“On a scale of 1 to 10, with 10 being strongly defended, our preparedness to withstand a destructive cyber attack is about a three.” -General Keith Alexander In today’s world, you don’t need to be a state-sponsored actor to wreak cyber havoc on your enemies. The hardware required to perpetrate attacks is getting cheaper and easier to obtain. Moore’s Law states that the number of transistors on a computer’s central processing unit (CPU) will double every two years, meaning that machines are quickly becoming smaller, more powerful, and less expensive. And that means the number of these powerful machines will increase. For a few decades, these owners have made software, found loopholes in other programmer’s codes, and exploited those loopholes. This is hacking. Without hacking we wouldn’t have Apple or Microsoft or any video games or a lot of the apps that we use daily and never think about. Hacking in and of itself is not a bad thing. Some people hack for fun, hack to build something, or they hack to solve a problem and improve software. Others hack for less than noble reasons. A Distributed Denial of Service Attack (DDoS), the bread and butter of the hacktivist group called Anonymous, is where you flood a target website with so many requests that the server crashes and the site goes off-line. Man in the Middle Attacks (MITM), where an unauthorized party is able to intercept communications from two people as they are happening, are common occurrences and you don’t need to be the stereotypical programmer to figure out how to perform these attacks. Software is out on the commercial market that makes MITM attacks a “point and click” task. So you don’t need to have tons of money and state sponsoring to completely mess things up for someone else or hack into companies like Sony, Stratfor, or HB Gary. But what if you did have a nation-state sanctioning your activities and providing you a blank check and a team of skilled hackers? Furthermore, what if your target was a rival nation who neglected to implement the proper security measures into their sensitive systems? (The US/Israeli-engineered Stuxnet virus, first discovered in 2010, which infected Iranian nuclear sites is an example.) Or what if that target nation had hardware and software systems so convoluted, bureaucratic, inherently weak and rarely, if ever, updated, that every terminal ran a legacy operating system? (Looking at you, DoD.) These factors are part of what makes government information systems so vulnerable. From Islamist and jihadist groups in Syria and Iran, to Chinese, North Korean, and Russian state-sponsored hackers, there’s seemingly no end to the number of nefarious actors hacking into the vulnerable systems inherent in the globalized economy. According to a 2011 survey (Download PDF), 90% of companies had admitted to being hacked in the last 12 months, 50% of them admitted to being hacked two or more times, and 50% of them had little to no confidence of preventing attacks in the next 12 months. And for the government side, the US Defense Department reports 10 million cyber attack attempts each day. So with our grid’s water and power systems so vulnerable, it’s just a matter of time before a major breach occurs and affects the daily lives of potentially millions of Americans. Nothing can be perfectly secure; with enough time, money and energy adversaries could break into anything. But updating weapons systems, not running legacy or unpatched software can go a long way towards better protecting sensitive systems on which nearly all Americans rely. Cyber attacks are expected to increase through 2015 and subsequent years. As hardware gets cheaper, the amount of devastation an entity can unleash also increases. But don’t go running for the hills screaming about cyber Armageddon just yet. The fact that we are vulnerable right now does not mean that we are ruined, and it does not mean we can’t implement better safeguards in the future. Continue reading...
