Our nation’s security; indeed, the security of every American, is at risk from enemies we can’t see, and often can’t find, until the damage has been done. Every American citizen, government agency, and commercial or private business that has internet connected devices and networks is a target, and can become both an unwitting predator and unsuspecting prey.
Many are thinking of new ways to defend against this threat. New approaches are being considered, such as the creation of safeguards for personally identifiable information (e.g., a potential replacement for the ubiquitous social security number); or the possible enactment of legislation that enables private companies to “hack back” cyber criminals by employing offensive countermeasures; or even applying cyber counteroffensive lessons from the recent French President Emmanuel Macron campaign that helped counter Russia’s influence into the French election.
As director of the National Counterintelligence and Security Center, I spend a significant amount of time addressing the evolving threats to our national and economic security in both the government and private sector. I am particularly concerned about the impact of cyber threats on Americans. While there are no solutions to operate with complete safety in cyberspace, we must use all available tools and safe practices to avoid identity theft or financial loss. The psychological impact of this threat also affects our nation’s well-being. Hardly a week goes by without a major cyber incident occurring in the government, private sector, or individual accounts of hard-working Americans.
Over the past few years, many of us have been victims of cyber theft and have had our personal information exposed or stolen. The most notable recent cyber breach involved the credit service Equifax, and the possible theft or exposure of personally identifiable information and credit data of approximately 145 million people, according to recent public reports. Add to this the hack of Yahoo email accounts and the Office of Personnel Management data breach, among other such incidents; we can’t afford to simply stand by and observe the problem.
In the wake of these security breaches, there is often a flurry of opportunistic criminals and con-artists seeking to exploit these incidents by offering identity theft protection, insurance, or data recovery. These incidents often generate phony websites, where scammers use legitimate looking sites or redirects to take you to an untrusted, or co-opted, site promising to provide an expensive —though ultimately phony — service. Others may engage in spear phishing to obtain credit card or personal financial information, ostensibly so they can “protect” your information.
These breaches and the follow-up scams are a great concern to all of us, and underscore the importance of extreme vigilance on the part of organizations as well as individuals.
Furthermore, with the proliferation of the Internet of Things, new and unexpected risks are starting to appear in every facet of our daily lives. Our homes are no longer private spaces. Manufacturers are now discontinuing production of electronic devices that lack integrated smart technology, and some are preventing us from disabling the smart technology within smart devices. And IoT features are appearing in unexpected places, such as light bulbs.
Such technologies are here to stay and present enduring vulnerabilities. The lack of security protocols for IoT devices often present a challenge to mitigating malicious activity. Also, manufacturers are no longer providing software updates to aging smart appliances that typically have long consumer lifespans — smart refrigerators and televisions, for example. These appliances will be targets for compromise for years to come by security crackers, malware, or Trojan applications.
At the end of the day, we are all potential targets of malicious actors, whether they are common criminals, terrorist-affiliated hackers seeking soft targets to spread fear and violence, or foreign government-sponsored hackers engaged in espionage or disruption activities. There is no doubt that China, Russia, and North Korea pose a cyber threat to U.S. industry, critical infrastructure, governmental systems and data, and our democratic way of life.
October is National Cyber Security Awareness Month and I urge everyone to participate, taking advantage of the many public and private sector resources that can better protect us every day. To become part of National Cyber Security Awareness Month and learn how to protect yourself, your family, and your workplace, visit the National Cyber Security Alliance at staysafeonline.org or the Federal Trade Commission at www.ftc.gov. You can also find out more about the National Counterintelligence and Security Center online at NCSC.gov, or you can follow us on Twitter @NCSCgov.
To combat the enduring cyber threat, I urge all of you to know the risk, and raise your shield.
William R. Evanina is the Director of the National Counterintelligence and Security Center.