In September this year, a woman in Germany died after a hospital could not admit her since it was under a cyberattack. The woman was directed to another hospital, 20 miles away. She died since she could not receive the needed treatment in time.
Cyber incidents kill. They killed before. They will kill again.
It Happened Before
The Ashley Madison data breach is probably the most famous cyber incident with casualties. In this incident, hackers stole user data containing details such as the names and emails of people who had registered on the website, and published it on the internet. Since Ashley Madison is a website for finding a partner for extramarital affairs, at least two people (a police captain and a pastor) whose names were leaked could not bear the shame and committed suicide.
In another case, a computer belonging to a Romanian man got infected with police-themed ransomware. This malicious software (malware) presented a fake message to the victim, claiming it was sent by a law enforcement agency. The message stated that the victim had violated several laws and that he had been recorded watching porn sites. Allegedly, his only alternatives were either paying a large fine or going to jail. As a result, the man hanged himself and his 4-year-old son.
Direct and Indirect
You might think – “Well, these examples are not exactly death-by-cyberattacks”. And this is somewhat true. There is a difference between attacks that directly lead to people’s death (such as turning off someone’s pacemaker) and attacks that result in casualties as a side effect. Hence, let us define the following terminology:
Type I attacks - A group of attack scenarios that directly result in casualties. This group includes scenarios such as creating an explosion in a factory during working hours and making two crowded trains collide by disconnecting their brakes remotely.
Type II attacks - A group of attack scenarios that might eventually result in casualties, but several additional actions or events are needed for this to happen. This group includes scenarios such as leaking photos that lead to people committing suicide or stressing them to the point of killing themselves and their loved ones.
Type I attacks are a much sexier topic. They are movie material. Hackers have already changed the chemical mix in a water treatment plant, taken control over a car remotely, targeted nuclear facilities, hacked insulin pumps, and inflicted physical damage in a factory. Such headlines strike fear into people’s hearts. And while I am not aware of any such case that led to people dying, this will eventually happen.
Yet, at this point in time, type II attack scenarios are much more interesting for two main reasons. Reason one - they have already cost people’s lives. Reason two - while type I attack scenarios must involve specific types of targets (airplanes, nuclear facilities, etc.), type II attack scenarios are relevant to a surprisingly large group of companies.
Our Data Can Get You Killed
Many companies that store location data know when people have an affair. Many communication companies have information about people who are secretly gay in places where being gay might get you killed (sadly, such places still exist). Every media outlet has the names of the secret sources. And every such secret, if leaked, could cost lives.
The Strava case is a great example that demonstrates how “regular” commercial companies can gravely affect people’s lives. Towards the end of 2017, probably to promote brand awareness, Strava published a global heatmap. This beautiful map is a “visualization of two years of trailing data from Strava's global network of athletes” as the company’s blog states. Not long after the map was published, it was discovered that by doing so, the company accidentally exposed the exact location of U.S. bases in Syria and Afghanistan.
Though this is not a hacking incident, this case shows how much life-endangering data commercial companies hold, and the magnitude of the damage that a data leak could lead to.
A Variety of Scenarios
Data leakage is not the only possible driver for incidents that involve casualties, and type II attacks could stem from a wide variety of scenarios. In two of the examples that we have already discussed, we saw three people die because of fake threats presented by ransomware.
The recent case in Germany, which eventually led to a woman’s death, was not the first time that a hospital was unable to admit patients due to a cyberattack. In this case, the “hospital’s emergency department was forced to transfer patients even though the next nearest hospital was located 70 miles away”. And as we saw, forcing patients to travel 70 extra miles for treatment could have critical implications.
It should be noted that it was already found that “increased distance [from hospitals] was associated with increased risk of death”, as was stated by research that was published in the Emergency Medicine Journal.
While researching for this article, I came across another fascinating case that was shared by a user named “Brenda”. I was not sure I should add it here since the story was not published in any formal way, but rather in the comment section of an article, and I was not able to validate the story’s authenticity. Yet, I think it is interesting enough to mention.
Brenda shared that on July 13, 2013, her 36-year-old brother’s computer got hit by malware. The malware presented a message saying that he had been caught visiting child pornography sites and that if he did not pay within 3 days, he would go to jail. She then added that her “brother got so scared that he had a massive heart attack” as a result of a heart condition that they did not know he had. Brenda shared her story as a comment.
More people are going to die. And it will probably happen sooner than you think.
- After an incident in which emails are leaked, we will hear about a jealous husband who shot the guy who slept with his wife.
- After an LGBTQ organization is hacked, we will hear about many gay people who were executed in dark regimes.
- After an incident in which pictures are leaked, we’ll hear about people committing suicide.
- After an attack on emergency call systems (like 911 in the US), we'll hear about people getting killed because the emergency responders were not available in time.
- More people will die after ransomware attacks on hospitals.
And there are many other examples.
Mitigating the Psychological Gap
While physical security officers understand that preventing loss of lives is an integral part of their responsibility, the cybersecurity industry has yet to adopt this mindset. It is hard for many CISOs to accept that their actions, or lack thereof, might lead to people dying.
It is true that in some sectors, the security people’s awareness level is higher than in others. Such would be the case with security teams in sectors like homeland security, aviation, pharmaceuticals, etc. But as a whole, the industry’s approach towards protecting lives is that it is someone else’s job.
Even more so, the industry’s standards, methodologies, strategies, and risk management processes rarely touch on the subject of potential human casualties, and when they do, it is in a general way.
As a test case, I analyzed what is probably the most widely accepted standard in the cybersecurity world, the “NIST Cybersecurity Framework”. When explaining the possible outcome of a cyber incident, the standard states:
“Similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Cybersecurity can be an important and amplifying component of an organization’s overall risk management.”
Searching for terms related to the effect of cyber on human lives yielded zero results.
Yet, the uncomfortable truth is that security people’s decisions and actions can be causally linked to people's deaths.
Call for Action
The cyber industry has proven itself time and again in its ability to deal with the ever-expanding threat landscape. Yet, I believe that the proliferation of life-threatening attack scenarios will eventually force us to rapidly evolve and grow like never before.
The cyber industry must adopt the right mindset when human lives are at stake and incorporate this notion into our standards, policies, and methodologies.
In the meantime, organizations should incorporate the identification of attack scenarios that might affect human lives into their risk management process; prioritize the mitigation of these scenarios; notify senior management and the board of directors of the existence of such scenarios; and, lastly, improve the collaboration between physical security and cybersecurity teams.