In 2020, hackers threatened to release thousands of Finnish psychotherapy patients’ records to the internet unless they paid a steep ransom. Meanwhile, just last month, U.S. authorities uncovered a ‘Swiss Army Knife’ for hacking industrial control systems. “The malware toolkit, known as Pipedream, is perhaps the most versatile tool ever made to target critical infrastructure like power grids and oil refineries.” (Wired) So yes, we have a problem. Wired sums up last year’s hacking news: “As John Scott-Railton, senior researcher at University of Toronto’s Citizen Lab, puts it, ‘2021 is the year where we’re realizing that the problems we chose not to solve years or decades ago are one by one coming back to haunt us.’” (December 24, 2021)
The worst hacks of 2021 included:
Colonial Pipeline: In early May, ransomware hit Colonial Pipeline, which operates a 5,500-mile pipeline that carries nearly half of the East Coast’s fuel—gasoline, diesel, and natural gas—from Texas all the way to New Jersey. As a result of the attack, the company shut down portions of the pipeline both to contain the malware and because the attack knocked its billing systems offline. As lines grew at gas stations through the southeastern US, the Department of Transportation released an emergency order to allow expanded fuel distribution by truck. The FBI also named the notorious Russia-linked ransomware gang DarkSide as the perpetrator of the attack.
Lily Hay Newman, “The Worst Hacks of 2021” at Wired (December 24, 2021)
Also according to Wired, JBS USA, “the world’s largest meat processing company, suffered a major ransomware attack at the end of May” in 2021.
Here’s a list of the ten worst known hacks including the FBI hack:
In November 2016, the FBI had one of the worst computer hacks in its history. After their entire database was hacked, the identities of every undercover FBI and Homeland Security agent in the United States were released to the Dark Web. This didn’t only compromise lots of ongoing FBI operations, it also endangered the lives of many of those agents whose covers were blown.
To make the story even weirder, the person accused of this attack was a 15-year-old kid from England. Apparently, in the internet age, a kid with a laptop can be more devastating than an entire armed mob.
Omar, “Top 10 Computer Hacks of All Time” at All Time Lists (February 5, 2018)
We have begun to hear more and more about the state-sponsored hacker. In 2021, a decade after the event, Wired could finally tell the full story of the “stunning” 2011 RSA computer security firm hack in which Chinese spies stole the “crown jewels” of U.S.-led cybersecurity for the Chinese military:
The RSA breach, when it became public days later, would redefine the cybersecurity landscape. The company’s nightmare was a wake-up call not only for the information security industry—the worst-ever hack of a cybersecurity firm to date—but also a warning to the rest of the world. Timo Hirvonen, a researcher at security firm F-Secure, which published an outside analysis of the breach, saw it as a disturbing demonstration of the growing threat posed by a new class of state-sponsored hackers.
Andy Greenberg, “The Full Story of the Stunning RSA Hack Can Finally Be Told” at Wired (May 20, 2021)
What to do? Computer security expert David Kruger talks realistically about the reforms the industry doesn’t want to enact, which is a key part of the computer security problem. There are two reasons for not wanting better security:
The market capitalization of HDCs (human data collectors) that depend primarily on the unfettered collection of raw human data to generate advertising revenue (Google, Facebook, and others with similar business models), isn’t predicated on their technology, intellectual property, or their physical plant, it’s predicated on the value of the human data they hold and their unimpeded ability to continue collecting it. The value of their human data holdings will plummet unless it is continuously “topped up” with raw human information.
David Kruger, “How software makers will push back against reforms” at Mind Matters News (May 16, 2022)
Easier security means easier theft. But that’s a price many may be prepared to pay for the greater potential for profit from selling human data that the current system allows.
Second, there’s a decades-long conflict over this issue within the law enforcement and security sector:
When it comes to cybersecurity, law enforcement and the intelligence community are divided into two camps: those responsible for keeping data safe, and those who want unfettered access to data to protect individuals and the country. The latter group will lobby hard against the root cause fix described in Part One because it requires ubiquitous strong encryption to protect data in storage and in transit. The conflict that has been going on for decades is referred to as the “crypto wars.”
Based on past experience, the intelligence and law enforcement officials who disfavor ubiquitous strong cryptography will inevitably accuse pro-encryption folks, including policymakers pushing for policies listed above, of aiding child pornographers, drug cartels, human traffickers, and terrorists. Pro-encryption policymakers should expect to be smeared. The anti-encryption narrative will focus on a special class of victims, not all victims.
David Kruger, “How software makers will push back against reforms” at Mind Matters News (May 16, 2022)
Divided motives are probably part of the reason government and industry efforts tend to be ineffectual. But now at least we can hold our own at the water cooler against someone who has read about the latest hack and is quite sure he knows the simple answer to all our problems…