October is National Cyber Security Awareness month and a good time to consider what the threats to our cybersecurity are and what we can and should be doing about them. Sometimes it seems like the problems of cybersecurity are overwhelming, but with concerted efforts by individuals, businesses and governments we can dramatically reduce the level of this threat to merely “whelming,” which isn’t a word, but should be.
Part of the problem is technology itself. Computers and computer networks are involved with nearly every aspect of our lives. We have seen the concern in recent days as to the potential vulnerability of our voting system where already voters’ registration lists have been subject to cyberattacks.
The plain, hard fact is that if something is connected to the Internet, it is vulnerable to hacking and data breaches. The computers, smartphones and other electronic devices used by everyone connected to the Internet are vulnerable to hacking — by which data can be stolen and used for a variety of criminal purposes such as identity theft, fraud, extortion, commercial espionage, insider trading and more. In addition, hackers can take over computer operated systems and wreak havoc.
The Internet of Things by which devices that previously would not have been connected to the Internet are going online by the billions provides tremendous advantages, but also brings new vulnerabilities for determined cybercriminals to either control these devices or use these devices as a less protected point to gain access to data and information to be used for criminal purposes.
The list of objects that make up the Internet of Things is huge and increasing every day. By 2020 it is predicted that there will be 5.4 billion devices connected to the Internet. Among the devices that make up the Internet of Things are cars, refrigerators, coffee makers, televisions, wearable technology, webcams, copy machines and medical devices.
In 2007, former Vice President Dick Cheney was so concerned about hackers that he had the Internet connection on his pacemaker disabled. Earlier this month, Johnson & Johnson issued a warning that its OneTouch Ping insulin pump could be hacked through the unencrypted radio signal used in the device and last August, St. Jude Medical saw its stock value drop after a cybersecurity firm announced that it had found security vulnerabilities in the company’s pacemakers and implantable defibrillators.
In the United States and throughout the world, critical infrastructure essential to our lives are connected to the Internet and vulnerable to hackers be they cybercriminals, terrorists or foreign states. The damage that a successful attack on any of these areas of our infrastructure could be extensive.
Among our critical infrastructure operated by computers and networks of computers as noted by the Government Accountability Office (GAO) are “financial institutions, telecommunications networks, and energy production and transmission facilities.” Our water supply and even nuclear power plants are also part of our infrastructure controlled by computers. As noted by the GAO, “ as these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.”
In 2014, a German steel mill had the computers which operated its smelting furnace hacked causing it to overheat and resulting in tremendous damage.
The Government Accountability Office issued a report in 2015 in which it concluded that the computers that make up the National Air Traffic Control System are vulnerable to hacking. The report issued 17 recommendations and 168 specific actions to address security weaknesses in security controls including – what should have been obvious – the need to encrypt sensitive data. That glaring flaw is one that is found throughout the Internet which was never developed with security in mind. Too often security has been built in as an afterthought rather than incorporated into the systems using the Internet as a part of their initial development.
The banking industry has already suffered major attacks throughout the world as evidenced by the Carbanak gang cyberattacks on banks in the United States, Russia, Germany, China and Ukraine in which a billion dollars was stolen. As so often has been the case, the manner by which the malware necessary to accomplish these attacks were downloaded was through phishing emails that lured employees into clicking on links in tainted emails that downloaded the malware.
Technology has created dangers unprecedented in human history. However, just as technology may be part of the problem, it may be part of the solution as well. A common thread in so many major data breaches and cybercrimes is the use of phishing and spear phishing emails to lure people into downloading dangerous malware that enables the cybercriminal to gain access to data or even control entire systems. Computer programs called analytics that can recognize and protect computer users from phishing emails are available. Better training of employees in safe computing, increased use of encryption and enhanced security software are among the tools that can help protect our security. Fighting cybercrime is going to be a never ending battle, but we have the tools to win this war. We just need to commit to using them.
Steve Weisman is a lawyer, a professor at Bentley University and one of the country’s leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.