Get news updates from WGBH
30 ISSUES IN 30 DAYS
Mon September 24, 2012
30 Issues: Why You Should Care About ... Cybersecurity
The town of Sandwich on Cape Cod is on the map for tourists. But for international cyber attacks?
Three years ago, hackers from Russia broke into the Sandwich computer network to steal more than $30,000 through wire transfers.
"Something happened many years ago and the town was able to immediately step in," said assistant town manager Doug Lapp.
Lapp said Sandwich officials significantly beefed up security and hired a full-time information technology director after the theft. But Lapp said cities and towns aren't required to to protect their network infrastructures. They just do the best they can.
"Some towns have IT staff," he said, "some towns have more IT staff, some towns don't have any at all. Some have what they call I-nets, you know, fiber optic cables that connect buildings, some towns don't. So it varies a lot from town to town, depending on the size and the budget."
Cybercrimes are on the uptick far beyond Sandwich. They impact more than 500 million people every year. And they're not just affecting consumers.
The Internet has changed the face of national security. Foreign, government-sponsored hackers commonly use the internet to steal private technology and government secrets. Cyberespionage is apparently so easy to conduct, the greatest challenge facing foreign governments may be sifting through all of the information they steal from abroad.
James Lewis is a senior fellow at the nonpartisan Center for Strategic and International Studies in Washington, D.C. Lewis keeps a list of what he considers the world's most significant cyber attacks. He's noted 108 incidents since May 2006, when the U.S. State Department's networks were hacked and terabytes of information were downloaded to someone outside the country.
"My favorite still has to be the CENTCOMM hack of December 2008," he said, "because this was the classified military system of the command running the wars in Afghanistan and Iraq. And a foreign intelligence service was able to get in and we couldn't dislodge them."
How dangerous was this incident?
"If that had happened in a war, it could have cost us the outcome; it could have led to defeat," Lewis said.
It's not just government and military computer hacks that make Lewis' list. Included are fairly destructive system break-ins at private colleges, banks and companies of all kind.
"My second favorite has to be Nortel. Nortel doesn't exist anymore. It's a Canadian phone company. And for 7 years they had a Chinese espionage ring siphoning out their technology, their business plans, everything. And that probably contributed to the collapse of a strategic industry in the U.S. and Canada."
In recent years, the debate to protect the nation's military and industrial secrets, as well as its infrastructure, has centered on placing mandates on private industry — essentially requiring businesses to take specific security steps. But business interests have fought any new federal regulations, saying security should be voluntary.
For his part, Lewis said private industry had its chance.
"The private sector has been in charge of cybersecurity since the dawn of time," he said. "And you know what? They've completely failed."
It's been 10 years since Congress tackled cybersecurity. In August, a bill supported by the Obama Administration that would have created new network security regulations was blocked in the Senate. The law was watered down with compromises, and the Beltway debate didn't seem to infiltrate the presidential campaign.
"It really should be a nonpartisan issue," said Larry Walsh, president of the 2112 Group, a business services company that deals a lot with information security issues.
Government doesn't have the knowledge to regulate security protection, Walsh said, because it takes in copious amounts of advice and guidance from a myriad of sources, which oftentimes conflict with one another.
"There's a lot of problems when it comes to this stuff," he said, "and they're not easy to solve, which is the reason why I think you see some of the people in the security community and the technology community cringe when they hear the government trying to create legislation built on compromises."
Compromise on Capitol Hill doesn't come easy these days. With legislation dead, Democrats are betting on President Obama issuing an executive order to force private industry to act. Republicans are against more cyber regulations, and call for voluntary cooperation between industry and the government.
Unlike the Capitol Hill logjam, here in Massachusetts there are indications that cooperation is happening organically.
"The security game has really changed," said Rick Welch, the executive director of the Advanced Cyber Security Center, hosted at MITRE Corp. in Bedford.
The ACSC is somewhat unique. It's been forming for 3 years, and it brings together security experts from area nonprofits, universities and financial services companies — places like Fidelity, John Hancock and State Street Bank.
"Companies typically have been very closed-mouthed about their security issues — understandably," Welch said. "But that prevents us from sharing great ideas on how to protect ourselves also. So the premise here is that we need to take a more open approach to share with each other, so we're better together, so to speak, and we need to do a better job to protect ourselves."
The ACSC members meet twice a month to discuss emerging security thefts, and sometimes included in those meetings are representatives from the FBI and the Department of Homeland Security. The companies have signed a binding legal document to protect the information they share with each other.
"I think that many of our members have a point of view that mirrors the U.S. Chamber of Commerce," Welch said, "in that regulation has to be implemented very carefully or it becomes burdensome and does not necessarily accomplish the goals."
Larry Walsh of the 2112 Group said he does see hints of the cybersecurity debate in this presidential campaign. Led by Chinese and Russian hackers, massive amounts of data is being stolen from overseas, and that impacts American business and technology interests.
"It really is a sideshow when it comes to who is going to do it better, Romney or Obama," Walsh said. "It's really cloaked inside of the entire, 'Blame China.' And when it comes to cybersecurity, it's kind of hard not to."
So far, the states have been the most successful in requiring large and small businesses to create security plans and report network breaches. But with industry and military secrets regularly being siphoned away, and with private companies controlling the nation's vulnerable infrastructure networks, cybersecurity has become a legitimate national security issue — a complicated and technical one, but an issue nonetheless.
30 ISSUES IN 30 DAYS
BOSTON PUBLIC RADIO