I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.
Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.
In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team). Customers of 55 U.S. health care providers were hacked, the biggest Anthem, which did not encrypt social security numbers.
Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.
Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).
The proliferation of ransomware _ which holds data hostage _ is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.
The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.
The U.S. government has not proven itself an trustworthy bearer of data; protection efforts fall short.
On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities. Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.
Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.
“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June. Weakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”
So all the 2015 security news isn’t bad, after all.