Cybersecurity and the fight against cyber-badness have been mentioned by the president of the United States more times in the last 30 days than in the previous 12 months; at least that’s the way it seems from where I sit (behind a desk in sunny San Diego, California, the state that has already passed more data privacy and cybersecurity laws than many countries). So what are we to make of this new push to “do something” about the all-too-obvious lack of security in cyberspace? (Hint: if it is not obvious, just Google the word “hack” plus any one of the following: Target, Home Depot, JPMorgan Chase, Sony, eBay, Adobe, Apple, Community Health Systems.)
On the one hand, I am impressed by some aspects of President Obama’s recipe for beefing up cybersecurity and getting tough on cybercrime (I will offer more detailed analysis in a coming article). On the other hand, I’ve been watching this space for more than 25 years so I know that one vital ingredient is apt to go missing: commitment, the determination to follow through on a recommended and endorsed course of action. Consider this statement from a 2013 Government Accountability Office report:
“Until the administration and executive branch agencies implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve identified deficiencies, and fully implement effective security programs, a broad array of federal assets and operations will remain at risk of fraud, misuse, and disruption, and the nation’s most critical federal and private sector infrastructure systems will remain at increased risk of attack from adversaries.”
So, that’s how well cybersecurity was going in 2013 in the private sector infrastructure and federal government spaces; in other words, not well at all. The commitment to do the things that needed to be done was found lacking, and not for just a few years. Consider this urgent warning from 1997:
“We did find widespread capability to exploit infrastructure vulnerabilities. The capability to do harm—particularly through information networks—is real; it is growing at an alarming rate; and we have little defense against it.”
That is from the cover letter delivering the Report of the President’s Commission on Critical Infrastructure Protection to the President in 1997. You can see that warnings were still going unheeded 16 years later.
Have things improved since 2013? Well, according to the 2014 Ponemon Institute study, Critical Infrastructure: Security Preparedness and Maturity, commissioned by Unisys, security was compromised at least once during the last 12 months at more than two-thirds of companies in this sector that were surveyed. Only 17 percent were found to have a mature cybersecurity posture, defined as “having most of their IT security programs deployed”. Security was considered a “top five” priority at only 28 percent of responding organizations and only 16 percent said they were “fully aware of SCADA (supervisory control and data acquisition) vulnerabilities.” Despite two decades of calls to action, evidence of strong commitment to protect the cybersecurity of America’s infrastructure remains lacking.
Warning signs not seen
The lack of commitment in the fight against cybercrime is a lot broader than the infrastructure sector. When security failures come to light they are often described as a teaching moment. The “lessons to be learned” from specific incidents are widely published. Sadly, the lessons don't seem to be learned well enough by enough people; the same mistakes endure. For example, the weaknesses of passwords for authentication, notably their vulnerability to phishing attacks, were well documented in mainstream media in 2005. Ten years later, most American financial institutions still rely on passwords for customer account access over the Internet, and customer passwords are frequently and successfully targeted by phishing attacks. In 2014, the main attack vector in one of the largest cyber attacks on a U.S. bank was failure to enable two-factor authentication. Despite the warning signs, companies apparently choose to live with the risk.
Deciding to roll the dice and live with risk was apparently the policy at Sony Pictures, according to several current and former employees. Evidence of this was supplied, ironically, by the people who hacked Sony Pictures late last year. An unencrypted copy of an auditors' report was found in an executive inbox and it details a firewall and more than 100 devices that were not being monitored by the corporate security team. The auditors noted: "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely."
And warning signs keep coming. The Internet of Things was a hot topic in 2014 and at CES 2015. The IoT has also been the subject of many warning signs. For example, a large percentage of these things will be networked with potentially hackable wireless technologies including Wi-Fi, Bluetooth, ZigBee, Z-wave, and NFC. If you were at DEF CON 2013 you would know that there was intense interest in sessions on NFC hacking and Cognitive Radio vulnerabilities. I think it is fair to call that a warning sign (I was at DEF CON in 1995 when hackers discussed changes to credit card technology which, if implemented by banks, would have forestalled a lot of current card hacking).
In 2014, both Black Hat and DEF CON featured oversubscribed sessions on Software Defined Radio (SDR) hacking tools. SDR has the potential to disrupt, intercept, and otherwise abuse all of the wireless technologies currently used or posited for use in the IoT. Sadly, I must predict that the first time SDR technology is used to criminally hack Internet-connected devices, the reaction of the victim(s) will be to express surprise, declare the attack sophisticated, and suggest that the culprit is a nation state (a strategy employed last year by JPMorgan Chase and Sony Pictures, for the purposes, a cynic might suggest, of masking their lack of commitment).
Another set of data points provides evidence that many organizations lack a commitment to security to such an extent that they are prepared to proceed with the rollout of network technologies even as they observe them eroding security posture. When the Ponemon Institute surveyed over 600 IT and IT security practitioners in 2014 for its Security in the New Mobile Ecosystem report, more than half of the respondents said, “security practices on mobile devices have been sacrificed in order to improve employee productivity”. In addition, 60 percent said they believed “employees have become less diligent in practicing good mobile security”. These are telling numbers when you bear in mind that, in the organizations surveyed, “one third of employees use mobile devices exclusively to do their work, and this is expected to increase to an average of 47 percent of employees in the next 12 months”.
In other words, security-degrading technology is being rolled out in the interest of perceived gains in productivity. In some ways, this is how things have always happened, since the walls around the mainframe started to come down in the late 1980s. And there has always been a price to pay. The failure of efforts to adequately secure network technology, despite serious warning signs, predates the commercialization of the Internet.
Three decades ago, many companies that were using internal computer networks found that they came with ample opportunities for crime. In 1994, the U.K. Audit Commission analyzed incidents of computer abuse described by 1,073 U.K. organizations responding to a 1993 survey. The resulting report, Opportunity Makes a Thief, noted that over one third of organizations surveyed had suffered some form of computer abuse, losses from which totaled £3.8 million, a 183 percent increase from a similar survey conducted in 1990.
The question we now face is whether or not the deployment of network technology can continue to expand without faltering under the weight of criminal abuse, which is likely to continue to increase, given the low level of commitment to improve matters which the historical record suggests.
Audit Commission. (1994). Opportunity makes a thief: an analysis of computer abuse. HMSO. Available: http://archive.audit-commission.gov.uk/auditcommission/subwebs/publications/studies/studyPDF/1102.pdf
United States of America. (1997). President’s Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s infrastructures. Available: http://www.fas.org/sgp/library/pccip.pdf