The cybersecurity threat – are we protected yet?
AUSTIN, TX – We’re all aware of well-publicized security breaches and cases of cyber terrorism. In 2014 the hack of Sony Pictures brought worldwide attention and nearly brought the studio’s business to its knees, and will cost Sony millions to clean up the mess and the inevitable lawsuits over the privacy breaches. In the U.S., Chinese hackers are suspected of penetrating the government’s Office of Personnel Management (OPM) last summer, exposing 4 million Federal employee records, including social security numbers. In 2013, reports surfaced that companies working on the F-35 fighter program were hacked , and Edward Snowden’s revelations later showed how extensive the damage was.
In a panel at SXSW Interactive last week, Congressman Michael McCaul, Admiral Bobby Inman, and security industry experts Joe Ross and Dena Graziano discussed a broad range of cyber threats – to the military, U.S. businesses, and the public. In his remarks, Congressman McCaul, who chairs the house committee on Homeland Security, expressed concern that the country is not doing enough protect against the threats, which could affect the military, the private sector, and the infrastructure. While the Department of Homeland Security’s (DHS) Einstein system has been a key tool in detecting who committed breaches, it’s been more successful as a forensic tool than a preventive one.
McCaul also worries that the government has a hard time recruiting the best and brightest minds in cryptography and software, as the public sector struggles to match private-sector pay scales. He did note that the NSA and CIA have been more successful in that regard, as those agencies tend to attract people based on a sense of the mission to protect against threats, but DHS has not been as effective at attracting the same level of talent. McCaul said that private sector companies should be doing a better job for monitoring penetration attempts, and to be able to share threat information with companies in the same industry without fear of potential antitrust or collusion issues.
Dena Graziano, director of Federal Government Affairs at Symantec, noted that today’s IoT devices and software tend to have security tacked on as an afterthought. Given the nature of the SoC and firmware-based devices, adding a security layer as an add-on maybe impossible in some cases. Many have heard of the Chrysler infotainment system hack, where white-hat hackers took control of the vehicle and forced it off the road. Auto systems are complex and may have multiple attack points, although to be fair, most cars today are still not Internet-connected – but that is changing rapidly.
Joe Ross, CEO of CSID (identity protection and fraud detection company), pointed out how easy some cyber attacks have become.Ransom attacks are malware that can encrypt a user’s or sometimes a site’s data with a key that has to be paid for before you can get your data back. There are actually ransomware modules that are freely available for hackers to download and distribute. In other words, you don’t even have to be technical to be a hacker. A potential hacker can even pick pre-made fake card forms for capturing credit card information for phishing attacks. Some ransomware packages let hackers fill in the link to where users can go to unlock their data, typically by paying with Bitcoin. Hackers can essentially distribute ransomware packages as spam mail or perhaps worse, within a network they have access to where their email is trusted.
Another threat danger is the triangulation of exposed information. The data hack of adultery site Ashley Madison hack exposed some 15,000 government and military email addresses. While not a direct hack of a government site, that hack exposed those people to possible blackmail and other repercussions.
Admiral Inman served as director of the NSA and deputy director of the CIA in the late 70’s and early 80’s. He noted dryly that even the current CIA director’s personal mail account was hacked – by a 15-year-old teenager. He echoed McCaul’s concern about recruiting the right skill levels in the intelligence community. Both of them also expressed concern that skills recruitment is key to continuing to improve the ability of systems like Einstein, as well as developing better offensive cyber capabilities for the military and CIA.
No discussion on cryptography and security this year’s South by Southwest would be complete without discussing the current Apple-versus-FBI case. This panel, which included a Congressman and ex-CIA director, seemed to agree that we have to find ways of enabling law enforcement to do their jobs, but did not advocate weakening the inherent security of systems and devices to do it. McCaul argued that Congress should not embark on knee-jerk legislation based on this case. He also thought that strong security is also key to continued American innovation – both to protect technical innovation from outright theft by cyberattack, and from innovation going offshore where there are less encumbrances on using strong security in products and to protect personal and organizational information.
Last year at SXSW, authors Peter Singer and August Cole discussed their book Ghost Fleet, a fictional account about World War III and how it would be fought in not just land, sea, and air, but space and cyberspace. Perhaps the scariest part of that story was how easily cyberwarfare can bring the effect of war and severe disruption of everyday life to any population center on the globe. Cybersecurity isn’t just about protecting government systems, or infrastructure, or the military. As we depend more and more on our connected devices and entrust more control of our lives to them, strong and effective security is key to protection from potential chaos that can come from a number of bad actors – terrorists, foreign governments, or just criminal hackers.
Source | ExtremeTech
