It may be nearly impossible to prevent every potential cyber-attack, but there are credible measures that could be enacted, Marc Kosciejew says.
Hacking is a serious scourge in cyberworld. Everything online is hackable. If something is connected to the internet, it can be hacked. There is no digital security measure that provides full security and protection. Regardless of the digital security measure’s level of sophistication or degree of difficulty, it would not be impossible to hack. Indeed, hackers will find a way in.
The default assumption for all individuals and institutions should be that every device, computer, and network they have connected to the internet, and every database, repository, and bit of data that they have online, is vulnerable to being hacked.
Hacking attacks are reported on nearly daily. In 2016 alone, for example, hackers successfully attacked, compromised information, and stole assets, money, or data from targets as diverse as Bangladesh’s central bank, the US National Security Agency, the US Democratic Party’s National Committee, the University of Central Florida, Verizon Communications, and the popular web-hosting service Weebly.
A recent example is the hacking attack against Equifax Inc., the global consumer credit reporting agency – the attack compromised the personal information of 143 million American customers and hundreds of thousands of British and Canadian customers. Hackers exploited a vulnerability in one of the company’s website applications providing access to the company’s systems and, in turn, the personal Social Security numbers, birth dates, and addresses of millions of people.
These malicious attacks seem to be increasing not only in efficacy, but also in frequency, turning from common occurrences to continuous problems. They continue to grow in size, scope, and impact, especially with the emerging Internet of Things. The Internet of Things is the increasing computerisation of everything – from cars to houses, furniture to footwear, clothes to medical devices – that is unlocking information and communication capabilities from computers and digital devices into the material world of physical things. But the Internet of Things will be particularly vulnerable to hacking attacks and other cybercriminal activities. In 2015, for example, computer security researchers demonstrated how to remotely commandeer internet-connected Jeep cars. As another example, in 2014, cybercriminals hacked into over 100,000 internet-enabled household appliances and bombarded the owners with thousands of spam e-mails in addition to surveilling their home activities.
As these hacking attacks continue to grow, so too do the costs. According to Juniper Research, a market analysis firm, by 2020 the annual cost of data breaches at the global level will rise to over $2 trillion, with the average cost of a single data breach surpassing $150 million. The insurance market for cybersecurity is growing in tandem with these risks and costs. According to Jeremiah Grossman of SentinelOne, a cybersecurity firm, “the cyberinsurance market is worth something like $3-4 billion a year, and it’s growing at 60 per cent a year.”
One of the major reasons for the successful growth and spread of hacking attacks rests with various vulnerabilities in the supply chain of computer and internet companies. Computers, digital devices, and software programs are created, designed, or developed by a dizzying array of different companies that present many complicated difficulties in overseeing, monitoring, and even tracing issues that arise.
In a recent report on cybersecurity, The Economist described how “computer chips are typically designed by one company, manufactured by another and then mounted on circuit boards built by third parties next to other chips from yet more firms. A further firm writes the lowest-level software necessary for the computer to function at all. The operating system that lets the machine run particular programs comes from someone else. The programs themselves from someone else again.”
These difficulties mean that a mistake, oversight, or threat in any part of the supply chain can jeopardise the functioning, effectiveness, and ultimately security of the entire system.
The source code for computers, digital devices, and software programs is further undermined by computing errors. According to The Economist report, much of the source code – that is, the instructions that are compiled into executable programs – has between 10 and 50 errors in every 1,000 lines of code. When these errors are significantly reduced, down to 0.5 errors in every 1,000 lines of code, there nevertheless remain thousands of vulnerabilities ripe for possible exploitation.
It is estimated, for instance, that the average smartphone app has 14 vulnerabilities. Hackers only need to find one of these bugs to base or focus their attack; however, the defenders have to catch all of these bugs, including ones they do not even know exist. As The Economist notes, “shutting down every risk of abuse in millions of lines of code before people start to use that code is nigh-on impossible”.
Although it may be nearly impossible to prevent every potential attack, there are credible measures that could be enacted to help counter them whilst building a more robust security culture, especially in organizations. The first thing to be done, however, is to acknowledge that everything is hackable. Some organizations can be in denial that they are vulnerable to hacking or other cyber-attacks, but everyone is vulnerable. At this year’s international cybersecurity conference, Cybercon 2017, the CEO of the cybersecurity firm Forty Two, Menny Barzilay, argued that “truly accepting and understanding that everything is hackable is the first and most important step towards creating a super effective cyber security strategy.”
Organisations, and in fact everyone, should stop denying and instead start accepting that some kind of cyber-attack is inevitable. This proactive approach helps direct focus on assessing the amount of time it takes to detect an attack and then if and how sensitive information can be protected.
But the traditional approach to cybersecurity is limited because of its overreliance on both preventative and responsive measures and a lack of information-sharing between and within organizations. First, the traditional approach tends to only involve preventative and responsive measures. Preventative measures concentrate mainly on the possibilities of being hacked and then responding with preventative measures such as firewalls and other security controls. Many organisations, moreover, tend to evaluate their responsive measures only after they experience their first cyber-attack. It is only once the damage is done (or is ongoing) that many organisations actively respond. Second, the traditional approach does not typically involve information-sharing.
While hackers and other cyber-attackers are effective collaborators, sharing strategies, tactics, tools, and information, most organisations tend not to work together in countering cybersecurity threats.
This traditional approach could be strengthened by a multidimensional strategy that continues to focus on prevention and response but also on detection and information-sharing.
First, although important, prevention alone is not enough. A balance between prevention and detection is needed.
According to FortyTwo’s Barzilay, this traditional “approach leads to asymmetry in the balance of power because attackers are bound by no rules and only have to succeed once at a single attack point, but defenders are bound by so many rules and have to be successful all the time across all possible attack points.”
Detection can help create reverse asymmetry to help make it “easier for the defenders and harder for the attackers”.
Detection also serves as a pre-responsive tactic, ensuring that the processes, methods, tools, and people are in place to monitor cybersecurity and be immediately prepared to deal with any threat, preferably even before it fully emerges.
As Barzilay cautions, “you don’t want to be in a position of having to find someone to help you and get to know your company and people only after you discover something bad has happened.”
Second, information-sharing between and within organizations is crucial in order to help stymie hackers and other cybercriminals. Defenders need to better collaborate with each other to learn from their common risks, threats, and attackers by sharing appropriate methods, tools, and information. They would also be adopting hackers’ own collaborative approach to their activities and attacks.
As Barzilay notes, “attackers are good at working together. They share information and tools. We have to get much better at doing the same to become more secure.” Joining forces can mean improved security.
Everything connected to the internet is hackable. From governments to universities, from corporations to homes, from industries to individuals, hacking is a serious issue for everyone and everything online. This threat is growing in frequency, intensity, and cost.
The traditional approach to cybersecurity needs to become more multidimensional by including detection measures and greater collaboration. It is time we all acknowledge that we are all vulnerable to hacking and other cyber-attacks and start working together towards a more secure cyberworld.
Marc Kosciejew is a lecturer and former head of department of Library Information and Archive Sciences at the University of Malta.