It should be harder to bring down the nation’s most critical computer systems than by just finding a single weakness, a top Carnegie Mellon University computer security researcher plans to tell Congress on Tuesday.
Americans can take some simple short-term steps to protect their computer information, says Greg Shannon, chief scientist for the CERT division of Carnegie Mellon’s Software Engineering Institute. But eventually, the United States must develop a coordinated national strategy to build trust in computer networks while making it harder for hackers to attack, he says.
“Today, it takes only modest energy (computing and human) to find and execute economy-threatening attacks,” Shannon says in the prepared testimony he plans to deliver to a House Energy and Commerce subcommittee. “This creates an environment that favors the adversary by orders of magnitude.”
The Oversight and Investigations subcommittee chaired by Rep. Tim Murphy, R-Upper St. Clair, plans to hold a series of hearings focusing on computer threats and their impact on businesses and consumers. The first hearing Tuesday seeks to provide an overview of the history, present and future of cybersecurity.
The gap between hackers’ abilities to break into systems and cybersecurity experts’ abilities to protect them continues to widen, Murphy said.
“It does affect every family and will continue to do this,” Murphy said. “Our job is to make sure we provide the assets to stay on top of this. It continues to change and morph with time.”
The Tribune-Review’s ongoing Cyber Rattling series has examined how computer hackers could attempt to bring down the nation’s systems for energy, banking, transportation and other critical infrastructure and commerce. The newspaper reviewed advance copies of prepared statements experts are expected to present to Murphy’s subcommittee.
“No sector is immune,” warns Richard Bejtlich, chief security strategist for FireEye, a Milpitas, Calif.-based cybersecurity company, in his prepared statement. “… The time to find and remove intruders is now. There is no point in planning for theoretical, future breaches until you know your own current security posture.”
Most recently, hackers have started using more so-called “phishing” emails that appear to come from computer technology workers within the victim’s company, Bejtlich says. Criminals use them to steal passwords and eventually empty bank accounts.
In many cases, victims go for months without realizing their computers have been breached, he says. The median time to discover an attack is 205 days after the hackers have broken into the victim’s systems.
“Unfortunately, it means that for nearly seven months after gaining initial entry, intruders are free to roam within victim networks,” Bejtlich says.
For retailers and other consumer-based companies, it can be hard to balance cybersecurity and convenience, Herbert Lin, senior research scholar at Stanford University’s Center for International Security and Cooperation, says in his statement.
Computer users have better ways to secure their systems than easily guessed passwords — such as two-factor authentication that requires a second piece of information. But most of those other tools are a bigger hassle or cost more, Lin says.
“Cybersecurity measures are the antithesis of convenience,” he says. “Mostly, cybersecurity gets in the way of doing useful work.”
Shannon at Carnegie Mellon’s CERT wants companies to share more information about computer breaches so researchers can start identifying more efficient ways of preventing attacks, he says. Hackers take advantage of victims’ unwillingness to talk about being attacked.
“Science or technology are only as good as the data it is created from,” Shannon says, “and currently, researchers and developers have limited access to data, resulting in sub-par solutions and slower innovation.”
Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or [email protected]