Last week, CIA Director John Brennan’s personal AOL email was reportedly hacked by an anonymous teenager. According to the news stories, the hacker claimed he was able to use social engineering to get information from Verizon and AOL to access Brennan’s private email account.
What is more remarkable is that it felt normal, rather than novel. It feels like there are new national stories about data breaches, cyberattacks, and cybercrime almost every day.
Part of the challenge is the increasing ubiquity of the Internet. Moving more of our lives (and our government) online brings incredible opportunity, but also new threats, as recent hacks have revealed.
To explore this evolving landscape, the Shorenstein Center, the Ash Centerand the Center for Public Leadership at Harvard Kennedy School brought together a distinguished panel of government and cybersecurity executives last Friday to explore how security and privacy are evolving in 2015.
Brent Colburn, former Assistant to the Secretary of Defense, Ari Schwartz, former Senior Director for Cybersecurity at the White House’s National Security Council, Kimber Dowsett, a security architect for GSA’s 18F, and Jen Ellis, Vice-President of cybersecurity firm Rapid7, joined me to discuss recent attacks, approaches to risk management, encryption, trust, and much more.
The panel came on the heels of a busy week in cybersecurity, including the aforementioned hacking of the CIA director’s email, controversy over the U.S. Senate’s Cybersecurity Information Sharing Act of 2015, and a financialsettlement in the Sony hack case. The headlines made the panel particularly timely and led one Harvard student to ask: are cyberattacks becoming more prevalent?
The good news is that the tools we use to detect breaches and threats are getting more sophisticated, as panelists noted. We are more likely to learn about intrusions, and are starting to get better at fixing and remediating cyber intrusions — though we aren’t really credibly deterring or countering them, yet.
The bad news is cybercrime continues to become more profitable and easier to pursue. And cryptocurrencies like Bitcoin make cybercrime easier to monetize. Opportunities abound — as Jen Ellis pointed out, every single one of us represents an opportunity — and the more people come online, the more targets emerge. Meanwhile, barriers to entry are lowering significantly. Hackers don’t need strong technical skills so much as they need to be able to manipulate people. If a hacker needs more technical expertise, he or she can buy those services on the black market.
Defining Cybercrime and Cyberattacks
So, what is the range of cybercrime and cyberattacks? The panel suggested Harvard students think about five categories:
- Traditional espionage: stealing secrets or sensitive government information; something countries performed before computers existed.
- Commercial espionage: stealing business data and intellectual property from companies (as an example).
- Terrorism: cyber acts designed to cause terror, usually with a political aim.
- Traditional warfare: cyber intrusions to perpetuate conventional attacks against infrastructure or military forces.
- Pranks: simple offenses like defacing a website.
Government Response and Policy
While the federal government is actively detecting and combating cyberattacks, a few agencies still get the majority of the resources. Currently most of the non-classified budget for cybersecurity is going into the Department of Defense, Department of Homeland Security, and the Department of Justice. Meanwhile, at the Office of Personnel Management, which was hacked over the summer, the last major data center update happened in the mid 1990s.
Disparities like this reflect a changing reality: the lines of responsibility when it comes to cybersecurity are blurry, and our responses are only just beginning to evolve. Brent Colburn told the story of a young airman asking U.S. Secretary of Defense, Ash Carter, if he could imagine a world in which we have a fifth branch of the military that just did cyber? Brent noted that we didn’t always have a U.S. Air Force — and the creation of that branch lagged behind the Army’s use of airplanes.
The government is taking some steps already. Within 18F, a digital services unit housed within the General Services Administration, Kimber Dowsett ensures that security gets incorporated into the digital services they develop for the American people (e.g. the new College Scorecard), and that designers and developers consider it at every level.
In the wake of recent breaches, Dowsett and her government colleagues are also thinking about rebuilding trust with the American people. 18F developers and designers deploy all of their code in Github in an effort to be open and transparent about what they’re doing. Dowsett remarked that “we’ve got years, if not decades, to try to earn that trust back, and the way we start is with transparency.”
Congress is also taking up the cause of cybersecurity. The Cybersecurity Information Sharing Act landed on the floor of the Senate last week, and passed the Senate this week by a 74–21 vote. The bill makes it easier for private firms to share information about attacks they’ve experienced — such as what system was attacked, how, and who the perpetrator appears to be.
Yet, Apple, Dropbox, Twitter, and other major tech companies are speaking out against it because of privacy and surveillance concerns. The tech industry is worried that threat disclosures to government could possibly infringe on their customers’ privacy. And beyond these large companies, many organizations don’t have the resources to effectively share information.
In addition, the growing community of cybersecurity professionals is less and less convinced that information sharing is itself so crucial to combating the enduring threats to our cybersecurity. This was a significant obstacle five years ago; the threat, and the private market to address it, have significantly evolved.
While CISA is likely to become law after being reconciled with a similar House bill, Congress has been debating the idea of better information sharing between industry and government for arguably ten years, according to panelist and former White House staffer Ari Schwartz. He noted that the long-term goal of information sharing is for organizations to move to automated sharing, which would also benefit smaller and less sophistication firms.
As for protecting ourselves from cybercrime, the panel had a few recommendations for the audience: Use passphrases instead of a simple password.
- Use two-factor authentication. (Two-factor authentication is something that you know, and something that you have or are given. For example, a password that you know, and a code that you are texted when prompted.) Eventually, incorporating a third factor of authentication (something you are) should become standard practice, such as through retinal scans and fingerprint readers.
- Use a password manager (Lastpass is an example). These services generate challenging passwords for each of your accounts and manage them in one place. A word of warning though: if you go with one of these services, don’t forget the password to your password manager. Moreover, your password in that case should be long — think War and Peace.