Monday, November 16, 2015

Paris Attacks Tighten US Cyber Options

James McFarlin

The drums of war are sounding closer.

The barbaric ISIS Paris attacks of November 13th, preceded by the bombings in Lebanon and the takedown of the Russian airliner over Egypt, on top of more than 770 reported ISIS terrorist attacks from 2013 to the present, are the latest acts aimed at destabilizing and ultimately destroying Western civilization.

More attacks are coming. A US security official remarked today that Paris was certainly "not the only action in the ISIS pipeline." In confirmation of that belief, a video released by Islamic State threatens attacks against Germany, London, Washington DC and other US cities.

America faces threats from 'lone wolf' Islamic extremists and - coming soon - threats from attackers arriving in the waves of Syrian refugees scheduled to hit the nation's shores.

But such threats are dwarfed by the potential damage and massive loss of life from cyberattacks against US power and other critical national infrastructure targets.

There is a growing consensus that ISIS cyber threats to the US are increasing and becoming more immediate. Admiral Michael Rogers, director of the National Security Agency and US Cyber Command, believes such attacks are "much more a matter of 'when' rather than 'if' during his time in command."

ISIS has been widely recognized for its social media prowess in recruiting, radicalization, training and fundraising. But those actions are just the beginning. John Cohen, a former counter-terrorism coordinator at the Department of Homeland Security, believes that "It is only a matter of time until we start seeing ISIS-type organizations using cyber warfare techniques in a more expanded way."

And with America's near-total dependence on computer networks, it has much more at risk than many other nations, and certainly more than extremist groups, which have little to lose.

What is the US to do to deter such actions? Based on the success of cyberattacks throughout the breadth of America's institutions, from banks and retailers to defense contractors and government agencies, it is evident that existing cyber defense capabilities are not adequately effective.

In a sign of recognition that defensive measures must be supplanted or supported by more aggressive tactics, the US has recently accelerated its move toward increasing its offensive cyber weapons capabilities.

But more than a battle of technologies, cyber defenses are evolving into a battle of wills. With the exception of its Stuxnet computer virus targeting Iran's nuclear program, the US has been reluctant to deploy offensive cyber weapons, citing the possibility of such actions triggering counterattacks.

During such indecision, the risks mount. And for America's future, they are huge. Let's hope it does not take a cyber-9/11 attack to trigger America's resolve to deploy offensive cyber weapons to prevent what can be a major calamity.

Wednesday, October 21, 2015

Smaller Businesses Under Increasing Cyberattack

The latest data breach investigations study by Verizon showed that 71% of breaches occurred in businesses with fewer than 100 employees.

Ensuring data security for smaller firms is increasingly a game of 'risk and consequences.' Cyber criminals want personal and financial data and will strike when they want and how they want to get it. The most common consequences for small firms are financial loss, customer disruption and extensive recovery efforts.

Cybercriminals will take customer or financial records, donor or client information and proprietary business information critical to the success of the business.

Their goal may be schemes such as data theft, extorting payment for returning a computing network to a working state or submitting fake invoices for payment.

The question for many businesses is what to do about these threats. Turning the problem over to IT does not solve the problem. Cybersecurity is a team sport involving technicians, management and employees.

The largest proportion of data breaches occurs because employees are either not following established data security procedures or lack such procedures to follow. Both of these vulnerabilities are addressable.

Steps as basic as providing employee training can limit cyber risks substantially. Excellent training courses are available via the Homeland Security website, where vendors such as SANS Institute offer their products.

Training will not be enough to tame cybersecurity exposure unless security becomes part of the culture of the organization, i.e., "This is how we do business."

Risk and consequences. Limit the former or expect the latter.

Saturday, July 18, 2015

Cyberattacks Have Consequences

James McFarlin

Whether it involves the Office of Personnel Management, the IRS or Department of the Navy, few days go by without news of new cyberattacks against the United States.

Perhaps because there are few examples, little is said about the consequences to the assailants from such attacks.

The Preface of "Aftershock, A Novel" previews a possible scenario of consequences which occur at the highest levels when cyberattack response spins out of control. In today's ever-present cyber-threat environment, this description is worth reading, particularly the foreshadowing presented in the final paragraph. An adaptation:

The early rays of the weak winter sun have yet to seep through the dense morning fog as the first attacks strike San Francisco.

     Power is the first to go, stilling electrical equipment and draping the city in a carpet of darkness. Electric Muni buses stall in the streets. Lacking control signals with which to operate, Southern Pacific trains sit motionless on their tracks. The Bank of America tower, Transamerica Pyramid and other skyscrapers hang over the city like shadowed spires, towering monuments from an age past.

     Attempts to use smart phones yield only the wailing cadence of circuits-busy signals. Land lines, cable and Internet transmissions have vanished as though they never existed, reducing television and computer screens to blank, darkened slates of glass. Only battery-powered devices cling on to their electronic lives, although without connection. It is a world where Internet connections no longer exist.

     Anxious residents cluster in small groups in the streets outside their homes, hands stuffed in jacket pockets for warmth. As to whether they had experienced an earthquake - they thought not. Nor were there claims of having heard explosions. Many clutch laptops, iPads and smart phones, anxiously searching for answers. But answers were not to come.

     The absence of sound envelops them like a cloak. Conversations turn from nervous banter to speculation, whispers of possibilities, but to no result except to feed a spreading dread of events imagined but not known, growing fears felt but not spoken.

     Residents toss personal belongings into their vehicles and rush to leave the city, only to find bridges and arteries out of San Francisco barricaded by armed squads of National Guardsmen. 

     Growing anxieties are fueled by the sounds of military helicopters and accompanying drones clawing their way over the city like massive birds of prey. Something big, something bad, is happening in the City by the Bay.

     As residents recoil from the shock of the morning's events, 3,000 miles away in the nation's capital an aftershock of infinitely greater magnitude threatens to trigger massive worldwide repercussions in the days to come.

Monday, July 6, 2015

Exploring America's Lack of Cyber Strategy

James McFarlin

The emperor's clothes are coming off. A series of high-profile cyberattacks against government agencies is blasting open the true seriousness of the internal weaknesses in America's lack of cyber preparedness.

And the world is watching the undressing. Articles and commentary, from traditional print media to professional journals and blogs, are increasingly critical of not only America's cyber weaknesses but its lack of seriousness in addressing the issue.

The recent Wall Street Journal article "We're Losing the Cyber War" addresses years of Obama administration passivity in the face of repeated digital attacks. The Office of Personnel Management attack, in which 18 million or more federal employee employment records, including security clearances, were stolen, is a case in point. While the data loss is calamitous in its own right, the lack of responsibility shown by the agency's management can only be viewed as arrogant and lacking responsibility.

OPM director Katherine Archuleta, in a Senate hearing investigating this loss, stated "I don't believe anyone is personally responsible. If there is anyone to blame it is the perpetrators." This display of self-defiance was offered with a straight face in spite of the fact that the OPM Inspector General's office had warned the agency for more than three years of its widespread cyber defense weakness, warnings that largely went unheeded.

Perhaps feeling pressured by this attack as well as network breaches in the Internal Revenue Service, Department of State, US Army, and others, the White House then issued a directive for agencies to plug their gaping holes in cybersecurity. A 30-day "cyber sprint" was initiated, where agencies were ordered to shore up their defenses. This in spite of the fact that they had largely failed to do so for years.

At least two thoughts come to mind here. The first is the absolute naivete of this exercise, which has been described as everything from a smokescreen to hype to a Hail Mary. The second: Where have these priorities been? House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) stated "The cyber race started fifteen years ago," and that this action was "coming too late" to be effective.

We face a serious national security threat from the cyber realm. When will this be taken seriously? Lee Hamilton, co-author of the 9/11 Commission Report, perhaps stated our problem best. In an update to that report issued on September 11, 2014, he said: "One of the problems in 9/11 was the lack of imagination of the terrorist threat facing us. Let's not make that same mistake in the cyber realm."

Seems as though we did that undressing some time ago.

Friday, June 26, 2015

OPM Data Breach Symptomatic of US Cyber Weaknesses

James D. McFarlin

The list of recent breaches of U.S. government agencies is long and includes organizations such as the Department of Defense, US Army, Securities Exchange Commission, Postal Service, IRS, even the White House.

Reported reasons for the success of these breaches vary but follow repeatable patterns which include unheeded warnings, antiquated legacy software, management denial, lack of accountability and lax cybersecurity operating procedures.

Protecting critical data such as taxpayer records should be a primary priority. Yet in the IRS - which recently had more than 100,000 personal tax returns stolen - employees have been allowed to follow weak security practices, including using passwords such as "password."

Einstein, the Department of Homeland Security cyber defense system, over a decade and $529 million in the making, has been ineffective in stopping breaches and is already considered outdated technology according to former DHS lawyer Gus Coldebella.

The government agency cybersecurity failures are widespread. According to Sen. John Boozman (R., Ark.) at a recent hearing, "Office of Personnel Management is just the most recent example of the government's systemic failure to protect itself."

The OPM breach, in which at least 18 million personnel records of former and current government employees, including their security clearance applications, were stolen, is a prime example of cyber security gone missing.

According to the New York Times, the OPM inspector general has issued warnings to the agency since 2010 over its lax cybersecurity, even describing the organization's computer security as a "Chinese hacker's dream."

But in a stunning display of bravado, OPM director Katherine Archuleta declined to take any responsibility for the breaches, instead laying the blame totally on China. In spite of calls by congressional committee members for her dismissal, Obama stood behind her, making it clear her job was secure no matter what.

Retired Gen. Michael Hayden, who served both as director of the CIA and of the National Security Agency, knows a thing or two about cybersecurity. Hayden recently said this about the OPM breach: "This is not shame on China. This is shame on us for not protecting that kind of information. This is a tremendously big deal. And my deepest emotion is embarrassment."

In a typical 'lead from behind' response, on June 12th the White House directed all federal agencies to take a series of swift measures to "lock down" government systems against cyberattack. U.S. chief information officer Tony Scott even launched what he is calling a "30-day cybersecurity sprint."

To comply with this directive, agencies will reportedly be undertaking steps that many - including OPM chief Archuleta - have said have not been possible over even a period of years. Such efforts, besides being ludicrous at their very core, are merely more administration window dressing and doomed to failure.

Until cybersecurity is taken seriously by this administration, the embarrassment expressed by Gen. Hayden will continue for us all. Except those in the White House, of course, where deniability and lack of accountability reign supreme.

Sunday, May 31, 2015

America's Passive-Aggressive Cyber Stance

James D. McFarlin

In the years since WWII, America has protected its national interests and supported its allies through projecting power across the globe in the four domains of land, sea, air and space.

But in today's newer, fifth domain of cyberspace, America projects a confusing passive-aggressive posture that neither deters its aggressors nor comforts its allies.

The picture of U.S. proactive cyber intelligence posture has been stripped and hung out in full disclosure via the National Security Agency documents misappropriated by Edward Snowden, currently encamped and employed in Russia. In terms of setting the U.S. on its heels in cyberspace, President Vladimir Putin could not have created a more savory scenario had he designed it himself. Or perhaps he did.

Snowden's headline-grabbing depiction of America's cyber information-gathering activities was a gift to Islamic terrorist regimes of monumental proportions. New communications codes and channels were set. Revised methods for avoiding U.S. intelligence surveillance were put into effect. All flashed into immediate use, most likely via U.S. social media tools such as Instagram and Twitter.

News of U.S. intelligence actions enraged some of America's European allies, in particular those who felt they were on the receiving end of espionage activities best designed for use against potential assailants. Additionally, U.S. tech firms rushed to distance themselves from involvement, seeking to protect their own global business interests.

However, in protecting its own interests, the level of U.S. inaction is a paradox. 

Each year, hundreds of billions of dollars of intellectual property, including advanced weapons systems plans, are stolen by China's cyber military groups. In 2014, nearly 525 million personal and financial records were stolen from U.S. institutions by Russian and other cyber crime syndicates. More than 80 million personal records were appropriated from Anthem Health alone.

The latest heist? From the files of the Internal Revenue Service. This theft is in spite of the fact that the IRS has been warned for years over their lax and ineffective cyber security procedures. The IRS response? Those American citizens who had their tax records stolen were offered a free year of credit monitoring, so they could be informed - after the fact - when their identities were used to establish lines of credit, obtain loans, or perhaps open credit and debit card accounts.

The U.S. inexplicably allows attacks on American corporate, military and government networks to occur without retribution. Further, this posture is not expected to change. In a presentation at Stanford University in April on the Department of Defense 2015 National Cyber Strategy, defense secretary Ashton Carter informed private enterprise that as far as cyber security is concerned, "You are on your own."

This lack of commitment to cyber defense is poised to take a further fall. On June 1, the provisions of the post-9/11 Patriot Act setting up the monitoring of telephone call metadata for tracking terrorist activity are expiring. These protections do not appear to have the support in Congress or the White House for renewal.

The lapse of these measures places America's intelligence agencies in the defensive position of relying on third party telephone companies and a panel of judges to provide information on potential threats against the United States. According to national security experts, such limitations seriously degrade U.S. national defense capabilities.

Where can this path lead? Although the security of the post-WW II world has vanished from current view, our future may already be written.

Following 9/11, U.S. intelligence agencies were widely faulted for not collecting the proper information, "not connecting the dots," to prevent the attacks. Thomas Kean and Lee Hamilton, co-chairs of the 9/11 Commission, published an update to their original report, fittingly, on September 11, 2014. They stated the following:

       "One lesson from 9/11 is that we didn't awaken to the gravity of the 
        terrorist threat until it was too late. We must not repeat that mistake 
        in the cyber realm."

How short must our memories be?

Monday, May 4, 2015

EMP and Cyber: Twin Threats but Not Twin Risks

It has been an enlightening but disturbing two weeks on the subject of threats posed by electromagnetic-pulse (EMP) and cyber attacks to America's critical national infrastructure.

In the case of cyber, Defense secretary Ash Carter's April 22nd release of the "DOD CYBER STRATEGY" for 2015 outlines the DoD priorities and responsibilities to the American homeland in the case of cyber conflict.

The stated strategy makes clear that the DoD's primary duty is to defend its own networks, with the objective of keeping its communications necessary for warfare operations intact.

Protection of critical U.S. infrastructure, ninety percent of which is operated by the private sector, receives secondary importance and little detail in the report, which states: "The majority of [private sector] intrusions can be stopped through cybersecurity investments that companies can and must make themselves."

In other words, in case of a crippling national cyber attack, the private sector must plan on fending for itself.

The threats posed by an EMP attack were well chronicled in a Wall Street Journal opinion piece on May 1st by Amb. Henry Cooper, former director of the Strategic Defense Initiative, and Peter Pry, executive director of the EMP Task Force on National and Homeland Security.

The article describes that "An EMP attack, most likely from the detonation of a nuclear weapon in space, would destroy unprotected military and private sector electronics nationwide, blacking out the electric grid for months or years."

The authors point out that such an event would cause widespread death from hunger, disease and social disruption that by some estimates could reach ninety percent of the U.S. population.

Society would crash to a halt. No highways filled with speeding automobiles; no jet trails arching across the morning sky; no brightly-lit skyscrapers, just dark, towering hulks of glass and steel.

In examining this threat, it is important to keep in mind that desire does not equal capability. North Korea or Iran, for example, may have the desire to inflict widespread damage to the U.S., but neither reportedly holds the missile or miniaturized nuclear weapons capability to conduct such an attack.

Nor does capability equal action. U.S. satellites would know the source of any nuclear-caused EMP attack on the United States. Retribution would be expected to be harsh and immediate, likely critically injuring or destroying the assailant.

In contrast, cyber attacks present a different and arguably even more dangerous level of risk.

Due to inherent attribution difficulties, 'false flag' attack capabilities, increasingly-procurable cyber weapons and an inherently larger universe of potential assailants, mounting a counterattack on the true offending party can be a tricky and imprecise exercise. Counterattacking the wrong party would only amplify and worsen an already dangerous global conflict.

EMP and cyber threats are potentially so damaging that both should be treated with the utmost urgency. But it could be argued that cyber threats present the greatest immediate risk.

Looking ahead, one can hope that a cyber-era deterrent like that between the U.S. and Russia during the Cold War will help avoid the consequences of either threat.

Tuesday, April 21, 2015

Will Cyberwarfare Trump Aerospace Power?

By James McFarlin

Congress meets this month to consider the 2016 National Defense Authorization Act and appropriations bill.

Members will debate how to ensure America is prepared to meet tomorrow's national security challenges.

Given the accelerating rate of growth in military power across the globe, this is no easy task. China has a growing ballistic and cruise missile inventory possessing the capability to strike over long ranges. Iran fields a ballistic missile arsenal able to strike across the Middle East and Europe. Russia has long possessed sophisticated ballistic and cruise missiles.

The cost of defending against such growing threats with traditional aerospace satellite surveillance and anti-missile systems has accelerated to the point where some congressional members of the House Armed Services Committee are suggesting a reevaluation of U.S. defense capabilities before 2016 spending commitments are made.

Such deliberations will be incomplete and perhaps near-obsolete unless a looming threat filling the horizon is addressed.

Cyber attacks against U.S. institutions are not a new phenomenon. Private and government networks have long been the target of cyber espionage, theft and disruption. Moreover, such attacks are becoming increasingly sophisticated and more frequent. Recent reports show a 2015 acceleration in attacks of 42% over 2014 levels.

At the same time, advancements in cyber technology are propelling increased use of cloud computing and mobile devices, making U.S. networks even more vulnerable to intrusions by state-sponsored organizations, hackers and terrorists.

In the December 2014 attack against Sony Pictures Entertainment, assailants stole films and internal records and destroyed data files and computer networks. Physical violence was threatened against Americans if the studio released its upcoming film "The Interview" depicting the assassination of N. Korea dictator Kim Jong-un. The confused, conflicting, and oft-reversed Sony and U.S. response to such threats showcased America's unpreparedness for cyber events for the world to see.

Admiral Michael Rogers, director of the National Security Agency and US Cyber Command, recently warned the House Intelligence Committee of even more dramatic cyber risks. He emphasized that assaults against the networks of industrial-controls systems - the electronic brains behind operation of infrastructure such as the electrical grid, nuclear power plants and air traffic control systems - would cause widespread damage and civilian deaths.

"There shouldn't be any doubt in our minds that there are nation-states and groups with the capability to do this," Adm. Rogers said.

Congress will no doubt give the priorities for future defense spending its serious attention. One can hope lawmakers are aware of the near-geometric expansion of cyber weapons and the increased threats such capabilities contribute to the vulnerability of U.S. networks and critical infrastructure.

Are ever-more advanced generations of existing weapons systems the path to America's future security or are they missing the mark in the cyber age?

Today's technology-fueled global environment suggests that cyber warfare trumping aerospace power may be more a matter of 'when' than 'if,' and sooner rather than later. A new era has begun.

Monday, April 13, 2015

ISIS vs. Silicon Valley Cyber Wars

By James McFarlin

Terrorist groups such as ISIS are increasingly using social media tools as means of recruitment, training, fundraising and radicalization.  Some estimates place ISIS's volume of Twitter posts alone at 90,000 per day.

Facebook, YouTube, Instagram and other tools also form the basis for the radicals' command and control systems, providing ideal communication and planning tools with which to coordinate attacks.

ISIS and other groups' adept use of social media has attracted an estimated 3,000 Westerners to come to Syria and join the fight.  ISIS also produces a slick monthly English-language magazine named Dabiq.  This professionally-produced publication spreads messages of jihad and hate as well as instructions for terrorist actions such as bomb building and law enforcement avoidance.

Countering such messages is an increasingly difficult task for U.S. security agencies. Terrorist websites can and do pop up in alternative form if taken down, continuing their work.

Frustrated with its lack of social media reach against the terrorists, U.S. authorities have recently turned to America's tech titans to help counter the militants.  Foreign governments have also joined the fray.  French Interior Minister Bernard Cazeneuve recently visited Silicon Valley, urging U.S. tech firms to do more to rid their services of extremist postings.

This awkward relationship has also been aggravated as foreign governments recently assailed American social media companies as being too complicit with the U.S. National Security Agency.

Being drawn into a global war is a foreign experience for tech firms, and leaves them increasingly struggling with uncomfortable requests obliging them to spy on their own users.  Not complying places the firms in the position of being accused of supporting the broadcasting of hateful images that incite terrorism and facilitate radicalization.

Companies such as Apple which have pushed encryption in their products have produced cries of protest from U.S. security agencies.  The FBI, for example, suddenly finds itself less able to tap into the firm's public communications streams.

Other unintended consequences await U.S. firms.  Twitter employees recently received death threats from ISIS groups when the company removed online terrorist content from its data streams.  ISIS has also called out for the assassination of two American imams who have spoken out against the terrorist group's ideology using social media.

Where will these conflicting interests and needs lead?  No one knows for certain.  But the battlefields of the "Twitter wars" as they are sometimes called are clearly in their infancy.  Such conflicts will most certainly be played out in vigorous, unexpected ways over the coming months and years.

Friday, April 3, 2015

Obama Cyber Sanctions: Reality or Illusion?

By James McFarlin

Affirming that cyber threats "pose one of the most serious economic and national security challenges to the United States," President Barack Obama on April 1 announced the intent to level sanctions against hackers, foreign state-owned corporations and nation-states that harmfully attack U.S. critical information networks.

Serious questions remain, however, as to whether such sanctions will have the intended deterrent effect.  Or even take place at all.  Let's look at three major questions on the viability of such actions:

Attribution.  Affirmatively placing blame for attacks is a tricky, many times inconclusive and in all cases elusive endeavor.  Many remember the wide discussion, even heated arguments, over who was actually responsible for the Sony Pictures hack.  The government claimed it was North Korea.  I have been in presentations where impressive evidence was presented that the real attackers were, in one case, Russian, and in a second case, Sony insiders.  This is not an unusual circumstance.

Without confirmation of an attacker's identity, how can sanctions or retaliatory action of any type be launched?  They can't.

Type of Response.  What level of sanctions is warranted by specific cyber theft, espionage, or other attacks? What is the process of determination and which government body makes such decisions?  It is widely believed, for example, that the U.S. fumbled the handling of the Sony attacks.

Who is to say future government cyberattack responses under Obama's sanctions order will be any different?  This is unproven territory where it is best to tread carefully.

Foreign Retaliation.  We are living in a world where unintended consequences abound. What if foreign hackers sanctioned for cyber attacks decide to change identities (easily done, in many ways) and make additional, even more damaging attacks on the U.S., such as to our power grid or transportation systems?  What if a nation-state sanctioned for espionage against the U.S. retaliates by stopping all trade with specific American technology firms?

It is not too hard to see that Pandora's Box, once opened by tenuous and perhaps unproven sanctions actions, can rain even more harmful cyber dangers on the U.S.

The point is, the problems of attribution, lack of response definition and the level of potential 'what ifs' may very well checkmate the U.S.-levied sanctions in many unintended ways, severely limiting the implementation of such actions.

If such sanctions occur at all.  In which case, we have an illusion and a few headlines, nothing more.

Thursday, March 12, 2015

CIA Plays Catch-up to Fight Cyberterrorism

By Jim McFarlin

Cyberterrorism is the number one threat facing the U.S.

The Director of National Intelligence ranked cyberterrorism as the top threat to our country – even more so than threats such as Islamic terrorist groups – in the just-released analysis, “Worldwide Threat Assessment of the US Intelligence Community.”

In a 2014 report, the General Accounting Office found the FAA to have “weaknesses which threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace.”

The recent cyberattacks against Sony Pictures Entertainment have raised the stakes even higher, creating what cybersecurity professionals have deemed “the dawn of a new age” for cyberattacks. Now, cyberterrorism not only aims for destruction, but to influence behavior.

Where does the nation’s preeminent intelligence agency fit amidst such an array of new cyberthreats facing the United States?

Oddly, out of step.

Wednesday, January 28, 2015

2015 Marks a Critical Juncture for America's Cyber Security

By Jim McFarlin

2014 was a challenging year for America’s cyber security. Like falling dominos, a wave of corporate, government and military organizations succumbed to damaging, expensive and–in many cases–embarrassing breaches of their information networks.

2015 promises to be even more challenging. The Department of Homeland Security estimated a 215% increase in reported cyberattacks over the past three years, with similar acceleration projected into the foreseeable future.

Last year’s attacks offered many lessons, most notably these:

      It was repeatedly demonstrated that when cyber assailants come to call, the U.S. is vulnerable, unaware, and open to attack. 

      It was also apparent that the safety of personal financial and investment accounts is effectively in the hands of those with malicious intent, not the institutions that hold our assets.

The only positive claim any of those attacked could make was that the damage was contained--and eventually stopped. However, it’s important to keep in mind that these are the institutions that were unaware of their network intrusions for weeks or even months.

Further, in a reported 71% of cases, those being breached only became aware of the attacks once informed by an outside party or government agency.

The list of compromised businesses includes retailer Target, which somehow managed to miss or ignore alerts they were under cyberattack despite 24/7 outside monitoring and the installation of a brand new $1.6 million cybersecurity system just three months before the attacks. The assault swept across the land throughout the year, ravaging the likes of Neiman-Marcus, Michael’s Stores, PF Changs, Home Depot, JPMorgan, and many others.   

JPMorgan, considered the “gold standard” for cyber security in the financial services industry, boasts a staff of 3,000 cybersecurity professionals backed by an annual cybersecurity budget of $250 million. Even this was not enough to stop cyberattackers from hacking account information. In fact, the banking giant realized that up to 83 million accounts had been compromised only after an incidental tip from a third party.

The Sony Pictures attacks in November went beyond data theft, involving not only misappropriation of intellectual property (films), but also destruction of computer systems, extortion, and threats of 9/11-style violence. 

The confused, conflicting, and oft-reversed response from Sony and involved U.S. agencies clearly illustrates yet another lesson from 2014: the U.S. is woefully unprepared to respond to serious cyberattacks in a coherent, effective manner.

With such examples of successful attacks against major institutions, can the organizations that produce and distribute our electrical power be far behind?

The answer is that no such safety, perceived or otherwise, can be taken for granted. In a serious cyberattack against U.S. power generation or distribution facilities, power outages impacting large swaths of the country could continue for weeks, months or longer, rendering traditional preparedness actions ineffective, and in the end, only delaying the inevitable chaos, loss of life and lack of social order.

When considered against the deadly combination of escalating global instability, the growing black market availability of cyber weaponry, and the startling propensity for Islamic extremists to take their war to the home turf of Western democracies in Europe and beyond, cyber insecurity appears to describe America’s future for the coming year.
