One year away from the third decade of the 21st century and technology has finally caught up with science fiction. In 2019, we’re going to hear more news about driverless cars, revolutions in artificial intelligence and commercial applications for drones. One thing is for sure: it’s an exciting time to be alive.
Unfortunately, advances in technology bring about advances in public threats; 2019 is not an exception. Last year we saw a startling number of security breaches, ransomware attacks and data leaks from Fortune 500 organizations. Hackers are getting smarter all the time, and – with increased incentive to profit from booming digital black markets – they haven’t rested yet.
It’s Getting Political
Things are going to be a little different this year. Hacking culture has always been entangled with a certain political ethos (hence the connection between Anonymous and the anarchist thriller V for Vendetta), but in recent years money has dominated as the end game in a majority of highly publicized attacks.
With rising political unrest around the world, cyber attacks are becoming more about nations, countries and governments than ever before. Take several examples:
- In March of last year, the FBI and Department of Homeland Security (DHS) filed a joint report disclosing that Russian hackers had been tied to attacks on U.S infrastructure, including energy, water and aviation. The attackers stole sensitive information for unknown purposes, spreading widespread alarm.
- For some time, different departments of the U.S government dealt with information security, including the FBI, CISA and NSA. In November of 2018, Congress approved the formation of a ‘Cybersecurity Agency,’ signaling a unified bipartisan emphasis on the threat of cyberattacks against the U.S.
- Last December, Chinese nationals Zhu Hua and Zhang Shilong were indicted for stealing vast amounts of sensitive data related to American industries and technologies. The attackers also stole social security numbers and other personal information from over 100,000 U.S Navy personnel, officially ending a three-year agreement between the U.S and China not to engage in cyberattacks or espionage.
While the threat of cyberwarfare has existed since cyberattacks became a technological possibility, it was once – for the most part – an intrigue of science fiction and futurism. Now that key government resources are increasingly digitized, the threat has become a palpable reality.
As former DHS Under Secretary Suzanne Spaulding observes, “Until recently the US did not publicly attribute various cyber incidents to specific nations, despite public pressure to do so.” The country’s attitude has finally changed: when it comes to international relationships, cyberwarfare is no longer a weird exception to the rule.
New Technology, New Threats
In addition to the new temperature that has raised cybersecurity stakes for world powers, 2019 will likely witness the rise of new threats that experts are only just coming to terms with.
Here are a few that will pose a risk for domestic security:
- Attacks Fueled by IoT Botnets
In order to manage incoming traffic from visitors, websites must be hosted on servers with enough bandwidth. One common way to attack a server is to send a large amount of fake traffic from multiple computers, thus exceeding the server’s bandwidth and taking it offline.
These Distributed Denial of Service (DDoS) attacks are hardly new, but in recent years, the Internet of Things (IoT) has made them dramatically more powerful.
Here’s the basic script: a hacker discretely accesses thousands of Internet connected devices – from phones to smart thermostats – and links them altogether in a “botnet”. Then the hacker instructs the devices to target a server, overwhelming it with traffic.
Three years ago, this kind of attack took large portions of the Internet offline along the U.S east coast. Now, Symantec predicts that IoT botnets will be used to conduct much more sophisticated attacks giving attackers unprecedented power.
- Critical Infrastructure Attacks
We’ve already mentioned that in 2018, the U.S acknowledged cyber attacks against critical infrastructure. This event wasn’t a proof-of-concept: in 2015, attackers successfully targeted the Ukrainian power grid, and managed to leave 230,000 citizens without electricity.
While it’s not a brand-new idea, infrastructure attacks are becoming more common for a simple reason: more of it is connected to the web. This vulnerability goes to show that IoT isn’t just a tool for attackers to use; it’s a weakness for them to exploit.
As Brian NeSmith of Forbes Council points out,
“With digital technology wherever we look and the explosion of the internet of things (IoT), the possibilities of cyber-mayhem are limitless. Think of nuclear reactors, chemical plants and satellites in space — all are potentially vulnerable targets.”
The possibility that hackers could cripple the U.S power grid was so concerning to U.S Senators that last year, they proposed a bill that would have banned digital control systems sometimes used by power stations.
- Spear Phishing and APT Groups
Most organizations are aware of phishing threats: an attacker can use false login portals, domains and forms to dupe employees into sharing sensitive information that can be used to further sabotage a business.
Phishing attacks have been common from the beginning of the Internet, but spear phishing is an entirely different animal. Also known as “targeted phishing,” spear phishers single out an organization or business and tailor the attack to ensnare a target.
Much like social engineering, spearfishing is effective because it exploits intimate knowledge of an organization or insider. They are both more dangerous and more convincing than traditional phishing attacks and present an active threat to government agencies.
The Chinese attackers who targeted NASA last year employed spear phishing to access sensitive information, and it’s a favorite tactic of organizations deemed Advanced Persistent Threats (APTs) by the U.S government.
In December of last year, the U.S. House of Representatives passed a bill requiring the White House to maintain an active list of APTs and the individuals who work for them. It is but one step on the long road to America’s national security in the wake of new cyber threats.
Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!