Cyber war being lost, some fear

Billions of dollars at stake as hackers target big systems, military.


Protecting cyber data

Here are some ways experts suggest protecting against cyber hacking of data:

  • Be careful what you open online and be suspicious of an email from someone you don't know. Some email attachments may contain computer malware.
  • Create stronger passwords with letters, symbols and numbers and change them more often.
  • Require more authentication to log in and operate on computer systems.
  • Encrypt data, including on a disk, to make it harder to break into.
  • Control who has access to certain information. "For instance, should an accountant have access to technical (intellectual property)?" asked Rusty Baldwin, a Riverside Research cyber expert. "Not likely. They probably do in some companies … so they could just download all that and walk out with it and no one will know it's been copied."
  • Pay attention to news reports of cyber hacks and follow instructions from information technology officers.

In the unseen world of cyberspace, a war is waged daily.

And some people think the bad guys are winning.

Cyber hackers have stolen unprecedented amounts of personal and employment information on millions of federal employees, pilfered closely held U.S. military and trade secrets and peered into cyber data on consumers held by retailers, a dating website, and a major health insurer.

The espionage has cost the economy billions of dollars, experts say.

In the Miami Valley alone, stolen federal employee data could potentially impact tens of thousands of workers and retirees. The biggest breach, revealed in June, resulted in the theft of federal security background information on 21.5 million people, including contractors and uniformed military personnel.

The intrusion is worrisome, said Thomas C. Robinson, an executive assistant with the American Federation of Government Employees Council 214, which represents thousands of Wright-Patterson Air Force Base workers.

“It’s pretty much your life story,” he said. “It doesn’t have your bank accounts, but aside from that it has pretty much everything.”

Beyond employment and consumer data, skilled hackers could potentially take over control of drones, water treatment plants, traffic lights and other vulnerable systems, experts say.

“I would say the country is at best inadequately prepared for a concerted cyber attack,” said Rusty Baldwin, director of research at the Cyber Center of Excellence at Riverside Research in Beavercreek.

Companies need to do more to protect themselves amid the growing number of cyber intrusions, said John S. Hermes, a Wright State Research Institute cyber systems security administrator.

“I will say the bad guys are winning right now in a big way because it is a money game and companies are not willing to spend the resources necessary to protect themselves,” he said.

Cyber attacks on military systems could have major national security consequences.

Hackers have allegedly stolen crucial design information on some of the nation’s key weapon systems — such as the F-35 Joint Strike Fighter, CV-22 and C-17 troop transports, Global Hawk drone, and advanced missile defense systems, according to Daniel Goure, a defense analyst with the Virginia-based Lexington Institute.

“There is no doubt that successful intrusion efforts by foreign countries have done extremely serious damage to U.S. and NATO security,” Goure said in an email to this newspaper.

“The situation has become so dire that a senior military officer responsible for advanced (research and development) on future weapons systems told a defense industry audience last year that if they want to protect their data they must put in stand-alone computer systems with no connections to the Internet,” he wrote.

Loren B. Thompson, a Lexington Institute senior defense analyst and defense industry consultant, said it’s hard to know exactly what hackers have stolen because the government often hasn’t disclosed details or may not know of an intrusion. Still, he said, evidence suggests “Russia and China have stolen terabytes of data from many of the nation’s most sensitive weapons programs.”

As the threats multiply, the nation’s military cyber ranks continue to grow. The United States has expanded cyber forces in each branch of the military and created U.S. Cyber Command with a target of reaching 6,200 personnel by 2018.

The military is halfway toward meeting that goal, said Lt. Col. Valerie Henderson, a Pentagon spokeswoman.

“We recognize the serious nature of evolving cyber threats and continuously bolster our cyber defenses and information technology capabilities to address increasingly sophisticated and capable adversaries,” she said in an email.

Cyber troops

The Air Force Institute of Technology at Wright-Patterson Air Force Base is training more cyber-security warriors in defensive and offensive operations.

The Air Force has directed the school to increase the number of cyber warriors it trains annually from 650 today to 950 by 2018, said Lt. Col. Joseph Wingo, AFIT director of cyberspace professional continuing education. AFIT is home to the school’s Center for Cyberspace Research and the Air Force Cyberspace Technical Center of Excellence.

“Cyberspace is a very active, active and contested domain and so that, of course, drives our need as a military to be prepared to defend ourselves and defend the nation in that domain,” Wingo said.

AFIT has minted about 3,000 cyber warriors since 2010.

“I think you can just flip on the news and see a lot of threats out there,” he said.

Cyber threats to defense contractors can have a ripple effect in the Department of Defense. “We’re so tightly knit and woven with all of our partners in industry that those are all crucial links, and weaknesses in one link in that chain can be felt by everybody in that chain,” Wingo said.

Cyber hacking of a commercial, off-the-shelf drone could potentially cause problems in the nation’s skies, Baldwin said.

That “should be a big concern because let’s imagine that someone’s parading their drone perhaps where they shouldn’t be near an airport and someone takes control of that and puts it into a flight path,” he said.

Cyber experts at Riverside Research, 2640 Hibiscus Way, demonstrated for the newspaper how a hacker can shut down a drone in mid-flight. The task was accomplished within seconds.

Baldwin said it’s “trivially easy” to take over many off-the-shelf drones with a smart phone because of unencrypted signals.

“If you can talk to the device, then you can access it and it will accept any command that anybody sends it,” he said.

Vulnerable citizens

Two disclosed cyber hacks of federal employees’ data files this year show how vulnerable personal information can be.

In one, 4.2 million federal employees’ files stored at the U.S. Office of Personnel Management were breached. In a much broader attack, security background files on 21.5 million past and current federal employees, contractors and uniformed personnel were stolen.

Some congressional leaders have publicly linked the source of the cyber theft to China, which dismissed the allegation as irresponsible and said it has been subject to cyber attacks itself.

“I would say the OPM hack was probably the most dangerous to the country simply because of the number of personnel that have security clearances,” said Timothy A. Shaw, director of operations at the Advanced Technical Intelligence Center in Beavercreek and a former FBI special agent in counter-terrorism.

“The type of information that is contained in those background investigations, it opens up a wealth of information for foreign counterintelligence agencies to exploit,” he said.

Goure said the hack of millions of past and current federal employees’ employment information was “a golden opportunity for foreign espionage services to blackmail U.S. citizens, government officials and military personnel.”

Hamilton resident Mona Lisa Boettjer was notified her federal employee personnel file was among the millions stolen. The retired U.S. Environmental Protection Agency budget analyst and Army veteran worried what was lost could lead to identity theft.

“They could start a new life with your name and Social Security (number),” said Boettjer, 60. “…It’s just worrisome that stuff like this happens.”

“It seems like the government is an easy target for hackers,” she said.

Randy L. Smiley, a Wright-Patterson branch chief for Global Hawk drone international sales at the Air Force Life Cycle Management Center, remembers the “turmoil” the theft of his credit card information caused and hopes he won’t have to face problems this time with the cyber hack of employee data.

“I have not noticed anything. It’s just the fear of not knowing,” said Smiley, 60, an Air Force veteran. “You’re going to buy a new car or something like that, and somebody will say, ‘Oh, you don’t have any credit.’ … Are we going to wake up one day and find our identity has been stolen?”

U.S. Rep. Mike Turner, R-Dayton, brought up the concern Thursday in a House intelligence subcommittee hearing on worldwide cyber threats.

“I have thousands of individuals in my community at Wright-Patterson Air Force Base that are very concerned about the data breach,” he said at the hearing.

The more than 100-page questionnaire, known as an SF-86, to obtain a security clearance “includes a significant amount of sensitive, personal information” such as mental health records, personal finances and family members’ work history, Turner has said. The trove of data includes an applicant’s fingerprints, current and past addresses, and the names and birth dates of family members.

Federal Bureau of Investigation Director James Comey told Turner authorities do not believe the data was stolen to harm employees’ credit status, and he questioned the effectiveness of setting up credit monitoring to ease employees’ concerns.

“I feel like that’s buying people flood insurance when their neighborhood just burned down,” Comey told the hearing audience. “The fire is what I’m worried about.”

No ‘silver bullet’

OPM and the Department of Defense this month announced a $133.2 million contract with Identity Theft Guard Solutions to protect against identity theft of the 21.5 million past and current federal employees whose data was stolen. According to OPM, each individual, and their children under age 18, will be provided credit and identity monitoring, identity theft insurance and identity restoration services under the three-year contract. Federal authorities were set to begin this month notifying people who were affected.

“Employees want to know how to minimize harm to themselves, their financial situation, their privacy and that of their families,” Robinson said.

In the midst of the massive data breaches, Congress has pending cyber security legislation that calls for strengthening protections of computer networks and voluntarily sharing information between companies and the government on cyber security threats.

One closely watched bill, known as the Cybersecurity Information Sharing Act, has stalled in the Senate over privacy concerns.

Experts say there is no perfect solution for protecting against cyber intrusions.

The best defense is a human being, said Hermes, also an ATIC cyber instructor in Springfield.

“Basically, hackers are human beings and they use tools and processes to break in,” he said. “The only way you can meet a human being with tools and processes is with another human being with their tools and processes.”

Hacks occur every day “and we don’t know it,” Hermes said.

“There’s no such thing as a silver bullet,” he said. “No magic box that can protect you. You have to have human beings that understand your network and understand your need for data security and can detect the problems as they occur.”
