This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
March 28 is historically noteworthy for many reasons. One that stands out: In 1979, the worst accident in the history of the U.S. nuclear power industry began to unfold on March 28th when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. People living around Harrisburg, Pennsylvania fled, as did people living in the nation’s capital. If the accident didn’t cause full-out panic, it certainly induced a general uneasiness (and set the nuclear power industry back for generations). Although no one’s leaving for the exits yet, today a less drastic yet verifiable sense of uneasiness exists in another power industry… the cybersphere.
Around the cyber world we go…
WikiLeaks’ release on Tuesday of a massive cache of data describing CIA hacking tools has renewed a debate over how well the U.S. government balances the protection of Americans’ cybersecurity against the need to protect national security. Some of the tools, the anti-secrecy group said, are based on “zero-day” flaws — or previously unknown software bugs — for targeting iPhone and Android devices. “At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.” He added, “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”
It’s almost impossible these days to avoid media coverage of Russia’s role in hacking the 2016 election. So it was in 2015, when news broke that Chinese hackers had breached the U.S. Office of Personnel Management. Likewise for the big cyberattacks of 2014 (Sony Pictures, Home Depot) and the year before that (Target). For the public, it’s usually these kinds of incidents that come to mind when they hear the term “cybersecurity.” They are complex and costly, and cast doubt on the trustworthiness of our major institutions—from government to banks to the electric grid. Yet multiple surveys show that Americans tend to ignore even the most basic security measures with their own digital devices. How to account for our public interest but our personal … well … meh? We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended.
The Justice Department announced charges Wednesday against four suspects in the massive 2014 Yahoo data breach, including two Russian security service officers. According to DOJ allegations, the hackers targeted high-profile government and military officials as well as commercial entities such as investment banks. A grand jury indicted the four men “for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts,” a Justice Department press release says. A DOJ official noted that the activity continued through 2016, but declined to comment on whether the suspects had any relation to the 2013 hack. Officials also noted that they had no reason to believe the hack was connected to the cyber attack on the Democratic National Convention allegedly carried out by Russians.
The US and China have significant differences on the legitimate uses and preferred shape of cyberspace. The 2011 White House International Strategy for Cyberspace, for example, states that the US will work toward an “open, interoperable, secure, and reliable information and communications infrastructure.” In contrast, Beijing has argued for a norm of cybersovereignty, the idea that states have the right to control their own cyberspace much like they do any other domain or territory. While China has become increasingly vocal and assertive about how cyberspace should be governed, it has yet to offer any justification of how and why a state may conduct computer network attacks or espionage. Still, even in the absence of any official Chinese policies, it is possible to identify the motivations of state-backed hackers. Chinese leaders view cyberspace as essential to fostering economic growth, protecting and preserving the rule of the Chinese Communist Party, and maintaining domestic stability and national security.
Which leads to…
Addressing an exploding number of nation-state cyberattacks is sapping the resources of companies, cybersecurity professionals say. Nation-state attacks on corporate assets used to be infrequent, but now companies sometimes feel like they are on the front lines of a cyberwar, panelists at the Global Cyberspace Cooperation Summit at the University of California, Berkeley said.
A preview of coming attractions…
The non-profit consumer ratings group Consumer Reports plans to evaluate cybersecurity and privacy when ranking products, Reuters says. It is currently working with organizations to create methodologies for doing this. An early draft of standards is available here. This decision was made following a recent increase in cyberattacks on IoT devices, many of which contain vulnerabilities easily exploited by hackers. Researchers believe these attacks are unlikely to cease because manufacturers do not want to spend on securing connected products.
Security experts point to the growing cybersecurity threats from the proliferation of smart, connected devices known as the Internet of Things. For example, last year’s Dyn attacks, initiated by about 100,000 endpoints using IoT devices, were viewed as the largest DDoS attack to date and interrupted service to a number of large websites. “We must wake up to the cyber risks posed by the billions of IoT devices,” said Thomas K. Billington, Chairman and Founder of Billington CyberSecurity, the host of the conference. “The Internet of Things therefore will be a key topic at our International summit.” “The rate at which these connected devices are proliferating is staggering, eluding attempts to harness or tame them within appropriate security protocols. We’ve long accepted the fact that no institution in the cyber age is any stronger than its weakest connected link, and the number of those weak links just got exponentially greater,” pointed out John McClurg, Vice President and Ambassador-At-Large, Cylance.
And a caveat – protect yourself…
Knowing about cybersecurity risks isn’t the same as protecting against them. For instance, a recent survey from the Pew Research Center found that just 12 percent of Americans use a password manager, and only 3 percent use it regularly – even though that’s how security pros recommend everyone keep track of passwords. It takes time and effort to stay on top of best security practices, so all too often, people cut corners. That’s why we’ve put together a short guide to cybersecurity essentials. It will walk you through some of the most common risks, and the specific ways to protect yourself when it comes to three critical areas:
Privacy: How someone else can see what you’re doing online or on your device.
Security: How someone can intercept data.
Control: How someone can take over your smartphone or computer.
These scenarios illustrate the kinds of risks to watch out for, and how to protect yourself.
How much do you know about keeping your data and information safe? A new study from Pew Research Center finds that even amid high-profile hacks on businesses and institutions that affect millions, many Americans don’t have a comprehensive understanding of what precautions need to be taken to prevent cybersecurity breaches. And perhaps it is unsurprising, but Pew says that “those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly.”
By Tom Davis, SDI Cyber Risk Practice
March 28, 2017