Tales from the Typhoon are intended to illustrate the consequences of malicious cyber threat actors such as Volt Typhoon. Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
Tales from the Typhoon are illustrative only and are not descriptions of specific incidents attributed to Volt Typhoon or other malicious threat actors. The following story is fictional. Characters are not based on real people.
Molly didn’t remember the chair being so hard. She fidgeted a bit as she looked around the room. She was in the CEO’s conference room with the CEO, the VP of Human Resources, the company’s General Counsel, and the Chief Information Security Officer. As Director of Human Resources, she’d met with these people numerous times in the past, though this situation was different.
Shelly, the CEO, spoke. “Okay, Joe. Tell me one more time. In plain English this time.”
Joe, the CISO, looked down. He thought he had explained it in plain language. “Okay, basically, someone broke into our computer network, found our customer information, and took all of it. We found out on Monday when we got a demand for payment. We’ve got experts evaluating how this happened. Our cyber insurance vendor has a negotiator onsite talking to the hackers. And the FBI is involved.”
“What do we know so far about how this happened?” asked Shelly.
“Well, it appears that malware was downloaded onto one of our workstations and then spread to a number of our servers. Normally, our intrusion detection software would catch this movement, but,” Joe paused, “the malware only stole the credentials of one of our system administrators, and then the hackers used this to move laterally among servers. So, it looked like someone authorized was just doing the job. It’s a technique called living off the land.”
Joe looked up, hoping his description wasn’t too technical.
“How did the malware get in?” asked Shelly.
“It was, um, downloaded. By the administrator whose credentials were used,” said Joe.
“Crap. So we did this to ourselves?” Shelly looked around the room. “Don’t we train our staff not to click on suspicious links? Don’t we have some kind of policy that says they have to take the training?” asked Shelly.
“Definitely,” said Joe, “our security policies are very clear that all employees must complete the training satisfactorily. We test them twice yearly, and HR keeps track of the results.”
All eyes turned to Molly. “Um, yes, that’s true. All members of our workforce are required to take the phishing training. We track the results and make sure each workforce member has done the training.”
“And they all pass?” asked Shelly.
“At some point. I mean, some don’t the first time, but we require them to retake the training until they do,” said Molly.
“And this administrator, whatever his or her name is. They took the training. And passed?”
Molly didn’t like where this was going. “Well, he definitely took the training. But he didn’t pass. So he’s in the process of retaking it.”
The chair definitely felt less comfortable than usual to Molly. “So he didn’t pass the training. But he still gets to keep working with our sensitive information?” asked Shelly.
Shelly turned to Joe. “Joe. You need to fix this. Update your policy. It’s a major gap to allow someone to keep doing their same job if they don’t pass the phishing training.”
Joe responded in a measured fashion. “It’s not a security policy issue. It’s an HR issue. We mandate the training and require that people pass. But unless there’s something in our employee policy that assigns a sanction to not passing, or how long people have to pass, there’s very little we can do.”
There was silence in the room. Shelly turned to Richard, the General Counsel, who just shrugged. Virginia, the VP of HR, chimed in, “Shel, we’re aware of this disconnect between our security policies and our policies related to workforce performance. I’ve been working with Joe and Richard, but we’re not there yet. There are some, um, considerations.”
Shelly rubbed her forehead. “Considerations? I’ve been on the phone for the last two days with the CEOs of our biggest customers, trying to calm them down. To explain that we’re still a good partner and have a handle on this. And now you’re telling me that the person who caused this problem gets to continue doing the same job with no consequences because we didn’t take a violation of a security policy as seriously as something like tardiness? Well, I’m not quite sure what to say.”
Something was definitely wrong with her chair, thought Molly. “So,” continued Shelly, “I have to talk to the board in a half hour. I’m going to tell them we’re still investigating what happened, and there are still lots of things up in the air. Right now, just between us, it seems like the only thing I know for sure is that I can’t fire the person who downloaded the malware. But he’s the only person I know I can’t fire. Richard, please stay. The rest of you, keep working on this, and we’ll meet tomorrow.”
Question: What should Molly do?
- Add that adherence to security policies is an expectation of employment.
- Add requirements into job descriptions to adhere to cyber-safe behaviors as defined by the organization.
- Add sanctions or consequences for not demonstrating cyber-safe behaviors, such as not satisfactorily completing training.
Anything else?
Al Ogata is the CEO of CyberHawaii, an information-sharing and analysis non-profit organization committed to developing and enhancing Hawaii’s cybersecurity capabilities. Al has over 40 years of experience in technology, information systems, risk management, compliance, and operations. For more information, visit CyberHawaii’s website at cyberhawaii.org.