Putting up a firewall and being done with cybersecurity is so 2005.
“Things are moving so quickly, keeping up has become overwhelming,” said Chris Bronk, a cybersecurity expert at the University of Houston. “I have students working on a report out of the Department of Homeland Security from three months ago. It’s ancient history.”
Industry, academia and governments are addressing the issue, but there is no silver bullet. Nor, in the public sector, is there much available funding for updated infrastructure and other safeguards.
“No one says cybersecurity isn’t important, but if you ask what they have done, most likely the answer is ‘Nothing,’” said Larry Shi, a computer science associate professor and principal investigator on a project to limit cyber threats to 911 systems. “There is no money.”
And in some ways, even the basic questions have changed.
Managing a moving target like cybersecurity isn’t easy, as threats multiply.
While investigations into Russia’s role in the 2016 U.S. presidential election are on-going, the issue mushroomed when Wikileaks released documents describing sophisticated tools used by the Central Intelligence Agency to break into smartphones, computers and Internet-connected televisions as part of its espionage operations.
Emergency 911 call centers in a dozen states were overwhelmed over a 12-hour period last fall in what investigators say was the largest-ever cyberattack on the U.S. emergency response system.
More than 220,000 people in Ukraine lost power in December 2015 in the first cyberattack to knock a power grid offline. Attacks on Ukrainian infrastructure continue.
Today, cybersecurity is at the center of the global political stage – concerns about Russian interference in the U.S. presidential election, its electronic theft of confidential documents from Hillary Clinton’s presidential campaign and from the Democratic National Committee, disclosures about U.S. surveillance overseas and at home – but experts say the real issue isn’t what happened, but how that influences society.
Information security used to be more about check-the-box safeguards, but the focus now is on figuring out how hackers can use the purloined data, said Art Conklin, director of the Center for Information Security Research and Education at UH.
“A bigger question is not, was it Russia, how was it done or why, but rather, how has it affected us and what can we do about it after the fact,” Conklin said. “Disinformation has been around forever, but it has taken a much different form today. The gatekeepers are gone.”
Indeed, the whole idea of “gatekeepers” and “truth” are in flux.
“The idea now is that if information is hacked and stolen, it must be true,” said Bronk, who worked for the U.S. State Department before moving to academia. “And if it is being said by a government official, it must be a lie.”
In this new up-is-down reality, the focus is on protecting what Bronk calls “the crown jewels of the organization. What would be embarrassing if it were leaked?”
Cyberattacks challenge the long-held military theory of deterrence – our stockpile of weapons deters our enemies from using their own.
Now, Bronk said, many con icts play out in cyberspace, whether that is accusations that China has stolen intellectual property or against the United States regarding its use of cyberespionage.
“ISIS has a cyberwing,” he said. “It’s the way things are headed. Countries still matter, but less than they used to. Who’s more powerful, Belgium or Google?”
And what if, Conklin asked, the real purpose of the Russian hacking wasn’t to elect Donald Trump as president but to plant the idea that the average person’s vote doesn’t matter.
“They’re playing the long game,” he said.
Thinking about hackers’ motivations helps experts hone in on the most vulnerable targets. And emergency communication systems rank near the top.
That was illustrated last fall when thousands of 911 calls – triggered by a link spread through Twitter and YouTube – flooded the emergency system, overwhelming operators from California to Florida and leaving them unable to answer legitimate calls.
Shi said there is no one reason behind attacks on 911 and other public systems. Teenagers exploiting a bug in the iPhone triggered the fall 2016 attacks. “Teenagers hack without much thought about the consequences,” he said. “They think it sounds cool. Social media amplifies the risk.”
Ransomware, in which critical data is encrypted and released only after a ransom is paid, is an increasing threat, and hospitals and other healthcare facilities are a common target.
Healthcare systems often feel they have no choice but to pay up – being locked out of their electronic health records can be a matter of life or death for critically ill patients. Other ransomware attacks have targeted public computer systems, affecting 911 call centers and other operations.
Even if not every target pays up, FBI estimates peg ransomware as a $1 billion a year global business. Safeguarding 911 systems is complicated by the fact that there are about 6,500 separate call centers, each answering to local authorities and often using outdated technologies.
Most have no cybersecurity strategy. “They’re different from a commercial enterprise,” said Shi, who is leading a $2.6 million effort funded by the Department of Homeland Security Science and Technology Directorate, working with fellow computer science faculty Stephen Huang and Omprakash Gnawali to develop a ordable strategies to prevent attacks and hasten recovery if prevention fails. “They don’t have the money, manpower or expertise to protect against cybercrimes.”
It’s not enough to create a new technology, which local centers may or may not adopt. And the stakes are high – disrupting a commercial call center can result in lost sales. Disrupting 911 can mean lost lives. (Officials reported no deaths attributed to the attack on 911 last fall.)
University researchers work with industry and consultants who understand call center operations and procedures. Great technology won’t help if the centers don’t adopt it, Shi said, so part of the task will be devising strategies to boost adoption.
For call centers that ignore the risk because it hasn’t happened to them, Shi has a few words of caution.
“It hasn’t happened yet,” he said. “The risk grows over time. Everything is connected.”
Researchers are on the case, searching for solutions to lower the risk while keeping the benefits of that interconnectivity, which Conklin said has changed the world, even beyond the spread of disinformation, or “fake news.”
And just as understanding the motivation behind geopolitical cyber conflict is key to both prevention and managing the fallout, people fighting cyberattacks on energy infrastructure – utility plants, the electric grid, pipelines – have to understand the why, as well as the how.
“For years, we’ve been very good at figuring out what happened and how,” Bronk said. “The smart money in our field now is asking, Why? Why was the electricity grid in Ukraine hacked?”
One reason, he and Conklin suggest, is similar to those behind geopolitical and emergency systems hacking – to plant uncertainty.
Not knowing if you will have electricity is in some ways more unsettling than not having it at all.
A 2015 DHS report found that the energy sector topped the list of U.S. industries facing cyberattacks.
Conklin, principal investigator for a $1.1 million DHS grant to improve security for critical energy infrastructure, has testified before state and federal regulators. He said it’s unclear how these threats will change the nation’s energy policies and infrastructure.
“We’re in the middle of the transformation,” he said. “Five years ago, security was about data. Today it’s about, can I trust the system to do what I need it to do.”
And as with 911 emergency call centers, the stakes for energy can literally be those of life or death.
Victims of identity the or cyber bank fraud can get restitution, Conklin noted. “If I blow up a pipeline and kill people, there’s no backup that can bring them back.”
Researchers are working to develop safeguards. But the old goal of absolute security doesn’t fit in today’s world of 24-7 connectivity.
Bronk notes that there are now as many as 20 billion connected devices in the world, from internet-enabled refrigerators to Fitbits and “smart” thermostats. at’s more devices than people. All make us more vulnerable, as well as providing unprecedented power.
The demand for cybersecurity workers is unprecedented, as well.
Rakesh Verma, a professor of computer science whose research focuses on risks from phishing and malware emails, said the demand has grown over the past decade. “That’s both because of cyberattacks – on Sony, Chase Bank and Target, among others – that have reverberated in the news media and around the world, and two, because nation-states are getting involved in a big way.”
The curriculum is constantly evolving, with new courses and efforts to adapt data science techniques for security challenges. Bronk, like Verma, says demand for graduates with strong cyber skills is booming.
“It’s the most important revolution in human history,” Bronk said. “And we’re living through it.”