Security experts warn that the recent cyberattacks on Apple and the New York
Times are only the highest-profile examples of an escalating problem that
threatens American businesses and undermines national security.
"A new frontier for people who are not our friends is attacking our
infrastructure and disrupting our day-to-day lives and our economy," said Jay
Kesan, a University of Illinois professor of law and computer engineering.
"It's not traditional warfare, but it should be a matter of very high
priority."
Last week, the Obama administration announced a new effort to fight the
growing theft of American trade secrets after Apple's and Facebook's
revelations that they had been hacked, and new evidence linking years of
cyberattacks against more than 140 U.S. companies to the Chinese military. The
administration's plan includes a new diplomatic push and better coordination
at home to help companies protect themselves. The next meeting of NATO defense
ministers will include a major focus on cybersecurity.
While the theft of online banking information and payroll credentials is
among the most common types of attacks, some of the greatest threats, Kesan
said, are to industrial control systems such as those of airlines, railways
and utilities.
"Once you get ahold of them, you can cause a lot of havoc," he said. "The
threat is real. The only way to address this is to have the public and private
sectors work together."
The most costly cybercrimes are those caused by denial of service,
malicious insiders and Web-based attacks, according to the Ponemon Institute,
a Michigan cybersecurity think tank.
A 2012 study of 56 companies by the institute found that the average
annualized cost of cybercrime was $8.9 million, a 6 percent increase from the
previous year, and the companies experienced a total of 102 successful attacks
per week, up 42 percent from 2011.
Some attacks involve the way companies have implemented their systems.
Ian Abreu, a consultant at Core Security in Boston, gave the example of an
online retailer that puts its sales database on the same server as its
business analytics database.
"This created a big problem when we found a certain type of attack aimed
at the e-commerce platform allowed us to access company financial records and
information as well," Abreu said.
Other attacks involve "spear phishing," carefully targeted strikes on
specific employees to gain access to sensitive internal communications and
trade secrets, said Richard Wang, manager of SophosLabs U.S. in Burlington.
To guard against such attacks, many companies now require employees to
log into their computers using not only a password, which must be changed
periodically, but also some other form of identification, such as a
fingerprint, said Srini Devadas, a professor of electrical engineering and
computer science at MIT.
"It's all about armor and ammunition," he said. "You have to double-lock
everything."
Devadas also recommends that companies update their operating systems and
software frequently, and train employees in basic self-defense, such as
knowing not to click on links without knowing where they lead.
Still, there is no foolproof way for businesses and their employees to
protect themselves, said Sven Dietrich, assistant professor of computer
science at Stevens Institute of Technology in Hoboken, N.J.
"There are lots of things you can do, but in the end, software is written
by humans and will always have vulnerabilities," Dietrich said. "You just have
to be careful. It's dangerous out there. It's not a cozy neighborhood."



