insight
www.internationalinnovation.com
1
In the time it takes you to read this sentence, approximately 60 new pieces of malware will start surfing for Cyber and Homeland Security at cybercriminal activities, as well as the
two.
This was the number of people whose lives were originally torn apart by the recent hack of the infidelity dating website, Ashley Madison. On 20 July 2015, these two users woke up to discover that in the night someone, somewhere had captured private information about them from Ashley Madison’s database. Their names, dates of birth, where they live, payment transaction details, sexually explicit activities – these were only some of the pair’s private and extremely personal details that the hackers leaked back to Ashley Madison staff as proof of their successful attack. Within a month, 30 million other users of the site fell victim to the same fate – and to a hack that will likely go down as one of the largest data breaches in human history. On 18 August the hackers, who call themselves the Impact Team, dumped nearly 10 Gb of data into the dark web where anyone with a Tor browser and desire to venture down the cyber equivalent of a dangerous neighbourhood can download the lot. Forevermore these people will live in fear that the information they posted on Ashley Madison will come back to haunt them. “There is no doubt that because of this hack and information being released that there is going to be a lot of distraught people,” Toronto Police Services Staff Superintendent Bryce Evans – who is taking a leading role in an international law enforcement task force – stated in interview with CBC News in August.
A VA5T AND FAST-P4CED SECURITY PRO8L3M Evans’ statement could not be closer to the truth. Since the hack and release of data, there has been a flurry of folks taking to internet forums pleading for ways to erase their information and an uptick in individuals across the world filing for divorce. There have even been suicides accredited to the attack.
relevant research and analysis on homeland security, counterterrorism and cybersecurity issues. According to Cilluffo, these threats run the gamut from cybercrime to hacktivism to cyber espionage and warfare, and they happen frequently. “We are dealing with attacks on a daily occurrence,” Cilluffo shares. As a small example, Utah Government’s computer systems fend off upwards of 300 million assaults per day since the NSA built its data centre in Bluffdale. Almost as endless as the rate at which these attacks occur are the forms they take – malware, pharming and phishing attempts, distributed denial-ofservice and breach of access, just to name a few. Parsing data collected by the Symantec Global Intelligence Network, the 2015 Internet Security Threat Report points out that in 2014 cyberdeviants released more than 317 million new pieces of malware into the cyber world – that equates to nearly 10 pieces of malware every second. “The reality is that we are dealing with thinking adversaries that adapt their techniques, tactics, tools and procedures in order to evade whatever the latest prevention and incident response measures are,” Cilluffo underscores.
A CYB3R B4TTLE 0F EC0N0M1C PR0PORT1ONS With this barrage of assaults knocking on the doors of firewalls and other security measures, perhaps it is not surprising that every day many of these cyberattacks take down their intended target. According to Net Losses: Estimating the Global Cost of Cybercrime – a report from the Center for Strategic and International Studies and McAfee – the economic cost of all of this cybercrime is nothing less than huge. Between US $375-575 billion is lost globally every year. As the report points out: “Even the smallest of these figures is more than the national income of most countries”.
the Sony Pictures Entertainment hack as well as the breach of security in the US’s Office of Personnel Management (which compromised the data of 4.2-18 million Government employees), the assault on Ashley Madison may seem to just be one in long line of cyberattack stories that have hit the headlines in the last 12 months.
According to Cilluffo, the brunt of this economic burden is falling squarely on the shoulders of the private sector. “Companies are on the frontline of this war,” he states. “Ultimately, they have a lot at stake.” Findings in Net Losses back this statement up – in 2013, approximately 3,000 US companies fell victim to a successful hack, and PwC’s The Global State of Information Security Survey 2015 goes on to point out that incidents costing organisations $20 million or more increased by 92 per cent from 2013 to 2014.
In some senses, it is. “The US faces a dizzying array of cyber threats,” notes Frank J Cilluffo, the Director of the Center for Cyber and Homeland Security at The George Washington University, which carries out policy-
Within the private sector, cybercrime rears its ugly head largely in the form of financial crime, with banks and retailers being two of the biggest players with targets on their backs. One of the main reasons for this,
In the wake of
2
INTERNATIONAL INNOVATION
the internet with the intention of infecting your computer. Frank J Cilluffo, the Director of the Center The George Washington University, US, sheds light on the scope of cyberattacks and other efforts that society can take to improve cybersecurity according to Net Losses, is that the payoffs are enormous – Mexican banks lose $93 million to online fraud annually, and in the UK retailers lost more than $850 million in 2013.
needs to be part of that equation, and the government needs to lead by example,” he states. “It cannot ask the private sector to do more if it is not doing its own job.”
In addition to having big rewards, the attacks are relatively easy to do. “The vast majority of the successful cyber breaches are not due to overly sophisticated attacks or zero-day exploits, but often due to phishing exploitations or social engineering techniques,” states Cilluffo. “People are getting duped by them and handing over their credentials, which then gives the hackers/criminals/ nation states insider access.” Moreover, organisations are not doing enough to prevent their staff from falling prey to these techniques. PwC’s report shows that from 2013 to 2014, of the financial organisations surveyed, employee awareness and training programmes fell by an average of 13.6 per cent. More worryingly, this year’s report showed security erosion in all 12 areas it used to measure organisations’ cyber safeguards.
Finally, he wants people to be aware that it is never going to be possible to prevent all cyberattacks, especially given the technical foundation upon which the internet was created. When the idea for the internet was dreamed up by scientists in the 1970s, it was invented as a way for networked computers to communicate; they never envisaged that it would connect the world as it does today or that its users would intentionally attack each other. Therefore, there are significant holes in its foundation. “One-hundred per cent security is not an option, but there are steps we can and should take to bifurcate our so-called ‘family jewels’ of information and minimise the impact of successful attacks,” Cilluffo shares. As for these steps, his advice to governments and private organisations alike almost sounds simple – “Look inside your own systems and have a sense of awareness of how the data is stored,” he concludes. “From there, having identified and isolated the most important information, you can look at what steps can be taken to manage risk in a more robust way.”
TRU5T M4KES TH3 W0RLD G0
R0UND
According to Cilluffo, the impact that cybercrime has on damaging trust could have a significantly larger impact on the economy than the attacks themselves. “The worst case scenario in my eyes is not the cyber equivalent of the drive-by shooting. Yes, you can have disruptive attacks, but at what point are they so sustained, so significant that they could actually undermine confidence and trust in our systems?” he asks. “We need to be thinking about this. It’s not these one-off incidences alone, as much as a sustained campaign that could undermine confidence in our economies.” These concerns hold a lot of water; according to Net Losses, approximately 200,000 jobs drop out of the US’s economy annually due to cybercrime’s effect on growth domestic product (GDP) via reduced export growth, and this grim statistic is similarly affecting Europe, too. So what policy actions can governments take to stem the tide of these cyberattacks and ensure that all trust is not lost? “Firstly, we have to articulate a deterrence strategy,” Cilluffo states. “It is hard to dissuade if we have not articulated in concrete and clear ways what attacks are unacceptable and if an attack should occur, what the consequences would be to the perpetrator.” To make a deterrence strategy successful, Cilluffo points out that it should be tailored to the actors behind the attacks. For example, the actions that may deter China may not deter Iran or North Korea. He also believes that countries need to come together and agree on basic principles underlying a strategy, as the internet does not recognise geographical boundaries. “We have to do this in a multilateral sense,” he expands. Finally, countries also need to determine how they would apply such a strategy to non-State actors given the fact that quite often it is an ideology bringing these people together, and it may not fall within the jurisdiction of any one government or region.
http://cchs.gwu.edu
Frank J Cilluffo is an Associate Vice President at The George Washington University where he directs the Center for Cyber and Homeland Security, is co-director of the Cyber Center for National and Economic Security and along with the School of Business, launched the university’s World Executive MBA in Cybersecurity programme. Cilluffo is routinely called upon to advise senior officials in the Executive Branch, US Armed Services and State and Local governments on an array of national and homeland security strategy and policy matters. He also frequently briefs Congressional committees and their staffs and has testified before Congress over 25 times. He also works with US allies and organisations such as NATO and Europol.
In addition to coming to a consensus amongst each other, countries must also work to strengthen the relationship with organisations under their legal jurisdiction considering the fact that many attacks fall directly upon them. “A public-private partnership
www.internationalinnovation.com
3