Charlie Mitchell - Hacked: the inside story of Americas struggle to secure cyberspace

Hacked

ROWMAN & LITTLEFIELD

Lanham Boulder New York London

Library of Congress Cataloging-in-Publication Data

Names: Mitchell, Charlie, 1962- author.

Title: Hacked : The inside story of America's struggle to secure cyberspace / Charlie Mitchell.

Description: Lanham : Rowman & Littlefield, 2016. | Includes bibliographical references and index.

Identifiers: LCCN 2016006180 (print) | LCCN 2016016849 (ebook) | ISBN 9781442255210 (cloth : alk. paper) | ISBN 9781442255227 (electronic)

Subjects: LCSH: Internet--Government policy--United States. | Computer security--Government policy--United States. | Cyber intelligence (Computer security).

Classification: LCC TK5105.875.157 M575 2016 (print) | LCC TK5105.875.157 (ebook) | DDC 384.30973--dc23. LC record available at http://lccn.loc.gov/2016006180

TM The paper used in this publication meets the minimum requirements of American National Standard for Information Sciences Permanence of Paper for Printed Library Materials, ANSI/NISO Z39.48-1992.

Printed in the United States of America

For Andrew, Benjamin and Joaquin.
May their futures be cyber-secure.

In October 2015, as the Senate prepared to take a historic step on cybersecurity, news broke that a teenager had hacked the private e-mail account of the Central Intelligence Agencys director. Like many Americans, John Brennan stored a collection of sensitive documents in his e-mail account that provided a virtual users guide to his personal life as well as sensitive government documents. The hacker revealed his actions, though not his identity, to the New York Post, which broke the story.

The hacker said he used a tactic called social engineering that involved tricking workers at Verizon into providing Brennans personal information and duping AOL into resetting his password, the paper reported. The hacker said he got into Homeland Security Secretary Jeh Johnsons Comcast account as well.

Anyone and everyone is at risk in cyberspace. The risk rises exponentially if you use common passwords across sites and services. Cyber crooks and hackers employed by foreign intelligence services make fast work of passwords that use proper names, birth years, or other easily obtainable personal information. Once in, hackers can silently bleed funds from bank accounts or cause any number of personal headaches.

But thats the lower end of the cybersecurity threat facing the United States and the rest of the world. At the upper end, youll find the destruction of industrial control systems, fried computer networks, and disabled electric power grids. All of those types of cyber attacks have already taken place. Much worse could be in store.

The effort to secure cyberspace, by government and industry, remains in the embryonic stages.

Cybersecurity is about the vulnerability of the computers and cyber networks that run every aspect of life in the United States and other technology-based countries. Its about potential threats on a grand scale to the global economy.

The U.S. government defines cybersecurity as The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.

The extended definition puts it fully in a policy context:

Strategy, policy, and standards regarding the security of and operations in cyberspace, and encompass[ing] the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.

The federal government identifies sixteen critical infrastructure sectors within the U.S. economy. Each one touches every American in some way. The information technology sector, the telecommunications industry, the financial sector, and gas and electric utilities are obvious targets for cyber attacks and cyber theft. But each of the other critical infrastructure sectorstransportation, water works, chemical facilities, the healthcare system, seaports, nuclear power plants, the emergency services system, the so-called defense industrial base and even smart buildings, dams, and agriculturehas its own vulnerabilities in cyberspace.

As the first decade of the twenty-first century ended and the second decade began, the political class was beginning to get it. But political leaders and government policymakers had barely scratched the surface on any of the policy elements described above.

Cyber is deeply ingrained in virtually every facet of our lives, Rep. Mac Thornberry of Texas said in 2011, after chairing a congressional Republican task force on the subject. We are very dependent upon it, which means that we are very vulnerable to disruptions and attacks. Cyber threats pose a significant risk to our national security as well as to our economy and jobs.

Thornberry pointed to the policy rub: At least 85 percent of what must be protected is owned and operated by the private sector. Government must tread carefully in this area or risk damaging one of our greatest strengthsdynamic, innovate companies and businesses that are the key to our economy and to cybersecurity advances.

But tread it must. Republican and Democratic politicians alike were realizing that cybersecurity was an issue that couldnt be avoided, and that sculpting answers would be an arduous and frequently thankless task.

A glance at the statistics told the story.

The FBIs Internet Crime Complaint Center received 269,422 complaints in 2014. Those cyber crimes came with a price tag of over $800 million. Social media platforms were an increasingly popular entry point for crooks, according to the bureau.

Every stolen electronic record carried an average cost of $154, IBM and the Ponemon Institute declared in the tenth annual Cost of Data Breach Study released in 2015. Millions upon millions of records were being stolen at lightning speed. Do the math, and the potential economic cost shoots way over FBI estimates based on formal complaints. PricewaterhouseCoopers did the math in 2015 and found 1 billion compromised records.

And that was just the garden-variety criminal side of the cybersecurity equation. The Department of Homeland Securitys center for monitoring computer networks for cyber attacks would record 350,000 attacks or intrusions in a six-month period between October 2013 and May 2014. That was 120,000 more incidents than in the entire previous twelve-month period. Intruders remained on infected systems for months or even years.