As individuals and businesses alike continue to rely more on technology, cyber threats constitute a persistent threat to privacy, economy, and national security. Cybersecurity remains a complex issue: Not all cyber threats are the same, nor is there one-solution-fits-all response for them.
The incoming Administration and Congress should take cyber issues seriously by increasing support for private businesses, continuing to share threat information, and developing ways to work more closely with international partners.
Refuse to Negotiate with Ransomware
Over the past year, the cyber threat environment has seen notable shifts, at some very high financial and social costs. The threat of ransomware attacks—hackers taking control of users’ digital information and charging ransom, at the threat of having that information publicized, sold, or destroyed—has grown tremendously. In April 2016 alone, the FBI reported that 2,400 complaints of ransomware had been filed and losses to ransomware amounted to $209 million.1 Only a fraction of that—$24 million in losses—was reported in 2015.2
The San Francisco Municipal Transportation Agency’s system was taken over in early December 2016 by hackers demanding $73,000 worth of electronic currency in exchange for decrypting the data.3 Medical facilities remain a common ransomware target due to their low security and high reliance on digital records. The Hollywood Presbyterian Medical Center paid $17,000 in February to have its systems restored.4 Means of preventing ransomware are few outside of maintaining good cyber hygiene, backing up files, using strong passwords/encryption, and keeping software up to date.
The Ponemon Institute records that of the 64 companies surveyed, the average annual cost of a data breach was $7 million—an annual increase of 1 percent in every year for the past three years.5 The RAND Corporation observed from 602 selected cyber events that the average cost of a cyber breach was $5.9 million. Though RAND also concludes that after accounting for outlying major cyber events, firms may only typically experience a cost of $170,000.6 RAND’s numbers almost double (to $9.2 million and $330,000, respectively) for cybersecurity incidents such as a malicious cyber attack.7
The Dos and Don’ts of Denial of Service
A second growing threat to cybersecurity comes from distributed denial of service (DDoS) attacks, in which multiple computer or Internet-facing devices attempt to access a target’s system simultaneously to the point that it overloads and subsequently renders the victim’s system inoperable.
In September, malware known as Mirai was released to the public.8 Mirai allows hackers to scan the Internet for weakly protected devices synonymous with the Internet of Things (IoT) to be used in a botnet (a group of Internet-accessible systems that hackers can control remotely).9 At the time of its release, Mirai was capable of infecting anywhere between 380,000 and 560,000 devices worldwide.10 Another malware, known as Bashlite, is reported to be capable of infecting more than one million devices.11
A month after its public release, Mirai and possibly other botnets were used in a DDoS attack to temporary disable Dyn, a domain name service that allows Internet users to connect with popular websites such as Twitter, Netflix, and The New York Times.12
For the future of Internet and device security, businesses need to come to terms with security through voluntary standards. For Internet-facing devices, the Department of Homeland Security’s Strategic Principle for Securing the Internet of Things is one possible path forward.13
The greatest quadrennial event in U.S. politics, the presidential election, took place in 2016. Over the past year, a number of breached databases have led to the exposure of voter information. While this information typically does not contain any financial information or Social Security numbers, it may contain names, political-party affiliation, contact information, and date of birth. Individual states typically regulate whether voter information is publicly accessible. Regardless, this swath of information could potentially be used to defraud or scam voters.
In December 2015, researcher Chris Vickery came across a publicly available voter database with upwards of 191 million registered voters’ information.14 While there were only 142 million register voters in 2014, information in the database goes as far back as 2000 and could possibly contain the information of deceased registered voters. The database has since been taken offline.
In June 2016, Vickery came across another database listing 154 million U.S. voters’ information, along with proof that the information had been accessed outside the U.S.15
Also in June 2016, the Democratic National Committee (DNC) announced that its network systems had been compromised in 2015 and 2016. Private security firms first attributed this breach to the Russian intelligence agencies Main Intelligence Directorate and Federal Security Service.16 The FBI and government officials have since joined those firms in attributing the breach to Russia, with the White House announcing it will deliver a proportional response.17 While publicly naming international actors is necessary for garnering international support against perpetrators, so is exercising authorized response—such as Executive Order 13964, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”18
Because of the difficulties presented by cyber incidents, such as determining the responsible party, the risk of a successful attack or breach, and a proportional response, Congress and the Administration should:
- Increase support for private businesses. The private sector is the backbone of the U.S.’s technical infrastructure, and it is a crucial component for updating, upgrading, and strengthening the nation’s cyber infrastructure. Cyber incidents will doubtlessly occur. Instead of chiding victim companies or hindering them with conflicting regulations, the government should continue highlighting the benefits of having good cybersecurity and maintaining a secure and open Internet.
- Work with international partners. The U.S. is a key hub in connecting the world’s information technologies. Malicious actors can use the U.S.’s own systems to attack American companies without having to be physically present in the U.S. The government should work with businesses with a global presence in securing their technologies, as well as with other governments to crack down on hackers around the world.
- Continue sharing threat information. The sharing of threat information can mitigate the risk cyber threats pose to companies. The government should encourage businesses to continue using both formal and less formal threat-sharing mechanisms, through the Cybersecurity Act of 2015 or though Information Sharing and Analysis Centers, for example. Information sharing should take place not simply with regard to persistent threats, but also with regard to how such threats may come to fruition and their consequences.
Known cyber threats will continue to prey on systems without proper defense and new threats will emerge as legacy-physical and cyber systems are haphazardly connected with newer devices and network systems. Cyber attacks are on the rise and will continue to be of concern for the foreseeable future. The U.S. government and companies must remain vigilant in face of these growing threats.
—Riley Walters is a Research Associate in the Douglas and Sarah Allison Center for Foreign Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.