United States or Australia had been accessed.

Twitter says ‘no evidence’ user data being sold online came from hack

Blockbuster New York Times story accidentally leaked phone numbers of Russian soldiers criticizing war (Motherboard)

Liquor Control Board of Ontario investigating after ‘cybersecurity incident’ knocks out website and mobile app (CBC News)

• Gen. Paul Nakasone, who leads the National Security Agency and U.S. Cyber Command, speaks at a public forum on a government surveillance authority on Thursday. April Doss and Christopher Fonzone, the top lawyers at the National Security Agency and Office of the Director of National Intelligence, are also slated to speak at the event, which is hosted by the Privacy and Civil Liberties Oversight Board.
• Cybersecurity practitioners meet with cybersecurity staffers on Thursday as part of Hackers on the Hill. 

Thanks for reading. See you tomorrow.