Thursday, December 4, 2014

Hacked and Sacked

A wise man once said, “There are only two kinds of American corporations: those that know they have been hacked and those that are not aware they have been hacked.” At a recent conference, a high-profile tech law firm set out to discover how easy it would be, using a piece of software available for free on the Web, to discover the passwords for approximately 1,500 attorneys in the firm. It took two days to get all of them.
The risks to Americans and American businesses go well beyond mere financial exposure and privacy decimation. Power grids and financial clearing houses for all our banks and financial institutions can be compromised, fed false information, bled dry for intensely private data and even shut down. Sensitive military information is sucked out of the system all too frequently. The concept of “asymmetrical warfare” – a euphemism for terrorist and indirect hostile governmental threats, including cyber-attacks on opponents’ telecommunications and electronic interconnectivity – is combining with targeting drones to redefine warfare.
Sometimes the rationale for some of these cyber-attacks would be downright silly if the results weren’t so devastating. On December 17th, Sony Pictures (through its Columbia Pictures subsidiary) is releasing a Seth Rogen/James Franco comedy (The Interview) about bumbling CIA-recruited journalists targeting North Korean leader Kim Jong-Un for assassination. North Korea was not amused.
“On June 20, 2014, in an interview with The Daily Telegraph, the Executive Director of CFKAP (Center for Korean-American Peace) Kim Myong-chol criticized the film about North Korea's leader Kim Jong-un and said, ‘There is a special irony in this storyline as it shows the desperation of the US government and American society.’ He also said, ‘A film about the assassination of a foreign leader mirrors what the US has done in Afghanistan, Iraq, Syria and Ukraine. And let us not forget who killed Kennedy – Americans. In fact, President Obama should be careful in case the US military wants to kill him as well.’ He added that British films were far better and more realistic than Hollywood movies (full of assassinations and executions). Myong-chol also said the dictator (Kim Jong-un) would probably watch the film. On which director/actor Rogen replied on Twitter, ‘Apparently Kim Jong Un plans on watching The Interview. I hope he likes it!!’
“On June 25, North Korea's official Korean Central News Agency condemned the film (without naming it), promising ‘stern’ and ‘merciless’ retaliation if the film is released. ‘Making and releasing a film that portrays an attack on our top-level leadership is the most blatant act of terrorism and war and will absolutely not be tolerated,’ KCNA said, citing a government spokesman. The administration warned of a ‘decisive and merciless countermeasure’ if the release of the film went ahead. The North Korean outrage is similar to when Kim Jong-il, Kim Jong-un's father, was infuriated by Team America: World Police, a parody film by South Park creators Trey Parker and Matt Stone, in which Kim Jong-il is the primary antagonist.
“On July 11, the country's UN ambassador, Ja Song Nam, complained to the UN about the film on the grounds that ‘the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war.’ On July 17, North Korea requested President Obama to halt the film's release. A statement by state-run news agency KCNA: ‘Our military and our people regard the supreme leader as more precious than their own lives.’
“On November 24, Sony Pictures Entertainment company computers were infected by Shamoon malware. The attack shut down the company's entire computer network, with massive deletion of files and corruption of master boot records, described as ‘computer killing.’ On November 27 several Sony Pictures movies were leaked, including Fury and the yet-to-be released Annie, Mr. Turner, Still Alice, and To Write Love on Her Arms; The Interview was not leaked. The investigation is looking into all possibilities, including a possible North Korea connection related to the content of The Interview. On December 1, the FBI joined the investigation.” Wikipedia. Unofficial reports suggest that Sony has in fact been able to trace these intrusions back to North Korea. A relatively isolated incident or a reflection of what can happen at any time to any one of us or our companies?
We are woefully unprepared for the cyber-threats out there. Routinely, Russian-based criminals hack into personal files for economic gain. Governments are also prying, planting and searching, not only in locked-down governmental sites but also through vulnerable Web links that could cripple our economy and turn off our power grid. OK, our government does it too. Yes, it would help our national security to decentralize power generation through site-specific green power, but big energy is fighting that for mercenary reasons. Vulnerability accelerates in a technically advanced/dependent society… like us!
“Computer security is not well regulated, even as enormous amounts of private, medical and financial data and the nation’s computerized critical infrastructure — oil pipelines, railroad tracks, water treatment facilities and the power grid — move online… In a speech two years ago, Leon E. Panetta, the former defense secretary, predicted it would take a ‘cyber-Pearl Harbor’ — a crippling attack that would cause physical destruction and loss of life — to wake up the nation to the vulnerabilities in its computer systems.
“No such attack has occurred. Nonetheless, at every level, there has been an awakening that the threats are real and growing worse, and that the prevailing “patch and pray” approach to computer security simply will not do… So what happened?...
“A bleak recap: In the last two years, breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. In nearly every case, by the time the victims noticed that hackers were inside their systems, their most sensitive government secrets, trade secrets and customer data had already left the building. And in just the last week Sony Pictures Entertainment had to take computer systems offline because of an aggressive attack on its network.
“The impact on consumers has been vast. Last year, over 552 million people had their identities stolen, according to Symantec, and nearly 25,000 Americans had sensitive health information compromised — every day — according to the Department of Health and Human Services. Over half of Americans, including President Obama, had to have their credit cards replaced at least once because of a breach, according to the Ponemon Group, an independent research organization…
“Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra ‘move fast and break things’ has been replaced. It is now ‘move slowly and fix things.’ Companies in various sectors have started informal information-sharing groups for computer security. And President Obama recently called on Congress to pass a national data breach law to provide “one clear national standard” rather than the current patchwork of state laws that dictate how companies should respond to data breaches.
“There is growing recognition that there is no silver bullet. Firewalls and antivirus software alone cannot keep hackers out, so corporations are beginning to take a more layered approach to data protection. Major retailers have pledged to adopt more secure payment schemes by the end of next year. Banks are making it easier for customers to monitor their monthly statements for identity theft. And suddenly, pie-in-the-sky ideas that languished in research labs for years are being evaluated by American hardware makers for use in future products.” New York Times, December 2nd.
As Congress debates the defense budget, the deployment of new weapon systems and allocation of combat personnel, there is a disappointing failure to appreciate the magnitude of our vulnerability to cyber-attacks… that our very way of life, our vital systems, could be altered forever through mounting threats. If there is a single national security priority, it is definitely not reinforcing one of our two borders and spending more money on offensive weapons. It is challenging and curtailing those who are attacking, or who could attack, the United States quite directly by electronic means.

I’m Peter Dekom, and having elected representatives making decisions on old-world assumptions is terrifying.
