by Jeff D’Alessio, Editor, The News-Gazette, Champaign, IL
Not a week seems to go by anymore without news of another U.S. agency or business falling victim to a cyberattack.
For perspective on the problem, we rounded up a panel of experts to answer 10 questions — kicking off a new, occasional N-G series breaking down important issues making news.
Are enough of the right powerful Americans aware of the severity of the threat and treating it as such?
Says Cyberscout chairman and Credit.com co-founder ADAM LEVIN, author of ‘Swiped: How To Protect Yourself In A World Full of Scammers, Phishers, And Identity Thieves’: “You’d have to be living under a bottle cap on the bottom of loon lake to miss the enormity of the problem we all face. There is no longer an excuse among those in power. The threat is constant and pervasive.
“That said, former President Trump’s Twitter account was breached because of poor cyber hygiene. Bottom line: Most of us know there is a problem, but everyone has yet to on-board a defensive, best-practice, solution-oriented outlook.
“The establishment of CISA and President Biden’s head-on approach with Vladimir Putin about recent ransomware attacks suggest a change in attitude. More recently, the Department of Justice acknowledged aggressive disruption campaigns against threat actors. We have to assume all the letter agencies are actively engaged in this invisible war on cybercrime.”
Says Reuters investigative reporter JOSEPH MENN, author of ‘Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World’: “Yes, finally, we are getting close to a critical mass of important people in Washington grasping how serious the cybersecurity problem is. That is a huge improvement from where we were ten years ago when I wrote a book largely aimed at raising that kind of awareness.
“It is beyond unfortunate that it took crippling attacks on hospitals during a pandemic and one on a major pipeline for us to get there. You can’t fix a problem, as the alcoholics say until you acknowledge you have one.
“Unfortunately, that is just the beginning. The White House and Congress get that organized criminals, including many operating out of Russia, have little to fear from law enforcement and tens of millions of dollars in rewards out there for the taking. They get that China and others are stealing intellectual property and harvesting intelligence on a massive scale. But that is only one side of the equation, and frankly, the one they can do the least about.
“The bigger issue is the appalling state of our defense in anything connected to the net. DHS and the NSA are doing a better job than previously providing information on attacks and guidance on how to avoid being the easiest victim. But what it would really take to stem the tide is something like a new, opt-in internet, with different protocols and authentication. That would take massive research and development led by the federal government with aid from universities and others, and I am seeing nothing close to that level of funding.”
For those Americans who don’t view cybersecurity as a serious threat, what’s your best case for why they ought to?
Says Red Branch Consulting founder and former Homeland Security official PAUL ROSENZWEIG, author of ‘Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World’: “If a world without gasoline or beef was not sufficiently scary, imagine this: Your heart monitor kills you or all of a sudden your car won’t brake. Everything — and I do mean everything — that is connected to the Internet is potentially vulnerable.
“And increasingly, everything you rely on each day is connected. That prospect ought to convince you that cybersecurity is serious.
“Here’s a story worth telling: I have a friend David who is a diabetic. For years, he had to prick his finger, test his blood and inject insulin. Then he got an insulin pump, which changed his life. And about five years ago, he got one of the new Internet-connected, programmable pumps, which was even better — no more visits to the doctor, just got blood tests.
“And then some hackers demonstrated that they could crack the security on his insulin pump and give him a fatal — or maybe just near-fatal — dose of insulin. His lifesaving device just became his own self-assassination machine.”
Besides avoiding emails from Nigerian princes and choosing unpredictable passwords, what’s one step anyone can take to decrease their chances of falling prey to a cyber crook?
Says University of Illinois alumna PARISA TABRIZ, Google’s self-described ‘security princess’ and head of Chrome product, engineering, and UX: “Enable second-factor security on all your accounts, or wherever it’s made available.
“Also, verify your account recovery settings every year or so. Exploiting weak or outdated account recovery settings is a common way attackers attempt account hijacking.”
Says UI grad MATT LOWE, global cybersecurity policy and standards manager at IBM: “People tend to get annoyed when they get a notification to update their operating system, software applications or browsers and will often opt for the ‘update later’ option so that they can continue doing what they were doing without risking a computer restart.
“But this happens to be when your devices and apps are especially vulnerable to hackers because these software updates include fixes to features and performance as well as to security.”
Says UI grad LARRY CLINTON, president of the Internet Security Alliance: “Dedicate a computer/device — one your children cannot use — for sensitive or financial communications.”
Says KLARA NAHRSTEDT, director of the UI’s Coordinated Science Laboratory: “Don’t go to strange websites when searching for a product. Various third-party websites could have malicious codes in them to steal or damage private information from your computer.”
Says VASU JAKKAL, CVP of Security at Microsoft: “Multi-factor authentication is such an accessible and easy defense that people can use to better protect themselves.”
“In addition to creating strong passwords, or going passwordless where I can, I always enable multi-factor authentication for any account that provides the options — email, social media, financial accounts. It makes a huge difference in preventing compromise due to weak or leaked passwords.”
Says Champaign cybersecurity consultant JOHN BAMBENEK: “One of the things I tell my clients to focus on is trying to minimize the amount of sensitive information they email or store online.
“For example, if you are buying or refinancing a house, don’t email your tax returns. Bring them in.”
We’ve heard a lot about May’s high-profile ransomware attack on the Colonial Pipeline. But what is hackers’ motivation for attacking small businesses, as they have in droves?
Says Liberty Group Ventures CEO KIERSTEN TODT: “As the managing director of the Cyber Readiness Institute, I work primarily with global small businesses. Small businesses, like small governments, school districts, and individuals, often wonder why they would be attacked or targeted. There are two key components of cybersecurity that are important to remember.
“One, data surpassed oil as the most valuable global commodity over two years ago. All businesses collect and have data, and every individual captures their personal data on their multiple devices — therefore, the devices that store personal data, the companies that store data, are valuable and are a target for compromise.
“Additionally, small businesses and individuals are often compromised not because they are a destination for malicious actors but because they are an entry/access point, a door, to the actual target of the malicious actor.
“Hackers look for the weakest link to compromise — some way to access a larger enterprise. Small businesses and individuals are targeted to either be that access point or for the data they hold.”
What’s your version of America’s worst cyber nightmare?
Says RIANA PFEFFERKORN, a research scholar at the Stanford Internet Observatory: “Russian hackers, who have repeatedly attacked America’s power grid previously — and we’ve done the same to them — succeed in disrupting the supply of electricity for long enough and to a large enough swath of the country to result in significant bodily harm and loss of life.
“We’ve seen the havoc that climate change-exacerbated severe weather events can play with the power supply, including in Texas this past winter and the recent ‘heat dome’ in the Pacific Northwest. Lack of access to heat in the winter and cooling in the summer is lethal.
“Hackers could time an attack to take advantage of underlying weather conditions. And regardless of the time of year, lack of electrical power is also a dire threat to the millions of Americans who live with severe illnesses or disabilities. Electricity powers the medical devices that keep people alive and mobile, such as breathing machines and home dialysis equipment; the refrigerators that keep lifesaving medications at the proper temperature; and battery-powered wheelchairs and scooters.
“For the Russians to escalate their cyberattacks to cause widespread loss of life would be foolish, however, because the federal government has signaled to Russia that it has the capabilities to strike back and will not hesitate to use them. I, therefore, suspect that Russia will continue to keep its attacks below the level that would justify the use of force in response, as it has done to date.”
Says LANCE HOFFMAN, founder of the Cyber Security and Privacy Research Institute: “Every American should fear a critical infrastructure meltdown. While today’s Internet has proved remarkably resilient in handling increased traffic due to the COVID crisis, many people still don’t realize that it is now a part of our critical infrastructure, just like roads, bridges, transportation, water, and energy systems.
“If a significant part of it were unavailable or, worse, providing fake data due to an attack by hostile forces foreign or domestic, and the contingency plans in place to recover and move on were inadequate — as they are now — then the same effects we saw from COVID would play out: slowing down of the economy, individuals and groups taking sides on ‘who’s to blame,’ etc.
“The time has come for each organization, small and large, to put a contingency plan in place. Directors of businesses and leaders of government agencies should insist that these be reviewed frequently and tested to the extent feasible.”
Says New America strategist and senior fellow PETER SINGER, author of ‘Cybersecurity and Cyberwar: What Everyone Needs to Know’: “The Internet is increasingly becoming what is known as the ‘Internet of Things.’ The networks are now connecting devices used to operate our world, from smart power grids to smart thermostats to even individual parts in your car or a jet engine.
“This yields massive economic and environmental gains, a more efficient world. But it also means that the hacks are set to move from merely stealing information — which was bad enough when it was email or your credit card — to holding systems themselves hostage.
“In the research for our book ‘Burn-In,’ we showed how someone could use a computer to do anything from poison a water supply to crash a plane.
“So expect a future where a computer doesn’t just connect you, but can also be a weapon.”
Says Bawn founder JONATHAN TRIMBLE, former chief technology officer of the FBI’s Information Management Division: “The recent ransomware attack on the Colonial Pipeline which impacted fuel availability for millions of people on the East Coast, and the Fastly software bug, leading to an outage of a large portion of news sites, have underscored that there are critical junctures within our infrastructure that have enormous nationwide impacts when they fail.
“The general public generally isn’t aware where these chokepoints are, but our adversaries have invested a great deal of effort in researching American infrastructure to locate vulnerabilities for exploitation. The compromise of Solarwinds in late 2020 was a sophisticated attack that required extensive reconnaissance to find a subtle vulnerability and develop the means to exploit it — America’s nation-state adversaries are sophisticated in their technical approach, patient in finding vulnerabilities, and strategic about when to exploit them.
“A coordinated attack against multiple infrastructure chokepoints may be the next thing we see on the cyber front. We can generally recover from cyberattacks that cause data or power outages. What concerns me most is the attack that manipulates data to the extent that people lose confidence in a major system’s integrity.
“These may be systems that support voting, finance, judicial or medical processes. A massive attack that undermines people’s confidence and sows discord would have a long-term negative impact on the U.S.”
Says FRANK CILLUFFO, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security: “Frankly, what we have already seen is keeping me up at night and underscores the need to prioritize cybersecurity.
“For years, our adversaries — China in particular — have persistently engaged in brazen and massive theft of intellectual property. The upshot of that activity? It puts U.S. economic competitiveness in peril. Add to that the ransomware epidemic — wherein cybercriminals indiscriminately target just about everyone, from schools to hospitals and companies both small and large, including victims that provide critical national functions and services underpinning our modern society.
“If that isn’t enough, there is the possibility of what we have seen overseas potentially coming soon to a U.S. ‘theater near you’. Here I am thinking, for example, of the 2015 cyberattacks on Ukraine’s electric grid, which disrupted the power supply in the middle of winter. That case allowed Russian actors to test, hone and refine their cyber skills in executing a malicious attack on a practice field close to home.
“And all of this is happening at a time when countries are increasingly integrating cyber capabilities into their warfighting strategy and doctrine. The U.S. has long been in the crosshairs of many and varied actors with hostile intent whose exploitation of computer networks has laid the groundwork for the attack.
“Topping the list of concerns is a sustained campaign against systemically important critical infrastructures. Notably, an attack that could cascade into another with potentially catastrophic results.
“One domain we need to pay greater attention to in the days ahead is the intersection between cyber and space. The two are inextricably intertwined, and using cyber, or similar means, to subvert our eyes and ears in space could leave our country blind and deaf.
“Put simply, our ability to network has far outpaced our ability to protect networks. Now is the time to heed the call to action and invest in our cybersecurity workforce, impose cost and consequence on bad cyber behavior and ensure the U.S. leads the way technologically.”
True or false: Most U.S. breaches that take place in the U.S. aren’t ever reported?
True, says Harvard’s BRUCE SCHNEIER, the brains behind the popular blog Schneier on Security: “Sometimes, it’s because the victims aren’t aware that they’ve been hacked. Sometimes, it’s because police investigations are ongoing. And sometimes, it’s because the victims want to avoid being described as having lousy security in the press.
“The truth is that we have no idea how many unreported breaches are occurring and what the historical trends are. It makes mitigation efforts very difficult.”
So, how do you fix it?
Says UI grad DAVE MIHELCIC, former chief technology officer at the Defense Information Systems Agency: “Most private business and public organizations fail to take basic cyber hygiene steps and invest in the operational infrastructure to operate securely.
“Worse yet, many boards, CEOs, and senior administrators actively ignore the problems when they are identified.
“The U.S. must pass legislation making corporate and federal leaders civilly and potentially even criminally liable if they fail to exercise due diligence in securing systems, networks, and data under their purview.”
What’s the financial toll of all of these breaches and who’s benefiting?
Says JAMES LEWIS, senior VP at the Center for Strategic and International Studies: “Weak cybersecurity probably cost the U.S. about $100 billion a year for at least the last 10 years, so more than a $1 trillion in losses.
“Cyber is a symptom of a larger disrespect in which China, Russia, and Iran hold us, like the 1930s when Germany and Japan thought America was weak and could be pushed around.
“We want to get ahead of the problem of opponents thinking they can do what they like before it gets worse.”
What’s the pie-in-the-sky long-term fix?
Says JAMES CLAPPER, U.S. director of national intelligence from 2010-17: “International cyber norms that the Big Three in cyber — Russia, China and us — would sign up to and, importantly, enforce. We’re not there, and I see no prospect of such agreement.
“I think a useful comparison is the law of the sea, which took decades and decades to develop. But now, most sea-faring countries abide by it because it is in their interests to do so.”
Why aren’t more people better informed about such a critical issue?
Says JAMIE WINTERTON, director of strategy for Arizona State’s Global Security Initiative: “Pre-pandemic, I participated in a few Cybersecurity Self-Defense events, where we taught people how to secure their personal data. I often started conversations by asking people, ‘What kinds of things are you worried about?’ The answer I got most often was, ‘I don’t know; there are so many problems and so few solutions that I don’t even know what to worry about.’
“As technologists, we haven’t done a good job of realistically explaining security threats and how to mitigate them to non-experts. So I think most people know that there are serious cybersecurity threats, but many of them feel powerless, either because of the magnitude of the issues or because we’ve thrown so much technobabble at them that they have given up trying to participate. And that is a big vulnerability we’ll have to contend with.
“Over the past few years — even the past few months — the accelerating attacks on critical infrastructure have made it clear just how tightly we’re all connected via the Internet. Power and water supplies, fuel pipelines, healthcare and finance systems, education — all of these things are online now. We usually think of these things as separate systems, but they all are connected, to each other and to all of us, online.
“There are huge benefits to this connectivity, but there are also huge potential problems if these systems aren’t properly secured. Some of these problems are literally life-or-death — like power outages, tainted water, shortages in supplies, or the inability to provide critical life-saving medical care at the moment it’s needed. This is why we should be taking cybersecurity very seriously.”