A Better Offense and Defense Against Hacking

Is any computer network safe?

Apparently not. Last week saw yet another example of how vulnerable U.S. government computer networks are to cyber-attacks, underscoring the need for an overarching and comprehensive cyber-policy on both how to defend against such attacks and how to apply punitive measures in response.

The latest attack, which according to intelligence officials was perpetrated by Chinese hackers, was on the U.S. Office of Personnel Management. Approximately 4 million private records of federal employees were compromised, providing hackers with a treasure trove of social-security numbers, birth dates and other information that could be used to commit identity theft. Now, every federal employee will have to worry that s/he could become a victim of fraud.

The OPM attack comes on the heels of attacks on the State Department and the White House. Although the attack on the White House didn’t penetrate the most secure networks, it did expose sensitive information, such as the president’s schedule, to hackers.

Bear in mind that these are U.S. government computer networks that are supposed to be the safest from attack; yet, they appear to be as hackable as banks and retailers. It’s not a matter of if your personal information will be lifted by a hacker in China, North Korea or Russia, but when.

In an attempt to appear tough, the U.S. issued indictments against five Chinese military hackers in May 2014, but exactly what will those charges amount to? Does the Justice Department truly expect the Chinese to extradite them for trial here in the U.S.?

In order to send the Chinese and the Russians a strong message that such attacks will not be tolerated, the U.S. needs to embark on strong counter-offensive cyber-attacks of its own. That means that Russian and Chinese government agencies should have the expectation that any cyber-strike of theirs will be met by an overwhelming wave of assaults on their networks from U.S. cyber-warfare teams. The threat of retaliation will give government-sponsored hackers second thoughts before they decide to launch a cyber-attack on U.S. networks.

Many of China’s attacks on U.S. networks are carried out for the purpose of stealing industrial secrets from corporations. Chinese state-sponsored companies then use this stolen information to develop competitive products and services. Instead of indicting the hackers, who will never face trial here anyway, the companies that profit from Chinese industrial espionage should be banned from doing business in the U.S. and executives of those firms should be denied visas for entering the U.S. Chinese officials will start to realize that the theft of industrial secrets will not be good for the bottom line of their businesses in the long run.

The internet isn’t going away, but that doesn’t mean that all computer networks have to be connected to the public network. The way many hackers penetrate secure networks is first through a public server. Once that server is compromised, it’s used as a staging area to conduct hacks into the network. U.S. government agencies and corporations have to ask themselves whether all their networks have to have a gateway into the wider internet. U.S. government agencies have been using computer networks for decades, but it’s only during the last decade and a half that they have been wired up to the world-wide web.

Corporations also have to do more to protect their customers and clients. The same way banks have had to pass a financial stress test ever since the economic meltdown in 2008, companies should be regularly subjected to simulated cyber-attacks that would demonstrate their level of vulnerability to hackers. Banks and other financial institutions should be taken offline if they fail to show adequate monitoring and prevention of such attacks. Retailers should receive a rating from either the federal government or from cyber-security firms that will provide transparency to consumers as to the safety of their personal and credit card information. Without some form of security standards, consumers will be increasingly wary of performing any kind of electronic transaction.

Unfortunately, the theft of industrial secrets and personal information is likely only the beginning of the damage hackers will inflict on the lives of millions. As the Internet of Things becomes a reality, with everything from automobiles to traffic lights linked to a public world-wide network, hackers can throw an electronic monkey wrench into networks, wreaking the same havoc on our infrastructure as if bombs had been dropped on it. Cyber-strikes are a kind of warfare that has the potential to create as much damage and chaos as conventional war. It’s time to treat such attacks with the same kind of serious offensive and defensive measures that a military attack on the U.S. would provoke.