It’s been 40 years since Lisa Donnan has queued for gas. But last month the cybersecurity expert found herself joining the long lines of cars across the east coast of the US looking for fuel after the latest in a series of cyber-attacks had shut down the pipeline that provides fuel to 45% of the region.
“The last time I did that was in the Iran crisis,” she said. “My dad had to wait with me.”
The hack of the Colonial Pipeline was just one of a series of cyber-attacks that have hit the US and elsewhere recently. Hackers have taken down JBS, the world’s largest meat processor, disrupting the global meat market, closed schools in Iowa and hit hospitals in Ireland in what experts say is a dangerous escalation of a crime wave that has swelled from the small-scale blackmail operations of a few years ago to major assaults that threaten the livelihoods – and potentially lives – of millions.
Many of the recent attacks have been sourced to operations in Russia, and US officials say that Russia’s responsibility for ransomware attacks carried out from its territory would be a central issue when Joe Biden meets Vladimir Putin in Geneva next Wednesday.
“One of the things that President Biden will make clear to President Putin, when he sees him, is that states cannot be in the business of harboring those who are engaged in these kinds of attacks,” the secretary of state, Tony Blinken, told Congress this week.
Eric Green, the senior director for Russia and central Asia in the national security council, said that one of the expected outcomes from the Geneva summit was a routine dialogue between senior US and Russian officials aimed at bringing greater stability and predictability to the relationship. One of the issues in the dialogue would be ransomware attacks.
“When we talk about strategic stability cyber will also certainly be on the agenda,” Green said in a recent discussion organised by the Centre for a New American Security. “The recent ransomware attacks remind us that the cyber domain is prone to misperceptions and that there are dangerous escalation risks.”
US officials say America will be pushing for Nato to expand its involvement in cyberdefence at the alliance summit in Brussels. But the unanswered question is how to respond to ransomware attacks by criminal groups for whom their host countries deny responsibility.
“Putin will deny interfering in US politics or conducting cyber-attacks, asserting that Washington has no proof, while rejecting the legitimacy of US concerns about what happens within Russia,” said Steven Pifer, former deputy assistant secretary of state for European and Eurasian affairs and now a senior fellow at the Brookings Institution.
“Biden should not waste time arguing. He should aim instead to ensure that Putin has a clear understanding of what conduct is out of bounds.”
The pressure for Biden to act is rising. There has been a 62% increase in ransomware globally since 2019, and a 158% spike in North America, according to the 2021 SonicWall Cyber Threat Report. Alongside that rise, the nature of the crimes and their targets are also changing.
“We are seeing more attacks, more sophisticated attacks, bigger attacks and the scary thing is we are seeing them more on supply chains,” said Donnan. “It used to be about financial exfiltration, stealing money, and reputational damage. It’s now in a life-threatening environment. That is a dramatic change.”
Now a partner at the cybersecurity private equity investor Option3Ventures, Donnan says she doesn’t expect to see any let-up in attacks. Nation states including Russia, China and North Korea are getting more ambitious in their attacks and the criminal enterprises that operate under their wings are getting more brazen.
“The landscape is ripe and ready for attack from a perfect storm of hackers, nation states and the average cybercriminal,” she said.
Part of the recent surge is down to the pandemic, which has helped the hackers by accelerating the digitization of business and giving them more access points as people and businesses have moved to work remotely.
On top of that there has been an explosion in software development, much of which was not built with security in mind from the beginning, said Donnan. “We still have a culture of get to market, be first. We are designing code without security in mind,” she said.
Lastly there are few consequences to cybercrime. Cryptocurrencies are the preferred payment for ransoms and are as hard to track as the origins of the hack. With the authorities unlikely to crack the case anytime soon – if ever – for many targets not paying is a difficult choice. Joseph Blount, Colonial’s chief executive, told Congress last week that he decided to pay the $4.4m bitcoin ransom to get the pipeline back online after he saw “pandemonium going on at the markets”.
Politicians hit out at Blount for the company’s failure to stop the hack. But the government itself has also failed to stop numerous hacks and not paying the ransom can be more expensive than paying up and potentially leave companies open to further assaults. JBS paid $11m in bitcoin to its hackers, even though it had mostly fixed its problems, hoping the payment would prevent further issues arising from the attack.
In 2019 Baltimore was hit with a cyber-attack that seized control of parts of its government. The hackers demanded $760,000 in bitcoin but the mayor, Bernard “Jack” Young, refused to pay. The cost of rebuilding its systems has now reached $18.2m.
Publicly the FBI advises victims not to pay a ransom in order to discourage perpetrators from targeting more victims. But privately they will tell targets that they understand if they feel the need to pay.
In the Colonial case the FBI managed to seize the majority of the bitcoin payment – a hopeful sign that may discourage some attackers, according to experts – but the fact remains that most of these crimes go unpunished.
“It’s very difficult to prosecute, it takes a long time, it takes cooperation geopolitically because most of these attacks come from offshore,” said Donnan. “The government only has so many resources. It doesn’t take a lot of tools or brain capacity to do these things,” she said. “You can buy a tool kit on the dark web.”
One irony of the current wave of hacks is that the US is under attack by tools developed by its own National Security Agency (NSA). In 2016 an online group called the Shadow Brokers claimed to have infiltrated the Equation Group, the NSA’s own private hacking group, and obtained malware used by the US to target its enemies.
In June 2017 the same cyber-attack tool developed by the NSA, called EternalBlue, was used to launch a series of attacks on Ukraine, affecting the government, banks and transportation systems and taking the radiation monitoring system at Chernobyl offline. That attack then spread around the world, hitting companies that had offices in Ukraine including FedEx, the advertising agency WPP, pharmaceutical company Merck and consumer goods maker Reckitt Benckiser.
The escalation in cases comes even as spending on security is rising dramatically. The US is the number one country for cybercrime and also spends the most on cybersecurity.
In 2015 the US Office of Personnel Management (OPM) announced it had been hacked that year, one of the largest data thefts in history. Since then the US has spent $115bn on cybersecurity and the White House is asking Congress to commit roughly $10bn to civilian government cybersecurity next year – a jump of nearly 14%. Industry spent $41bn on cybersecurity in 2019 and is expected to have spent $53bn in 2020.
Even after all that money has been spent, said Donnan, “we are still exposed because there is no consequence.”
But there are rewards.
Three years ago Paul Ferrillo, a partner at New York law firm Seyfarth Shaw who specialises in cybersecurity, says he was settling ransomware hacks for five bitcoin (about $6,000 per bitcoin then and currently around $36,000 each). “Now you are lucky if it’s 75 bitcoin or 100. I heard of one demand recently for $140m,” he said.
“If this is the new normal, they are winning,” he said. “These criminal actors are well-funded and smart whether they are state-funded or not. We need to be as smart as they are.”
Ferrillo said there was no silver bullet that would solve the crisis and that everyone from the government to the private citizen had to play a part. Companies have to get better at managing their data, storing backups offline and making sure it is harder to get into their systems.
He also wants to see more transparency from industry. Companies have often hidden hacks because they don’t want to look like “doofuses”, he said. “But when industry shares information, we all get smarter. We understand where we should look and how we should do better.”
But tackling this explosion in hacking will take action from everyone, he said, from government to private citizens. “Cybersecurity is a shared responsibility. We are all in this together,” he said.
The British start-up plans to use the funds to expand after it announced the opening of a European HQ in Dublin last month.
TrueLayer has raised $130m in a funding round that saw participation from Stripe and gives the fintech start-up a post-money valuation of over $1bn.
The British company, which develops APIs to securely connect fintech platforms directly to banks, announced last month that it’s opening a European HQ in Dublin, hiring 25 people. TrueLayer has received authorisation from the Central Bank to operate in Ireland.
The round was led by Tiger Global Management, and comes after TrueLayer’s $70m Series D round in April of this year. The company has now raised about $272m in total.
Alex Cook, partner at Tiger Global Management, commented: “The shift to alternative payment methods is accelerating with the global growth of online commerce, and we believe TrueLayer will play a central role in making these payment methods more accessible.
“We’re excited to partner with Francesco, Luca and the TrueLayer team as they help customers increase conversion and continue to grow the network.”
Stripe, which last week announced its intention to grow its Dublin presence significantly, was already an investor in TrueLayer. The Irish-founded payments giant has invested in numerous up-and-coming fintech ventures across the US and Europe, such as a renewed interest in Ramp in late August.
Speaking to the Irish Times, TrueLayer Ireland CEO and general manager for Europe Joe Morley said: “The fundraise allows us to commit even further to our markets in Europe…and allows us to start thinking about broader expansion.
“But our focus in the short to medium term is to make sure we win in Europe so we’re really doubling down on what we had already initiated with our last funding round.”
Morley formerly worked as an executive at Facebook and WhatsApp, and is joined by fellow Facebook alum Leigh-Anne Cotter as TrueLayer Ireland COO.
TrueLayer says that, during 2021, it has so far seen a 400pc increase in volume of payments and 800pc increase in total payment valuation through its APIs. It also claims to have “millions of customers” and more than 10,000 developers using its systems.
The company plans to use the fresh funding to expand into new markets and to increase the penetration of open banking services in regions in which it already operates.
The world’s biggest tech companies are coming out with bold commitments to tackle their climate impact but when it comes to using their corporate muscle to advocate for stronger climate policies, their engagement is almost nonexistent, according to a new report.
Apple, Amazon, Alphabet (Google’s parent company), Facebook and Microsoft poured about $65m into lobbying in 2020, but an average of only 6% of their lobbying activity between July 2020 and June 2021 was related to climate policy, according to an analysis from the thinktank InfluenceMap, which tracked companies’ self-reported lobbying on federal legislation.
The report also sought to capture tech companies’ overall engagement with climate policy by analyzing activities including their top-level communications as well as lobbying on specific legislation. It found that climate-related engagement levels of three of the five companies – Amazon, Alphabet and Microsoft – had declined compared to the previous year.
Tech companies, which have some of the deepest pockets in corporate America, have been racing to come out with increasingly ambitious climate pledges. Amazon has a target to be net zero by 2040 and to power its operations with 100% renewable energy by 2025, and Facebook has a target of net zero emissions for its entire supply chain by 2030.
In 2020, Microsoft pledged to become carbon negative by 2030 and by 2050 to have removed all the carbon the company has ever emitted. Apple has committed to become carbon neutral across its whole supply chain by 2030.
And Google has pledged to power its operations with 100% carbon-free energy by 2030, without using renewable certificates to offset any fossil-generated power. “The science is clear, we have until 2030 to chart a sustainable course for our planet or face the worst consequences of climate change,” the Google and Alphabet CEO, Sundar Pichai, said in a video announcing the policy.
Yet this strong pro-climate rhetoric is not being matched by action at a policy level, according to the report. “These gigantic companies that completely dominate the stock market are not really deploying that political capital at all,” said the InfluenceMap executive director, Dylan Tanner.
Tech companies have not been entirely silent. Apple, for example, has expressed support for the Biden administration’s proposed clean energy standard, which aims for all US-generated electricity to be renewable by 2035.
But these efforts are significantly outweighed by those of big oil and gas companies, which have ramped up their climate lobbying over the same timeframe, according to the report. “Most of their political advocacy is devoted to climate change and it’s negative,” said Tanner.
A lack of engagement is especially disappointing given the new momentum around climate action under the Biden administration, said Bill Weihl, a former Facebook and Google sustainability executive and now executive director of Climate Voice, which mobilizes tech workers to lobby their companies on climate action. “The dominant business voice on these issues is advocating against the kind of policies that we need,” he said.
Joe Biden’s $3.5tn budget reconciliation bill, which includes large investments for climate action, is facing fierce opposition from some industry groups. The US Chamber of Commerce, the country’s most powerful business lobbying group, has said it will “do everything we can to prevent this tax raising, job killing reconciliation bill from becoming law”. All of the tech companies, with the exception of Apple, are members of the Chamber.
“Our best chance to lead the planet to safety in the race against climate change is through this reconciliation bill, yet InfluenceMap has shown that big tech is still MIA on climate in Congress,” said Senator Sheldon Whitehouse, a Rhode Island Democrat and longtime advocate for climate legislation.
Microsoft and Apple declined to comment on the report and Alphabet did not respond to requests for comment. A spokesperson for Amazon said the company engages at local, state and international levels to “actively advocate for policies that promote clean energy, increase access to renewable electricity, and decarbonize the transportation system”.
A Facebook spokesperson said “we’re committed to fighting climate change and are taking substantive steps without waiting for any legislative action”, adding that the company supports the Paris climate agreement goals and helped found the Renewable Energy Buyers Alliance.
But these actions are not enough given the scale of the crisis, said Tanner. The UN warned in a report published on Friday that even if current climate emissions targets are met, the world is still on a “catastrophic pathway” for 2.7C of heating by the end of the century. “We’re running out of time,” Tanner said, “physically on climate but also on a public policy level.”
TechUK – the UK’s digital trade association representing computer giants and start-ups alike – has called on firms to check their green credentials and make sure they stand up to scrutiny.
The warning comes as UK businesses were told to brush up on their eco-claims or risk public humiliation and enforcement action by the Competition and Markets Authority (CMA).
Businesses have until the New Year to make sure their environmental claims – such as those regarding energy consumption, packaging, recycling, and product lifecycle assessments – comply with the law and are not simply an exercise in greenwashing.
As part of its efforts to steer companies, the CMA has published a six-point Green Claims Code in a bid to make it clear that anyone spouting eco-friendly claims “must not omit or hide important information” and “must consider the full life cycle of the product.”
The CMA is targeting sectors that some onlookers may regard as low hanging fruit including textiles and fashion, energy-hungry travel and transport, and fast-moving consumer goods.
However, any sector and the companies that operate within it – including tech – could fall within the CMA’s crosshairs.
In a statement, Andrea Coscelli, chief exec of the CMA, said: “We’re concerned that too many businesses are falsely taking credit for being green, while genuinely eco-friendly firms don’t get the recognition they deserve. Any business that fails to comply with the law risks damaging its reputation with customers and could face action from the CMA.”
However, there are worries the new rules may lead to confusion. In its evidence to the CMA, techUK said the six principles set out in the guidance were “not specific enough” and also called for more information to help tech firms. It also warned that different variables made in lifecycle assessments could lead to misleading results.
In a statement, Susanne Baker, associate director for Climate, Environment and Sustainability, techUK, told us: “The CMA’s guidance is important for any company making a green claim about their services, products and company. With more green claims being made by the tech sector than ever before, it’s absolutely vital that these aren’t deemed to be greenwashing.
“Firms have until the new year to address this and will need to think carefully about any green claim they make, be sure they can substantiate them, that they aren’t misleading, and are truthful and accurate,” she said.
The CMA announced that it was investigating the impact of green marketing on consumers last year when it found that 40 per cent of green claims made online could be misleading – suggesting that thousands of businesses could be breaking the law.
Amazon recently found itself fending off a whistle-blower’s claims alleging it dumped unsold goods to landfill, and later bragged that it had achieved lower carbon “intensity” in its business practices. The latter claim was shot down by an unimpressed scientist close to The Reg who remarked that the fact Amazon’s business was growing was not “helpful to Earth”, and the fact it polluted less per unit of activity didn’t change the bottom line “which is that they are polluting more this year than they did last year.”
Meanwhile, Tesla CEO Elon Musk recently announced the electric car maker will stop accepting Bitcoin payments for its vehicles, due to the “increasing use” of fossil fuels, particularly coal, to support Bitcoin’s electricity-hungry mining and transaction processing.
An Intel-sponsored report by non-profit Resilience First highlighted in June the role of tech in reaching net-zero carbon emission goals. However, making chips has been a dirty business, with a 2002 study concluding that a single 2g semiconductor chip required a whopping 1.6kg of secondary fossil fuels and 72g of chemical inputs to be put into production.