We need to talk about that €4.3 million Meath County Council "sophisticated" so-called "cyberattack" that emerged into the light of day last week like Donald Trump's 400lb hacker from his bedroom lair.
In brief, Meath County Council was the victim of a particularly popular type of scam in which, typically, an employee who has control of accounts is sent a spoof message purporting to be from, say, the company chief executive. That person is asked to transfer a large sum of money into an account. The money is duly wired to the scammers. Oops.
If the whole thing comes to light fast enough, the money can perhaps be retrieved or frozen, as was the case with the Meath mega-sum, now resting in a Hong Kong account.
Where to begin?
I know exactly where, because one thing about this whole scam made my skin crawl: the use of the word “cyber”. Can we just lay off the “cyber”?
At every mention of the word cyber, my will to live declines further. What makes media and communications people rush to use it about anything related to computers and the internet? With the Meath story, cyber was splattered everywhere.
I get that this may not be understood clearly by most of the world, but the use of cyber is controlled by very strict rules.
Thanks to mathematician Norbert Wiener's 1948 book Cybernetics or Control and Communication in the Animal and the Machine, it's acceptable to utilise cyber in order to discuss cybernetics (should you be so inclined) or even cyborgs – short for cybernetic organisms.
And cyber also may be deployed at will when discussing William Gibson's famed 1984 novel Neuromancer, which is credited with introducing the term cyberspace to the world. The popularity of the novel, however, seems to be responsible for the release into the wild of all the unwanted silly cyber variations that plague us today.
Just because the novel is cool cyberpunk (arguably, an allowed usage) does not mean your use of cyber is cool. It almost certainly is not.
Nothing flags a wannabe geek desperately vying for street cred, a generalist in search of a trendy speciality, or an insecure self-promotional IT security professional like sticking cyber in front of a job title or using the word liberally in reference to anything digital.
This is of course why governments, surveillance agencies and a host of makey-uppy experts wave the word around. But please, I beg of you, just back away slowly from the term unless you know how to handle it properly. Especially if what you are referring to is plain old boring, if still very effective, fraud. Not a “cyberattack”. Especially not a “sophisticated” cyberattack. Not even a “serious, attempted cyber-enabled offence” as the council statement had it.
Because let’s make one thing clear. If the term cyberattack is going to be forced on us, it has to at least be in the context in which it is just about acceptable for security experts to sometimes use it. That means a major and debilitating attack using computers and the internet, by the most sophisticated of criminal hackers or those acting on behalf of a nation state.
Garden variety fraud
It should not be used just because an email was used to perpetrate a garden variety fraud, as in the case of the Meath embarrassment. It could just as easily have been a letter in the post, a text or a phone call. But in this case “the vector of attack” (see how I went all IT security professional there?) appears to have been an email. This uses basic social engineering – pretend to be someone you are not and sometimes a third party will be taken in and you’ll get useful information, access to networks, or money transfers.
Common they may be, but the fact that this scam came within a hair’s breadth of succeeding raises many questions. Such as, how could a sum that large – or even a fraction of that – be approved for transfer just by an email? Doesn’t a €4.3 million transfer trigger some basic internal security, such as a confirmation phone call to a known individual? Or two people to approve it? Didn’t a massive transfer request from Meath to a Hong Kong account seem a little... strange?
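One way a finance system could enforce the checks the paragraph asks about (a second approver, a confirmation call to a known number, scrutiny of new or foreign beneficiaries) is shown below as an added Python example; it is not code from the column or from the council, and the thresholds, account identifiers and staff roles are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed policy values for illustration; not Meath County Council's actual rules.
DUAL_APPROVAL_ABOVE = 10_000        # second named approver required above this (EUR)
CALLBACK_ABOVE = 50_000             # phone confirmation on a number already on file above this
HOME_COUNTRIES = {"IE"}
KNOWN_BENEFICIARIES = {"IE00-KNOWN-SUPPLIER"}   # constructed placeholder identifier

@dataclass
class TransferRequest:
    amount_eur: float
    beneficiary_account: str
    beneficiary_country: str
    approvers: Set[str] = field(default_factory=set)
    # Staff member who phoned the requester back on a number held on file,
    # not one taken from the email. None means no out-of-band confirmation happened.
    callback_confirmed_by: Optional[str] = None

def control_failures(req: TransferRequest) -> List[str]:
    """Return the controls this request fails; an empty list means it may proceed."""
    failures = []
    if req.amount_eur > DUAL_APPROVAL_ABOVE and len(req.approvers) < 2:
        failures.append("DUAL_APPROVAL")
    if req.amount_eur > CALLBACK_ABOVE and req.callback_confirmed_by is None:
        failures.append("CALLBACK")
    # The person who made the confirmation call must not also be an approver.
    if req.callback_confirmed_by is not None and req.callback_confirmed_by in req.approvers:
        failures.append("SEPARATION_OF_DUTIES")
    if req.beneficiary_account not in KNOWN_BENEFICIARIES:
        failures.append("NEW_BENEFICIARY")
    if req.beneficiary_country not in HOME_COUNTRIES:
        failures.append("FOREIGN_ACCOUNT")
    return failures

# Constructed request modelled on the column's description: a large sum to a
# Hong Kong account, approved on the strength of a single emailed instruction.
EMAILED_REQUEST = TransferRequest(4_300_000, "HK-UNKNOWN-ACCOUNT", "HK", {"accounts_clerk"})

# Same amount to a known supplier, two approvers, callback made by a third person.
VERIFIED_REQUEST = TransferRequest(4_300_000, "IE00-KNOWN-SUPPLIER", "IE",
                                   {"accounts_clerk", "head_of_finance"}, "finance_officer")

if __name__ == "__main__":
    print(control_failures(EMAILED_REQUEST))   # ['DUAL_APPROVAL', 'CALLBACK', 'NEW_BENEFICIARY', 'FOREIGN_ACCOUNT']
    print(control_failures(VERIFIED_REQUEST))  # []
```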
By international measures, this was indeed a big scam. When the FBI sent out an alert last spring warning about a massive increase in these so-called CEO scams, it noted the average loss to duped companies was $25,000-$75,000. Chump change to Meath.
Mattel – the giant multinational toy company – lost $3 million in 2015 to a CEO scam. Meath County Council nearly outperformed Mattel.
Incidentally, one common way of perpetrating these scams, according to the FBI, is free email services. Hack into someone in authority’s account, send an email seeming to come from that person... Just saying, maybe some of our politicians and State employees need to think again about those Gmail accounts they also use for business matters.