Are Cyberattacks the Result of Conflict Culture?
By Cy Nelson, December 27, 2021
As a member of Infragard, I’ve been attending FBI briefings to help organizations deal with one of the biggest cyberattacks to ever target the USA government. On December 8, 2020, FireEye discovered a Trojan Horse in a SolarWinds software update that has infected more than 18,000 organizations in the USA including our government. Unfortunately, this malware has been silently spying on the government since March 2020.[2,3,4] How did this happen? And more importantly, how can we prevent a future attack? The answer may surprise you.
Bad actors planned this attack carefully. They most likely learned technical details by pretending to be SolarWinds customers or by posing questions to online technical communities who routinely answer questions asked by strangers. They may have chosen this supply-chain attack when they discovered that SolarWinds recommends turning off anti-malware checks when updating their software. The vulnerability was not purely technical. Social engineering or “the art of the con” was also involved.
Let’s face it, forensic analysis will identify where to add new technical controls. While that is important, bad actors will find new ways around them. Let’s attempt to understand and to resolve the root cause of this cyberattack. Why do bad actors want to attack the USA? For the past four years, our foreign policy has glorified the “conflict culture”. USA leaders filled the media and social media with blaming, shaming, lying, name-calling and all the drama that make TV reality (Reality TV) an addictive, adrenaline high. Sure, ratings soared, the stock market roared, and we were entertained but did this conflict culture cause cyberattacks?
Rewind to 2014 and remember when Sony was attacked. Bad actors called, “Guardians of Peace”, demanded that Sony not release a film because it showed Kim Jong-un being humiliated and assassinated. Kim Jung-un is the leader of North Korea who recently taught us the English word “dotard”. When Sony ignored the Guardians, they leaked confidential data about Sony including social security numbers for 47,000 employees. Then, they erased Sony’s computers. It wasn’t until they threatened another 911 terrorist attack that Sony cancelled the New York premiere. United States intelligence officials believe that the attack was sponsored by the government of North Korea. Did Sony’s participation in conflict culture cause this cyberattack?
Fast-forward to 2020, the California Employment Development Department (EDD) has been scammed out of about 2 billion dollars due to false unemployment claims. The Saturday, December 19, 2020, Los Angeles Times reports that a former contract employee allegedly used her expertise of the EDD system to file fraudelent, pandemic-related, unemployment claims to pay her boyfriend and his friends. Her boyfriend is serving 94 years to life at California State Prison on a murder conviction. Federal investigators say other bad actors are being investigated for similar crimes. Did our conflict culture cause this cyberattack?
All of these cyberattacks have many things in common, but let’s look for the root cause. Sony made a film where talk show hosts humiliated then assassinated the leader of North Korea. We may or may not agree with North Korean policies, but we can agree that public humiliation often leads to revenge attacks.
The EDD attack was perpetrated by an insider who allegedly stole credentials and gave them to a criminal. Certainly, EDD needs funding to properly vette their new hires and to update their computer controls, but, perhaps our conflict culture contributed to this individual feeling disenfranchised. Her name is Nyika Gomez.
Conflict is the root cause of most attacks including cyberattacks. Here’s the surprise. Compassion is more profitable than conflict. When I led projects in China, our success depended on newly formed teams trusting each other. On my first trip, I looked across the conference table as Chinese scientists blushed and stammered struggling to introduce themselves to me in English. During the project, they were shy about telling the true status. The project took longer than expected. As soon as I got home, I bought Pimsleur, the study guide used by CIA agents to quickly learn languages. On the second trip, I introduced myself in Chinese. My accent was poor and I stammered but I saw smiles of compassion on the faces of my colleagues. They spent the rest of our spare time teaching me to speak Chinese. We finished ahead of schedule. This is one example of the notion of good manners and the golden rule, “treat others the way you want to be treated.”
In our reality TV world, some people may believe that good etiquette or religious teachings are old-fashioned. How about basic self-protection? I was hiking in the desert and came upon a baby rattlesnake who was coiled up sleeping in the sun. Baby rattlesnakes are vital to their desert ecosystem, but they are deadly poisonous to humans. I could have poked it with my hiking stick to see it jump. That conflict between me and the snake would have been exciting. But I am a visiter to the desert. The snake would have been justified in protecting itself by biting me on the ankle and killing me.
The Chairperson of the Sony Motion Pictures Group took the opposite approach when she failed to respect the leader of North Korea. The result, Sony reported paying $35 million to restore their financial and IT systems. The total actual cost of the attack is unknown. Numerous lawsuits were filed by employees due to the indentity theft. Sony was asked to explain the gender pay gap that was uncovered. The Chairperson stepped down. Sony’s reputation was damaged. When I interviewed for a cybersecurity position at Sony in 2017, human resources and management personnel told me they were still having difficulty attracting well-qualified talent. I passed.
As a society, an organization, a cybersecurity professional, or a news reporter, let’s re-think promoting conflict culture. Can we protect ourselves from attack by creating a culture of compassion? Perhaps the first rule of Compassion Culture could be: don’t poke a rattlesnake.
Please share your thoughts about Compassion Culture on twitter: @RoboThot_ai
 Infragard, 2020. https://www.infragard.org/
 Suspected Russian hackers spied on U.S. Treasury emails. Christopher Bing, Jack Stubbs, Joseph Menn, and Raphael Satter; Editing by Chris Sanders, Daniel Wallis and Diane Craft. Reuters, December 13, 2020. https://www.reuters.com/article/BigStory12/idUSKBN28N0PG
 Explained: A massive hack in the US, using a novel set of tools, 2020. https://indianexpress.com/article/explained/us-solarwinds-hack-cybersecurity-fireeye-russia-7110550/
 CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise, 2020. https://us-cert.cisa.gov/ncas/current-activity/2020/12/19/cisa-updates-alert-and-releases-supplemental-guidance-emergency
 What Data Center IT Security Pros Must Know About the SolarWinds Vulnerability, 2020. https://www.datacenterknowledge.com/security/what-data-center-it-security-pros-must-know-about-solarwinds-vulnerability
 The Interview. Wikipedia, 2020. https://en.wikipedia.org/wiki/The_Interview
 Sony Pictures hack. Wikipedia, 2020. https://en.wikipedia.org/wiki/Sony_Pictures_hack
 California unemployment fraud amid COVID-19 pandemic may total $2 billion, Bank of America says By Patrick McGreevy. December 2020.
 Hack to cost Sony $35 million in IT repairs by By Tim Hornyak. February, 2015. https://www.networkworld.com/article/2879814/sony-hack-cost-15-million-but-earnings-unaffected.html
 Sony Pictures hack has cost the company only $15 million so far by Steven Musil. February, 2015. https://www.cnet.com/news/sony-pictures-hack-to-cost-the-company-only-15-million/