March, 2016 | Arun Vishwanath, Ph.D., MBA

his week, a hospital in western Kentucky was the latest organization to fall victim to a “ransomware” attack — a class of malware that encrypts all the files on a computer, only releasing them when a ransom is paid to the hacker holding the encryption key.

In this case, the hospital did not pay up. However, other hospitals, law firms, small businesses and everyday citizens have already paid anywhere from $200 to $10,000 in ransoms. Indeed, based on complaints received between April 2014 and June 2015, the FBI estimated that losses for victims from just one of these malware strains were close to $18 million.

Sadly, this year could well be worse.

Ransomware has existed for some time, the earliest dating back to the late 1980s. Back then, most was developed by enthusiasts — individuals testing out their skills. In contrast, today’s ransomware is often developed by global software teams that are constantly updating their codes to evade anti-virus software and selling them as off-the-shelf products.

Already, newer strains appear capable of infecting mobile devices, of encrypting files stored on cloud servers through mapped, virtual drives on computers, and of transitioning to the “Internet of Things” — infecting gadgets like watches and smart TVs that are going online. In the near future, the likelihood of an attack locking us out of our car, or worse yet in it, while we drive, demanding an immediate ransom, is becoming increasingly possible.

Thanks to the Internet, this malware-for-hire is available to virtually anyone, anywhere with criminal intent. Making things easier for hackers is the availability of Bitcoins, the online currency that makes monetary transactions untraceable. And making things even easier for them is our inability to stop spear phishing — those innocuous looking emails whose attachments and hyperlinks conceal the malware.

All this makes anyone with minimal programming skills and a free email account capable of inflicting significant damage, and with everyone from presidents to pensioners using emails today, the virtual pool of potential victims is limitless. No surprise then that cybersecurity experts believe that 2016 could well be the “Year of Online Extortion.”

But we can stop these insidious attacks, if everyone — individuals, organizations and policy makers — works towards a solution.

First, everyone must be taught to spot, sequester, and deal with spear phishing emails. This requires cybersecurity education that is free and widely available, which is presently not the case. While different training programs exist, most cater to large organizations, and are outside the reach of households, senior citizens and small businesses, who remain vulnerable.

What we also need is training that helps people develop better “cyber hygiene.” This includes teaching people to frequently update anti-virus software, appropriately program firewalls, and routinely back up their computers on discs that are then disconnected from the network. In addition, people should be taught how to deal with a ransomware attack and stop its spread by quickly removing connected drives and disconnecting from the Internet.

Second, organizations must do more to protect computer networks and employees. Many organizations continue to run legacy software, often on unsupported operating systems that are less secure and far easier for hackers to infiltrate. Nowhere is this problem more pressing than in small businesses, health care facilities, and state and federal government institutions, which is why they are the sought-after targets of ransomware.

Besides updating systems, organizations need to overhaul the system of awarding network privileges to employees. The present system is mostly binary, giving access to employees based on their function or status in the organization. Instead, what we need is a dynamic network-access system that takes into account the employees’ cyberrisk behaviors, meaning only employees who demonstrate good cyber hygiene are rewarded with access to various servers, networks, and programs through their devices.

Finally, policy makers must work to create a cyber crime reporting and remediation system. Most local law enforcement today is ill-equipped to handle ransomware requests, and harried victims usually have limited time to comply with a hacker’s demand. Many, therefore, turn to their family and friends, who themselves have limited expertise. Worse yet, some have no choice but to turn to the hacker, who in many cases provides a chat window to guide the victim through the “remediation” process.

What we urgently need is a reporting portal that is locally available and staffed by cybersecurity professionals, so people can quickly report a breach and get immediate support. Such a system currently exists, in the form of the existing 311 system for reporting nonemergency municipal service issues. It’s a system that has already been adopted by many cities in the nation, and allows for reporting via email, telephone, and smartphone apps. Strengthening this system by providing it the necessary resources to hire and train cyber security professionals, could go a long way towards stopping ransomware attacks that are now making their way past Main Street to everyone’s homes.

Perhaps the best way to look at the problem is this: How safe would we feel in a city where people are routinely being held hostage? Well, cyberspace is our space. And we have to make it safe.

A version this post appeared on CNN: https://www.cnn.com/2016/03/25/opinions/preventing-ransomware-attacks-vishwanath/

Tuesday at the first congressional hearing on the issue of iPhone encryption, Apple’s general counsel argued against the FBI’s call for creating a backdoor into the company’s technology, a door that could allow the government — and hackers — to intrude on our privacy in the future.

Apple CEO Tim Cook’s position — supported by everyone from Google to Facebook, Microsoft, and Amazon — resonates with us because of we worry about “Big Brother” and “government surveillance.” But while many users are expressing solidarity with Apple’s apparently principled stance, they might also be asking a serious, related question for themselves: Does Apple really do enough to protect users from hackers?

Apple’s App Store Terms and Conditions clearly absolves it from any responsibility for a hack, breach, or data loss stemming from the use of any apps you purchase from it.

Imagine one of the apps you used to say, edit pictures, store passwords, or track your health was breached and the information was made public — similar to how hacked pictures from celebrity iCloud accounts were released. Only this time, imagine that it was due to an app in the Apple store being compromised — something that we know is probable after the recent discovery of hundreds of malware infected apps on Apple’s app store. If this happens, we the users have literally no one we can hold responsible.

In light of this, it’s hard to make a case then that Apple is always looking out us. Can’t Apple do better in protecting us from hackers?

Before we discuss that, let’s pause to recognize that this is a problem not just with Apple but also every other major technology company, from Google to Facebook to Amazon, each of which is vying to become your gateway to the Internet.

And the problem is likely to get worse as more and more everyday products become part of the “Internet of Things” (IoT) — that is, cyberspace connecting every “thing” (like clothes, thermostats, watches, and cars) to each other — all managed and controlled by devices like Apple’s iPhone, Amazon’s Echo, or Google’s Android platform.

Already the so-called sandboxed ecosystems of mobile operating systems — where only approved apps are given limited access to their respective operating system resources — have been shown to be susceptible to hacks by other apps that do not have the same access authorizations.

Such issues are only likely to get worse as more IoT gadgets come online and as more information is shared by “situationally aware,” decision engines like Siri, Alexa, and Google Now, which need to know everything we do on different apps throughout the platform in order to belt-out those smart responses to our queries.

Further complicating this is that most IoT gadgets are created by companies that have little to no information security experience, or that are simply negligent. Many have been shown to have serious vulnerabilities, and we have already seen successful breaches into everything from “smart” toys to thermostats.

In between all this, we, the users, are left to fend for ourselves. Often breaches remain unreported, or even undetected. Many security flaws are found by security enthusiasts or accidentally stumbled upon by affected consumers, sometimes months after a breach. Worse yet, many users are oblivious to the problem and continue to use these gadgets. Why? Because there exists no single gateway to learn about the security of new products outside of the online feedback from other users, most of who have little technical understanding of security.

But there is something that companies like Apple and Amazon can do. And they could do it now.

First, iOS and Android operating systems have specific technical guidelines for app developers, but these are designed to protect their operating systems, not our data, from being “exfiltrated” — taken without our consent — out of a gadget that connects through the app. Here, technology companies like Apple and Amazon act as mere intermediaries that provide their platforms for exchanging products. Instead, such technology companies should create and mandate security standards that gadget makers must adhere to, providing standards of protection for all of us.

Second, app stores today function merely as software purchasing outlets. All they present is user feedback about an app’s functionality without communicating its security flaws or those of gadgets connected to or controlled by the app. This could be easily altered if companies like Amazon actively solicited more pointed feedback from users about apps and the products they connect to and about the types of security issues they have considered or encountered. Not only would this help all of us purchase safer technologies, but it would also shape our expectations about what we should be looking for when we purchase IoT gadgets and apps.

Third, a consortium of technology companies, including Apple, Facebook, and Amazon must develop a security rating system and a standardized system for displaying this information, much like we have star-rating systems for automobiles and warning labels on products. The system should be easy for the end user to understand, should proactively rate new gadgets and apps as they are introduced, and these ratings should be prominently displayed on the app stores and product packages. All technology users, no matter their technical competency, should have this quick way to assess the security implications of the devices they plan to purchase.

It is one thing for Apple to take a stance against government intrusions into our privacy, but it is another to do something to better protect our data from hackers.

A version of this post appeared on CNN: https://www.cnn.com/2016/03/02/opinions/can-apple-protect-us-from-hacking-vishwanath/index.html

Sign Up for Arun’s Newsletter

MonthMarch 2016

Is 2016 the year of online extortion?[Published in CNN]

Apple, want to show you really care? Protect us from everyday hacking [Published in CNN]