WASHINGTON, D.C. - Reports surfaced this week of hackers with ties to the Russian government systematically targeting Western energy companies in a wide-ranging instance of cyber espionage.
The group, known as Energetic Bear or Dragon Fly, attacked more than 1,000 organizations, including oil, gas and financial services companies, over an 18-month period in more than 84 countries, including the United States.
If that sounds like something out of a 21st century James Bond movie, you’re not far off the mark. The increasing confluence of technology and governance has made combatting cyber threats a key focus for countries around the world. President Barack Obama has said these threats are “one of the most serious economic and national security challenges we face as a nation.”
Just this past March, Secretary of Defense Chuck Hagel announced plans to increase dramatically the size of U.S. Cyber Command, the country’s cyber warfare unit, to 6,000 people by 2016. Such a move would make Cyber Command one of the largest cyber-espionage agencies in the world.
Although the danger of cyber security threats has grown, the federal government apparently is ill equipped to deal with them. In last week’s podcast, we examined a recent GAO report that said federal agencies are reporting a 30% increase in the number of cyber instances over the last three years.
But these same agencies don’t quite know how to deal with these threats or stop them from happening again. How are cyber intruders getting into some of the most advanced computer networks on Earth?
Oddly enough, big intruders such as China use the same techniques to hack into U.S. systems as a shady spammer trying to access your bank account -- by getting people to click on a link on their Facebook page or in their email account.
“China overwhelmingly uses social media and fishing emails,” Richard Andres, professor of National Security Strategy at the U.S. National War College explained to DecodeDC. “The problem is that people click on the links.”
While there are a number of factors that contribute to why the U.S. government struggles to address these threats - from budgeting to bureaucratic red tape - most experts agree that America can move a long way towards improving its defensive capabilities with just a few simple changes.
“(The Department of Defense) is awesome at some of the most complex things you can do at cyber defense … great at that stuff,” Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council told DecodeDC. “But some of the basic stuff, just patching simple systems or knowing what’s connected to your network - they’re bad at the basic stuff but awesome at the advanced things. Because doing the basic stuff isn’t sexy and the U.S. government needs to focus on that unsexy basic stuff.”
Peter W. Singer, a former consultant to the U.S. military and co-author of the book “Cybersecurity and Cyberwar: What Everyone Needs to Know” agrees with that analysis.
“As sophisticated as this all sounds, basic cyber hygiene would stop 94 percent of all attacks,” Singer told DecodeDC. “And as sophisticated as the threat might seem, the reality is they’ve consistently gotten in through low level pathways. They’re persistent, they’re advanced, they’re smart but the point is we’ve made the attackers’ job easier than it needs to be.”
While the number of attacks can sometimes be startling, there’s also a difference between most of those attacks and sophisticated cyber warfare campaigns, like the famous Stuxnet virus that state actors are capable of deploying.
“Stuxnet, the digital weapon the U.S. created, illustrates you can do physical things with digital weapons. There are real dangers here,” Singer says. “It also illustrates that it’s not as easy as it’s too often portrayed. It’s not something just a couple of teenagers sitting in their basement sipping Red Bull can do as is too often claimed.”
As scary as this all sounds, the growing number of cyber attacks is in many ways just part of the territory today in a society where everyone is constantly connected.
“There’s nothing in the GAO report that isn’t true of everyone on the Internet,” Jason Healy says. “Everyone is trying to get everything always and in all ways.”
Improving America’s ability to combat cyber threats will depend on keeping up with the change and pace of technology faster than those trying to get in.
DecodeDC's foremost aim is to be useful. That means being a reliable, honest and highly entertaining source of insight and explanation. It also means providing multimedia coverage of Washington's people, culture, policies and politics that is enlightening and enjoyable. Whether it's a podcast, a video, an interactive graphic, a short story or a long analysis, it will be based on this guiding principle: We are in DC but not OF DC.