In my last blog post, I wrote about cyber security on an individual level. This week, I’d like to expand on that topic by talking about how countries are using the digital realm not only to spy on one another, but also to physically manipulate infrastructure, earn an economic advantage and more.
Before stepping down from his position as director of the CIA in 2011, Leon Panetta warned about the dangers of cyber terrorism. In one of the last speeches he delivered as director, he said, “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”
Panetta continued with this grim prediction, “The collective result of these kinds of attacks could be ‘cyber Pearl Harbor’: an attack that would cause physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability.”
Panetta is not the only government official to speak out about the threat of cyber-attacks. Earlier this year, the director of National Intelligence testified in front of the Senate Armed Services Committee about the danger of such attacks and about the growing number of hacks on American entities.
“Attacks against us are increasing in frequency, scale, sophistication and severity of impact. Although we must be prepared for a catastrophic, large-scale strike, a so-called ‘cyber Armageddon,’ the reality is that we’ve been living with a constant and expanding barrage of cyber-attacks for some time. The trend I believe will continue,” Panetta said.
Hack attack: How one email can cripple a company
Already over the past few years, Americans have experienced first-hand what a hack can do to their personal finances. Major corporations are also learning what it can mean for business and trade secrets.
According to a recent report by the cyber security firm Symantec, hacks spiked by 40 percent in 2014 and hit five out of every six large companies. The company says hackers are using a corrupted software update scam more frequently these days to gain access to company computers. Essentially, an employee will get an email that says their computer software needs to be updated. The employee downloads the attached link and unknowingly uploads the malicious content attached to it, or a Trojan horse, into the system.
This technique is known as a watering hole because the hackers wait for vulnerable employees to come to them like lions in the deserts of Africa. All it takes is one wrong click by one employee to put an entire company at risk.
Another CNN Money report in conjunction with the Ponemon Institute found that 47 percent of American adults, or roughly 110 million people, had their information exposed by hackers in the last 12 months alone. Even more alarmingly, 432 million accounts were hacked in that same time frame.
Last month, Target announced it would offer a $10 million settlement to its customers who had their credit and debit card information stolen as a result of a massive hack in December 2013. In this instance, cyber criminals gained access to the information of 70 million customers and 40 million debit and credit cards.
But that hack was child’s play compared to the recent Sony hack that was allegedly done by North Korea. A group of hackers that dubbed themselves the Guardians of Peace, or the GOP, completely shut down Sony, its computers, email system and phones. The GOP then stole nearly 100 terabytes of data from the company, which is equivalent to 10 complete copies of every book in the Library of Congress. PlayStation was down for days. Four yet-to-be-released movies were dumped onto the Internet. The list of damages goes on and on. It was embarrassing and damaging but not completely crippling. The company will recover.
Sony alleges that all of this was done because of the movie “The Interview,” starring Seth Rogen and James Franco, which portrays the death of Kim Jong Un. If hackers are willing and able to inflict that much damage over a fictional movie, imagine what they will do for something more serious.
However, it would be naïve to assume that hackers are only after credit card information or attacking major companies like Sony.
Can you hack a heart?
The medical industry faces a barrage of these attacks each and every day as it works to protect patient information. Aside from hacking the military or the federal government, this very well may be the most serious or dangerous hacking that is currently happening.
Last August, the FBI reported that Community Health Care Systems Inc. was attacked by Chinese hackers who stole the information of 4.5 million patients.
Then in February, the second largest U.S. health insurer, Anthem Inc., was hacked, exposing the information of 10 million people. The cyber thieves gained access to names, birth dates, Social Security numbers, email addresses, employment details, incomes and street addresses of customers.
Nine months before that, Premera Blue Cross was targeted and 11 million customers had their medical records exposed. Just three weeks before the breach happened, federal auditors warned the insurance company that it was vulnerable and gave the company 10 recommendations to fix the problems, according to Info Security Magazine. Premera knew it was vulnerable, it was hacked and then it didn’t report the attack to its customers for almost a year.
Now, it’s facing five class action lawsuits from angry customers who entrusted their personal information to this company. Both of these companies are part of Blue Cross Blue Shield, which provides health insurance for over 100 million people in the U.S. or essentially one-third of the country. When a company like that gets hacked, you better bet it’s serious. These have doubled since 2009 and the health care industry as a whole, which is a $3 trillion industry, is one of the most vulnerable in the entire digital realm.
So what do hackers do with this stolen patient information? They sell it on the black market for pennies on the dollar. They make fake insurance cards to buy medical equipment or prescription drugs to resell. They use it to make false insurance claims. The possibilities are endless. Don Jackson, the director of threat intelligence at PhishLabs, told Reuters stolen health credentials are worth 10 to 20 times the value of stolen credit card information.
As if all of that wasn’t enough to scare your pants off, there is a theory that is growing in popularity among techies that hackers might be able to one day hack a person’s medical device or the actual equipment inside hospitals to kill people.
One well-known hacker named Barnaby Jack, who died in 2013, claimed he could hack a pacemaker and even a bedside defibrillator, taking the patient’s life out of the hands of doctors and putting it into the hands of those who can read code.
Former Vice President Dick Cheney believes it is a possibility. Cheney had a pacemaker for his heart with an implantable defibrillator and a left ventricular assist device. He was so worried about this possibility that doctors turned off the wireless function in his pacemaker in 2007. Cheney, who has had five heart attacks, now has a new heart and no need to worry about a hacker.
But others who have implanted medical devices may have something to fear in the future. In October, the Department of Homeland Security announced it was investigating nearly two dozen cases of cyber security flaws in medical devices. Sources told Reuters that the devices include everything from an infusion pump to an implantable heart device.
The DHS insists that it didn’t find a single case where someone was physically hacked, but the fact that it’s possible could set a dangerous precedent. The Food and Drug Administration is certainly afraid of this possibility. Last year, it released a set of guidelines for manufacturers to better secure and encrypt medical devices.
How hackers are helping the economy
But the medical industry isn’t the only one that is walking the tightrope of promoting technological development while working to protect itself.
Largely as a result of the Sony hack, which was the most serious cyber-attack against a U.S. company to date, the federal government and private companies are beginning to take the cyber sector seriously.
Despite the losses, believe it or not, these hackers are also creating jobs. The cyber security industry is booming. Research collected by the Gartner Group shows that the cyber security industry reached somewhere in the ballpark of $71.1 billion in 2014 and is estimated to grow about 8 percent each year.
Cyber software firms like Palo Alto Networks are reaping the benefits of this growing concern among companies and average Americans. According to a report by CNBC, the company’s share price on Wall Street has increased more than 140 percent in the past year and is up 89 percent year-to-date. The U.S. created jobs with the technology boom and now there are more jobs being created to protect it.
Another industry that is expanding as a result of these threats is the insurance industry. Companies now have the option to buy cyber insurance that will help with legal and forensic costs, civil fines and losses and much more. According to the insurance broker Marsh & McLennan, this insurance grew by 21 percent between 2012 and 2013 and then practically doubled in just the first six months of 2014.
Cyber insurance is still dwarfed by other types of insurance. It made up $2 billion at the end of 2014 according to CNBC, which is up $1.8 billion from 2013. Meanwhile, the insurance industry as a whole raked in $1.1 trillion in 2013. But without a doubt, cyber insurance is booming.
Could the U.S. military add a Cyber Corps?
The U.S. military is also trying to stay ahead of the changes. During a speech last month at the U.S. Cyber Command headquarters in Maryland, Defense Secretary Ash Carter suggested that a military cyber corps could become a reality one day, becoming its own service branch.
This would possibly require the military to change its recruiting standards that would otherwise eliminate younger, more tech-savvy recruits who don’t meet other military standards but who are good with a computer.
Already, the U.S. Cyber Command is working on finding the best and brightest and putting them to use for the government. It was created in 2009 with the goal of having an operational fleet of 133 teams of active-duty cyber experts by 2016 according to Military Times Magazine.
This group is responsible for protecting the U.S. from hack attacks but also searching for vulnerabilities in others.
Carter went one step further during a speech at Stanford’s Center for International Security and Cooperation. As he was speaking, the DOD released its blueprint for a new cyber strategy, calling for a 6,200-person Cyber Military Force that would be ready to go by 2018. The group will consist of both civilians and defense contractors.
Not everyone is on board with creating a full-blown cyber corps, however, since it would require billions of dollars of the Pentagon’s already strained budget and likely suck funding away from other military branches.
The U.S. military is also working with its international partners to teach them about building cyber security infrastructure. Last week, 400 computer experts gathered in Estonia to participate in NATO’s cyber games, much like war games the U.S. conducts with South Korea, but this one happens in the digital realm and not out at sea.
The experts came from 16 countries to participate in the Locked Shields 2015 exercise, which involved both the Windows 8 operating system and upcoming Windows 10 system.
Not so fun cyber games
Estonia’s government couldn’t be happier to play host to such a large meeting of the minds. Government, media and corporate websites were taken down back in 2007 in attacks that were allegedly orchestrated by Russia, according to the Associated Press.
In typical Russian fashion, no matter the preponderance of evidence laid against the country, like what we are seeing in Ukraine where there are videos and pictures and satellite images and witnesses pointing to the fact that there are Russian soldiers on the ground in the eastern part of the country, Moscow denied responsibility.
Interestingly, the cyber games played out two scenarios: an attack launched by the militant ISIS group and one executed by Russia.
A cyber-attack from either group isn’t that far from reality. In January, ISIS supporters took control of the social media accounts of the U.S. military’s Central Command and posted propaganda videos. The military claims that no classified information was accessed, but it does show the terrorist group’s potential. Then last month, the FBI announced it was investigating a hack on American and European websites, like racetrack websites and crisis center homepages, in which the hackers proceeded to resurface the websites with more propaganda.
Meanwhile, a cyber-security firm called FireEye told CNBC that a group of Russian hackers known as the Sandworm Team targeted NATO last October to steal secrets.
The White House later admitted that Russian cyber criminals also broke into its unclassified networks while the State Department said it, too, was exposed in March.
The Russians have also been working for years to try to physically manipulate critical infrastructure in the U.S. with their Trojan Horse malware program. These attempts have been going on since 2011 and target everything from nuclear power plants to city power grids, oil and gas pipelines, wind turbines, water filtration systems and more, a source told ABC News.
These types of hacks are known as kinetic attacks and physically manipulate systems. The malware was dubbed BlackEnergy and the DHS says it has been there for years but no attempt was ever made to actually activate the malware to cause damage. Perhaps the Russians are biding their time. Perhaps not. Either way, this malware is incredibly sophisticated and can wreak havoc on the country and its citizens. Talk about a doomsday scenario.
Those are just a couple of the multitude of attacks the U.S. blames on Russia, a country that is running out of excuses.
The Chinese are also in the cyber theft game. NSA whistle-blower Edward Snowden’s massive docudrop claimed that Chinese hackers stole terabytes’ worth of data on the design of the F-35 stealth fighter jet. Chinese authorities deny that claim, but China’s military has created a shockingly similar plane known as the J-31.
The Chinese were also behind Operation Aurora, which stole information from dozens of American companies and was believed to be a counter-intelligence move to see if the U.S. had made out any of its spies. China was allegedly also trying to uncover the identities of American spies.
Battlefield modem: Why the military is turning to cyberspace to conduct covert missions
The Russians and Chinese aren’t the only ones conducting covert missions in cyberspace. The U.S. has conducted several successful campaigns that we know about and likely many more that we don’t know about.
Perhaps the most impressive cyber hack that we know about is Stuxnet. It was a malicious piece of software that infiltrated Iranian computer systems and wreaked all sorts of havoc in 2009. In January 2010, the International Atomic Energy Agency was visiting Iran to check on one of its plants when the experts noticed that the centrifuges used to enrich uranium were constantly failing.
The malware did two things: it caused the centrifuges to spin out of control without explanation and, at the same time, sent data to the scientists monitoring them that everything was fine and dandy. It was able to do this by secretly recording what normal operations are supposed to look like and playing that recording back to the operators.
The centrifuges would speed up then slow down without explanation and then spin out of control, destroying one-fifth of them in all, according to the New York Times. Five months later, Iran began experiencing problems with its computer system. The computers would crash and reboot repeatedly throughout the day. A German programmer was the first to decode the malware and figure out exactly what was going on.
Officially, the U.S. has never claimed responsibility for the attacks. However, cyber experts and White House sources have spoken out saying that it was a joint venture between the U.S. and Israel to deter Iran’s nuclear capabilities. Some experts say we haven’t seen the full picture of this malware and there could be even more to it.
The fact that a computer virus can physically manipulate infrastructure is remarkable.
NSA whistle-blower Edward Snowden also gave us a closer look at U.S. cyber efforts. According to documents he released, the U.S. is spending tens of billions of dollars on gathering data and cyber operations. We also learned that the U.S. conducted 231 offensive online operations in 2011 alone. They included everything from spying to sabotage.
One of the biggest parts of that is a $652 million effort code-named GENIE. What it does is break into foreign computer networks and take control over them. The goal is to have it installed on tens of thousands of computers around the world to gather intelligence and physically manipulate.
So obviously the U.S. is taking the Internet age seriously and launching itself into the great unknown when it comes to crusading through cyberspace. This is what the new reality of spying looks like. No longer will Americans pass documents to one another in dark alleyways; they will infiltrate from the comfort of their cubicle. Shutting down a country’s nuclear operation doesn’t have to mean a massive bombing campaign. It could simply be malware.
The possibilities for what can be accomplished online are unprecedented and so are the threats. It’s a challenge that is diversifying by the day and the country that will come out on top is the one with the most sophisticated, forward-thinking computer programmers. They are the people who can create peace or anarchy. They are the ones who should be revered but also feared.