Unsuspecting citizens are soft targets for social engineers, and America has a huge attack surface. To enemy hackers, ‘We the People’ represent millions of unprotected endpoints. Foreign nations and non-state actors have successfully exploited our human vulnerability time and time again.
In 2016, spear-phishing led to damaging email leaks just before the election, when the Russian hacking group “Fancy Bear” compromised email accounts belonging to the Clinton campaign and the Democratic National Committee. In 2017, the same group used the same social-engineering techniques against three US senators up for re-election, including Democrat Claire McCaskill, a vocal critic of Russian President Vladimir Putin. And in summer 2018, another phishing attack targeted Republicans critical of Russia via fake conservative think-tank websites.
Headline-grabbing attacks on high-profile American political targets are the tip of the iceberg. Attacks on lower-profile targets typically go unreported, if they are even detected at all. For every big-name politician, countless ordinary Americans are also targeted by hackers. Many of these regular folks are well-placed employees in critical industries. Their companies supply goods, services, and technologies to governments, militaries, and law-enforcement agencies. They are trusted insiders at airports, hospitals, and power plants.
Our nation’s critical infrastructure grows more connected to the internet and more deeply dependent on computers every day. Trusted human beings have privileged access to those computers, and humans are a species known to routinely hand over their passwords when phished. Data breaches are hardly the worst-case scenario.
It’s not mere speculation to observe that a foreign actor could remotely commit a terrorist act or targeted assassination using stolen credentials as the murder weapon. For example, passwords harvested via spear-phishing might be leveraged to cut off power to a hospital and disable its backup generator. Patients on life support or undergoing major surgery would quickly die without electricity. On a very hot day, merely disabling a hospital’s HVAC system could be enough to kill some patients.
If this sounds like Hollywood fiction, consider Stuxnet, the computer worm used between 2007 and 2010 to cripple Iran’s nuclear program. Its discovery proved that major powers can and do conduct remote, computer-enabled sabotage. Russia, China, and others certainly have the means, even if they don’t currently have a motive, to murder Americans via the internet. Social engineering can easily provide the third ingredient: opportunity.
Fortunately, it is possible to mitigate such threats by hardening Americans against social engineering. Organizations that have a strong information security culture are far less vulnerable to phishing and similar deceptions. Security-awareness training is a key ingredient in building such a culture, and it has become one of the fastest-growing areas of IT security spending.
Many small and mid-sized organizations still don’t offer any such training to their members. Large organizations are more likely to have a formal security-awareness training program. Among organizations that do offer training, many view it as a compliance issue. This is not surprising, given that laws and standards like HIPAA and PCI-DSS require it. However, organizations that mandate training merely to check a box on their audit form are missing the point. Annual training doesn’t stop social-engineering attacks. Vigilant, skilled, and well-practiced people do.
Anyone who has sat through a canned security-awareness video can define phishing, but there’s a huge gap between knowing what phishing is and being able to resist a clever spear-phish. There are three things that even organizations with formal training programs often fail to do:
1) Foster a culture of vigilance. If the threat is imaginary, we call constant fear paranoia. If the threat is real, we call it healthy vigilance. With executives setting the tone, and the help of key influencers, vigilance can go viral.
2) Build practical expertise. In the interest of brevity, trainers often give superficial treatment to complex topics like social engineering. Shallow content is fine for generating awareness, but employees need detailed knowledge of deception techniques to reliably resist social engineering attacks. Deconstructed, real-world phishing examples are powerful learning aids. Depth matters.
3) Drill the skill. Even people who know better can still fall for phishing if they are busy or distracted. In the heat of the moment, thinking twice is too slow. We must develop employees’ ability to recognize threats without thinking. Checking for red flags in an email before opening the attachment must become as natural and automatic as fastening your seatbelt before starting the car. This kind of muscle memory is built only through constant repetition. Frequent attack simulations are key.
In the past, deception and disinformation were espionage tools. Now they can be primary weapons of war. Ordinary citizens, instead of trained soldiers, are the first line of defense. Right now, our citizens are ill-equipped to hold the line. All CIOs, especially those of us responsible for our nation’s critical infrastructure, need to step up and commit to patching America’s biggest vulnerability: ourselves.