During the U.S. presidential debate on September 26, the moderator asked the two candidates to address the following topic: Our institutions are under cyber attack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?
The very fact that this topic has moved beyond IT whiteboards and corporate boardrooms and into the national Situation Room indicates that we have entered an era of a new Cyber Reality. Hacking and counter-hacking is the new way of life—whether it is for financial gains or fueled by national interests.
Not long after, we learned that Yahoo had suffered a massive data breach dating back to 2014. Arguably the largest breach ever, the incident exposed over 500 million Yahoo users’ personal information. Though many question its claim, Yahoo insists that nation-state sponsors were behind the breach.
Remember the OPM hack? In 2015 a massive breach occurred at the U.S. Office of Personnel Management (OPM) in which background investigation records of current, former, and prospective Federal employees and contractors were stolen. Chinese intelligence agents are strongly suspected to be behind this attack. The stolen data includes 5.6 million sets of fingerprints, which, unlike passwords, can't be reset. This has implications beyond OPM, when you consider how many systems, both within the government and otherwise, use fingerprints as an additional factor of authentication.
As disturbing as that news is, it gets even worse. The October 10 issue of Time magazine features a detailed story about Russia attempting to influence the outcome of the 2016 U.S. presidential election through cyber hacking and tampering. According to the article, U.S. intelligence and law enforcement agencies have seen mounting evidence of an active Russian influence operation. (Sorry, Mr. Trump. The digital forensic evidence really does point to Russian intelligence agents and not to a 400-pound lone wolf hacker sitting on his bed.)
The theft and subsequent release of emails from the computers of the Democratic National Committee (DNC) are only the tip of the iceberg. The FBI has warned state election officials to watch for cyber intrusions, and in fact at least 20 states have delivered evidence of a significant number of new intrusions into their election systems. There is genuine concern that state-sanctioned Russian hackers are attempting to manipulate election results.
The U.S. government, of course, has its own capabilities to launch cyber offenses. Recently a group called ShadowBrokers offered for auction hacking code that was developed by the National Security Agency (NSA). The code is said to play a role in the ability to implant malware in millions of computers around the world.
It is not too far-fetched, then, to assume that foreign governments have comparable capabilities and would wield similar tools when serving their own interests. The implications of this are massive—if we cannot trust the validity of electronic records (e.g., voting records), or if data is made to selectively favor one candidate over another, then it could very well threaten the very foundation of our everyday lives—democracy.
As tensions escalate, the question must be asked: “Are we ready for this new cyber reality, and what do we need to do to get ready?” In a world in which every record is breached and every piece of data is accessible by the highest bidder, how do we go about normal business and establish trust?
While there is no silver-bullet answer to this question, we have to look to technical innovations to strengthen our defense posture.
- If fingerprints can’t be trusted, add context. An authentication does not succeed unless the user submits the right fingerprints, her location data suggests the correct vicinity, and her digital crumb matches up with her profile.
- If email accounts are at risk, add second verification and identity alert sharing. Two-step verification and identity alert sharing can add additional layers of defense and turn indications of compromises into timely defense.
- Kill or devalue your data. Reduce your data exposure surface by eradicating superfluous data—if you don’t have it, no one can steal it. Find ways to devalue the data that you do have. Use encryption, masking, tokenization, and secret-sharing to fragment and devalue your data.
- When securing an entire app seems frightfully impossible, move to microservices and secure smaller components. Monolithic applications are the root cause of complexity and help foster deeply-buried vulnerabilities. Adopting a microservices architecture will allow you to more effectively and systematically manage, update and monitor your applications. So you can run fast without running blind.
- When in doubt, use end-to-end encryption. Encryption is now cheap enough and reliable enough to use for everyday applications. Anyone who is still not using end-to-end encryption is plainly asking for it.
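To make the “devalue your data” point above concrete, here is an added illustration (not from the original post) of secret-sharing: a sensitive value is split into five shares such that any three rebuild it, while one or two stolen shares carry no usable information. The prime field, the 3-of-5 parameters and the sample card number are all constructed for this example.

```python
"""Shamir secret sharing demo: split a data value into n shares, any k of which
rebuild it, while fewer than k reveal nothing about the value."""
import secrets

# Mersenne prime 2^127 - 1: all arithmetic is done in the field GF(P).
P = (1 << 127) - 1


def split_secret(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Return n points (x, y) on a random degree-(k-1) polynomial with f(0) = secret."""
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the given points. Correct only with >= k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # den is nonzero because share x-coordinates are distinct; invert via Fermat.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo() -> bool:
    # Constructed sample: a 16-digit card number protected with 3-of-5 sharing.
    secret = 4111111111111111
    shares = split_secret(secret, k=3, n=5)
    ok = recover_secret(shares[:3]) == secret and recover_secret(shares[2:]) == secret
    # Two shares lie on as many candidate polynomials as there are field elements,
    # so interpolating from them yields a value unrelated to the real secret.
    leaked = recover_secret(shares[:2]) == secret
    return ok and not leaked


if __name__ == "__main__":
    print("3-of-5 split/recover OK:", demo())
```

Storing each share with a different custodian or system means a single breach yields nothing of value, which is the practical meaning of devaluing data.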
In a world where even the NSA can be hacked and exposed, it's natural that organizations may pause and hesitate to embrace new technologies for fear that they may introduce risks the companies are not prepared for. But that is exactly the wrong thing to do—being technologically stagnant is neither the solution nor the answer.
When buildings collapse in an earthquake, structural engineers learn the weaknesses and make adjustments to build new buildings that can adapt to the unusual forces of the earth moving. When car accidents result in excessive injuries and deaths, automotive engineers incorporate new designs and safety features to have the vehicles absorb the impact rather than the people. Security engineers, too, must use innovation to build more robust defense and address risks with this new “Cyber Reality.”