Our growing cyber vulnerabilities show that one month of national awareness a year has done little to alert Americans to the tremendous vulnerabilities of cyber systems used by the government, businesses, and social media.
On October 5, on “60 Minutes,” James Comey, the Director of the Federal Bureau of Investigation (FBI), all but gave up in the face of China’s massive hacking, which causes untold billions of dollars in damage to the U.S. economy.
“There are two kinds of big companies in the United States,” he said. “There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”
But the Chinese are not alone. Nor does hacking end with banks and the financial industry. In March the computers of the U.S. government’s Office of Personnel Management were compromised. Last July the database of the contractor that does background security investigations for the Department of Homeland Security (DHS) was breached.
Yet, the President and Congress have failed to create a legal framework to allow the private sector actions that would strengthen our mostly defenseless cyber systems.
The Department of Homeland Security complains that budget cuts do not allow the hiring of top cybersecurity experts. What is JPMorgan Chase’s excuse?
The October 2nd regulatory filing by JPMorgan Chase, following earlier news of the bank’s hacking, revealed that 76 million “households” and 7 million small businesses were affected. Since a “household” may have more than one account holder, and “small business” involves unknown numbers of clients and suppliers, the real figure of those affected is surely much larger.
The bank gives assurances that there is “no evidence” that their customers’ “account information, account numbers, passwords, user IDs, dates of birth or Social Security numbers” were compromised. However, the hacking went on for some three months before the bank noticed something was wrong.
According to Bloomberg, the hacker(s) exploited a defect in one of the bank’s websites that “unleashed malicious programs designed to penetrate the corporate network…the intruders reached deep into the bank’s infrastructure, siphoning gigabytes of information.” This includes names, addresses, phone numbers, email addresses, as well as credit cards, and investments of more than 83 million customers, as well as an unknown number of the bank’s former account holders.
Despite the huge loss suffered by U.S. businesses, there is a strange reluctance to invest in cyber defense in the absence of government leadership. Such an attitude is common not only among U.S. businesses. Earlier this week, PwC together with CIO and CSO magazines released the “Global State of Information Security Survey 2015,” which surveyed some “10,000 executives and IT directors in 154 countries… [and] reveals that global corporate security budgets have fallen at a time when cybersecurity breaches are rising dramatically. Of even greater concern is the fact that corporate boardrooms seem determined to adopt ostrich-like behavior and ignore the problem.”
This is despite innovative cybersecurity technology that has already been developed by American scientists at national laboratories, with American taxpayers’ money. Last month, Sandia National Laboratories in Albuquerque announced a new partnership with the Department of Homeland Security. Sandia will use its innovative testing technology to assist with the DHS Transition to Practice (TTP) program to help move federally funded cybersecurity technology over the government’s bureaucracy (aka the “valley of death”) into broader use.
In 2012, Los Alamos National Laboratory announced the development of a “revolutionary technology entitled ‘QKarD’ that implements the quantum mechanical laws of physics rather than complex mathematical problems to encrypt information.” A year later, the portable, wireless, easy-to-use QKarD Quantum Smart Card was announced.
The Card can be used to secure data and communication in electric grids, wireless communication and the Internet, banking, and much more. The group that developed the technology has obtained private funding to commercialize it, but apparently not to advertise it. Otherwise, it would be reasonable to assume that the President would have boasted about this homegrown innovation, or at least ordered DHS to use it to better secure the country’s critical infrastructure.
Similarly, innovative technologies to counter cyber and other attacks have been developed, but without redundancy, the move to wireless technologies seems to have weakened our ability to withstand a massive cyberattack that could devastate the country’s economy and jeopardize U.S. national security.
Clearly, one month of national awareness a year is not enough.