On an almost weekly basis, another organization or government agency owns up to having been “hacked” – admitting that its systems have been breached. For every company that discloses an issue, there are likely 20 – 30 more that keep it under wraps. We know this because more than half of all U.S. businesses have been hacked. The attacker may have removed sensitive personal data or trade secrets for later sale on the dark web, or sought to disrupt operations, causing negative reputational and financial impact. But regardless of attacker motivation, cybercrime damages are predicted to cost the world $6 trillion dollars in damages annually by 2021.
George Santayana gave us the great quote, “Those who cannot remember the past are condemned to repeat it.” Unfortunately, we haven’t been particularly good students of history – at least in terms of protecting our critical infrastructure from hackers.
AN AUSPICIOUS PRECEDENT FROM THE OLD WORLD
During the 1790’s, France built what could be considered the first national data network – a mechanical telegraph system, reserved for government use, and comprised of a chain of towers with a system of moveable wooden arms. These arms were configured to correspond to letters, numbers and other characters.
Operators would view an adjacent tower through a telescope and match its configuration, allowing messages to be relayed faster than mail. The first network attack occurred when a telegraph operator in Tours, France, was bribed by bankers Francois and Joseph Blanc in 1834. He introduced errors into government messages, surreptitiously indicating the previous day’s market movement. This scheme allowed the brothers to profit from their knowledge ahead of others
COMPUTER NERDS RULE
The minutes of a 1955 meeting of MIT’s Tech Model Railroad Club, state “Mr. Eccles requests that anyone working or hacking on the electrical system turn the power off to avoid fuse blowing.” Since then, a hack has been associated with a type of shortcut, or a way to rework the operation of a system. The Club members then moved to apply their engineering know-how to the new computers on campus (IBM 704’s). Many of these students and other early hackers were programmers who wanted to optimize, customize and/or just learn. The most elegant hack from the late 1960’s was that of Thompson and Ritchie, who worked on a “little used PDP-7 in a corner of Bell Labs” and developed what became the UNIX operating system.
PHONES CAN BE HACKED, TOO
In the 1970s, phone hackers also known as “phreakers” exploited operational characteristics of the newly all-electronic telephone switching system to make long-distance calls free of charge. One of the hacks was the use of a toy whistle found in Cap’n Crunch cereal boxes that produced the 2600 hertz tone which fooled the network. Apple founders Steve Jobs and Steve Wozniak were phreakers who built blue boxes with digital circuits emulating network tones before they went on to found their wildly successful company.
HACKING GAINS A PLACE IN POPULAR CULTURE AND LAW
In 1981, IBM introduced “personal computers” as standalone machines complete with CPU, software, memory, and storage. The wider availability of PCs led to an uptick in hacking, helped along by the movie “War Games.” The film follows a young hacker who changes his grades after breaking into his school district’s computer. He winds up finding a backdoor to a military supercomputer and runs a nuclear war simulation, thinking it’s a computer game, and almost starts World War III. During this era, a different strain of hackers more focused on pirating code, breaking into systems, and stealing data, came to the fore. Congress responded in 1986 with the Computer Fraud and Abuse Act, intended to reduce the hacking of government or other sensitive institutional computer systems, with punishment ranging from fines to imprisonment. Several high-profile hackers were prosecuted in the 1990’s for crimes including stealing proprietary software from corporations, launching the first computer worm, and leading the first digital bank heist.
IT’S THE WILD WEST ALL OVER AGAIN
Since then, the practice of hacking continues to thrive in our worldwide ecosystem of connected networks, virtual machines, embedded systems, smart devices, and cloud computing. The data breaches at Yahoo!, Equifax, eBay, and Target, among other big names, are well known. What may be more alarming is the fact that, according to experts, cybercriminals made more than $1 billion from ransomware (a particularly nasty form of malware) in 2016. Consider the mayhem caused when hackers set their sights on government and critical infrastructure. Exhibit A is the digital extortion that brought down the city of Atlanta for days this past March. During the same month, the Department of Homeland Security and the FBI warned that Russian operatives had infiltrated the U.S. electric power grid. At a DefCon conference in Las Vegas earlier this month, an 11-year-old needed only ten minutes to hack into a replica of the Florida Secretary of State website used to report election results, and change them.
CRITICAL INFRASTRUCTURE MUST ASSUME HACKERS WILL GET IN
It’s time to learn from the both the long-ago and recent past: suppliers, manufacturers, and operators of critical infrastructure need to protect their organizations to maintain customer safety and loyalty, as well as business continuity. Vulnerabilities in software, large attack surfaces, and unverified supply chains are present in virtually all organizations.
One of the best ways to guard against the damage and disruption wrought by hackers is to transform software binaries within devices and systems in a way that denies malware the ability to change commands and spread. Known as “cyberhardening,” this method prevents a single exploit from propagating across multiple systems. It shrinks attack surfaces, eliminates vulnerabilities, and stops malware from being executed. Read more about this transformation process here.