BY JONATHAN H. HILL
It is hard not to feel helpless in the face of the latest news from the war on our digital privacy. Facebook, the place where we share our vacation photos and receive reminders about our best friends’ birthdays, has been “mined” for personal data on millions of individuals, some of which was used to send “fake news” to vulnerable users.
The list of attacks on major consumer sites and major businesses continues to grow unabated. 2018 is not even halfway through and we have already learned of major attacks on the likes of travel search site Orbitz. Attacks are not limited to corporate victims: hospitals, like St. Peter’s Surgery and Endoscopy Center in Albany, which was hit with a major malware attack, are also under threat. Even the Department of Homeland Security was breached by an insider who lifted Personally Identifiable Information (PII) on more than 240,000 staffers and contractors.
Westchester County, one of the nation’s wealthiest counties with its concentration of major corporate headquarters, is seen as a particularly rich target by cyber hackers around the world. The county was the target of a high-profile cyberattack on an industrial control system (ICS) — the Bowman Avenue Dam in Rye Brook — by Iranian hackers, and was also the scene of a sophisticated identity theft ring that allegedly defrauded ride-sharing drivers of millions of dollars.
New technologies, despite being developed in this era when the risk of cyber vulnerability is well known, are under just as much pressure and are, likewise, in danger of being overwhelmed by cyberattacks. Cryptocurrency platforms like Ethereum have suffered ongoing attacks and substantial financial losses. The threat to software-controlled technologies like driverless cars and drones is a significant concern. In addition, the emergence of a variety of “internet of things” devices like home security systems, many of which run on outdated, and therefore more vulnerable, software, represents a new opportunity for cyberhackers to attack individuals directly. IBM predicts that more than 11 billion devices will be connected to the internet this year.
While the first generation of cyberhackers were often “script kiddies” whose motivations were often just the thrill of breaking into a closed system, today we grapple with much more sophisticated professional hackers whose motivations are either financial, or destructive in the military offensive context. As such, they are either employed by organized crime rings, or are part of an official or quasi-official national security apparatus from a government that is competing with, or hostile to, the United States. These people are motivated and they are good technologists operating in a world where the stakes for the theft of personal information, the opportunity to take control of an industrial controlling device, or to influence the outcome of an election are the highest that they have ever been. We know that these attacks will continue and that they will increase in number and in sophistication.
Short of turning off our computers and leaving our cellphones in a basket by the door, what solutions do we have? The most powerful tool that we have at our disposal is education. We must teach people both the tools to defend their businesses and homes from cyberattacks, and the open sharing of information, because in that way we can learn from each other and be resilient in the face of ongoing attacks.
At Pace University’s Seidenberg School of Computer Science and Information Systems, a National Security Agency-certified Center of Academic Excellence in Cyber Defense Education, we bring government, law enforcement, industry and academic leaders together on a regular basis to share their tools, tactics, successes and failures to ensure that the community is fully aware of the current state of the cybersecurity threat. In this way, we also learn from one another and can build a substantial database of the techniques that have worked in cybersecurity, as well as those that have not worked.
It is unfortunate that, as with any crime, those who have been victimized are often reticent to share their experiences and to admit to their peers that they were attacked. The growing movement to hold corporate officers, including the board of directors and executives, liable for cybersecurity break-ins can make them even less willing to share. This needs to change: open sharing of vulnerabilities, attacks, responses and successful recovery plans is a way to get actionable information into the hands of the chief information security officers, law enforcement professionals and technologists who can employ them as part of a broader national strategy to make the internet safe for business transactions — as well as a safe place to wish your best friends an enthusiastic
Jonathan Hill is the dean of the Seidenberg School of Computer Science and Information Systems at Pace University.