“There are only two types of companies: Those that know they’ve been hacked and those that don’t.”
That quote came from the same man who updated the President in daily terrorism briefings between 2011 and 2014. Addressing the 2015 Cyber Security Summit last fall, former National Counterterrorism Center Director Matthew Olsen reviewed a chilling litany of cyberterrorist attacks on America’s largest corporations and the federal government. Risks on the cyber landscape are burgeoning, he said, confronting American entities with ever-changing waves of digital assaults on key data assets and critical infrastructure. Many stealthy invasions are especially damaging because they operate unrecognized.
“From breach to detection in commercial enterprises (averages) 200 days,” he noted.
Olsen cited serious breaches at Target Corporation, eBay, JP Morgan, the U.S. Postal Service and the White House. He called for a systematic strategy of heightened information-sharing between private companies and governmental security agencies to identify attackers and their destructive actions.
Now president of consulting at a private cyber security company in Maryland, Olsen told Summit attendees that nation-states account for a growing volume of digital invasions. He mentioned several high-profile victims and the authors of those incidents:
- Sony Pictures, damaged by North Korean hackers over release of a comedy depicting that country’s leader in an unflattering role
- Sands Casino properties, target of attacks from Iran that Bloomberg News claimed was personal, to punish the outspoken Jewish owner of Las Vegas Sands Corporation
- The Federal Office of Personnel Management, keeper of federal employee records, including identities and other personal data on employees working covertly, hacked by China
Nation-State Hackers, Gangs and Ideological Terrorists
The problem has erupted into a national security issue, Olsen said. Russian and Chinese hackers disrupt business operations and steal product and systems designs, resulting in “the greatest transfer of money in history.” For example, an assault on JP Morgan netted “information on 1,000 employees and cost the firm $500 million.” Another attack on Home Depot cost $62 million. In some cases hackers have penetrated security barriers to steal highly secret national defense plans.
China has embraced cyber hacking as an economic development tool to steal trade secrets as a shortcut to gain market advances, and China employs thousands of dedicated hackers, Olsen said. Other attacks “are designed to destroy data and create damage. Cyber threats are coming to the fore, on the rise and increasing.”
Other perpetrators are criminal gangs intent on malicious mischief and ideological terrorists such as the “cyber caliphate in Syria,” a pro-ISIS collective. The latter advocate brutality and violence, and online channels drive small-scale, localized attacks that have extended the reach of terrorism. Assaults are fragmented and dynamic and attackers use encrypted platforms to prevent detection as they work to recruit vulnerable individuals.
Propaganda and lone-wolf recruitment have been very effective on social media, where malevolent actors search out isolated, disaffected individuals who are open to terrorists’ overtures. The terrorists’ message is, “Kill wherever you are – get a knife or a gun,” Olsen said. “It’s small-scale, home-grown terrorism.”
Defense Strategies to Protect America’s Critical Infrastructure
There must be a team effort supported by a cadre of cyber experts accessible to businesses, and businesses seeking help must be assured that reporting cyber incidents will not heighten company liability, Olsen said. The answer is to build trust between government and business to foster information-sharing. He noted that the private sector needs protection but can’t do it alone.
“We face incredible challenges and threats,” he said. “Can we work together to find solutions? It has to be our shared mission.”
Olsen fielded several questions from the Summit audience. Eran Kahana, attorney with Maslon LLP, asked why the hacking of Sony Entertainment, a business, had become a federal case. Olsen responded that because the destructive assault was attributed to a nation-state, North Korea, the government had entered.
Olsen also responded to a question from Dr. Massoud Amin, Director of the Technological Leadership Institute at the University of Minnesota. Amin asked, “What can we do better to protect out power grid?”
Against the backdrop of expanding terrorism represented by ISIS and Al Qaeda, “security must be baked in at the beginning,” Olsen replied. “Libya, Iraq, Syria, Yemen are four failed states with no governance, no security. Terrorists move in. We must help them build up security and governance.”
Another questioner posed what is likely a common dilemma for security professionals: “How do we sell bad intelligence news to the boss?”
Olsen replied that dealing with cyber security “is a key job responsibility – they must do it.”