The Wild Cyber West

The Bonnie and Clyde of cybercrime, Russia and China, are stepping up their game. In the May issue of Townhall Magazine, where this article originally appeared, Cortney O’Brien explains how U.S. businesses and the federal government are going to have to play better defense.

Did you know your routine trip to the grocery store is now a safety concern? No, there’s probably not a sniper waiting for you in the dairy aisle. The threat actually exists in the distant realm of cyberspace, where hacking has become an all too common trend.

In December, headlines revealed hackers had breached the Target Corporation’s system, affecting millions of everyday consumers whose personal data had been breached or stolen. Neiman Marcus followed shortly after, reporting that a cyber attack had affected 77 of their 85 luxury department stores. Because of this very real concern, one would think our government is on top of plugging up any security holes in their systems, right? Not exactly.

If you thought you were safe surfing the Web or even just picking up a carton of milk, you’re about to get a rude awakening to the very real danger of cyber warfare and to the government oversight that is only exacerbating the problem.

The Threat

Top defense leaders voted cyber warfare as the biggest threat facing our nation today, beating out terrorism in a Defense News poll in January. Former Defense Secretary Leon Panetta, who knows a thing or two about national defense, has even likened the technological danger to a “cyber Pearl Harbor.”

To many, Panetta’s comparative warning may seem like an exaggeration. Can vulnerable computers really be a serious danger to our national security?

The short answer: yes.

Rep. Mike Pompeo (R-KS), a member of the House Intelligence Committee who is on the frontlines of cyber warfare, gave a more in-depth response to Townhall.

“It’s one of the most significant threats to America’s security, national security, and economic security. Wrapped up together and increasing. The cyber threat will continue to grow in relevance as we continue to move more of our economy into this electronic space. It presents a bigger target for the bad guys, hack for fun or hack for profit, so that’s a threat that’s gonna continue to grow.”

Since stepping foot in Washington, Pompeo has been working tirelessly to raise awareness about these technological threats and to champion legislation such as the common-sense Cyber Intelligence Sharing and Protection Act.

One reason experts cite to explain why cyber attacks are so common is the environment that seems to invite criminals into our computer systems. James Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, refers to this vulnerable cyberspace as the “Wild Wild West.”

“There aren’t any rules that govern states’ behavior internationally,” Lewis explained. “People say of course there’s rules, we have national laws that apply to cybercrime and economic espionage which is true, but they don’t apply across the border.”

Lewis said this criminal strategy mirrors that of a famous American on-screen duo:

“If you think back to Bonnie and Clyde, they would rob a bank and then drive across the county line and the police would have to stop. That’s kind of what happens in cyberspace.”

The growing threat to our cybersecurity, at both the federal and national level, primarily comes from our foreign adversaries. Lewis pointed the finger at two in particular.

“You’ve got two countries that are very powerful and very active in criminal terms and they basically act as sanctuaries for cyber criminals,” Lewis continued. “They benefit from it, but if Russia and China drop out of the equation, the threat level would go down by probably about 80 percent. They’re responsible for most of these actions.”

Lewis’ numbers are unfortunately pretty accurate. China, for instance, seems to thrive on cyberespionage. The cybersecurity firm Mandiant released a report accusing a secret Chinese military unit in Shanghai of years of cyberattacks against more than 140 U.S. companies, one of those being last year’s breach at The New York Times, which has a circulation of nearly 2 million.

According to media reports, the Chinese hackers targeted the personal computers of 53 Times employees, including Shanghai bureau chief David Barboza, who had recently published a devastating exposé on Premier Wen Jiabao’s personal fortune.

The U.S.-China Economic and Security Review Commission concluded the Asian country is fixated on collecting computer data in order to obtain economic and military dominance. One doesn’t have to be a national security expert to understand the consequences of China gaining possession of our military secrets.

And China isn’t our only cyber concern. Russia has a long-established history of using cyber warfare to weaken its adversaries before a physical invasion. In 2008 they used cyber attacks to disrupt Georgian communications and dismantle the country’s infrastructure before they invaded South Ossetia. And they followed the same playbook this February against Ukraine before they invaded Crimea, too.

Russia’s neighbors are not the only ones who need to protect themselves from Russian cyber attacks. According to the Homeland Security Institute, “Russia’s slice of the 2011 global cybercrime market has been pegged at $2.3 billion, and there are indications that the forces of Russian organized crime have begun to join up ‘by sharing data and tools’ to increase their take.”

Russia and China’s misuse of technological information is indicative of what can happen when sensitive computer data ends up in the wrong hands. With our enemies constantly on the prowl for cyber information, it’s urgent we be prepared.

Failed Government Protection

In early February, Sen. Tom Coburn (R-OK) released a report titled “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure” to grade several agencies on their cybersecurity levels.

They failed.

Among the alarming findings: out-of-date antivirus software, missing patches on computers, and unlocked laptops. Other pages detailed “general sloppiness,” and oversight on “basic security measures just about any American with a computer has performed.” What’s more, the words “weak,” “vulnerable” and “unsecure” appeared a combined 56 times in the report.

Reassuring, huh?

The Department of Homeland Security’s Inspector General recently wrote, “The IG found hundreds of vulnerabilities on the DHS cyber team’s systems, including failures to update basic software like Microsoft applications, Adobe Acrobat and Java, the sort of basic security measure just about any American with a computer has performed.”

The report only got worse from there. The IG further found that DHS failed in its goal to send at least 95 percent of its Internet traffic through secure gateways known as Trusted Internet Connections, it didn’t install necessary software updates, and it left sensitive databases vulnerable by “protecting” them with weak or default passwords.

Unfortunately, this embarrassing level of oversight isn’t limited to DHS. The Internal Revenue Service, which holds “more sensitive data on more Americans than those of perhaps any other federal component,” according to Coburn’s report, is rife with plenty of errors itself. Take, for instance, its “failure to encrypt sensitive data,” “lousy user passwords” and, like DHS, its “dangerously slow” progress in updating its software.

Now millions of Americans are left with the question: What’s worse? The government taking your money, or your information?

These revelations are painful enough. But it wouldn’t be a discussion on cybersecurity if the ubiquitous errors at Health and Human Services weren’t part of the conversation. The government’s technological vulnerabilities were perhaps no more in the spotlight than during the rocky rollout of healthcare.gov. The Affordable Care Act’s health insurance marketplace, Pompeo remarked, was a prime example of the government’s weak computer systems.

“The health care security system also fell outside of the defense intelligence world, fell to non-national security folks protecting the system,” Pompeo said. “So you’ve got a software program online that’s never been tested against a serious attack. No private company of any size would put a system with the security problems of healthcare.gov online, because if they did, they’d risk massive lawsuits from consumers who are using their site. It was literally never checked end-to-end.”

Regardless of the risks, however, the Obama administration went “forward” with the marketplace and exposed Americans to faulty technology.

A few more dishonorable mentions in Coburn’s report include the Nuclear Regulatory Commission storing sensitive nuclear plant data on an unprotected shared drive, hackers gaining access to U.S. Army Corps of Engineers computers, downloading a complete non-public database about the nation’s 85,000 dams, and other cyber sneaks breaking into the FCC’s Emergency Broadcast System to warn listeners of a “zombie attack.” This last breach would be humorous, if creating a fake national emergency didn’t have the potential to create a national emergency.

A Vulnerable Private Sector

The federal government isn’t hackers’ only target. The private sector is fresh meat as well. “The number that I just heard from the White House,” CSIS’ Lewis told Townhall, “was that last year 3,000 American companies had been notified that they’d been breached. The FBI found out that someone had broken in. That works out to be about 10 a day. The technology isn’t secure.”

One recent example of this bungled handling of information is the data breach at the Target Corporation. In December, the superstore suffered the largest retail security breach in history when 40 million debit and credit cards had reportedly been hacked. Target tried to assure customers they were working to alleviate the damage, but not everyone was impressed. On the corporation’s Facebook page, for instance, angry consumers voiced their frustration that Target could not protect their credit data, declared they were closing their bank accounts, and “taking their business elsewhere.”

OK, so neither the government nor our private companies have quite figured out how to attain “fireproof” status. Where do we go from here?

Few Real Solutions

In February, the Obama administration released the final version of its “cybersecurity framework” executive order, outlining voluntary guidelines for companies to improve their critical technological infrastructure. The procedures are listed in five groups—Identify, Protect, Detect, Respond, Recover—that provide a high-level view of an organization’s management of cyber risks, according to whitehouse.gov.

Lewis was skeptical of the president’s proposal, yet saw potential for improvement.

“They’re maybe not as clear as you would hope but, buried in the dozens of pages the government put out are some useful ideas.”

But these “useful” ideas become useless if businesses simply choose to ignore them.

“You’d have to find some way to get at least critical infrastructure companies to follow basic security guidelines. I don’t care what that way is, it can be voluntary, it can be through incentives, it can be regulatory, but you’ve got to get people to clean up their act. We know about three-fourths of the successful attacks require only the most basic techniques.”

If only the implementation could be as basic.

As referenced above, Pompeo and his congressional colleagues have proposed their own solution to help improve government oversight, the Cyber Intelligence Sharing and Protection Act.

“It’s a really simple concept. If you’re a utility or business in the United States, and you’re trying to protect your system, part of America’s infrastructure, it is very difficult to expect them to protect from attacks from nation-state actors. We don’t ask 7-Eleven to defend itself against the Soviet Union or from Russia, so the federal government has a role there. The appropriate role for the federal government is to take these cyber attacks and help share the information.”

This information sharing, Pompeo claims, will help prepare vulnerable companies to put up firewalls and other barriers to prevent attacks. Although he and his colleagues have not yet convinced the Senate to pass the bill, Pompeo is hopeful CISPA will soon become reality and stop cyber hackers in their invisible tracks.

“These are at the minimum crimes, and when conducted by a nation-state actor, these are acts of war,” Pompeo explained. “It is no different to breach America’s shores and attack a piece of critical infrastructure, or blow up an American utility as example. Whether you do that electronically, or you do that with a kinetic attack, steel on target, it’s an act of war. So the federal government has an enormous responsibility to be a part of protecting that.”

Lewis agreed, explaining how technological advances have taken cybersecurity from “important” to “imperative.”

“When the Internet first was made commercial, it was kind of a toy. It sat on people’s desk and they used it to look at funny pictures. Now it’s become the core infrastructure for the global economy. And a lot of people don’t realize how many things depend on the Internet, on cyberspace. Your gas pump, your grocery store, your bank, your telephone, your heat, your gas. All of these things depend on IT Internet protocol devices. It’s moved from being a toy to the core infrastructure of the world and that’s why it’s so important.”

Maybe government agencies will take Coburn’s report seriously and private businesses will employ the strategies laid out in the president’s cybersecurity framework, realizing that cybersecurity is not a game. Or, hackers will continue seizing the controls.