Over the last few months, cybersecurity (and specifically “hacking”) has been at the epicenter of the national conversation. These issues have been in the news now more than ever primarily as a result of our recent presidential election and allegations by intelligence officials and others that Russian hacking of the Democratic National Committee (DNC) (and others) altered (or tried to alter) the outcome of our presidential election. It seems like almost every day, especially in late December and early January, there was an article, update or new revelation about Russian hacking, the DNC, calls for congressional hearings, Fancy Bear or sanctions.
The President Elect has tweeted repeatedly about Russian hacking, keeping the cybersecurity issue front and center in the minds of Americans.
Now usually, when there is a major cybersecurity story in the news (think Target, Home Depot, Yahoo!) cybersecurity professionals welcome the exposure (if not the incident), because the result of the attendant media attention often drives cybersecurity awareness leading to folks to be more concerned about how to protect themselves and their companies, as they should be.
The allegations of Russian hacking of our elections might mark a significant departure from this typical, cybersecurity incident silver lining, however. Here’s two reasons why:
- According to a new CNN/ORC poll, while nearly 2 in 3 democrats believe Russian hacking “ruined Democratic candidate Hillary Clinton’s chances,” only 10 percent of Republicans agree. (Source: theblaze, “Poll: Majority of Americans believe Russian hacking did not impact election outcome,” January 17, 2017, citing CNN/ORC poll). Party affiliation is influencing views on this particular cybersecurity incident. Republicans want to “move on” and blame the DNC for operating insecurely. Democrats want hearings and sanctions. Ultimately, a cyberattack is a criminal action. What we want in a post attack “lessons learned” analysis is an open discussion about how to prevent such attacks in the future. With Americans so divided over the Russian cyberattack, it seems highly unlikely that will happen. It seems this incident makes it actually more likely that future cyberattacks will produce similar arguments on effect, attribution and fault, further limiting any positive outcome for the good of the country or any community.
- Over exposure. Every day, another Russian hacking story. There is every indication that this Russian hacking conversation is simply too much for people to digest and make sense of, especially in any detail. Honestly, how many Americans have read deeply into any of the stories or reports to understand who Crowdstrike is, who Fancy Bear or Cozy Bear are, what a SeaDaddy tool is, what operation “GRIZZLY STEPPE” was, or, in the case of John Podesta’s email hack, how multi-factor authentication might have prevented the incident in the first place (or what MFA is, anyway)? When something is overwhelming, like this story has been, folks don’t embrace and learn from it, they run the other way.
Cybersecurity is a life and death matter, as shown by a recent Hamas operative cyberattack aimed at Israeli troops to learn their whereabouts and movements.
All of this presents a real problem in terms of increasing cybersecurity awareness and motivating people to act securely and responsibly in their personal and professional lives, especially considering what’s at stake and what lies ahead.
In the very near future, the Internet of Things will create for us a world of Internet-connected devices. Projections vary, but conservative estimates indicate there will be as many as 24 billion connect devices by 2020 (think shoes, TVs, clothes, cars, crock pots, refrigerators as well as factories and the machines in our power plants and water treatment facilities) (Source: Business Insider, “The IoT 101 Report: Your essential guide to the Internet of Things, January 12, 2017). With so much of who we are and what we do on the ‘Net, we need people to be more concerned and more united around resisting cybercrime, not less.
As for what’s at stake? Consider a recent story about Hamas’ use of a cyberattack on Israeli soldiers. Hamas operatives posed as cute girls in texts with the soldiers. The goal was to get the soldiers interested, get them to agree to a video chat, and then have the soldiers download what they were told was a video chat program that would let them connect. In reality, the chat app, called WoWo Messenger, was a delivery method for malware, the intent of which was to provide information on troop location and movements to Hamas for military operations. (Source: BleepingComputer, “Israeli Military Tricked Into Installing Malware by Hamas Agents Posing as Women,” January 16, 2017). The lesson is clear: cybersecurity is no longer about hacking enthusiasts “messing with” companies or the government just to show they can. Cybersecurity, very often about money, theft and fraud, is also about life and death, and as such should be addressed deliberately, carefully, intellectually and ultimately with a united front to be successful.
Will the recent Russian hacking incident make Americans care less about cybersecurity? It may be too early to tell. But the lessons for savvy business and organizational leaders couldn’t be more clear. Stay focused. Hacking is very real, and it is increasingly being done in more sophisticated ways by foes near and far. Put politics aside, understand the criminal intent of those that would do you or your organization harm, understand the environment and what’s at stake, and then act accordingly. It’s only going get tougher from here on in – let smarts, vision and courage be your guide.