THE HILL
 

US warns of rising threat of cyber attacks to national and economic security

By Darren Hayes, professor, Pace University's Seidenberg School of Computer Science and Information Systems, New York City - 03/15/13 10:45 AM ET

Top U.S. spies announced this week that cyber attacks are even more concerning than dangers posed by terrorism. The Obama administration has clearly outlined its concerns about cyber attacks with its cyber security initiative and recently signed an executive order for the improvement of critical infrastructure.

There is a popular misconception that the U.S. government is the main target of cyber attacks. While the Department of Homeland Security is forced to deal with a barrage of attacks on a daily basis, every organization is a target. Approximately 90 percent of IT infrastructure in the U.S. resides in the private sector and the reality is that most organizations skimp on computer security. Many also forget how interconnected organizations are with each other. For example, law firms are vast data warehouses of intellectual property through their involvement in civil litigation but might not be at the forefront of network security.

One could argue that we are largely bereft of effective legislation to prompt organizations to implement the necessary enhancements to security of their computer systems. Last year a Russian hacker group compromised more than six million customer passwords from LinkedIn and millions of eHarmony accounts were also stolen as a result of poor security. These passwords were then posted online by the Russian hacker forum.

We have become numb to many of these compromises because potential access to business contacts or a dating site seems innocuous, but it is likely that many of those compromised passwords were the same passwords users relied on for their online banking accounts or for access to their corporate email accounts.

At a recent cyber crime event, hosted by Pace University and the ACCA, Chris Novak, who is involved with managing the Verizon RISK Team, reported that many network compromises could have been averted through low cost fixes. The absence of legislation means that LinkedIn, eHarmony and other companies that lose customer data have no liability if their clients later become victims of identity theft. To reiterate, there are no penalties or repercussions for having ineffective security.

It should be noted that not all industries are failing when it comes to network security. Banks and financial institutions have made significant investments in computer security – particularly over the past five years. Payment Card Industry Data Security Standards (PCI DSS) and the upcoming introduction of EMV (Europay, MasterCard and Visa) chip and PIN standards for payment cards in the U.S. are a step in the right direction because organizations are being mandated to improve security or face financial penalties. Sadly, other industries have not followed suit.

The recent report by Mandiant illustrates how extensive the theft of intellectual property in the U.S. by China has been. These advanced persistent threats (APTs) are government-sponsored, according to law enforcement.

Secretary of Defense Leon Panetta last year highlighted the potential destruction associated with cyber attacks. He noted how government-sponsored attacks from rogue nations could result in loss of life. Metro systems and air control systems are part of this critical infrastructure, which could be compromised.

No longer are we simply considering data exfiltration or monetary theft but potential casualties. Recent research has illustrated how malware is now rampant in medical devices, which is a tremendous concern. At the behest of DHS, a recent experiment at the University of Texas at Austin demonstrated how easy it is to hack into a drone. Militants have also been successful in the past in hacking into U.S. military drones. The potential to hack into these drones and change their coordinates is frightening.

When President Obama talks about training people to fill open positions, many of those jobs are in information technology and more specifically in computer security and computer forensics. We need to encourage more high school students to consider degree programs in security. Enrollments in IT across the country are still down significantly and many still do not realize the potential for employment. Grant funding has been made to universities but a lot more can be done to build up programs in security at colleges around the country.

Hayes is a professor at Pace University’s Seidenberg School of Computer Science and Information Systems in New York. As the Computer Information Systems Program Chair at Pace, Hayes has cultivated partnerships with the New York Police Department, United Nations, and many other respected agencies. Hayes also manages the computer forensics laboratory at Pace, conducting research with computer science and information systems students.


Source:
http://thehill.com/blogs/congress-blog/homeland-security/288393-us-warns-of-rising-threat-of-cyber-attacks-to-national-and-economic-security
