Benign to Scary

Computers and networks touch every facet of modern life. We are increasingly dependent on computer/network technology for communication, funds transfers, utility management, government services, military action, and maintaining confidential information. We use technology to provide energy, water supplies, emergency services, defense systems, electronic banking, and public health services. At the same time, this technology is being abused to perform illegal or malicious activities, such as to steal credit card numbers, use telephone systems fraudulently, illegally transmit trade secrets and intellectual property, deface web sites for political reasons, disrupt communications, reveal critical national secrets and strategies, and even commit extortion.

The term “information warfare” covers many different activities that pertain to individuals, organizations, and nations. Information warfare can be defined as any action to deny, exploit, corrupt, or destroy the enemy’s information and its function, while at the same time protecting oneself against those same actions. Governments have used information warfare techniques to gather tactical information for years. Organizations have stolen competitors’ trade secrets and plans for new products before they were released. Individuals have also used computers to steal money, access personal financial information, steal individual identification information, deface web sites, and cause destruction to draw attention to a particular cause.

There once was a time when hacking activities, viruses, and malware incidents were relatively benign. Many hackers carried out such activities to impress their peers and show they were clever enough to disrupt some businesses here and there, but overall their intent was not to inflict massive damages to an entity.

But where once the developer of a worm or virus received only the self-satisfaction of overcoming a challenge, things today have changed dramatically. The trend of hacking for “fun” is disappearing, to be quickly replaced by hacking with profit-driven motives. There is an old saying that goes, “Why did the thief rob the bank?” Answer: “Because that was where the money was kept.” If we apply that to today’s world, it may go more like this: “Why are the thieves hacking computers?” Answer: “Because today that is where the financial information and critical data are kept.”

Today, security breaches, malware, and hacking often target specific victims and have specific goals. Viruses used to spread via users opening attachments, followed by the virus sending copies of itself to the victim’s contact list. Thus, it simply replicated itself—big deal. Now, hackers work together to steal data used for identity theft, raid funds from online accounts, and carry out extortion when holes are discovered in a company’s security program. Some individuals are even being hired by organized crime rings for just such objectives.

In short, hacking is constantly evolving. In an industry driven by continual technological innovation, hackers remain abreast of these changes and often are a step ahead of the good guys who are trying to protect company assets. The level of sophistication has increased as well because the stakes are now that much higher. It is not unheard of for organizations to secretly employ hackers to perpetrate all kinds of maliciousness against their competitors. Everything from business contracts, customer lists, industrial secrets, product blueprints, and financial data can be culled from an organization’s computer systems by those with the necessary technological skills if aided by security weaknesses at the target organization. Routinely, news stories arise about international crime rings targeting banks and credit card companies through cyberattacks, the results of which are the loss of millions of dollars through identity fraud and outright theft of funds. In many cases, the greatest damage done to these companies is to their reputations and the confidence consumers have in the organizations.

Evidence of the Evolution of Hacking

Several incidents indicate that not only is hacking activity on the rise, but the sophistication of the attacks is advancing rapidly. Alarmingly, a majority of attacks are using methods that have been understood for quite some time and for which fixes have been readily available. This proves that not enough network maintainers have kept up-to-date on security changes and installed the necessary patches or configurations.

It is an unfortunate but common occurrence to see hackers exploiting the various computer vulnerabilities in order to steal millions of credit card and account numbers from systems associated with e-commerce, online banking, or the retail sector. Some hackers will extort the organization with the threat of releasing the sensitive data to others. The hackers will offer a “security service” to fix the systems they have attacked for a fee, and if the institutions do not agree to pay, the attackers will threaten to do even more damage by posting the customers’ credit card numbers on web sites available to the public. Some organizations call the hacker’s bluff and refuse to pay, while some organizations pay the “hush money” and get the FBI involved.

The public is often very much in the dark about the kinds of damages worms, viruses, and hacks have done to companies. Unless these events make the news, the attacked organization usually only notifies its customers when absolutely necessary, or just sends them new cards and account numbers without any real explanation as to why they are being issued. It is usually only when more and more people are affected by attacks that they make the news and the general public becomes aware of them. Because of this common secrecy of security breaches, a majority of the states in America have privacy laws that require customers to be told of these issues that could directly affect them.

Organizations have their own motivation behind keeping the news about these kinds of attacks as quiet as possible. First, they don’t want to lose their customers due to a lack of confidence and thereby lose their revenue. Secondly, they don’t want to announce to the world that they have holes in their enterprises that lead right to the company jewels. Public knowledge of these vulnerabilities can bring about a storm of new attackers. It is similar to being attacked by a shark in the ocean only to have more sharks appear for their afternoon snack. It is not pretty.

Most of us know about Paris Hilton’s stint in jail; yet we are not aware of the continuous computer crimes that are taking place around us. The following sections show just some examples of activities that take place. Visit www.cybercrime.gov to see other convictions that have taken place.

There have been many reported and unreported financially motivated attacks. It was reported on February 2, 2007 that a former state contractor allegedly accessed a workers’ compensation data file at the Massachusetts Department of Industrial Accidents and stole personal information, including Social Security numbers. The thief is known to have used that information to commit identity theft on at least three of the individuals whose information was stolen. It is believed that as many as 1200 people have been affected by this theft.

On February 28, 2006, Kenneth J. Flury, a 41-year-old man from Cleveland, Ohio was sentenced to 32 months in prison and three years of supervised release as a result of his convictions for bank fraud and conspiracy. Flury was ordered to pay CitiBank $300,748.64 in restitution after having been found guilty of trying to defraud CitiBank between April 15, 2004 and May 4, 2004. He had obtained stolen CitiBank debit card numbers and PINs and then used them to encode blank ATM cards. He then used the counterfeit ATM cards to obtain cash advances totaling over $384,000 from ATM machines located in the Cleveland area during a three-week period. To pay off his accomplices, $167,000 of the stolen funds was transferred by Flury to the criminals who provided him with the stolen CitiBank account information. These individuals were later located in Europe and Asia. An additional $32,345 was seized by law enforcement officials before it could be transferred to accomplices in Russia.

Though company-to-company espionage usually flies under the public’s radar, there is nonetheless a great deal of activity in this area also. On August 25, 2006, a man in Michigan was sentenced to 30 months in prison for conducting computer attacks upon a competitor of his online sportswear business. Jason Salah Arabo, 19, of Southfield, Michigan was ordered to make restitutions of $504,495 to his victim. Arabo and an accomplice remotely controlled some 2000 personal computers they had infected with malware to conduct distributed Denial-of-Service attacks upon their competitor’s servers and web sites, thus completely disrupting the victim’s business.

Early in 2005, the MyDoom virus infected hundreds of thousands of computers, which were then used to launch an attack on the SCO Group. The attack was successful and kept the Utah-based Unix vendor from conducting business for several days. Although no official reason for the attack was ever uncovered, it is believed to have something to do with the fact that IBM was being sued by SCO for $5 billion.

One of the most frustrating aspects of these kinds of extortion attacks is that they aren’t limited to what are considered traditional borders. On Valentine’s Day of 2006, a group of animal activists organized an event where they encouraged people to log in to their chat room. Every word typed during this “chat” then triggered an e-mail to a list of predetermined organizations in the fur industry, and other companies that conducted animal vivisection. Such examples demonstrate that cyber-extortion isn’t solely motivated by money, and can arise for any number of reasons.

In June of 2006, the Department of Justice (“DOJ”) (in an operation appropriately named “Operation French Fry”) arrested eight persons (a ninth was indicted and declared a fugitive) in an identity theft ring where waiters had “skimmed” debit card information from more than 150 customers at restaurants in the Los Angeles area. The thieves had used access device-making equipment to re-stripe their own cards with the stolen account information, thus creating counterfeit debit cards. After requesting new PIN numbers for the compromised accounts, they would proceed to withdraw money from the accounts and use the funds to purchase postal money orders. Through this scheme, the group was allegedly able to steal over $1 million in cash and money orders.

A recent attack in Louisiana shows how worms can cause damage to users, but not in the typical e-mail attachment delivery system we’re used to. The case, United States v. Jeansonne, involved users who subscribed to WebTV services, which allow Internet capabilities to be executed over normal television connections.

The hacker sent an e-mail to these subscribers that contained a malicious worm. When users opened the e-mail, the worm reset their Internet dial-in number to 911, the emergency services number. As a result, several areas, from New York to Los Angeles, experienced false 911 calls whenever a user attempted to connect to their web services. The trick the hacker used was an executable worm. When launched, the users thought a simple display change was being made to their monitor, such as a color setting. In reality, however, the dial-in configuration setting was altered.

In some cases, the loss of information that can have a detrimental effect upon an organization and its customers is done accidentally. On January 26, 2007, a woman in Bossier purchased a used desk from a furniture store. Once the desk was delivered, she discovered a 165-page spreadsheet in one of the drawers, containing the names and Social Security numbers of current and former employees of Chase Bank in Shreveport, Louisiana. Although the document was returned immediately, the information on these 4100 individuals could have been used for illegal, and perhaps devastating, undertakings had the finder of the list been less honest.

In early 2005, ChoicePoint, a data gathering company, allowed individuals, who they thought were representing legitimate companies, access to 145,000 records within their database. The records held extensive private information on American citizens that could easily be used for identity theft. These individuals created several phony companies and used ChoicePoint’s information service to gather personal data. Each phony company collected the data over a period of time, thus keeping the whole operation under ChoicePoint’s radar. The individuals pieced together the information and compiled essentially full financial information on the victims, from credit reports to Social Security numbers. Only one person was arrested and received 16 months in jail.

In March 2005, hackers obtained 1.4 million credit card numbers by carrying out an attack on DSW Shoe Warehouse’s database. In addition to obtaining credit card information, the attackers gained driver’s license numbers and checking account numbers from 96,000 accounts.

In 2005, LexisNexis notified around 280,000 people that their passwords and IDs may have been accessed and stolen, and Bank of America lost their data backup tapes, which contained credit card account information for at least 1.2 million federal employees, many of whom worked at the Pentagon.

Examples of attempts to gain personal information are rampant. After discovering that fraudulent e-mail messages purporting to be from the Internal Revenue Service were being sent in an attempt to gain personal information, the IRS issued a notice that it does not use e-mail to contact taxpayers about issues related to their accounts. Yahoo.com issued warnings to its members to be careful about which web page they attempt to sign in on. Yahoo cautioned that the http://mail.yahoo.com/ address must include the trailing slash after the yahoo.com designation, otherwise the address that appears in the browser page could be bogus, an attempt to impersonate the official web site’s sign-in page—as in the following, which was cited by Yahoo: http://www.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060.
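As an added illustration (not part of the original text and not Yahoo's code), the following sketch parses the cited address the way a URL parser does: with no slash ending the authority part, everything before the `@` is treated as user information and the real host is the integer `16909060`. The function names and the list of expected hosts are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The address quoted in the text, the genuine sign-in address, and a
# constructed variant showing what a slash after the domain changes.
CITED = "http://www.yahoo.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060"
GENUINE = "http://mail.yahoo.com/"
WITH_SLASH = "http://www.yahoo.com/:login&mode=secure&q=1@16909060"  # constructed

# Assumed allow-list for this example.
EXPECTED_HOSTS = frozenset({"mail.yahoo.com", "www.yahoo.com"})


def integer_host_to_ip(host):
    """Return dotted-quad text if host is a bare 32-bit integer, else None."""
    if re.fullmatch(r"[0-9]+", host):
        value = int(host, 10)
    elif re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def inspect_url(url, expected_hosts=EXPECTED_HOSTS):
    """Report the host a client would contact and any deceptive traits."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Anything before '@' in the authority is user information, not the host.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-present")
        if "." in (parts.username or ""):
            findings.append("userinfo-resembles-hostname")
    # A bare integer host is an IPv4 address written as one number.
    ip_text = integer_host_to_ip(host)
    if ip_text is not None:
        findings.append("integer-encoded-ip-host")
    if host not in expected_hosts:
        findings.append("host-mismatch")
    return {
        "host": host,
        "ip": ip_text,
        "userinfo": parts.username,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (CITED, GENUINE, WITH_SLASH):
        print(sample)
        print("   ", inspect_url(sample))
```

With the slash in place, the authority ends at `www.yahoo.com` and the remainder is only a path on that host, which is why the trailing slash matters.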

The nonprofit organization Identity Theft Resource Center (www.idtheftcenter.org) issues notices about the latest scams and consumer alerts and states that identity theft is the fastest growing crime in America today. Many of the compromises come from fraudulent e-mails (scams) and carelessly developed online shopping and online banking software. A variation of the scams includes the account verification schemes in which the thief attempts to obtain information from unsuspecting e-mail recipients by sending a mass e-mail message, purporting to be from eBay, PayPal, a bank, or some other legitimate organization, with an “Urgent” request for account verification and a warning that their account is about to expire. A link is provided that, when clicked, leads the victim to a web page that looks legitimate and asks for account information. These are known as phisher scams.

These examples sadly represent only a small percentage of the hacking activity going on. These attacks were identified and reported. Most are not. Many organizations do not report hacking activity because they are afraid of damaging their reputation, losing the faith of their customer base, and adversely affecting their shareholders and stock prices. Other attacks go unnoticed or unidentified, and thus are not reported, while international attacks against military and government systems typically go unreported to the public. So, even though computers and networks remain great tools and have brought society much advancement, like many other tools, they are often used for sinister purposes.

How Are Nations Affected?

The art of war requires soldiers to outmaneuver the enemy and strike them down if necessary. In traditional warfare, the enemy was usually easily detectable. They were driving a tank, bombing from an airplane, attacking from a submarine, or shooting missiles. Today, the enemy may be harder to find, some attacks are harder to track, and the objectives of the attacker are at times more nebulous. Many governments’ military intelligence agencies have had to develop new methods of collecting information on potential foreign enemy movement, conducting surveillance, and proving guilt in criminal activities.

Although militaries still train most soldiers how to shoot, fight in combat, and practice evasive maneuvers, a new type of training is being incorporated. Because a majority of the military vehicles, weapons systems, and communication systems are controlled by technology, new soldiers must know how to use these technological tools to achieve the same goal of the soldier of the past—to win in war. Today’s soldiers not only need to know how to operate the new technology-driven weapons systems, but how to defend these systems from attacks and possibly use them to attack the enemy’s defense systems.

Disrupting communication has always been an important tactic in war because it impedes proper planning and warnings of imminent attacks. Knocking out communication lines is one of the first steps in the recipe of a successful attack. Today, most military communication is handled through computer-based systems, and the tools to disrupt communication of the enemy have changed. For example, the CIA reported to a U.S. congressional committee that foreign nations include information warfare in their military arsenal and provide defensive and offensive attack methods. These nations are devising documentation, strategic plans, and tools to carry out information warfare on other nations.

During the Persian Gulf War in 1991, it was reported that hackers from the Netherlands penetrated 34 American military sites that supported Operation Desert Storm activities. They extracted information about the exact location of military troops, weapon details, and movement of American warships. It could have been a different war if Saddam Hussein had actually bought this information when it was offered to him, but he did not—he thought it was a trick.

In another example, it was reported that the Irish Republican Army stole telephone bills to determine the addresses of potential targets in their political attacks. Authorities seized a batch of computer disks in Belfast and were able to decrypt the information after months of effort. This information was most likely gained by successfully hacking into the telephone company’s database.

A report declassified in May 1995 stated that prior to the August 1991 coup attempt in the Soviet Union, the KGB had been writing and developing viruses to disrupt computer systems during times of war. Another report, by the U.S. Defense Intelligence Agency, indicated that Cuba had developed viruses to infect and damage U.S. civilian computers. There is no proof these viruses were released and actually caused damage, but there is no proof they weren’t released either. It has also been reported that during the 1999 Kosovo Air Campaign, fake messages were injected into Yugoslavia’s computer-integrated air defense systems to point the weapons at false targets. Examples like these make it clear that military use of computer-based tools and attacks is growing in sophistication and utilization.

Critical to the function of the Internet are the 13 root DNS servers that participate in managing Internet traffic. If some of these go down, some web sites may become unreachable and some e-mail may not be delivered. If they all came down, the Internet would basically stop functioning. On February 6, 2007, another cyberattack occurred that targeted the 13 root DNS servers. Three computers used in this capacity were overwhelmed, but to the great relief of many, the attack went largely unnoticed by most computer users around the globe. Computer scientists involved claim this is due to the increased resiliency of the Internet and the sharing of duties that has taken place since the last major attack upon these computers in 2002.

Today, reports indicate that many terrorist groups are now using propaganda on the Internet to find prospective recruits. Luckily, these tactics have also spawned their cyber opposites, such as the cyber-antiterrorist group, Internet Haganah, founded by Aaron Weisburd. Weisburd, and others like him, now track down terrorist-related web sites and pose as individuals sympathetic to the web sites’ creators. They then gather as much information as they can and pass it along to various law enforcement agencies in order to shut down the web sites and, when possible, prosecute those responsible.

In another aspect of cyberterrorism, the U.S. Department of Defense believes at least 20-some countries have now established Cyber War organizations in an effort to create and develop the tools and techniques needed to attack other national militaries and civilian targets via the Internet. Possible Cyber Wars like this are already a reality. The number of attacks and intrusion attempts on the Department of Defense (DoD) has continued to rise in recent years. In some cases, the DoD has endured more than 500 cyberattacks a day. Fortunately, the number of successful attempts has declined due to a strategic effort to train personnel and implement the best security measures available.

Almost every task in an individual’s day interrelates with a technology that is controlled or monitored by a computer-based system. Turning on the lights, paying a gas bill, flying on a plane, talking on the telephone, and receiving medical treatment are all events that depend on large computer systems monitoring and providing a flow of service. Even sophisticated military defense systems rely on commercial power, communication, transportation, and monitoring capabilities that are computer-based. A country’s strength depends on its privately owned critical infrastructures and industries. These private-sector infrastructures have already been victimized by computer attacks, and a concerted attack on any of these key economic sectors or governmental services could have widespread ramifications. Most governments have recognized this vulnerability and have started taking the necessary defense steps because it is very likely that in future wars a country’s entire infrastructure could be targeted via these new methods—computer-generated attacks.

Note

The examples here are U.S.-centric, but the CISSP exam is not. It has evolved over the years to have a greater international focus.


How Are Companies Affected?

Many companies fail to understand how security implementations help their bottom line. After all, businesses are created to turn a profit, and if there is no direct correlation for an item—tying it in neatly to the linear concept of cost and profit—that item is often given low priority. Thankfully, more companies today are discovering how security affects their bottom line in ways they never expected.

If a company suffers a security breach, it must deal with a wide range of issues it likely wasn’t prepared for. Several companies recently had their databases attacked and their customers’ information compromised. Once customers find out that a company is not protecting their confidential and financial information properly, they will often take their business elsewhere. If the number of customers affected is in the range witnessed over the last year (10,000 to 1.4 million credit cards stolen at a time), and if the company loses a similar number of customers at one time, the company could go out of business. Of course, these events also affect the reputation of the company, its shareholders, and its stock price. In addition, the customers can sue the company, which could result in punitive damages and court fees. This would definitely impact the bottom line.

Note

Companies have added detailed security questions to requests from business partners. Many requests for proposals (RFPs) now include questions regarding security practices, infrastructure, and how data will be protected.


Organizations have had trade secrets and intellectual property stolen by employees who left to work for a competitor. In such instances, unless the original company has taken the proper steps to protect this data and inform its employees that this action is wrong, the company has no legal recourse. The company must practice due care both inside and outside its walls to protect its intellectual property from competitors. (For more information on legal issues, see Chapter 10.)

The industry is seeing more and more cases of employees being fired for improper use of computer systems. Many large companies have instituted policies of zero tolerance with respect to unauthorized or improper computer and Internet usage. However, if companies do not take the proper steps by having a comprehensive security policy in place and providing security awareness to the employees, they are often successfully sued for unfairly ending employment.

Companies and organizations are increasingly finding themselves responsible for compliance with more and more regulations pertaining to how they handle their data and personal information. The following is a short list of different privacy and confidentiality regulations:

  • Electronic Communications Policy (ECP)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Public Records Act (PRA)

  • Information Practices Act (IPA)

  • Family Educational Rights and Privacy Act (FERPA)

  • Children’s Online Privacy Protection Act (COPPA)

  • Fair Credit Reporting Act (FCRA)

  • Gramm-Leach-Bliley Act

  • Sarbanes-Oxley Act of 2002

Many other regulations are imposed at the state and federal levels, which companies need to comply with in how they conduct their business. It is important to know that many of these regulations go much further than to just dictate the levels of protection a company must provide for the data they are responsible for. It is becoming more common to see these newer regulations requiring that CEOs and CFOs of organizations be held personally responsible, and perhaps criminally negligent, if anything untoward occurs with regard to the data they have been entrusted with. Long gone are the days when upper management could claim they didn’t realize what was going on at lower levels of their organization. These regulations and laws can hold them directly accountable, and require them to sign off on regular reports and audits pertaining to the financial health and security of their organizations.

Another way a company can lose money and time is by being ill-prepared to react to a situation. If a network does not have properly configured security mechanisms, the company’s IT staff usually spends unnecessary time and resources putting out fires. In addition, when they are racing in a chaotic manner to find a solution, they may be creating more open doors into the network without realizing it. Without proper security planning, a lot of money, staff productivity, and time are wasted that could be used for other tasks. As discussed in subsequent chapters in this book, companies that have a solid incident response plan or disaster recovery plan in place will know what to do in the event of a physical intrusion or cyberattack.

Many companies are covered by insurance in case of a natural disaster or a major security breach. However, to get a good insurance rate, companies must prove they have a solid security program and that they are doing all they can to protect their own investments. In some cases, insurance providers refused to pay for a company’s loss because the company failed to have the correct security measures in place. A recent legal case involved a company that did not have a security policy, proper security mechanisms, and an updated disaster recovery plan in place. When disaster struck, the insurance company refused to pay. The case went to court and the insurance company won; however, the greater loss to the company was not the court case.

Every business market is full of competition. If a company endures a security compromise that makes the press—which has been happening almost every month over the last year—it will have an even harder time attracting new business. A company wants to be in a position where all the customers come to it when another company suffers a security compromise, not the other way around.

The U.S. Government’s Actions

One of the U.S. government’s responsibilities is to protect American resources, people, and their way of life. One complex task the government has been faced with recently is protecting several critical infrastructures from computer-based attacks. Because computer technology is relatively young and changing rapidly, and because security has only come into real focus over the last few years, all these core infrastructures contain their own vulnerabilities. If attackers disrupt these infrastructures, the ramifications may be far reaching. For example, if attackers were able to take down electrical grids, thus forcing the government to concentrate on that crisis, they could then launch military strikes on other fronts. This might sound like a John Grisham novel, but the U.S. government must consider such scenarios and devise defensive plans to respond. One of the biggest threats the United States faces is that terrorists or a hostile nation will attempt to inflict economic damage, disrupt business or productivity, and degrade our defense response by attacking the critical infrastructures.

On July 15, 1996, President Clinton approved the establishment of the President’s Commission on Critical Infrastructure Protection (PCCIP). The responsibility of this commission was to investigate the types of attacks that were happening, extrapolate how attacks could evolve in the future, determine how they could affect the nation’s computer infrastructures, and assess how vulnerable these structures were to such attacks at that time.

The PCCIP published its sobering report, “Critical Foundations: Protecting America’s Infrastructures,” in 1997. The report outlined the current vulnerability level of critical U.S. infrastructures pertaining to criminal activity, natural disasters, international terrorists, hackers, foreign national intelligence, and information warfare. Longstanding security weaknesses, placing federal operations at serious risk, were identified and reported. In response to this report, President Clinton signed two orders, Presidential Decision Directives (PDDs) 62 and 63, to improve the nation’s defenses against terrorism, other computer-based attacks, and information warfare activities. The focus of these directives was to address cyberattacks at a national level.

The report recognized that many of the nation’s critical infrastructures were privately owned and operated. It was obvious the government and the private sector had to work together to properly and successfully defend against cyberattacks. In fact, it was recognized that these government departments could not provide this level of protection without the help and sharing of information with the public sector. The position of National Coordinator was created within the Executive Office of the President to facilitate a partnership between the government and the private sector. The goal was for the government and the private sector to work together to strengthen the nation’s defenses against cyberterrorism, theft, fraud, and other criminal activity. Out of this came the Critical Infrastructure Assurance Office (CIAO) under the Department of Commerce, Information Sharing and Analysis Centers (ISACs), and the National Infrastructure Protection Center (NIPC) under the sponsorship of the FBI. Recently, the NIPC was fully integrated into the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security (DHS). Thus, the former NIPC’s responsibilities of physical and cyber-critical infrastructure assessment are now being addressed by two new divisions.

ISACs provide a mechanism that enables information sharing among members of a particular industry sector. The information comes from public-sector organizations and government agencies, and is shared by both. Sources of information can be authenticated or anonymous, and the information can pertain to vulnerabilities, incidents, threats, and solutions. Submitted information is directed to the appropriate team members, who then investigate each submittal, quantify the seriousness of the vulnerability, and perform a trend analysis to identify steps that might thwart this type of attack. The intent is to enhance the security of individual organizations, as well as the entire nation, one industry sector at a time.

In 2002, President Bush created the Office of Homeland Security in response to the attack on the United States on September 11, 2001. Departments of information technology and cybersecurity were included, and specific committees and roles were developed to protect against attacks that could negatively affect the nation’s infrastructure. The bill was signed November 25, 2002, and allocated $2.12 billion for technology and cybersecurity.

Much like the position of Drug Czar in the War on Drugs, in many countries in recent years there has also been a call for the appointment of a Cyber Czar—that is, a government official responsible for keeping the critical infrastructure of a country’s cyberworld secure and protected. In the U.S., it has proved to be a revolving-door post at the White House, with no real worth. The position is part of the Department of Homeland Security and actually oversees two other divisions: the National Communications System division and the National Cyber Security division. Many experts in the security industry feel that ever since President Bush issued his national strategy to secure cyberspace in February of 2003, nothing has really been done, and that those policies that have been created have been non-starters. Since 2001, more than four people have held the position of Cyber Czar, and in one instance (Howard Schmidt), for only two months. Many of the Cyber Czars have quit due to a lack of support or a feeling that the position and its division weren’t being taken seriously by other government agencies. Late into 2006, the position still remained open (and had remained open for more than a year), with the Bush Administration claiming they were whittling down the list of possible candidates. The position was eventually filled, but why should there be such difficulty in filling what, in reality, is such an important and essential job?

Critics and industry insiders claim it is tough to fill this position for several reasons. The first is the strong perception that the job holds no real power or influence in government circles. Critics say that the Bush Administration talks a big game, but in reality does very little—if anything at all—with regard to fighting cyberterrorism. The second reason is the need to find people who are properly qualified to hold the position. This is difficult due to the specific requirements of the job, such as having not only a strong understanding of the nature of current threats and the technology involved, but also the foresight to implement strategies that will protect the nation’s computer infrastructure in the future as well. Such undertakings require both active and proactive planning, and a forceful implementation of policies. The third reason for the difficulties in hiring is that the private sector at this time pays more, and offers more, to those individuals best suited for the position.

Government leadership also often claims that the private sector is doing enough to secure the nation’s infrastructure. To this, though, the private sector usually responds that the government still must do more, and take their own initiatives, and claims that the government is doing little, if anything at all, in these areas. Many criticisms of this type focus on the lack of leadership and cohesive policies coming from the Department of Homeland Security. Audits of both the DHS and the Department of Defense’s security procedures have given failing scores in recent evaluations, leaving the private sector questioning the government’s leadership abilities. The government, in turn, criticizes the evaluation process they’ve undergone. At the end of the day, however, both the public and government sectors must work together and grow stronger in these areas because the threats to the nation’s cyber-infrastructure are becoming more dangerous all the time.

So What Does This Mean to Us?

Evidence and trend analyses show that people, businesses, and countries are becoming increasingly dependent on computer/network technology for communication, funds transfers, utility management, government services, and military action. If any of these experienced a major disruption, millions of people could be affected. As our dependence grows, so should our protective measures.

The reality of the world today is that the majority of computer attacks, hacks, and cracks are no longer done for kicks and thrills. It’s no longer about the measure of skills. Greed and financial gain are the greatest motivators for most attacks these days. The perpetrators are no longer just individuals trying to make a name for themselves; instead, there is more organized crime and financial motivation behind these attacks. The gamut runs from botnets to spammers to identity theft. The lure of fast money through anonymous means brings all kinds of malicious elements out of the woodwork to take a crack at hacking and cybercrime. The fact that many organizations don’t want to report these kinds of crimes and have the public know about these attacks occurring against them only sweetens the lure for criminals to steal and extort every possible dime out of their victims.

Militaries are quietly growing their information warfare units. This growth is a response to the computer-related military actions that have already occurred and reflects an awareness of the need to plan for the future. Computer networks, communication systems, and other resources not only are prime targets to reconfigure or destroy in the time of war or crisis, they are also good tools to use to watch other nations’ movements and estimate their intentions during peacetime.

The ante is being raised, security issues are becoming more serious, and the effects are more detrimental. Take the necessary steps to protect yourself, your company, and your country.
