“We need not to be let alone. We need to be really bothered once in a while. How long is it since you were really bothered? About something important, about something real?”
Self-driving cars. Artificial intelligence. Smart home technology. Voice-activated home assistants. Virtual reality. The stuff of popular science fiction is no longer fiction. The future isn’t ahead; it’s already here.
Once again, it’s National Cybersecurity Awareness Month (NCSAM). To briefly recap:
NCSAM began in 2003 as a collaborative effort between the public and private sectors: the US Department of Homeland Security and the National Cyber Security Alliance. In a recent Presidential Proclamation, Trump notes, “Keeping our Nation secure in the face of cyber threats is our shared responsibility. Our agility and resilience in responding to these threats will improve as our collective awareness about their nature improves.”
Cybersecurity is critical in nearly every aspect of daily life. It impacts us at home, at work, surfing the internet, managing our finances, files, and assets. It is essential to individuals, businesses, government, and infrastructure.
Cyberattacks are like genetic mutations. As coding and technology get more sophisticated and secure, cyberattacks get more intelligent and complex in turn. Technology is our greatest tool, but also a great weapon—one that becomes more foreboding and unpredictable with progress.
We can readily recall some of the biggest cybersecurity incidents and data breaches from 2017, greater in both magnitude and sophistication than in previous years. Can you?
A particularly damaging iteration of ransomware, WannaCry targeted nearly every type of file extension users had on their computers. The virus infected approximately 200,000 computers in 150 countries and most heavily impacted the UK’s hospital system.
Petya is ransomware. NotPetya is malware superficially masquerading as Petya ransomware. At first, cybersecurity experts thought both sets of attacks were part of the same ransomware strain (like DNA). However, upon further scrutiny, they realized the code was more different than similar. The original Petya attacks were meant to extort (with cryptocurrency); the “copycat” NotPetya attacks were meant to cause chaos (and they did). The attack largely impacted Ukraine (ground zero) and radiated outwards to Russia and westward. (The Register)
Equifax—one of the three largest credit bureaus in the US—fell victim to a massive data breach. The criminal data breach exposed sensitive personal data for more than 143 million consumers. Sensitive data includes: names, addresses, Social Security numbers, dates of birth, and driver’s license numbers. In addition, the hackers stole “credit card data for 209,000 consumers and credit dispute information for 182,000 consumers.”
Deep Root Analytics, a data analytics firm, was hired by the Republican National Committee to gather information about US voters. Personal data for 198 million Americans was stored on an Amazon cloud server with no password protection – negligence on the part of Deep Root.
You’ve heard the phrase: “rebel with a cause.” In cyberspace, they’re called hacktivists – hackers who are politically or socially motivated. Hacktivism has been on the rise in recent years, as another powerful means to spread a message.
Even Google has fallen prey to increasingly sophisticated Gmail phishing schemes.
And of course, be cautious where you dine. Popular fast food chains like Sonic Drive-In, Chipotle, and Pizza Hut were all compromised in 2017.
The general theme for 2017 is that cybersecurity is Our Shared Responsibility. Each week in October has specific themes to educate and engage both public and private sectors on cybersecurity:
Week 1: Simple Steps to Online Safety
Week 2: Cybersecurity in the Workplace is Everyone’s Business
Week 3: Today’s Predictions for Tomorrow’s Internet
Week 4: The Internet Wants YOU: Consider a Career in Cybersecurity
Week 5: Protecting Critical Infrastructure from Cyber Threats
But awareness is only one piece. Action sold separately.
So, what is being done right now?
On May 11, 2017, President Trump signed his long-awaited Cybersecurity Executive Order, which “ultimately received bipartisan praise for its thoughtfulness” but has since been lacking in execution. Still in its initial planning and information-gathering phase with numerous agencies struggling to meet imposed deadlines, the Executive Order has not yet gained enough momentum to indicate potential positive impact. To be determined…
Just recently, two US representatives introduced new cybersecurity legislation: the Active Cyber Defense Certainty Act (ACDC). If passed, companies would get “legal power to chase cyber-criminals across the Internet.” It would:
[…] carve out exemptions in the Computer Fraud and Abuse Act (CFAA) of 1986 to allow companies to utilize computer and networks without authorization, but only if they are doing so to attribute or disrupt an attack, to retrieve or destroy stolen files, or to monitor attackers. (eWeek)
Currently, private companies can only act within a carefully constructed legal framework. As it stands now, businesses’ and organizations’ hands are tied when it comes to defending themselves. By the time they jump through the required legal hoops, the damage is already done. The new bill hopes to “empower individuals and companies to use new defenses” and spur “a new generation of tools and methods to level the lopsided cyber battlefield.”
How do you win a battle with both hands tied behind your back? You likely don’t. New cybersecurity policy hopes to change this.
Remember, cybersecurity awareness is not a month-long commitment. Effective protection and prevention require constant vigilance. Be safe in cyberspace!