Cybersecurity was in the news again this week as hackers released contact details of thousands of FBI and Homeland Security employees after claiming to have taken 200 GB of data from Department of Justice computers. But even as such breaches have started to feel almost routine, they are also taking a more troubling turn.
Imagine traffic being halted, subway trains going berserk, furnaces and cooling systems firing out of control, or worse yet, a nuclear power plant melting down — all due to a cyberattack. This is by no means a hypothetical concern. The first wave of infrastructure attacks has already demonstrated the harm that can be done as governments face the reality that the hacking threat is increasingly about more than stolen information.
Late last year, in a first of its kind, a major cyberattack crippled Ukraine’s electricity grid, freezing the computer terminals of operators trying to restart the grid and blocking the telephone lines so consumers couldn’t call in. Last month, Israel’s Public Utility Authority was reportedly attacked. And Germany reported extensive damage to an industrial plant from a hacked blast furnace that couldn’t be stopped.
Closer to home, the Department of Homeland Security received reports of close to 250 infrastructure incursions in fiscal 2014, while Iranian hackers in December 2013 reportedly infiltrated the sluice gate controllers of the Bowman Avenue Dam in Rye, New York.
The potential losses in terms of time, money and possibly even lives from increasingly sophisticated attacks are hard to calculate. But one thing is clear: These attacks can only be stopped if we enlist the help of every Internet user.
And there is a good reason to follow this approach, because although cyberattacks weave their way through computer networks in different ways, there is a common thread that runs across many of them — something that we could exploit to stop them.
First, for efficiency reasons, many cyberattacks utilize the same attack pattern. From the attack on the Justice Department to the one crippling Ukraine, most utilize spear phishing.
The hacker hides a malware payload in the attachment of an email, which when clicked opens a back door into computer networks that are then used to hijack system controllers or extract data. Some phishing attacks direct individuals to fraudulent websites that run malicious scripts or directly solicit login and other credentials by spoofing a real website. Such attacks are often repeated, with minor changes to the request; many even carry the same payload or direct people to the same phony website.
A second important aspect of cyberattacks is that not all the attacks are successful. In fact, targeted spear-phishing attacks tend to have success rates ranging from 30% to 55%. So while many people fall prey to the attack, many more don’t — and a breach could be stopped by just one person reporting it.
With that in mind, if we could provide a mechanism for the many individuals who detect an attack to report it, and if we could quickly disseminate the information to its likely targets, we could stop most attacks from spreading.
But the problem today is that there are many different agencies that collect cyberbreach reports.
For example, anyone receiving a spear-phishing email claiming to be from the IRS can report it to the IRS, to the state attorney general, the local police, and the IT department of their organization. Other entities that could be reported to include the Anti Phishing Work Group and the FBI’s Internet Crime Complaint Center. Each of these organizations allows for reporting using different forms and mechanisms, with some merely collecting reports, others providing emailed feedback, and some others having investigative authority. This is a problem for the average person, whose report is the first line of defense against the attack.
What we need instead is a simple, one-stop, city- or county-level solution: one that is well-publicized, so everyone in a region can be easily made aware of this service; one that is convenient and allows for reporting using a variety of mechanisms; and one that not only collects fraud information but also disseminates information about how to protect and, if necessary, remediate the breach, so people can get localized help.
What would such a system look like in practice? In fact, many cities throughout the nation already have one system in place that we could potentially leverage: the 311 system for reporting nonemergency municipal service issues. This system has been adopted by more than 60 cities and provides a ready platform for cyberbreach reporting. In many areas, the system allows for complaints via email, phone, and smartphone. Leveraging the existing 311 system is therefore convenient and has the added advantage that the system is already known in most areas.
Of course, the current systems would need to be strengthened by adding staff with expertise in dealing with cyberattacks. But this could be easily accomplished by transferring some resources from fighting traditional crime — which in much of the nation remains at an all-time low — toward fighting the exponentially growing problem of cybercrime.
Reports from various regional 311 systems could then be aggregated by an agency like the FBI’s IC3, providing a means for centralized tracking and attack containment. In much the same way the Centers for Disease Control and Prevention protects public health in the United States, many cyberoutbreaks could be stopped before they crippled our homes or our critical infrastructure — if people reported them early, if their likely victims were warned about them, and if law enforcement began to remedy them right away.
The democratized Internet gives everyone a voice. But it also makes just about anyone capable of inflicting massive damage. We need everyone’s help to protect this increasingly wired world we live in.
- A version of this post appeared on CNN: https://www.cnn.com/2016/02/11/opinions/cyber-infrastructure-attacks-vishwanath/