STOPPING CYBERCRIME AT THE PERSONAL, ORGANIZATIONAL, AND GOVERNMENTAL LEVELS

Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.

This is the first of my final two posts (out of nine total) on computer hacking and cyberwarfare. These two posts discuss steps that can be taken to counter cybercrime at the personal, organizational, and governmental levels, as well as efforts to stop cyberwarfare from harming civilians. This series of posts presents my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] So far, the series has summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare and shared a number of examples; the previous post provided an overview of Russia’s continuing attacks on the U.S., including on the 2018 and 2020 elections.

It is clear today that passwords, antivirus software, and firewalls will not protect a computer from reasonably sophisticated cyber hacking. With entities willing to pay over a million dollars for a vulnerability in a widespread piece of basic software, such as Microsoft Windows, Apple operating systems, Adobe, Java, and countless others, cybersecurity needs to be designed into these basic pieces of software and to have many layers of protection. Traditionally, basic software has only been tested to make sure it works, not to identify and eliminate vulnerabilities that hackers could use. This needs to change. When complex software is everywhere, even in cars, software vulnerabilities are ubiquitous and our whole mindset about cybersecurity must change to include preventing vulnerabilities, as well as protecting computers when they are attacked.

Individuals and businesses should assume that passwords alone are no longer effective protection from serious hackers because passwords are likely to have been stolen in one of the hacks of a large customer database or some other way. Two-factor or multi-factor authentication (2FA or MFA) is the best basic defense against cyber hacking and cybercrime. With 2FA, when one logs into a system, a one-time code is sent by phone text or email and has to be entered to gain access. Turn on 2FA wherever it’s available and for any function where security is important, such as banking and financial transactions.

Voting simply cannot be safely conducted on-line, according to Perlroth. She notes that as of the date of her book, there was not a single on-line voting system that hackers had not been able to penetrate – often quite quickly and easily. [2] Voter registration databases and other election support systems need to be rigorously protected and audited to ensure their security.

While the Trump Administration largely ignored cybercrime and civilian harm from cyberwarfare, the Biden Administration has already been aggressive in tackling them. The U.S. Cybersecurity and Infrastructure Security Agency has recently announced that it is working to develop a national cybersecurity strategy. It noted that public-private collaboration will be essential as critical infrastructure must be secured whether it is in private or public hands.

The U.S. needs to establish strong mandates for cybersecurity for public entities and private companies that are part of critical infrastructure. The U.S. lags far behind other countries in doing this. Norway in 2003 and Japan in 2005, for example, implemented national cybersecurity strategies that have made them among the safest countries in the world in terms of cyberattacks. [3]

However, Congress has repeatedly failed to pass legislation that would establish even basic standards for companies operating critical infrastructure such as hospitals, fuel pipelines, the electric power grid, dams, and nuclear power plants. Such standards would, for instance, require operators of critical infrastructure to use up-to-date, well-maintained software; to change passwords regularly; to use two-factor authentication for system access; and to conduct regular, sophisticated tests of their protections against hackers.

The U.S. Chamber of Commerce and other business leaders have argued against even voluntary standards, claiming they are too onerous. Current events are proving that NOT having such standards and NOT having solid cybersecurity in place are far too dangerous and too costly for businesses and customers.

The Biden Administration is urging all companies to enhance their cybersecurity practices, including requiring two-factor authentication for employees to log in to computer systems. [4] It also needs to educate the American public about cybersecurity and about on-line disinformation campaigns; these need to be part of our national consciousness.

Public and private entities should be required to report and make public successful cyberattacks so:

·      Customers and the public can be appropriately warned and protected,

·      The entities have an incentive to fix problems and prevent successful future attacks, and

·      Appropriate law enforcement and national security responses can occur.

On the flip side, when U.S. intelligence agencies become aware of a vulnerability in computer software or hardware, they should be required to inform the product’s vendor and work with it to eliminate the vulnerability.

The private sector is not only stepping up its defensive measures against hacking but also going after hackers directly, rather than leaving this work to law enforcement as has been the practice. Google is suing two Russia-based individuals for using a massive network of hacked computers for a range of criminal activity. It is also working with other private companies to disable the computers used by the hackers. The hacked network has been tracked by law enforcement and cybersecurity experts for years and is estimated to include about a million Microsoft Windows-based computers around the globe. In cleaning up the damage that has been done and the vehicles the hackers used to spread their harmful software, Google has removed from the Internet about 63 million Google Docs, more than 1,000 Google accounts, and over 900 Google Cloud projects. Microsoft has also been active in this direct action, deleting from the Internet websites used by a China-based hacking group. [5]

I urge you to contact President Biden and thank him for his work to improve cybersecurity, including his efforts to create and implement a national cybersecurity plan. Ask him to continue this work and to do more to require private entities operating critical infrastructure to strengthen their cybersecurity. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I also urge you to let your U.S. Representative and Senators know that you support strong steps to improve cybersecurity, including requiring private businesses, especially those operating critical infrastructure or large aggregations of consumer data, to take meaningful steps to improve their cybersecurity. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

My next post will provide an overview of the Biden Administration’s efforts to combat ransomware attacks, address cybersecurity internationally, and protect civilians from harm from cyberwarfare.


[1]     Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]     Perlroth, N., 2021, see above, page 397

[3]     Perlroth, N., 2021, see above, pages 398-399

[4]     De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe from the Washington Post

[5]     De Vynck, G., 12/8/21, “Google sues hackers tied to vast ring of infected devices,” The Boston Globe from the Washington Post
