By The #CyberAvengers
Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma, and Christophe Veltsos
Originally Published on Levick on May 8th, 2017
Let us take a headcount of recent events: the attack on the Ukraine’s electric grid, a LinkedIn data dump as a result of a 2012 breach, the information warfare campaign surrounding the US Elections, a peculiar “Google Docs” app involved in a massive spear-phishing campaign, and most recently, another information warfare campaign aimed at the French Elections. Do not forget our ”good ole friends” – North Korea, Iran, and Syria, just to mention a few – are well into the cyber game and ready to pounce on the next database which has been left unguarded, unencrypted, and unprepared to thwart an attack.
As the disc jockey says, “and the hits keep on playing!”
Despite increased “cybersecurity talk” since the Office of Personnel Management (OPM) breach, great strides in Federal IT security improvement are not apparent.
Despite loads of Congressional attention, there is only one piece of credible legislation to show for, the Cybersecurity Information Sharing Act (CISA).
And despite the billions spent on cyber defense measures, we seem to wake up every morning to news of some type of new breach, making it feel like Groundhog Day.
With each new breach, some nation state, cybercriminal, or terrorist group has gotten their hands on our personal information (and that of our spouses, kids, and parents) all in an effort to exploit us further, whether it is a wire transfer scam or an attempted run at the crown jewels of whoever employs us. Coupled with publicly available information that we – and our family, friends, and co-workers, and businesses, services, and not-for-profits – post online, and that which is available through workplace and government listings, seemingly tiny and unrelated pieces of information, once collated, become a powerful weapon for the adversary.
The adversary will not hesitate for one moment to use this information against us should it meet their interests.
We cannot overemphasize this issue enough: spear-phishing and pretexting tactics work and they work extremely well. And government employees are by no means exempt or necessarily protected from these social engineering attacks. Once that email makes it past the firewalls, the spam filters, the anti-virus and the artificial intelligence onto your device (which it can and does), you – and you alone – are the last line of defense.
So why have we been so completely unsuccessful in defending our data? There are enough reasons to numb you:
Silo mentalities of various agencies, groups, and companies;
- Unsubstantiated hype of vendor strategies designed to work together, but in practice are disjointed;
- Never-ending shortage of skilled cyber professionals;
- Perpetual lack of money, time, and attention the issue truly needs;
- Basic naivety of the user; and
- A fundamental misunderstanding of issues and terms.
Do people really understand the intricacies and complexities the cybersecurity challenge presents? How much do the US House and Senate really care to understand these intricacies and complexities?
We do not need to spend another year, or election cycle, or decade debating across party lines or through political filters when there are actionable steps that support a unified American interest, regardless of party or ideology.
The country’s most important secrets are at stake. The country’s ability to function relies on these backbone networks. And the country’s inability to find common ground or develop a basic understanding of the challenges – for decades – has gotten us into this mess.
For these reasons, we offer practical and actionable steps to help defend the nation. We offer a five-point plan, much of it easy to implement, but will require effort. We are not asking anyone to move mountains. Rather, we ask those responsible to take the necessary and sufficient steps to move some of the valuables to higher ground.