
Introduction

At 3:35 P.M. local time on December 23, 2015, the heat clicked off in the eastern part of Ukraine. So did the lights. Three different oblenergos (regional energy distribution companies) in eastern Ukraine had fallen prey to cyberattacks that resulted in “several outages that caused approximately 225,000 customers to lose power.”1 The details of the event are well covered, and those less familiar should refer to Box 1.

Arguably, the problem in Ukraine started well before spring 2015 and the set of initial spear phishing emails. Most of the oblenergos in Ukraine underwent a process of privatization from the mid 1990s to the late 2000s.2 With privatization came the realization that the grid’s infrastructure was leading to inefficient and sometimes ineffectual power delivery. What followed in the early 2010s was a push to modernize Ukraine’s power transmission system. The modernization consisted of replacing some analog equipment, like breakers, with newer analog equipment. However, some modernization efforts also introduced more automation and digitization of monitoring and control systems.3 As Dejan Cerkic, a project manager who led grid modernization projects in Ukraine noted in 2012, “It is very important for a country like Ukraine to have a solid electrical system, because it is the basis of the economy.” For Cerkic, “international projects, either with European investors or with the World Bank give an opportunity to modernize the transmission system faster than it can be done using local funds.”4

Cerkic is right. This automation and digitization enabled more efficient delivery of power: transmission and distribution losses fell from 19.71 percent of output in 2001 to 10.78 percent in 2014.5 But the digitization of monitoring and control systems, combined with a destructive cocktail of insufficient local training in good computer hygiene, limited awareness of cyber threats, a lack of cybersecurity expertise, and limited implementation of technical solutions, left the Ukrainian power grid open to new digital risks.

While the attacks on the Ukrainian power grid are perhaps the most visceral cyberattacks yet witnessed, Ukraine’s power grid is not the only digital system vulnerable to exploitation. Incidents in low-, middle-, and high-income countries alike clearly communicate the inherent risks associated with digital systems. The global ransomware incidents WannaCry and NotPetya affected nearly all sectors in 150 and 65 countries respectively.6 Liberia was taken offline entirely by cyberattacks.7 Cybercrime in Nigeria has depressed foreign direct investment.8 Cyber incidents in Bangladesh resulted in millions of dollars in theft.9 Just as digitization holds great promise to improve the conditions of humans around the world, cyber risk threatens to erase progress or even worsen conditions.

The moral of these stories? It may not be what you think. Digitization is not bad—it is good. Digitization and connectivity yield unquestionable dividends and advance human development in ways that would have been unimaginable just a century ago. But the increased use of and reliance on digital systems simply carries with it new risks. As the development of economies, institutions, and society more broadly in lower- and middle-income countries becomes increasingly reliant on digital technologies, the imperative to do a better job of building local capacity to manage digital risk increases. The role of cybersecurity for the delivery of key development outcomes and the achievement of the Sustainable Development Goals is potentially immense, as much of the work to attain these outcomes is underpinned by trust in resilient information and communication technology. Without trust in and reliability of this technology, countries and citizens will not fully reap the rewards of digitization.

Cyber insecurity is an issue simultaneously impacting human security, economic stability, and society more broadly. As development institutions seed projects to digitize greater portions of society in the hope of improving conditions around the world, little attention is paid to building cybersecurity capacity—the capacity countries need to better manage these novel risks. A community—not dissimilar to the established development community—focused on building cybersecurity capacity exists. This cybersecurity capacity building community is a loose community of practice consisting of government agencies (from ministries of foreign affairs to ministries for development and telecommunication regulators), intergovernmental organizations, nonprofit/nongovernmental organizations, and private companies. These organizations work together and separately to grow human, technical, and organizational capacity to manage and combat cyber risk.

Despite its related goals, the cybersecurity capacity building community is largely disconnected from the development community. There are a number of reasons for this division, some intentional, some accidental. Additionally, the work of the cybersecurity capacity building community is as yet imperfect. However, the increased use of information and communication technology and digital devices as tools to deliver better development outcomes necessitates taking steps to mainstream cyber risk management and cybersecurity capacity building in development.

That is what this report is about.

The remainder of this report proceeds as follows. Chapter 1 introduces how cybersecurity contributes to better development outcomes and the achievement of the SDGs. Chapter 2 discusses the various ways in which cybersecurity could be incorporated in the development community. Chapters 3 and 4 provide overviews of the development and cybersecurity capacity building communities respectively. Chapter 5 explores the primary benefits of bridging the divide between these two communities and Chapter 6 delineates the primary challenges to doing so. Finally, Chapter 7 outlines a roadmap for overcoming these challenges and recommends specific actions for policy and decision makers to take.

Because the primary goal of this report is to provide a blueprint for bridging the gap between two different communities, its audience is mixed. This means that some sections, and even entire chapters, may be review material for some readers. The report highlights these sections and offers guidance on how to choose your own path through the text.

For all the things this report is about, there are two important issues in the context of development and cybersecurity that this report is not about: (1) making the development community more cybersecure in its own operations, and (2) identifying good practices in cybersecurity capacity building. Scholarship addressing these topics is a pressing need, and both merit greater study, but they fall outside the scope of this project.

Box 1

What Happened in Ukraine?

It all started about six months prior to December 2015. “There were phishing emails sent out,” says Robert M. Lee,10 who was one of the lead investigators of the 2015 hack of the Ukrainian power grid. This means that operators at the oblenergos in eastern Ukraine were receiving emails about “a variety of different events going on in Ukraine.” When grid operators opened up these emails, “a piece of malware called BlackEnergy3 was dropped to the system.” BlackEnergy3 enabled “attackers to steal credentials—usernames, passwords, things like that—from the network,” which they could then use to regain access to the company’s computer networks. According to Lee, over the next six months, the attackers “spent that time researching and understanding the environment.”11

Once attackers gained the needed knowledge of the Ukrainian grid’s operating systems, they were able to use their stolen credentials to gain remote access. With this access, they opened up the necessary digital control systems, clicked a mouse a few times, and shut a series of breakers, turning off the power.12

But they were not done there. Anticipating the natural reaction of the grid operators, which would be to try to reboot their computer systems in an effort to regain control and turn the lights back on, the attackers also uploaded a common piece of malware called KillDisk to the systems. When the station operators in Ukraine attempted to reboot their devices, KillDisk kicked in, “deleting all the files and deleting all the systems.” This meant that, “while the operators are trying to recover, they’re also dealing with the fact that all their systems have gone down.”13

Ultimately, the 2015 cyberattack left more than 200,000 people without electricity for approximately three hours. But the effects of the attack lasted beyond those three hours, as its impact forced operators to switch to manual operation of portions of the grid, nullifying the positive progress of digitization in power delivery.14 And it could have been much worse. In some parts of the world, digital systems lack manual backups. In still more parts of the world, reliance on digital systems means that localities lack the people and expertise necessary to operate critical systems manually, even if that is an option.

Citations
  1. Robert M. Lee, Michael J. Assante, and Tim Conway. 2016. “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.” E-ISAC. March 18. p. 1. source.
  2. Laszlo Lovei. 1998. “Electricity Reform in Ukraine.” Public Policy for the Private Sector. Note No. 168. December; Christina Maciw, Natalie Bell, and Vitaliy Radchenko. 2009. “Ukraine Prepares 15 Oblenergos for Privatisation.” Mondaq. August 13. source.
  3. Vitaliy Radchenko, Olexander Martinenko, and Inna Antipova. 2015. “CMS guide to electricity – Ukraine.” Cameron McKenna Nabarro Olswang LLP. September 1. source.
  4. World Bank. 2012. “Expanding the Ukrainian Power Transmission Grid.” World Bank. February 9. source.
  5. World Bank. “Electric power transmission and distribution losses (% of output).” World Bank – IEA Statistics. Accessed March 19, 2018. source.
  6. Melissa Hathaway. 2018. “Managing National Cyber Risk.” The Organization of American States. Forthcoming.
  7. The Guardian. 2016. “Massive cyber-attack grinds Liberia’s internet to a halt.” The Guardian. November 3. source.
  8. Nigerian Communications Commission. “Effects of Cybercrime on Foreign Direct Investment and National Development.” Nigerian Communications Commission. source.
  9. Kim Zetter. 2016. “That Insane, $81m Bangladesh Bank Heist? Here’s what we know.” WIRED. May 17. source.
  10. In addition to running Dragos Inc., a cybersecurity company, Robert M. Lee is a Cybersecurity Policy Fellow with New America’s Cybersecurity Initiative.
  11. VICELAND. 2016. “Did Russia Hack Ukraine’s Electrical Grid?” VICELAND. November 30. 2:00 – 4:00. source.
  12. Andy Greenberg. 2017. “Watch Hackers Take Over the Mouse of a Power-Grid Computer.” WIRED. June 20. source.
  13. VICELAND. 2016. “Did Russia Hack Ukraine’s Electrical Grid?” VICELAND. November 30. 2:00 – 4:00. source.
  14. Robert M. Lee, Michael J. Assante, and Tim Conway. 2016. “Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.” E-ISAC. March 18. p. 2. source.
