By Jim McFarlin
2014 was a challenging year for America’s cyber security. Like falling dominos, a wave of corporate, government and military organizations succumbed to damaging, expensive and–in many cases–embarrassing breaches of their information networks.
2015 promises to be even more challenging. The Department of Homeland Security estimated a 215% increase in reported cyberattacks over the past three years, with similar acceleration projected into the foreseeable future.
Last year’s attacks offered many lessons, most notably these:
● It was repeatedly demonstrated that when cyber assailants come to call, the U.S. is vulnerable, unaware, and open to attack.
● It was also apparent that the safety of personal financial and investment accounts is effectively in the hands of those with malicious intent, not the institutions that hold our assets.
The only positive claim any of those attacked could make was that the damage was contained--and eventually stopped. However, it’s important to keep in mind that these are the institutions that were unaware of their network intrusions for weeks or even months.
Further, in a reported 71% of cases, those being breached only became aware of the attacks once informed by an outside party or government agency.
The list of compromised businesses includes retailer Target, which somehow managed to miss or ignore alerts they were under cyberattack despite 24/7 outside monitoring and the installation of a brand new $1.6 million cybersecurity system just three months before the attacks. The assault swept across the land throughout the year, ravaging the likes of Neiman-Marcus, Michael’s Stores, PF Changs, Home Depot, JPMorgan, and many others.
JPMorgan, considered the “gold standard” for cyber security in the financial services industry, boasts a staff of 3,000 cybersecurity professionals backed by an annual cybersecurity budget of $250 million. Even this was not enough to stop cyberattackers from hacking account information. In fact, the banking giant realized that up to 83 million accounts had been compromised only after an incidental tip from a third party.
The Sony Pictures attacks in November went beyond data theft, involving not only misappropriation of intellectual property (films), but also destruction of computer systems, extortion, and threats of 9/11-style violence.
The confused, conflicting, and oft-reversed response from Sony and involved U.S. agencies clearly illustrate yet another lesson from 2014: the U.S. is woefully unprepared to respond to serious cyberattacks in a coherent, effective manner.
With such examples of successful attacks against major institutions, can the organizations that produce and distribute our electrical power be far behind?
The answer is that no such safety, perceived or otherwise, can be taken for granted. In a serious cyberattack against U.S. power generation or distribution facilities, power outages impacting large swaths of the country could continue for weeks, months or longer, rendering traditional preparedness actions ineffective, and in the end, only delaying the inevitable chaos, loss of life and lack of social order.
When considered against the deadly combination of escalating global instability, the growing black market availability of cyber weaponry, and the startling propensity for Islamic extremists to take their war to the home turf of Western democracies in Europe and beyond, cyber insecurity appears to describe America’s future for the coming year.