2015 was the year cyber security went mainstream, with headless worms, jailbreaking, ghostware and data breach all joining the daily headline lexicon. Tens of millions of Americans were directly impacted. We learned that Iran had breached our critical infrastructure, of the most massive and catastrophic cyber attack in U.S. history, and of an unrepentant Secretary of State transmitting classified material via personal email. The hydra-headed cyber criminals adopted increasingly innovative tactics, state-sponsored actors such as Iran became bolder, and social media became a terrorism story. Here’s but a snapshot of our cyber insecurity in 2015.
NY Dam Breach by Iran — Perhaps one of the most troubling breaches of 2015 actually occurred two years ago – but has only just come to light. Revealed, not coincidentally, after Tehran snared a nuclear deal with Washington. Iranian hackers infiltrated the infrastructure of a small dam in New York, ringing alarm bells at the White House. The breach came amid a separate surge of attacks by Iran on U.S. banks. Despite these concerns, the Iran Nuclear Deal stands. Our power grid, pipelines and dams are essentially unprotected on the Internet. The dam breach remains classified, but will serve as a blueprint for Islamic terrorists. It seems legacy is more important than national security.
Office of Personnel Management — What could possibly go wrong when a government agency outsources its sensitive data management to … China? The actual scope of the attack remains abstruse. Suffice to say, the OPM breach was devastating for the United States, and has cost our intelligence services a generation of spies. More than 21 million Americans were excruciatingly exposed; I regrettably count among them. Six months later, OPM still has the personal data of all federal employees and our sensitive resources continue to be targeted. OPM remains a very plump, slow-moving target for state actors and criminals alike.
Hillary Clinton Email — The lurching scandal surrounding the former Secretary of State’s flagrant abuse of national security data is the political cyber hit of the year. Quite simply, if an enlisted soldier transmitted Top Secret information via personal email servers, they would be in jail. Evidently, aides routinely took screenshots of Top Secret documents and emailed the pictures to Mrs. Clinton’s private account. The FBI has ramped up inquiries into the security of Mrs. Clinton’s jerry-rigged email system and how her aides communicated over email. This is nothing less than a criminal breach of national security. Then there is Secretary of Defense Ashton Carter, but that’s another story.
Social Media and Islamic Terrorism — Since the Islamist terror attacks on San Bernardino and Paris, social media companies, most notably Twitter and Facebook, are under intense pressure to help identify Islamic extremists who use their networks to fund, recruit, promote and plan terrorism. They are resisting, so Congress is stepping in – which of course seldom works. Just as they do with child pornography, Twitter and Facebook have the technology to stop Islamic terrorists from exploiting their platforms – what they lack is the will.
Health Insurance Providers — Cyber criminals compromised over 100 million health insurance records in 2015. An annus horribilis for the cyber heart of the health insurance industry. The breaches included names, social security numbers and birth dates. The biggest hit was on Anthem, exposing 80 million customers. To put the cherry on top, the Department of Health and Human Services says that, coupled with Premera Blue Cross, Excellus Health Plan and others, the medical information of more than 100 million Americans was put under the hackers’ knife in 2015.
Internal Revenue Service — Hackers hit the IRS again this year and stole data from 330,000 taxpayer accounts. Two taxpayers filed a class-action suit against the IRS over the loss of social security numbers and completed tax returns. The suit claims that the IRS knew its website was vulnerable, but did nothing. The criminals were able to file bogus tax returns, and net $50 million in federal funds.
CIA Director John Brennan – In a blast from the past, Director Brennan considered it sound practice to stick with his AOL account – remember AOL? Despite his unique insight into the dark edges of cyber security, he believed his trusty AOL email was immune from hacking. Teen hackers took control of his account via the weakest link, a Verizon employee, to gain access to Director Brennan’s personal account and bleed his account of sensitive data. I can hear the dial tone at Langley now.
Ashley Madison – This was the “made for the tabloids” breach. The attack was brazen and anything but stealthy. More than 30 gigabytes of data exposing 32 million Ashley Madison accounts. That’s a lot of pictures, predilections and sordid affairs – even for D.C. The data included names, passwords, addresses, and phone numbers. Incredibly, AshleyMadison.com claims their membership has grown by four million users since the hack.
Juniper NetScreen Firewalls — Wrapping up the year in a Christmas bow was the December 2015 revelation that Juniper Networks had suffered a long-term, potentially calamitous breach exposing countless classified communications. Federal officials believe a nation state, likely Iran or China, used a backdoor to spy on the encrypted communications of the U.S. government for more than three years. This breach is the hacking equivalent of stealing a master key that opens every door in every government building.
What of the coming year? It’s hard to predict, but there will certainly be an arms race in information security with state actors like Iran. Cyber terrorists and criminals will launch beguilingly sophisticated attacks on everything from U.S. national security infrastructure to IoT-connected medical devices. Let’s hope we are not quite as surprised by events as in 2015.