Key Points
Unfortunately, most businesses today are well-aware of the dangers of cyberattacks and just how much damage they can cause. The Target hack is one situation that still comes up on a regular basis and there are new examples every day. But in addition to the more common cyberattacks in the world that typically revolve around stealing data and selling it for profit, there are new types of attacks that can only be described as acts of terror due to the sheer size and scale of them as well as their intent. And it's this new era of cyberterrorism that not just companies need to be aware of, but also individuals and even entire governments.
Similar Tactics, Different Goals
With cyberterrorism, what was once a much more physical and tangible threat has moved into the virtual world, which is where almost everything is done today. It's not just email and Web browsing anymore. There are entire companies that host their infrastructure in the cloud and if hackers were to gain access to that platform, they could wreak havoc. It would be bad enough if these groups were looking to steal data and make money, but in some cases, and especially when it comes to cyberterrorism, the ultimate goal is to take a given platform or system down completely. The goal is not to make a profit, but rather to make an example and send a message. It's a power play where the only objective is to cause damage that, in some cases, could be irreparable.
Cyberterrorism is also a matter of scale and deals in escalation. Imagine that instead of stealing the data of millions of customers from one corporation in an effort to sell it to the highest bidder, a hacker instead deleted the data entirely or made subtle changes to it that went unnoticed for an extended period of time. It's this example that Alan Berman, president of DRI (Disaster Recovery Institute) International, uses to show where cyberterrorism is going in the future and why data theft shouldn't be as much of a concern as data modification.
"If they're stealing information, that's not the worst thing in the world," says Berman. "It's modifying information that will be the worst thing in the world. So, for example, changing credit balances and transferring money electronically while they're doing it. Theft from a financial institution, credit card company, or retailer is relatively inconsequential in the big scheme of things. Modifying that information, changing it, and transferring funds out would really be a difficult thing. Everything else is relatively benign."
Still, modifying data is only the tip of the iceberg when it comes to cyberterrorism. There was a recent case near the end of 2015 where the U.S. actually brought charges against a hacker in Kosovo who gave the personally identifiable information of federal employees and U.S. service members to the Islamic State of Iraq and the Levant (ISIL). The tools hackers use are getting more common and widely available, so as terrorist groups grow in sophistication, it's not out of the realm of possibility that they might start using those tools to attack the crucial infrastructure of any countries they perceive as enemies. That means that any system with a major online component, like a U.S. stock market, could become the target of cyberterrorism.
Gaining Perspective & Overcoming Hyperbole
While cyberterrorism is certainly a scary concept and one that deserves your attention, it's still a relatively new idea in terms of actually having a major impact on the world. There are experts on both sides of the issue that say cyberterrorism is here already or that it's still years away and there's no proof that a terrorist group has actually used a cyberattack to cause any real damage. The truth may lie somewhere in between as we try to find a way to better define the terms and determine the true difference between a cyberattack and an act of cyberterrorism.
What can be agreed upon by most security experts is that although strides are being made, most companies and even entire governments aren't doing enough yet to prepare themselves for the rise of cyberterrorism. "One of the things we've seen is a lack of action from the federal government," says Berman. "If you look at the director of national intelligence, he's saying that we have no deterrence against this. We need to come up with substantial measures. The government has to do it and it's taken them almost six years to pass any meaningful cybersecurity legislation. We need a bipartisan effort to recognize what kind of threat this is and act upon it so that we do have some weapons and information sharing, and so we can discover these problems a lot sooner than we do now."
That's not to say that the government isn't making any effort at all. In fact, Berman points out that for the fiscal year of 2016, the U.S. government has budgeted $14 billion for cybersecurity, which is an increase over the $12.5 billion budget for 2015. That's unfortunately a response to the fact that the U.S. is number one in the world in terms of security breaches, accounting for 72% of the total, according to the 2014-2015 Breach Level Index. Still, it's clear that something needs to be done in order to not only prepare for the future, but also better handle the cybersecurity threats the world faces today.
Current Status
With cyberterrorism looming on the horizon as such a critical issue, it's important to get a baseline understanding of where you are right now in terms of cybersecurity and defending against cyberattacks. Unfortunately, according to Berman, cyberattacks are affecting more and more people every year and that "it seems like there are only going to be two kinds of people in the world; people who know they've been hacked and people who don't." He stresses the importance of everyone realizing they may not be as safe as they think they are from cyberattacks and to understand that there is a possibility their information has been compromised. It's only in being more vigilant that people can prevent more of these intrusions from happening or at least minimize the damage after the fact.
One of the biggest trouble areas for businesses today in terms of cybersecurity threats is the fact that around 70% of all breached or compromised credentials go undetected, and in fact, Berman thinks that estimate is too low, depending on the timeframe. "If you said to me, 'I believe that hacks go undetected for months and it's 70%,' I'd probably agree with you. If you're saying that the point of hack is going undetected, I think they all do, otherwise we'd be notifying people immediately. If you look at Target, it took six months. From my point of view, hacks happen all the time and we just don't recognize that they're happening."
Compromised credentials are particularly dangerous because it means that a user's personal information, including usernames and passwords, may be in the hands of hackers and could be used to log into one or more systems. And if that type of intrusion goes on undetected for too long, it could result in the theft of millions or even over a billion sets of user data. Berman points out that these hacks going undetected is of paramount importance when it comes to selling information on the "dark Web." He says that a hack going undetected allows for the hacker to get even more detailed information in the process, which in turn enhances the value of that data. This also ties into the idea of cyberterrorism, because if terrorist groups get their hands onto undetected, compromised credentials for government employees or military leaders, it could result in catastrophic virtual or physical attacks.
What's Being Done & What You Can Do
It's clear that there is plenty of room for improvement when it comes fighting back against cyberattacks and cyberterrorism, and it's going to take quite a few different approaches to come up with meaningful results. Some of it falls on the shoulders of legislators and some of it is just about learning from past mistakes and trying to get better. For example, Berman says that the way hackers used to verify stolen credit card information was to test it at a self-service gas station and pay at the pump. Now, to help fight that, many pumps require you to enter the billing ZIP code in order to use the card. He admits that it's something of a Band-Aid solution to the problem, but it's an example of pinpointing the behavior of hackers and putting something in place to combat it.
As for what people can do in the future to prevent cyberattacks, Berman says that it's all about vigilance for customers, which is an area where companies can actually help. "Most hacks are actually found out by customers who have been affected or by auditors who have found it," he says. "One of the things we're starting to see from the credit card companies is notifications to a customer whenever a charge is made. I have a credit card that does that and I actually like it. It's a sense of security for me. If I see a charge that looks wrong, I can act on it. That vigilance is taking place on the consumer level."
On the business and enterprise side, it's more about getting help from partners as well as improving internal security measures to make sure all bases are covered. Microsoft is one example of a company that is putting a much stronger emphasis on cybersecurity, especially in a highly mobile and cloud-based business world. The company recently established the Microsoft Enterprise Cybersecurity Group, which comprises a team of security experts that will build new security solutions and offer their expertise to all of Microsoft's customers. This initiative is one that will help consumers and businesses that use Microsoft products build a stronger security foundation and better protect data from cyberattacks.
Another area where Berman wants to see security improvements is in the supply chain. He says it's absolutely crucial for companies to not only understand their own security posture, but also the security posture of every other business and partner in the supply chain. "We are starting to see more of that," says Berman. "(At) one of the major banks in the United States, the person who does business continuity for them is also responsible for vetting all of their suppliers and vendors. He now sits in procurement so that we're going to be more proactive to make sure those people who connect to us have some security. We've seen that in real physical supply chains and we're now starting to see it in cyber supply chains."
From our Partners at CyberTrend.