So what's been happening to all of these agencies over the last couple months? They've been hacked. And some of them, hacked badly. In fact, 2014 might go down as the year of the black hat hacker. Cyber attacks aren't anything new, but the scope of the intrusions and the coverage of the issue reflects a new frontier opening in this battle.
Record numbers of daringly gigantic cyber attacks have been peppering the media all year long, leaving the digital community searching for better answers. Why these attacks are happening, and what government can do to stop them are now central issues for every government CIO office.
Scope of the problem
Attacks like the ones mentioned above are just the ones that make the headlines, but the problem is pervasive. The Heritage Foundation, a conservative think tank in Washington, has pulled together a list of the most recent gov-centric hacks over the last three years (they also have a great list on the corporate side as well). It's pretty much a who's who of government agencies: Nuclear Regulatory Commission, Department of Energy, Army Corps of Engineers, IRS, NASA, and DHS have all been hacked recently.
But people shouldn't just blame the bureaucratic pace of government. Consider what's been happening the private sector as well. The infamous Target and Home Depot hacks have both happened in the last 12 months, affecting nearly 100 million Americans (myself included). JP Morgan Chase's much less publicized data breach affected 76 million households and seven million small business, according to the New York Times. Sony was hacked so badly last week that the LA Times reported Sony's internal teams started using pencil and paper to communicate internally, because Sony was forced to shut down all its IT systems!
Lapses in cyber security sometimes stretch beyond the scope of every organization. Popular application stacks like LAMP and MEAN, which underlie the modern Web, leverage large quantities of open source software that are subject to the vagaries of widely distributed teams. Security faux-pas can lie dormant deep in these stacks, sometimes for years unnoticed. The Heartbleed and Shellshock vulnerabilities, discovered in the last couple years, affected half of all internet enabled devices. Conversations around security have to shift from "will" we get hacked to "when" we get hacked.
Rationale for the hacks
Reasons for the largest attacks remain locked away in FBI case files for the most part, which prevents government IT staff from learning through other's mistakes. Why these attacks happen is often tied to American foreign policy actions, according to a number of sources [1, 2].
Both state and non-state actors are taking part. Kuwaiti Islamist preacher Tareq Al Suwaidan, an active voice on Twitter, goads followers with cyber terrorism platitudes:
I strongly encourage young people to undertake electronic Jihad… I view this as better than 20 Jihad operations
Countries not allied with America also complicate matters with asymmetric attacks and obfuscating responsibility. Sony's massive attack may have come at the hands of the North Koreans, who have been reported to have the third largest cyber terrorism capability in the world. As with most cyber attacks, no one is quite sure during the initial stages and North Korea has denied responsibility.
But political context is key, yet another element that can make preventing these attacks exceedingly difficult for front line government IT staff. The self-annointed "Supreme Leader" of North Korea, Kim Jong-Un, who recently announced that there will be only one Jong-Un in ALL of North Korea henceforth, is also mad that Sony is distributing this new film called The Interview. In the movie, assassins take out his highness (or a likeness of Jong-Un), according to Re/code. It's hard for frontline IT staff, public or private industry, to grok context this detailed while maintaining hybrid clouds or email servers.
Other hackers just want to make money. Syndicate FIN4 was outed publicly last week for trying to game Big Pharma by phishing top executive emails. That phishing was a successful strategy against people who are in charge of multi-billion dollar firms speaks to the difficulty controlling this problem.
Vigilance in a world of ambiguity
Right now, it's the Wild West in the land of ones and zeros. Government IT pros have been outgunned. Maybe a careless contractor brings some malware on a USB drive or maybe it's a team of 100 black hats delicately prying at your digital doorstep. The attacks are asymmetrical and sometimes, even funny. Recently, The University of Florida's roadside emergency displays were modified to read, "Zombie Attack, Evacuate!!"
More than strategizing about service packs and patching servers (which are super important, don't get me wrong), government IT pros need to pick up Sun Tzu's The Art of War (only $3.99 at Amazon right now!). Speed, agility and surprise have long been known as powerful tools in war and that type of thinking needs to be brought into the world of government IT security.
And in many way, this revolution is already underway. The next post in this cyber security review will outline best-practices being used by government and the private sector as pro-active defense strategies against cyber attacks.
This article is published as part of the IDG Contributor Network. Want to Join?