It wouldn’t have surprised me if TIME Magazine had chosen the anonymous face of the hacker as their Person of the Year for 2011. From government agencies to electronics giants, hackers and attackers fought their way into personal information systems and websites, sometimes to make a point for a higher cause, and sometimes for a lesser cause to just steal valuable personal information.
For example, in the latest attack against Strategic Forecasting Inc. (or STRATFOR), a confidential client list was stolen, as were thousands of the clients’ credit card numbers. And some clients have reported fraudulent charges on their accounts.
However, it’s difficult to determine if the overall number of cyber incidents in 2011 was more or less significant than previous years, since the severity of such attacks is so subjective and often information is limited due to the reluctance of companies or agencies to report details. Yet the sheer volume of high-profile incidents covered heavily by news media outlets seemed significant, while at the same time, a large number of hacks were quite sophisticated and alarming from a national security perspective.
At least 58 highly-publicized hacking attacks occurred in 2011, with victim organizations worldwide ranging from law enforcement agencies, Fortune 500 companies and governments to defense agencies and military contractors.
Additionally, at least two dozen major corporations were hit, from Apple, Sony and Citigroup to Research in Motion and Google. Media outlets like NBC, FOX and PBS were hit, too. Organizations like the European Union’s carbon trading market and the Hong Kong Stock Exchange were hacked by cybercriminals, while the International Monetary Fund was hit by cyber spies looking for a leg up on global negotiations. The goal of a hack of the U.S. Chamber of Commerce seemed to be to glean tidbits of information that might help the hackers target and infiltrate U.S. companies.
Now add to those attacks a number of far more serious cyber espionage infiltrations of strategically important U.S. companies, such as RSA, a major security vendor, and Lockheed Martin, a key defense contractor. Defense ministries in Australia, the U.S., Japan, Norway and NATO were hacked too. Oak Ridge National Laboratory, which houses many U.S. nuclear secrets, was broken into as well.
Despite the existence of a global cyber-security industry whose cumulative worth is estimated to be $80 billion, the advantage is clearly with the attackers. The modern Internet was created for scientists and researchers to share information without security features. Nobody could have predicted that this Cold War technology of autonomous networks would become the singular backbone of international commerce and data exchange. Commercial enterprises and governments latched on and soared – but have never made their users accountable or identifiable. Plus, there are many ways to mask computer access. The result: near total anonymity for sophisticated hackers.
Traditional cyber defenses need to be greatly improved, because attackers in the coming years will not only increase the anonymous and virulent nature of their wares, but also improve on precision targeting that will be difficult to counter. Mobile technology, cloud computing and outsourcing all contribute to making cyber defense more complex than ever.
The one theme that pulls all this together is that Cyber Security is a very human problem, and this human bandwidth can best be addressed with effective training and education. Tackling the human side of cyber security is the first step in improving information risk management.
Note: Online Cyber Security training is available at no charge through TEEX’s National Emergency Response and Rescue Training Center (NERRTC) under a National Homeland Security Training Grant.
Other resources for training and information include:
Author: Tim Thorson is the Training Coordinator for the Cyber Security Program at the Texas Engineering Extension Service (TEEX), part of The Texas A&M University System. He assists public and private enterprises to ensure that the privacy, reliability, and integrity of the information systems that power our global economy remain intact and secure. He has developed new cyber security training and technical assistance programs for various business and government sectors.