By: Uttara Choudhury

A fireside chat during the 2018 edition of the One Globe Forum focused on how governments, companies and individuals have to consider what the Internet and their communication security means to them. Sophisticated cybercrime, criminal hackers, privacy fears and the ongoing global confusion about security have soured the Internet for many, and doing something about it won’t be easy. “How have conversations about security evolved from the days of Edward Snowden? There are signs now of manipulation of democracy itself through hackers and cyber security that challenge vulnerabilities. How has the conversation evolved?” asked panel moderator Nirmal John, Editor, Cybersecurity and Emerging Technologies, The Economic Times.

In 2013, a now-infamous American government contractor Edward Snowden shone a stark light on vulnerable communications infrastructure by leaking 10,000 classified U.S. documents to the world. One by one, the leaks detailed a mass surveillance program in which the U.S. National Security Administration (NSA) and others gathered information on American citizens — via phone tracking and tapping undersea Internet cables.

“It’s evolved from a greater appreciation of the threat in the United States all the way out to our boardrooms. Even if you don’t have a laptop or an Internet connection or a smart phone, your information is handled by tax authorities, by hospitals, and all of that routes over the Internet,” said Michael Allen, Managing Director, Beacon Global Strategies LLC. 

“You mentioned Edward Snowden and Russia’s interference in the U.S. elections. It’s hard to underscore just how profound the Russian activity has been. It’s infected the way Facebook and other social media firms regulate what’s on their platforms, and it has had a tremendous effect on how companies try and safeguard their data,” said Allen. “Data breach is a sub-set of cyber security and extremely important as virtually every month a major U.S. company has to announce and prostrate before the American people about some sloppiness in their cybersecurity system that allowed personally identifiable information (PII) to leak to criminals, nation states or manipulators.”

Allegations that Russia interfered in the 2016 U.S. presidential election have kicked off multiple investigations. Special counsel Robert Mueller is investigating Russian meddling in the U.S. elections and potential coordination with the Donald Trump campaign. Russian hackers have been blamed for stealing sensitive emails of Hillary Clinton’s campaign chairman, John Podesta, and of the DNC. These inquiries raise concerns about the security and fairness of the U.S. electoral process and fears that a rival power can influence election results.

The moderator then brought the Equifax breach into discussion, where the consumer credit reporting agency said in September last year that hackers stole personal data, including tax IDs and driver’s license details it had collected on some 143 million Americans. “Equifax was reportedly hacked months before it disclosed a massive breach that included sensitive information for millions of consumers,” pointed out John, who has authored the bestseller, “Breach,” which is full of riveting stories about hackers, espionage and data theft touching on the global fight to keep information safe.

“Equifax did a terrible job of notifying their customers of a breach,” said Allen, while adding that it was important for companies to try and mitigate the problem by offering solutions for affected users. “Companies certainly have to notify their customers expeditiously, take the breach seriously and bring in a company to do the forensics investigation. They have to accept responsibility.” Allen said that whether it was a government agency or company it was important for cybersecurity experts, the company PR machine and officials to be on the same page and adopt a “coordinated approach” in the aftermath of a breach.

“There’s a culture where companies say they are 100% secure, in the same way that the Unique Identification Authority of India (UIDAI), is verbalizing that the Aadhaar base is 100% secure. That doesn’t really help because it only challenges a guy sitting in a basement in Lithuania to come and hack you,” observed John.

“I think you are onto something, there are such sophisticated actors today. It’s not just a person as you say, “in a basement in Lithuania,” but its criminal enterprises in many cases, underground international networks working to undermine data security.”

For countries like India and the United States, China increasingly represents the most threatening actor in cyberspace. Chinese hackers penetrated India's naval computer systems in and around the city of Visakhaptnam, the headquarters of the Eastern Naval Command, and planted a bug which sent sensitive military data to IP addresses in China. In a separate hack, Chinese digital rogues infiltrated the Pentagon’s computers to steal data on the $300 billion joint strike fighter, also known as the F-35 Lightning II, the costliest and most advanced fighter jet program the Pentagon has ever attempted.

Along with the “Russian interference” in the U.S. elections, “Chinese pilferage” of U.S. intellectual property is “a tremendous issue” said Allen, who served in the George W. Bush White House for seven years in a variety of national security policy roles.

Cyber breaches continue to dominate headlines simply because it’s easy to deploy such an attack and incredibly hard to defend. “Individuals make up companies and for me, the weakest link is often the individual, but is the main issue software bugs and weakness?” asked John.

“It’s both. Let’s be honest, we are all sloppy with passwords, we all think to ourselves, why would anyone hack me? Take a small fertilizer company in the Midwest, for example, they don’t think that they are going to be targeted by Chinese hackers. They have no idea that they are particularly adept at creating a particular formula for fertilizer which the Chinese want.”

The WannaCry ransom ware attack quickly spread around the world last May, infecting systems all over the globe. The attack was indiscriminate, but the U.S. National Health Service became one of the most high-profile victims of the attack.

John pointed out tech wizards from small Indian towns and cities have dominated the Facebook Bug bounty program over the past few years. In fact, “white hat” hackers from India, have been earning millions by helping uncover security flaws in Facebook and Google sites and protecting sensitive user data. “Nearly 60 to 70% of the vulnerabilities that are found on Facebook are discovered by Indian engineers. I find it extremely distressing that the Indian government does not necessarily appreciate the power of this large group of people,” said John. “What would be your suggestion, how is the security apparatus in the US looking and engaging with their own hacker community?”

“We are undergoing a terrible struggle. The U.S. government like most governments is very bureaucratic and what the technology industry would call a late adopter.”

Still, the U.S. Department of Defense (DoD), launched a project called "Hack the Pentagon" in 2016 which offers real glimmers of hope. In the wake of numerous government agency breaches, including the devastating Office of Personnel Management hack, the DoD took the initiative to offer cash rewards to independent hackers who find and disclose software bugs. The “Hack the Pentagon” bounty program’s momentum has now spurred a “Hack the Army” and “Hack the Air Force” program. The DoD is testing a few private bug bounties on its most sensitive systems. 

According to a Verizon study, based on analyzing results from phishing simulations, 78% of people don't click on a single phishing email all year — but it only takes one person to let the attackers in. Phishing attacks are designed to steal a person’s login and password details so that the cyber criminal can assume control of the victim’s social network, email and online bank accounts.

“A high 70% Internet users choose the same password for almost every web service they use. This is why phishing is so effective, as the criminal, by using the same login details, can access multiple private accounts and manipulate them,” warned Allen. “You must do a little research about how you can secure your Wi-Fi network, use rogue-AP detection or wireless intrusion prevention and change your passwords regularly.”