Last week, we learned that hackers allegedly working for the Chinese government compromised the personal information of some 4 million current and former federal employees. This latest episode is shocking in its scope, but security experts have long known about China’s military-level cyberoffensive capabilities, with reports of an entire division of its army being devoted to cyberattacks.
And China is not alone. Russian government-sponsored hackers were blamed for the recent breach of the White House’s email system; North Korean hackers were believed to be behind the Sony Pictures hack. And state actors aside, there are also nonstate criminal enterprises and a smorgasbord of “hacktivists” all focused on breaching, stealing or releasing compromised information. In fact, merely by tallying up the successful breaches since 2014, we reach a sobering conclusion: All of us, by now, have been the victims of a cyberattack of one kind or another.
How are these attacks happening?
The vast majority of these hacks utilize simple phishing attacks — hackers craft emails that appear to come from a trusted source such as the Internal Revenue Service or a company’s information technology department, with an innocuous-looking hyperlink or attachment that, once clicked, opens a virtual backdoor into the individual’s computer. Once a machine is compromised, the attacker’s requests appear to come from inside the organization’s computer networks, which makes them hard to detect using security software programmed to protect networks from outside incursions, not insider requests. This is why it is virtually impossible to stop cyberattacks — because we are the ones who inadvertently open these emails and click on the links. We act as the unintentional insiders who hand over the keys to the network.
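The tell-tale signs of the phishing emails described above (a display name borrowing a trusted brand while the real sender domain is something else, a Reply-To that points elsewhere, link text that names one site while the link itself goes to another, an executable attachment) can be checked mechanically before a person ever sees the message. The script below is an added example, not code from the original article or its author; the trusted-domain list and the sample message are constructed for the demonstration, and the checks are deliberately simple heuristics rather than a complete anti-phishing engine.

```python
"""Heuristic phishing-indicator checks for a single email message.

Added example (not from the original article). The trusted-domain list is an
assumption and the sample message at the bottom is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation treats as its own or as trusted senders.
TRUSTED_DOMAINS = {"example-corp.com", "irs.gov"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registered_domain(host):
    # Crude: keep the last two labels. Adequate for this demonstration only.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name invokes a trusted brand, but the address domain does not match.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display.lower() and from_domain and not from_domain.endswith(trusted):
            findings.append(f"display name mentions '{brand}' but sender domain is {from_domain}")

    # 2. Replies are routed to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply:
        reply_domain = reply.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link text names one host while the href goes to another.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and _registered_domain(shown.group(0)) != _registered_domain(_host(href)):
            findings.append(f"link text '{text}' but href host is {_host(href)}")

    # 4. Executable-looking attachments.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith((".exe", ".scr", ".js", ".vbs", ".hta")):
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample: styled as an IT helpdesk notice; trips checks 1, 2 and 3.
SAMPLE = """\
From: "Example-Corp IT Helpdesk" <helpdesk@examp1e-corp-support.net>
Reply-To: recover@mailbox-reset.example
To: jane.doe@example-corp.com
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Renew it at
<a href="http://login.examp1e-corp-support.net/reset">https://sso.example-corp.com/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE):
        print("WARNING:", warning)
```

Each warning names the specific mismatch, which is the information a small smartphone screen hides from the reader; a gateway can use the same output to quarantine the message, and a mail client add-in can surface it as a banner at the moment the person is about to click.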
To have any chance of halting cyberattacks, we need to understand why people click on phishing links in the first place. There are two main reasons:
The first stems from how we relate to network security. Most of us who don’t work as IT administrators see network security as an impediment to getting work done. After all, our organizational performance is seldom measured in terms of how safe we are or how many rules we follow. Consequently, many of us disregard warnings, circumvent rules and connect in places we shouldn’t, oftentimes using unauthorized devices and software. Supporting such actions are mistaken beliefs about the security of certain operating systems, devices and file formats that lead many people to be cavalier about what sites they visit and what they open on certain devices.
The second problem stems from people’s cyber habits, where many online actions such as checking emails and texting have become so routine that people are often unaware of when they perform these behaviors. As a result, many people quickly open emails or mindlessly click on links and attachments with nary a thought for the consequences. Smartphones, which the majority of us now use to connect to the Internet, have further exacerbated the problem by making it possible for people to check email frequently while simultaneously being engaged in a number of other activities. Smartphone apps and screen sizes also restrict how much information is presented, which can make it difficult to check the veracity of an email even if one is so inclined.
With all this in mind, fixing the people problem of cybersecurity is going to require a three-pronged approach.
First, we must educate people on how to protect themselves better online. Cybersecurity education must be accessible, universal and a mandatory part of K-12 education. It must focus on teaching people safe browsing habits, replace flawed cyber beliefs with objective knowledge and teach people ways to protect their information online better — in short, it must help them develop better cyber hygiene.
Second, we must train people on how to spot a fraudulent email quickly, on strategies for effectively sequestering it and on replacing poor cyber habits with better ones. Hand in hand with this, we must also work on developing a more dynamic system of granting IT-access privileges to people in organizations. The current system was developed when computers were newer, software limited and devices fewer. Today we need a system that is not too restrictive, one that takes into account people’s varying device-use needs but also fosters security consciousness. One solution might be to grant people access based on their cybersecurity behaviors, risk beliefs and online habits rather than merely on who they are in the organization.
Finally, we must make it easy for people to report suspected breaches and malicious emails. Efforts by President Barack Obama to make the reporting of data breaches mandatory for organizations are a good step, but there is a pressing need to establish a national clearinghouse where people can quickly report a breach and find help. The current system requires individuals to sift through a host of law enforcement agency websites to find a contact to report a breach, and oftentimes there is little to no feedback or remedial help in return, which reduces people’s motivation to report.
Instead, we need to create a single, centralized agency, similar perhaps to the Action Fraud center and specialized FALCON response team that police in London have created, where people can both report a breach and find someone who can immediately redress it.
Ultimately, this latest attack was likely successful because we are the weakest links in the nation’s cyber infrastructure. Technology alone cannot fix this problem — only we can stop the next attack. And it’s likely already underway.
*A version of this post appeared in CNN: https://edition.cnn.com/2015/06/08/opinions/vishwanath-stopping-hacking/