With disturbing frequency, cyberattacks on government institutions, infrastructure and commercial firms are being reported.
Attacks on government agencies seem to emanate from nation-state rivals such as Russia, China, and Iran. The attacks are usually probes for intelligence on military strength or for design data on advanced military technologies. Russia used this strategy to monitor Ukrainian government departments, and China copies information from US government departments and defense contractors.
Cyberattacks directed at our physical infrastructure are less common, but there have been recent attacks against power plants and transmission lines, where the goal was to disable transformers and cause power outages. Energy pipelines, dams and drawbridges, air traffic control, and communications networks are similar high-value targets for cyberattacks. The control valves that empty dams or petroleum tanks, or that vent natural gas, are typically actuated through a communications system that, in the wrong hands, can be “hacked” to create floods and fires whenever the hackers wish. Infrastructure attacks are usually the province of nation-state rivals, but domestic criminals practicing extortion could also be an explanation.
Cyberattacks on infrastructure can work quickly, widely, without “fingerprints” and at far less cost than conventional bombardment or invasion. Furthermore, military-grade cyber-skills development pays off as both a defensive and offensive investment.
A distributed denial-of-service (DDoS) attack on the Internet overloads a computer, router, or communications path with so many requests that it cannot perform properly. DDoS attacks would be of interest to nation-state actors in time of conflict, but they are also used by hackers with a political agenda (so-called “hacktivists”).
Commercial firms are often targeted by commercial hackers because of the massive databases of customer identity and financial information they hold. In two well-reported events, hackers viewed 145 million eBay customer records and 70 million Target customer records. When hackers break through the access protections, customer identities and financial information can be sold off, one “person” at a time, to low-level thieves who then practice identity theft or buy merchandise with the victim’s credentials.
On the black market, the value of a stolen credit card is believed to be between $3 and $40. The value is higher in the US because credit cards typically do not have the “chip” component that makes in-store use of a stolen credit card more difficult. Sam’s Club is rushing to incorporate the “chip” into its credit cards for that reason. The prosecution of a few high-profile political hackers has drawn media attention, but apprehension and prison time for money-motivated crooks remain too uncommon.
Military and commercial hackers don’t stay at arm’s length. While hackers employed by nation-states create the most sophisticated attack tools, over time we can expect them to share some of their work with the private sector, especially when the commercial outfit interacts with targets of interest to the military. The US National Security Agency (NSA) gave RSA (a security software producer) a system called Dual Elliptic Curve, code for sophisticated encryption-decryption that worked very well and that RSA was encouraged to sell to clients. Unfortunately, the code had a “backdoor” that allowed NSA to quickly crack and monitor whatever RSA’s clients were encrypting. RSA may not recover from that gaffe.
In the near future, encryption and decryption of emails is likely to become standard practice. Shortly thereafter, encryption of passwords, account numbers, pictures and private documents is likely to be in demand. If a hacker steals your encrypted data but does not have the key, he’s wasted his time.
There are encrypt-decrypt strategies that are theoretically foolproof, and converting the theory into actual hardware and software is straightforward. But trusting the exchange and decryption of ciphertexts among different vendors will be very difficult. You don’t want any decryption software that surreptitiously sends a copy of the plaintext to a hacker, to NSA, or to your rival.
Conferences leading to certification standards for encrypt-decrypt vendors will be where hacker and other malevolent interests are exposed. If hackers miss the opportunity for embedding a backdoor, they may be out of business permanently. More than ever before, for retail customers “who can you trust” will be the central question.
Alan Daley writes for The American Consumer Institute Center for Citizen Research, a nonprofit educational and research organization. For more information, visit www.theamericanconsumer.org.