
Forget suicide bombers, cyber hacks could be much more dangerous

BY EMILY NELSON
JUNE 4, 2014

 

WASHINGTON — Devastating mall shootings, terrorist groups kidnapping young girls and the suicide bomber wiping out a city block seem to be almost weekly headlines, reminders of catastrophic threats to our safety and security. But other headlines, perhaps less poignant, gruesome or distressing, could pose an even greater risk to our livelihoods.

 

Those headlines involve U.S. accusations against Chinese military officers for allegedly breaking into computers of major American companies to steal competitive secrets, and they underscore what many experts say is the biggest silent threat facing U.S. national security: cyber-terrorism.

 

The Council on Foreign Relations estimates that global cyber crime costs more than $1 trillion annually. Moreover, U.S. intelligence agencies have ranked cyber-attacks and cyber-espionage as the number one national security threat for the last few years. But what does a cyber-attack look like and why should the U.S. be worried?

 

Dr. Steven Bucci is the director of The Douglas and Sarah Allison Center for Foreign and National Security Policy at The Heritage Foundation. He previously served as an Army Special Forces officer and top Pentagon official before joining Heritage to focus on cyber security issues in 2012.

 

“The goal of terrorism is to terrorize,” Bucci told me in an interview Monday. “To instill that kind of fear, you don’t have to do that by blowing somebody up. You can do it by causing a lack of confidence in the systems we rely on in everyday life.”

 

The infamous cyber attack on Target’s computer systems that exposed millions of customers’ credit card information to identity theft was a wake-up call to companies. But why should national security advisors also be concerned? While stealing company secrets could cost millions in lost sales to Chinese competitors and fraudulent purchases on consumer credit cards, how it is considered a threat to the security of the American people is more complicated.

 

“One of the biggest threats is that someone could hack the 9-1-1 systems,” Bucci said. “Could you imagine if no one had confidence in that 9-1-1 system? That lack of confidence would be totally disruptive and damaging.”

 

Perhaps most alarming is that the culprits don’t have to be very sophisticated to pull off something like hacking our 9-1-1 systems, according to Bucci. “The bar for entry into this field is pretty low,” Bucci said. “You only need a couple of smart kids who are able to write code. And you don’t even have to be that smart.”

 

But while the U.S. can help minimize threats of suicide bombers through the use of security tools like metal detectors and terrorist profiling techniques to catch dangerous offenders before they act, cyber criminals are much more difficult to find.

 

In his 2010 report “Internet Governance in an Age of Cyber Insecurity”, Robert Knake, an international affairs fellow at the Council on Foreign Relations, said there is a fine line between under and over-reacting to the security threats on the Internet. Knake said the Internet has made tremendous gains in economic productivity possible, and too much governance could stifle those gains. Yet, targeted cyber monitoring is necessary to prevent losing all of those gains and then some.

 

“While stronger governance is necessary, that governance should be tailored to specifically address a narrow set of security concerns surrounding crime and warfare,” Knake said in his report.

 

Many cyber experts like Knake agree that Congress should act to put some kind of laws in place to help defend against cyber-attacks, but more complex is how those laws should work and the risk that the law will be obsolete before it is even passed.

 

Heritage Foundation President Edwin Feulner points out several issues with a cyber security program plagued with regulations. “Consider the fact that the processing power of computers tends to double every 18 to 24 months or so. Now consider the fact that it takes at least 24 to 36 months to write and implement a major regulation. Any cyber security regulations that legislators come up with will be outdated the day they’re issued, and easily circumvented by savvy hackers,” Feulner said in his March blog post on the Heritage website.

 

Feulner outlines three recommendations for cyber policy including promoting careful information-sharing between organizations and government agencies, clarifying boundaries for self-defense in cyberspace and a U.S.-led international cyberspace engagement to “name and shame” nations using malicious cyber practices.

 

In the latest cyber scandal, it seems perhaps Feulner’s third point has already been put into practice: was China one of the first to be “named and shamed”? China is refuting the U.S. allegations that it engaged in cyber-spying, but the U.S. has put those accusations out there in a very public way.

 

Bucci said this technique works “imperfectly” because the U.S. and the international community have yet to tie in sanctions that make the cost a little higher for cyber crimes, allowing the public “naming and shaming” to have little effect.

 

So, what is the best way for the U.S. to protect against cyber-attacks? Bucci said that the defense strategy is much simpler than one might think.

 

“The first line of defense is to get people to have good cyber hygiene. Using malware protective software and be leery of suspicious emails, etc.,” Bucci said. He added that 80 percent of cyber attacks could be prevented if consumers were more careful online.

 

While preventing the other 20 percent of cyber attacks is a little less simple, what is clear is that the threat of cyber insecurity is not going away anytime soon, especially as the digital world continues to be ingrained in our everyday lives.

 

“Right now the bad guys are a lot more agile, and because we have to play by rules and they don’t it’s a pretty tough stuff set of problems to deal with,” Bucci said.

 
