Cyberattacks: President Obama last Friday, October 17th, signed an Executive Order (Improving the Security of Consumer Financial Transactions) to help combat the ongoing huge cybercrime risk. Recent estimates suggest 100 million cards have been compromised this past year alone at a cost of up to $575 billion. JPMorgan Chase had 83 million compromised accounts in their recent attack despite that organization being one of the highest spenders on information security.
The Executive Order initiative, BuySecure, will lead by example by requiring "Chip and PIN" technology on all Federal financial transactions where citizens are conducting business with the Government, executive departments and agencies. All payment processing terminals acquired by agencies through the Department of the Treasury no later than January 1, 2015 will include hardware necessary to support the enhanced security features. By the same date the Department will have developed a plan to install software to support the enhanced security features.
The order also includes 'Improved Identity Theft Remediation' to reduce the amount of time necessary to remediate incidents of identity theft via the Internet Fraud Alert Center. The last requirement in the new Executive Order is 'Securing Federal Transactions Online' by developing a plan, within 90 days, to ensure sensitive data shared is protected "consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace." This will require multiple factors of authentication and an effective identity proofing process, as appropriate, with any necessary implementations to achieve this goal within 18 months.
Several retail companies are joining this effort, including Home Depot and Target, victims of recent large-scale breaches, by rolling out Chip and PIN capabilities in their stores, most by January 2015. Chip and PIN has been used widely in Europe for some years with success, although there are known, albeit esoteric, so-called "man-in-the-middle" hardware attacks which can theoretically defeat the technology.
This is all well and good and certainly a step in the right direction. However, of the $575 billion in cybercrime loss estimates, up to a third of that amount, according to McAfee and the Center for Strategic and International Studies, is attributed to Intellectual Property (IP) theft. Yes, Identity Theft is, to be sure, a real heartache for consumers and for the financial services firms who have to bear the cost, but the flow of critical IP from defense contractors and the Federal Government to Nation States is where a huge impact to National Security might come into play.
Sensitive design data for the outrageously expensive ($1 trillion) F-35 Joint Strike Fighter is known to have been targeted by hackers on several occasions, likely from aggressive Nation States seeking to shorten their design cycles for their own next-generation fighters. China's J-31 visually bears a striking resemblance to the F-35.
Why bring this up now? Because the US and the rest of the world are massively distracted by many unrelated events (military action in the Middle East, Ebola, and Ukraine, just to mention a few), and when no one is paying attention to critical infrastructure it is the perfect time to attempt to penetrate critical US infrastructure and key defense contractors. Maybe that is the reason for the recent spate of attacks. There have been theories Russia might have been involved as retaliation for recent sanctions levied against that country.
The US must be vigilant in areas containing key IP as well as about the resilience of the Internet, which the US and its allies require to wage war. ISIS certainly has sufficient funds to hire mercenary cybercriminals who would be delighted to wage attacks as simple as Denial-of-Service to disrupt and hamper US defense and communication networks, let alone deploying custom malware to exfiltrate military secrets or attack plans.
Where's the Executive Order focusing on those elements of our defenses? The White House did announce they would host a Summit on Cybersecurity and Consumer Protection. How about DHS hosting a Summit on protecting the National Critical Infrastructure? It has been some years, to my recollection, since one of those has been held. SCADA attacks are known to exist: there is the 'somebody' who created one against Iran's nuclear enrichment centrifuges. SCADA (Supervisory Control and Data Acquisition) is the system and protocol that, through remote network communications, enables many industrial plants, transportation facilities, water treatment, and power plants to monitor and send command instructions to a variety of machines and devices.
What happens if one is launched against Nuclear Power Plants? I shudder to think. Hopefully someone is paying attention to those networks, as most of the recent attacks on Home Depot and Target were due to lack of network segmentation and the insistence on running Point of Sale systems on the known-to-be-vulnerable Microsoft Operating Systems. A number of US cyberdepartments do use Apple-based machines, but I'm guessing there is a lot of very important data in the government residing on Microsoft-based machines.