Breaching critical systems a simple task for today's hackers


While most of Capitol Hill was focused on Mark Zuckerberg’s testimony last week regarding privacy settings and his business model, the other key policy priority of our technological era went unaddressed: cybersecurity and the threat posed by hackers, cybercriminals and cyberterrorists.

Government information systems are of considerable concern to the welfare of the country. With significant breaches including the U.S. Voter Database, National Archives and Records Administration, and Office of Personnel Management (OPM) over the past decade — not to mention many breaches at the state and local level — it’s safe to say that the public has moved beyond surprise when a new attack hits the news.


Nearly everyone (including this writer) was intimately impacted by the OPM breach; it goes without saying how a compromise to voting records and technology could affect the nation. Because of these concerns, I tend to view cybersecurity research with keen interest in how the government stacks up against other industries.


As congressional leaders in both chambers review and rethink America’s cyber defense posture, it’s critical that we know what we are up against. It’s not hyperbole to say that we are at war with bad actors in our connected world, and we need to follow Sun Tzu’s timeless military philosophy and know our enemy.

To do this, I led an extensive research study called “The Black Report” where we asked over a hundred hackers, penetration testers and incident responders about their capabilities and motivations.

The top finding should trouble all of us: half of our respondents said they can breach a federal or state target, locate critical value data, and exfiltrate it in under 15 hours.

You read that correctly, but I’ll reiterate. If a determined attacker decides they want your critical value data — whatever that term means to your organization — at 7 a.m., they’ll most likely get it by 10 p.m. the same day. As many industry-standard reports tell us, breached organizations normally don’t detect a breach for anywhere between 200-300 days. That’s an awfully long time to go without acting, especially when the nation’s security is potentially at stake.

As policymakers, as participants in the workforce, as members of a thriving democracy, this situation is unacceptable. The reasons for this are manifold and require a complete shift in the way we defend our critical systems and data. As I read through the results, however, I began to wonder how our respondents felt about attacking the government compared with, for example, retail organizations. This was one of the differences between our 2018 research and what we produced in our inaugural report — a breakdown of responses by industry.

In something that passes for good news in this report, governments — federal, state and municipal — are ahead of the curve compared to other industries. While "only" half of our respondents could cause serious damage to the public sector within 15 hours, some in the private sector fared far worse. Networks within the retail and restaurant industries were lower-hanging fruit for bad actors.

These numbers bear scrutiny. Why are government targets more difficult to breach and steal information from? Are they “doing security” better than the other industries? That might be the case, and there’s evidence, in the form of the 2017 Personal Data Notification and Protection Act, that our defense posture from a networked, IT perspective is on the path toward stronger and more robust solutions.

Hopefully someday we’re writing another article and talking about how attackers need days and weeks to break into our systems, and detection is happening before they make off with our critical data. It won’t happen overnight, but it could become reality if we truly listen to the signals and craft responsible, agile policy that addresses today’s solutions and creates avenues to pursue answers to tomorrow’s.

Chris Pogue is a member of the U.S. Secret Service Electronic Crimes Task Force, the International Association of Chiefs of Police, and the International Association of Financial Crimes Investigators. He is also the head of services, security and partner integrations at Nuix.