Hack Me Twice, Shame On Me
It is almost becoming tedious; every week or two another major U.S. institution, government department or major corporation is hacked. In the last two years, successful hacks of Premera Blue Cross, Anthem, Target, Home Depot, J.P. Morgan, EBay and Sony Pictures saw the personal, medical or financial data in some 550 million accounts compromised. Forbes reported that a hacking ring managed to steal over $1 billion from some 100 banks around the world. Government offices and departments that have been hacked include the White House, Department of Defense, Department of State, USPS and NOAA. The Pentagon’s cyber defenses are tested 250,000 times an hour.
The latest hacking outrage was the successful penetration of the Office of Personnel Management (OPM) that saw the personal information, including that related to security questionnaires of 21.5 million current, former and wannabe federal employees compromised. It is widely reported that the source of the attack came from China. This would have been bad enough as a surprise attack, a cyber Pearl Harbor. But it turns out that, according to The New York Times, for five years prior to the OPM attack, “American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers.” This group of hackers spent almost a year penetrating OPM’s antiquated security and wandering through its computer systems. It gets worse still. Business Insider reported that OPM hired contractors to manage their systems who employed systems administrators located overseas, including in China.
U.S. critical infrastructure is also under continuous threat of penetration. In 2013 and 2014 there were more than 220 incidents of energy companies being successfully hacked. The well-respected cyber security firm FireEye stated in its 2013 annual report that it had identified some 50 specific types of malware that were designed to target energy systems. In testimony last Fall before the House Intelligence Committee, NSA Director Admiral Michael Rogers declared that:
“Whether it’s generating power across this nation, whether it’s moving water and fuel … Once you’re into the system and you’re able to do that, it enables you to do things like, if I want to tell power turbines to go offline and stop generating power, you can do that. If I wanted to segment the transmission system so that you couldn’t distribute the power that was coming out of the power stations, this would enable you to do that. It enables you to shut down every segmented, very tailored parts of our infrastructure.”
It is hard to be too angry at Chinese hackers (and their Russian counterparts) when they penetrate our public and private networks, spend months if not years sorting through all the information and take everything of value back home because we make it so damn easy. Private companies often don’t pay much attention to cyber security because they cannot assess the seriousness of the threat and the potential impact on their business of being attacked. Many financial institutions have a vested interest in protecting credit card information and electronic transactions because they are legally liable to make good on the losses. In general, this patchwork approach to securing critical infrastructure with no overall strategy, manager or surveillance capability is unlikely to prove successful.
By way of contrast, DoD has done a much better job than most organizations, both public and private, protecting its networks, devices and data. But even here, the current ways of managing security and the existing cyber security architectures are fast becoming inadequate in the face of multiple challenges. The threat is becoming more sophisticated. The networks themselves are growing and changing with the addition of millions of end points and new devices, ever increasing demands for high speed bandwidth and the introduction of new apps. New security tools and methods must be integrated with existing capabilities in order to provide protection against the full range of threats. Because of declining defense budgets, all these challenges must be addressed in a cost-effective manner.
Existing DoD cyber defenses must be complemented by new technologies and techniques in an overall open architecture that provides continuous end-to-end network surveillance, modeling and threat warning, and real-time attack characterization and response. This can only be achieved by employing a single system manager, one that can build on successful experiences with current cyber security methods and tools, but able to bring into play the newest technologies, particularly automation. If the Pentagon doesn’t act now to address the multiple challenges to the security of its network then shame on it.
Find Archived Articles: