National Association of Attorneys General
Cyber Threats: The Bottom Line
Since the title promised “The Bottom Line,” let me make this even easier for the audience. If you are younger than 30 years of age, stop reading and go to the next article. If you are between 30 and 40 years of age, quickly glance through it and maybe note an unfamiliar reference link. If you are between 40 and 50 years of age, read the article and check out the reference links. If you are over 50 years of age, read the article carefully, go to the reference links and put them in your “Favorites” folder, set the article aside and read it again next week, and the next week, and the next week and so on. Full disclosure: I am in the last category of readers and speak a version of Information Technology (IT) language that is pretty simple and basic. If you are with me in that category, you understand. If you are in one of the other categories and have decided to continue reading out of either curiosity or amazement, please be patient. My goal in this article is to go about one inch deep in the vast and bottomless ocean of information known as “cyber threats” and provide some very simple facts on the subject and a few basic references for further reading, if you are so inclined.
Just a few months ago, we heard U.S. Secretary of Defense Leon Panetta utter a most ominous warning that the United States faces a “cyber Pearl Harbor” aimed at America’s critical infrastructure. Pause for just a moment and reflect that nearly everything you come into physical contact everyday is run by a computer system: electrical power systems - from generation of electrical power to what happens when you move the on/off switch on your desk lamp, computer, space heater, or air conditioner; communication systems such as your smart phone, iPad, and Blackberry; the financial world such as all your banking and credit card charges; transportation such as airlines, railways, buses, and even your car; and water systems (both drinking water and wastewater) – to name just a few. Shortly after Secretary Panetta’s dire prediction, U.S. Sens. Susan Collins of Maine and Joseph Lieberman of Connecticut wrote in a December New York Times op-ed, a cyber attack “is not matter of if, but when.” It is a fact of everyday life that our banking records, medical records, personal files stored on our computers, confidential information we work with constantly in our profession is being hacked daily by a rogue’s gallery of bad actors including individuals, criminal gangs, and nation states. And as you might imagine, the federal government is poised to wade into these waters through both legislation and an Executive Order pending in the White House. At the conclusion of the 112th Congress in December, there were 16 bills pending in the Senate and 10 in the House all dealing with some aspect of cyber security. Whether the computer system you work on is government owned and operated (.gov) or privately-owned and operated (.com) it is all frighteningly vulnerable and has likely already been hacked. So what can I, an IT “cave person,” do about this? How can I find some simple, easy-to-understand explanation of what I am facing and how to protect myself and my computer? The purpose of the next few paragraphs is to answer those two questions.
The amount of information which exists about cyber security is as plentiful as the number of sites on the Internet itself. Anyone, particularly if “anyone” fits the age demographic of those who are still reading this article, can become quickly mired in all that information and throw their hands up in frustration. Or, more likely, quickly “surf” to their favorite news, sports, or hobby Internet site. I have found two sources which are easy to “navigate to” and provide very basic information about the subject of cyber security and provide very helpful ideas on how to protect yourself and your computer. The first is sponsored by the U.S. Department of Homeland Security (DHS). I know, I know. These are the same folks who give us the Transportation Security Administration (TSA). One of DHS’s many missions is to oversee the protection of the .gov “domain” and assist the private sector in securing all the other domains (such as .com, .edu, and .org to name just a familiar few). Trust me, you will find it worth your time and energy to surf on over to http://www.dhs.gov/cybersecurity and spend a few minutes there. You will discover not only very simple to understand explanations of cyber threats but also links to some very helpful sites on such topics as “what can you do.”
The second very helpful source comes from industry and is titled “Verizon Data Breach Report.” The report for 2011 can be found at http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf. The report for 2012 will be released in April 2013 and can be easily found on the Verizon general website at http://www.verizonbusiness.com/Resources/.
Each year Verizon produces an annual report examining cyber attacks from data gathered by them and a wide variety of sources including the U.S. Secret Service, Dutch National High Tech Crime Unit, Australian Federal Police, the Irish Reporting & Information Security Service, and the London Metropolitan Police. The list of partners who provide data is expected to grow significantly for the 2012 report. While the report is lengthy, the Executive Summary is about 10 pages and provides a very useful overview of the report giving the reader the ability to focus on areas of interest. Not only is the report a collection of very interesting data but it also includes tips on effective ways to protect your computer and organization’s (both large and small) IT from cyber attack.
Most experts claim that you have already been the victim of a cyber attack and may not know it. While your personal information which a cyber “bad guy” obtained may only be a few items in hundreds or even thousands of records and may never be used to your detriment, you owe it to yourself to be aware of the threat and mitigate your potential exposure as much as possible. The above sources will provide you with basic information you can use to protect yourself.