Case Study

How The CyberPeace Institute Responds to a Cyberattack

The report that follows has been developed to showcase how the CyberPeace Institute would operate in response to, and in the wake of, a significant cyber incident.

To illustrate how each of the Institute’s three functions would come into play once the organization is fully operational, this case study is built around a fictional global ransomware attack called “WreckWeb.” Based on several real-world precedents, this fictional account walks the reader through each of the Institute’s functions from the perspectives of the individuals who would be tasked with leading the Institute’s efforts: assisting vulnerable victims, conducting attack analyses, and sharing their findings.

In order to capture the nature, scale and impact of such a global cyberattack, the report begins by highlighting in particular the consequences of the 2017 “NotPetya” attack and the gaps in the international response. While NotPetya was chosen as one prominent example, similar events take place with increasing frequency each passing year and underline the core mission of the Institute to operate in response to attacks that cause “significant and direct harm on civilians and/or civilian infrastructure.”

Anatomy of a global cyber incident – NotPetya

An overview of how the NotPetya attack unfolded

The NotPetya malware was first deployed via commercial tax software in Ukraine and then spread autonomously via tools developed by the US military – tools that had been stolen and repurposed. NotPetya was initially thought to be ransomware, a type of malicious software designed to deny access to a computer system or data until a ransom is paid. The reality was far worse, and it quickly became apparent that the malware was instead designed to permanently damage computer systems. The attack spread across the globe, taking businesses and critical services offline and causing billions of dollars of damage in a matter of days.


CyberPeace Institute Function: Assistance

An overview of how the CyberPeace Institute could support civilian victims

In the midst of a global ransomware attack, the CyberPeace Institute coordinates rapid response efforts to aid vulnerable populations. In this section of the case study, time is of the essence as the coordinator of the Institute’s assistance efforts, Francois Mittlestand, races against the clock to deliver technical support to a humanitarian aid organization operating in a conflict zone that suddenly finds itself unable to access critical systems in the face of a spreading global ransomware attack known as "WreckWeb."


CyberPeace Institute Function: Accountability

An overview of how the CyberPeace Institute could generate greater transparency as it relates to sophisticated cyberattacks

In the wake of significant attacks, the world is often left with more questions than answers. This portion of the case study captures how the CyberPeace Institute’s Director of Accountability, Stefanija Dolenc, leads a consortium of experts in a deliberate and methodical analysis of both the technical nature of the WreckWeb attack and the breadth of its impact. This work illuminates how the attack was conducted, as well as who was impacted, to provide an authoritative and independent accounting of the harm done by WreckWeb.


CyberPeace Institute Function: Advancement

An overview of how the CyberPeace Institute could drive greater adherence to international rules

Attacks in cyberspace often evade scrutiny in the public eye and fail to be recognized as violations of expectations by the international community. This final chapter in the case study tells the story of how Kal Sunghyon leads the CyberPeace Institute’s Advancement work, picking up where the Accountability analyses left off. Follow Kal as he convenes legal experts to review the WreckWeb attack and determine where laws and norms were violated. Then read about how the analysis work and legal conclusions are shared in publications around the world, encouraging citizens everywhere to take notice and promote adherence to international rules in cyberspace.

For the purposes of this report, presumptions are made about how particular individuals and organizations might engage with the work of the CyberPeace Institute. This is purely to illustrate how the Institute would operate, and is not meant to reflect actual commitments or obligations by third parties. The employees and activities of the CyberPeace Institute included in the report are also fictitious, but based on anticipated behaviors. Ultimately, this case study provides illustrative context for how we envision the CyberPeace Institute would partner with others, operate efficiently and effectively, and add unique value to the ecosystem going forward to support a safer and more secure cyberspace.