On a Friday afternoon in late September, Facebook announced that it had been the subject of a major security breach. Hackers had infiltrated the social network, gaining access to around 50 million personal accounts, the worst attack in the the company’s history. Later reports speculated that the perpetrator might have been a foreign power, sparking further concerns about the state of cybersecurity in the United States.
In recent years, the issue of cybersecurity has garnered significant attention in the national conversation. Attacks like those on Facebook as well as others have caused Americans to worry about the security of their personal information and whether or not they are sufficiently protected from such potential threats. Recent reports have shown a significant increase in the number of cyber attacks, many perpetrated against large banks and other institutions with highly sensitive information. The contrast to a decade ago, when cyber attacks were much less prevalent, is stark.
The Intent of the Hacker
The question of what motivates hackers is a complicated one. While it is commonly assumed that cyber crime is fueled by the desire for financial gain, there are many instances in which the motives are also socially, ideologically, or politically based. One kind of internet activism, hacktivism, operates on all of these principles. This is when hackers commit cyber crime to promote some form of social change, whether that be freedom of speech, freedom of information, or human rights. Take the case of Anonymous, a group which publishes classified information obtained from hacks under the ideological goal of transparency. In light of this, it could be argued that not all cybercrime is necessarily harmful. As precedent shows, hacking has the ability to effect social change. At the start of the Arab Spring, Anonymous worked to bring media attention to the protests in Tunisia, restore access to websites censored by the government, and write code allowing activists to avoid government surveillance.
Experts say that hackers have become more emboldened as a result of new technologies that allow them to infiltrate systems with relative ease. These developments, while impressive and exciting from a technological standpoint, also pose a significant threat to many sectors of the U.S. economy — energy, healthcare, and transportation, to name a few. In addition, financial gain is almost guaranteed with the use of tools such as distributed denial-of-service attacks, which flood networks with uncontrolled traffic, preventing the system from operating. A ransom is then demanded in return for ending the attack. In an age where digital networks are critical for normal operations, companies are often more than willing to hand over the ransom if it means getting their systems back.
The State of Cybersecurity
Unfortunately, the United States is an epicenter for this sort of activity. As Ross Rustici, the Director of Intelligence Services for cybersecurity firm Cybereason, said in a recent interview with the HPR: “America is probably in the upper 25 percent in terms of defense, but for the most part that is woefully inadequate.” The former Department of Defense cyber analyst also added that while the U.S. government has made a “good effort” in addressing the issue, it lacks “the authority to enforce change” as there are no legal obligations for companies to have high standards of cybersecurity.
The general consensus of experts in the industry is that there will never be 100 percent protection and hackers will always be able to find a way into systems. As new defenses are constructed, so are new openings and points of vulnerability waiting to be exploited. Brian Park, co-founder of Sparklabs Cyber+Blockchain, a D.C. based cyber startup accelerator, equated this phenomenon with a game of “cat and mouse” in an interview with the HPR. Even as developers invent new cyber defense technology, attackers are one step ahead, already designing ways to circumvent these new obstacles. However, as pointed out by Park, not all defenses are completely cyber-based. Hackers also choose to take advantage of the weakest point of any security system: humans. Many companies use people as their first line of defense, whether that be an over the phone customer representative for a bank or a security guard at a data storage site. In many cases, individuals can easily be tricked into granting access, as seen in the case of the popular IRS scams, where people are persuaded to hand over their social security number to avoid fines.
Offense Is the New Defense
In light of these threats, many have argued that companies and the government need to start going after these hackers, attacking them before they attack us. In a September 2018 op-ed for the Ripon Forum, Senator Mike Rounds (R-S.D.), chairman of the Armed Services Subcommittee on Cybersecurity, argued in favor of a more attack-minded approach: “We have played defense long enough when it comes to cybersecurity. It is time to go on offense.” Although the government is able to act on this strategy, it is illegal for companies according to the Computer Fraud and Abuse Act of 1986. The law, which was passed during the Reagan Administration, was in response to the movie WarGames, in which a high school student hacks into a military supercomputer and nearly starts a nuclear war with the Soviet Union. The movie, albeit fictional, was enough to convince President Reagan and the U.S. government that companies could not be trusted when it came to hacking, especially in the off chance that it might lead to conflict with a foreign state.
President Trump appears to agree with Rounds. This past August he issued a directive — the National Security Presidential Memorandum 13 — which allows the Department of Defense more freedom in launching cyber operations against adversaries of the United States. The policy, a strong shift from the that of the Obama administration, has been criticized for its recklessness in that it might lead to an escalation of cyber conflicts and diplomatic tension abroad.
The Public and Private Reaction
In response to the increasing threat of cyber attacks, both the private and public sectors have devoted more attention and resources to the issue. The cybersecurity industry, in particular, has seen rapid expansion with projected year-to-year growth rates of 10 to 12 percent through 2021. A Business Insider report estimates that over $655 billion will be spent on security services by 2020. Furthermore, research conducted by Morgan Stanley shows that the global average cost of cybercrime increased by 62 percent between 2013 and 2017. Despite the increased investment in security technology and services, the continued rise of cybercrime demonstrates the need for more efficient and effective solutions. In step with the private sector, the government has begun to allocate more resources towards mitigating cyber threats. The Trump administration’s 2019 budget proposal requests $14.983 billion for total cybersecurity funding, up from $13.1 and $14.4 billion in 2017 and 2018, respectively. However, many have found this budget increase perplexing given the president’s decision to eliminate the role of cyber coordinator on the National Security Council, the top cyber official of the U.S. government.
Congress has also taken measures to improve the nation’s cyber capabilities, with some lawmakers calling for legislation similar to the General Data Protection Regulations of the European Union, enacted in May 2018. The GDPR is designed to protect the personal data of consumers processed or held by companies within the European Union. It guarantees consumers the right to access their data, the right to have their data deleted, and the right to withdraw their data at any time. Additionally, it also requires companies to have a chief data protection officer, notify users of a security breach within 72 hours, and comply with a number of other conditions. If a company fails to meet any of these standards, they are subjected to a fine of up to 4 percent of their global annual turnover. Proponents of the law argue that, given recent cyber attacks, the implementation of legislation like the GDPR in the United States is necessary, as it gives consumers more access and ability to protect their data, an important aspect of cybersecurity. In an emailed statement to the HPR, Dimitri Sirota, the CEO of BigID, a cybersecurity firm based in New York City, described the GDPR as a “winning issue for all political parties” and that “all aspects of the regulation would benefit the U.S.” That said, not everyone agrees. Some opponents have argued that the cost of these requirements places an unneeded burden on companies.
While the future of legislation like GDPR in the United States is uncertain, Congress has already made tangible changes to face cyber threats. On October 3, Congress passed the Cybersecurity and Infrastructure Security Agency Act, which will establish a standalone cybersecurity agency under the Department of Homeland Security. The policy is significant in that it essentially names DHS as the main authority in addressing cyber threats. Moreover, it also centralizes much of the government’s cyber resources under one entity, a much-needed improvement. Prior to the law, the United States had large cyber programs housed under multiple departments, a situation which allowed for miscommunications, confusion over authority, and general inefficiencies. Although this is a step in the right direction, there are also concerns as to how successful the agency will be. Many experts in the cyber industry believe that a significant amount of additional funding and personnel is still needed to properly address the threat of cyber attacks, especially if this agency is expected to be the country’s main line of cyber defense.
Additional Plans and Proposals
Going forward, it is clear that the U.S. government needs to do much more to secure the country from evolving forms of cyber attacks. In recent years, Congress has made many improvements and finally begun allocating more resources towards addressing this threat. However, more funding and research is required. One option for the future is to increase the cooperation between the public and private sectors, as cyber experts and analysts in the industry have the most up-to-date knowledge on today’s threats and could be of significant benefit to lawmakers. Another is the establishment of a body similar to President Obama’s Commission on Enhancing National Cybersecurity. Such a project would allow the government and its agencies to reassess the current state of cybersecurity in the United States, identifying the main vulnerabilities in our cyberinfrastructure. Lastly, public education programs on cybersecurity could also prove to be useful.
America and its companies are not fully aware of the threat that cyber attacks pose. People need to be better informed about the threats they face, how to limit exposure, and what resources they have access to in the event of a cyber attack. “We need to take this threat seriously and prepare for it,” said Senator Bill Nelson (D-Fla.) in a recent interview with the HPR. “The next cyber attack is coming — it’s not a matter of if, but when.”