State-sponsored cyberwarriors are infiltrating nuclear power plants and blackmailing multinational companies. Hacking gangs are breaking into ATMs. Safety advocates are hijacking cars wirelessly — taking control of steering and brakes from drivers — as a warning about onboard vulnerabilities. Has the internet ever seemed scarier? Yes, elite professionals are finding ingenious ways to gain entry to government, industrial and financial networks. Cybersecurity lapses have also left some companies shockingly exposed. Still, when it comes to everyday security — of bank accounts and credit cards — the good guys actually have the upper hand.
After a U.S. presidential election marked by leaks of hacked emails, President Donald Trump is expected to order his budget director to oversee an effort to modernize the executive branch's information technology and better secure its data. During the campaign, almost 20,000 Democratic National Committee emails were posted online, including pro-Hillary Clinton messages sent by officials who were supposed to remain neutral. U.S. intelligence agencies later concluded that Russians, hoping to influence the outcome in Trump's favor, were responsible, a charge that Russian President Vladimir Putin denies. In March 2016, hackers stole more than $100 million from Bangladesh’s foreign reserves; only $20 million has been recovered. In June 2015, U.S. officials reported that Chinese hackers had breached the computers of the Office of Personnel Management, stealing records of as many as 21.5 million current and former federal employees. China was also tied to data thefts from health-insurance providers Anthem and Premera earlier in the year. That was bad news that was really bad. Other bad news has turned out better. In November 2015, VTech Holdings Limited, a Hong Kong-based toy company, revealed it had been hacked and that the data of 6.4 million children — including names, birthdays and genders — and that of 4.9 million parents was compromised. But no credit card data appears to have been stolen. In May 2014, Target was beset by revelations about the theft of 110 million payment-card numbers. It turned out that the numbers were mostly useless to the thieves because the PIN codes were encrypted and banks swiftly cancelled most compromised accounts. Experts issued stern warnings of more mayhem to come after a security company reported in June 2014 that cyber-attackers had disrupted a hedge fund’s high-speed trading network. On closer inspection? The attack never happened.
The first famous hacker was Robert Tappan Morris, the son of a National Security Agency computer scientist, who in 1988 unleashed an Internet attack that crashed thousands of computers. He said a research project got out of control. More than 20 years later, a computer worm called Stuxnet disabled almost 1,000 centrifuges at an Iranian nuclear facility. It was traced to U.S. and Israeli intelligence. Now hackers and the governments that hunt them buy programming code on the same global black markets. Talented hackers can make hundreds of thousands of dollars or more selling a single, well-crafted attack program. Still, breaches like Stuxnet are beyond the capacity of all but the most elite specialty hacker, usually state-sponsored, and the vast majority of threats can be blocked.
Effective data security involves up-to-date technology, but also expensive human monitoring of voluminous logs and alerts. Technology can stop low- and medium-level threats. It can’t do much to neutralize inattentive people who use easy-to-steal rudimentary passwords. Hardware and software makers have added more encryption since 2013, when Edward Snowden revealed the extent of the U.S.’s ability to monitor computer data. Because some encryption techniques can make evidence impossible to retrieve with a warrant, they may not ultimately survive court tests. Even in serious breaches, such as the 2014 hacking attacks on JPMorgan, consumer protections are likely to prevent individuals from suffering financial losses. And banks can reverse or block fraudulent charges instantly so consumers can keep spending. So what’s the current state of cybersecurity? It’s both the worst it’s ever been — and the best it’s ever been.
The Reference Shelf
- Bloomberg News articles: “How Hackers Took Down a Power Grid” and “How to Hack an Election.”
- From Wired: “Hackers Remotely Kill a Jeep on the Highway — With Me in It.”
- NATO’s history of cyber-attacks.
- The New York Times traced the origin of the Stuxnet attack against Iran and the National Security Agency’s penetration of the Chinese network-equipment maker Huawei.
- The security expert Bruce Schneier blogs about cyberwar and online espionage.
First published July 10, 2014
To contact the writer of this QuickTake:
Jordan Robertson in Washington at firstname.lastname@example.org
To contact the editor responsible for this QuickTake:
Jonathan Landman at email@example.com