The Gray Market: Why a Colossal Hack of US Interests Should Wake Up the Art Industry to Cybersecurity Threats (and Other Insights)
Our columnist sees the breach of SolarWinds as a red alert about the heightened danger of cybercrime in the work-from-home era.
Every Monday morning, Artnet News brings you The Gray Market. The column decodes important stories from the previous week—and offers unparalleled insight into the inner workings of the art industry in the process.
This week, a reinforcement of the maxim that only the paranoid survive…
ONCE MORE INTO THE BREACH
Last Sunday, Reuters broke the news of what appears to be one of the most expansive, longest-running, and most damaging hacks in US history. The story should also double as a visceral reminder that, as the art market continues its aggressive march into enhanced online sales and global connectivity, cybersecurity deserves far more attention than it’s likely gotten during this anarchic year.
First uncovered by the cybersecurity firm FireEye, the mega-breach qualifies as what experts call a “supply-chain attack.” Rather than directly infiltrating their targets by stealing employees’ usernames and passwords, hackers instead broke into software that the true targets installed from a legitimate third-party supplier as part of a regular systems update. The corrupt software then provided the assailants a difficult-to-detect back door into the end user’s network—a back door that has been swinging open for six to nine months, per multiple reports.
Central to the debacle is a Texas-based IT company called SolarWinds, which produces software that manages the server networks of major public and private clients alike. According to Reuters, the firm’s “customers include most of America’s Fortune 500 companies, the top 10 US telecommunications providers, all five branches of the US military, the State Department, the National Security Agency, and the Office of President of the United States.”
While the full extent of the SolarWinds breach will not be known for months, Microsoft confirmed that the hackers exploited at least “40 companies, government agencies, and think tanks,” per the New York Times. “Nearly half” of that cohort’s members are private tech companies, with “many” specializing in cybersecurity. An earlier Times story identified the Department of Homeland Security and “parts of the Pentagon” as confirmed government victims.
Secretary of State Mike Pompeo stated on Saturday that US officials “can say pretty clearly” that the culprits were Russian state actors. Russian officials have vigorously denied responsibility.
Despite the fog of cyberwar, there is a strong belief that the damage is extensive. In a New York Times op-ed last Wednesday, Thomas Bossert, the homeland security advisor for former president George W. Bush, contends the hackers “most certainly” gained “complete control” over hundreds of the networks they infiltrated, giving them “the power to destroy or alter data and impersonate legitimate people.” He suggests they also retain passive spying privileges inside many more systems.
So how scared should the art industry be about this digital debacle? As usual, there is good news and bad news…
ART OF THE STEAL
Let’s start with the positive side. Put simply, the art industry is nowhere near large or consequential enough to attract digital espionage as laborious and sophisticated as the kind at the crux of the SolarWinds story. According to Bossert, supply-chain attacks can take years to execute, which is why they are “almost always the product of a nation-state.”
But the bad news is twofold: first, the arts ecosystem is still valuable enough to attract small-time cyberthieves; and second, most of the industry’s participants are still so ill-fortified that even relatively simple hacks can be devastating.
In case it slipped your mind at some point during daily life’s monthslong meltdown into experiential fondue, hackers have spent the past few years assailing different facets of the art ecosystem with a variety of techniques. A lawsuit filed in January sprung from a cyberthief’s interception of a $3.1 million wire transfer between a Dutch museum and a British dealer during the would-be sale of a John Constable painting. The culprit used what’s known as a “man in the middle” attack, in which a hacker infiltrates a company’s email system and begins impersonating the buyer and seller to divert communications and funds their own way before disappearing.
The same technique played a central role in what The Art Newspaper called a “cyber crime wave” that washed through galleries including Hauser & Wirth, Simon Lee, and Thomas Dane in 2017. (Hauser & Wirth managed a “full recovery” of the funds in question, but Lee and Dane were not as fortunate.)
Sales aren’t the only point of digital vulnerability for the arts, either. In May 2019, the Asian Art Museum of San Francisco was hit with a ransomware attack, in which hackers take control of a target’s digital infrastructure and threaten to corrupt or obliterate it unless the victim coughs up a sizable fee (usually payable in cryptocurrency).
Fortunately, the Asian Art Museum managed to thwart the attack with the help of the city’s IT experts. But Tyler Cohen Wood, a cybersecurity consultant and the former cyber deputy chief of the Defense Intelligence Agency, told my colleague Sarah Cascone at the time that he was “surprised that hacking hasn’t happened at more museums.” The reason? Their records contain a treasure trove of personal and financial information on donors and their collections.
Even art-services providers have been breached. In February 2019, a “large-scale hack” of 16 websites led to data on one million Artsy users being made available on the dark web—just a small tranche of a package of 617 million sets of online-account details collectively priced at under $20,000. The Artsy data exposed by the breach was relatively harmless; according to Artsy’s then-CTO Daniel Doubrovkine, it mainly consisted of users’ names, emails, and IP addresses, and there was “no evidence that commercial or financial information was involved.”
A similar episode played out just this September, when the infiltration of a cloud-computing company named Blackbaud resulted in personal information on donors to roughly 200 US and UK institutions winding up in hackers’ hands. Luckily, as in the Artsy breach, Blackbaud asserted that financial details were not among the pilfered data.
Still, these episodes should have been a wake-up call to the whole industry about the importance of cybersecurity—an importance that has only increased during our forced pivot online.
Setting aside the rise in digital transactions, the number of soft spots in the art industry’s cyber-defenses has greatly increased thanks to the work-from-home surge. This shift in white-collar labor practices has meant more digital communication reliant on personal telecom networks, equipment, and protocols, all of which tend to be less standardized—and therefore less secure—than even modest corporate equivalents.
Hackers have already exploited this change at the financial apex of the private sector. Over the summer, the New York Times relayed that Symantec Corporation, a cybersecurity subsidiary of enterprise-software giant Broadcom, “reported that Russian hackers had exploited the sudden change in American work habits to inject code into corporate networks with a speed and breadth not previously witnessed.” In the crosshairs were at least 31 companies “including major American brands and Fortune 500 firms.”
Although Symantec did not publicly disclose the names of the targets or the value of the ransoms, the cybercriminals (who dubbed themselves Evil Corp. in smirking honor of the hacker-centric cable drama Mr. Robot) had demanded fees north of $10 million in previous attacks.
Similar to the SolarWinds mega-breach uncovered last week, the scale of the potential payoffs sought by Evil Corp. ensures that the arts likely don’t have to worry about this group in particular. (The Times reported that Evil Corp’s malware “looked for a sign that the computer was part of a major corporate or government network” before striking.)
But as we’ve seen again and again, our niche business has proven to be low-hanging fruit for much less advanced digital brigands. In the sudden transition to mass work from home, as well as a challenging (to say the least) fiscal year, how many dealers, institutions, auction houses, advisors, and art-services companies have had the wherewithal to even review, let alone upgrade, their cyberdefenses?
How many who have managed to weather the storm so far feel like now is the time to focus on this hard, boring, and potentially expensive element of their operations? How many are hoping that the approaching end to lockdown life is near enough that they can skate by without reworking their digital infrastructure?
At the same time, how many hackers probing the business landscape for weaknesses are asking these same questions—and answering them with the same low estimates that I am?
It’s not a thought that will warm up many art professionals as we plunge into this uniquely dark winter. But as is so often the case, what we least want to think about is what we most need to.
[Reuters | The New York Times]
That’s all for this week. ‘Til next time, remember what might be the only point where cybersecurity experts and therapists agree: it’s almost impossible to meaningfully connect without making yourself vulnerable.
Follow Artnet News on Facebook:
Want to stay ahead of the art world? Subscribe to our newsletter to get the breaking news, eye-opening interviews, and incisive critical takes that drive the conversation forward.