National Cybersecurity Framework Calls Attention to Ever-Growing Threat
February 20th, 2014 by CHHS RAs
By R. Justin Morris, CHHS Research Assistant
On Thursday, February 13, 2014, the National Institute of Standards and Technology (NIST) released its highly-anticipated Framework for Improving Critical Infrastructure Cybersecurity. The framework is a national, voluntary set of standards to help both private and public organizations manage cybersecurity risks. As the discussion on this framework ensues, it’s important for us to sit back and take notice of the severity of cyber threats in the world today, and of the variety of forms they take, which makes them so difficult to defend against. The motives of cyber-attacks are surprisingly varied, and include economic, political, socio-political, and purely entertainment purposes.
Given the recent news of the Target credit card scheme, Americans for the most part have become aware of point-of-sale (PoS) attacks, or those that target credit card swiping machines at in-store registers. These types of schemes fall under the category of economically motivated attacks. This category includes your general, run-of-the-mill phishing, spear-phishing, and malicious software (malware) attacks, which have been around for years but show no sign of slowing down. For example, an international malware attack targeting small retail stores in eleven countries, including the U.S., was just shut down in late January after it allowed unknown perpetrators to steal data from 49,000 payment cards. Another unique example of an economically motivated cyber-attack comes from the creators of needapassword.com. The two men, each charged in federal court with one count of unauthorized access to a protected computer this January, used their website to take requests, in exchange for money, to hack into personal email accounts and obtain passwords for third parties.
Politically motivated cyber-attacks are unsurprisingly the most dangerous and nefarious cyber threats to our nation’s security as a whole, as they are designed to gather information related to our nation’s critical infrastructure, defense mechanisms, or other essential governmental functions with the purpose of aiding foreign governments such as China, Russia, and Syria. Examples of such cyber-attacks include the China-based attacks on the U.S. Department of Labor and the U.S. Council on Foreign Relations last year. These types of attacks primarily come from highly-organized groups within foreign nations, and unfortunately these organizations are beginning to use more cunning tactics in an effort to hide their intentions. Chinese groups like the one that attacked the U.S. Department of Labor are more often targeting third-party vendors or organizations that have strong affiliations with government officials, but fewer security measures, and then using those vendors as a way to gain access to government officials’ personal data. These organizations search for and exploit what are called strategic web compromises, and will use legitimate event websites, such as that of the G20 Summit, as ploys to gain personal data from government officials.
While not as dangerous as politically motivated and some economically motivated attacks, cyber-attacks for socio-political or sheer entertainment purposes are becoming more frequent and problematic. Socio-political hackers, or “hacktivists”, target government agencies or private businesses in response to certain social or business policies that they feel are unjustified. For example, the infamous group Anonymous initiated its cyber-attack operation in 2010 in support of Julian Assange’s WikiLeaks. In addition to government agency attacks, Anonymous has launched devastating cyber-attacks on credit card giants Mastercard and Visa, and on internet giant PayPal, which are believed to have cost these companies several millions over time. Each of these attacks, which included the stealing of credit card information on a large scale, was for socially-motivated purposes and not actually for financial gain.
Similar to Anonymous, other groups have targeted government agencies or large companies with cyber-attacks for seemingly entertainment purposes. For example, the group LulzSec (short for Laugh-out-Loud Security in internet jargon) targeted companies such as Sony, Nintendo, and Maryland-based software company Bethesda Softworks with malware attacks, and posted the acquired credit card information from these attacks on public websites. Also, for extra kicks, LulzSec engaged in denial of service attacks on the FBI, the CIA, and Senate.gov. Two of the attacks were affectionately titled “F*** FBI Friday” and “Wipeout Wednesday,” respectively. In addition to LulzSec, many other unknown groups have conducted cyber-attacks for entertainment purposes on both federal and state government systems, some of which have revealed alarming issues. In January, the federal court system website, uscourts.gov, fell victim to a denial of service attack from an unknown source, which prohibited public access to the site and prevented attorneys from e-filing legal documents on time. Also, in Michigan, Montana, and New Mexico, unknown perpetrators were able to hijack the federal Emergency Alert System, allowing them to display on TV screens in citizens’ homes throughout those states an emergency message reporting that zombies were rising from their graves and attacking the living everywhere. While this antic may have been humorous, it exposed a serious reality that the emergency alert system in this country is exploitable, and such information in the hands of, say, a terrorist, could be dangerous.
For its part, the State of Maryland in recent years has been pushing to increase cybersecurity standards and awareness. In 2011, Governor O’Malley established the Maryland Commission on Cybersecurity Innovation and Excellence, of which CHHS Founder and Director Michael Greenberger is an appointed member. Additionally, just last week, Maryland industry executives and government officials met for a cybersecurity roundtable to help develop business models and increase educational outreach on the issue.
However, as evidenced by the cyber-attacks mentioned above, there remains much to be done in this nation as a whole with respect to cybersecurity, which is why it is important that both government officials AND the private sector take the NIST’s voluntary cybersecurity framework seriously. It provides a minimum, national standard of security and responsibility on this matter that is sorely needed. Despite the fact that legislation on this issue may not pass in Congress for some time, it is important that leaders in both the public and private sector begin implementing this voluntary framework as a means to protect the American public’s safety and wealth.