Last month, two social media accounts for the U.S. Central Command were hacked. Hostile messages and videos were uploaded onto their Twitter and YouTube accounts by individuals operating under the name CyberCaliphate claiming allegiance to the Islamic State. Additionally, the hackers posted various U.S. military documents in an attempt to claim they had access to important documents, though Central Command claims that, upon review, the documents contained no classified information.
The Washington Post wrote that though this case of “cybervandalism” was not terribly detrimental, “the incident is nevertheless embarrassing to the U.S. military” and a “public relations victory for the Islamic State”. They mention that this social media take-over should be viewed more as propaganda than a danger to national security. While hacking a Twitter account is not the most onerous task for an experienced individual, this case is part of a larger cyberwar currently looming.
Cyberwarfare and Cyber war games
Dan Lamothe recognizes that this display of cybervandalism has a higher likelihood of being from Islamic State sympathizers rather than a direct hack from ISIS. Regardless, it is known that ISIS continues to recruit and train a team of hackers with their sights set on far loftier targets than social media. Western countries are showing signs that they are ready to counter and prepare for attack.
The U.S. and U.K. have agreed to conduct cyber war games with the goal of pointing out holes in the other country’s digital armour. This is the first cooperative measure of its kind between the two countries. Dave Lee for the BBC notes that “the first war game will involve the Bank of England and commercial banks, targeting the City of London and Wall Street.” Lee’s article focuses on the difficulties of reporting on cyber war since the “battle” is largely under the radar or classified. Unlike traditional war, a cyber attack could target a company, organization or governmental institution from anywhere and could come from anyone.
Many large companies or organizations hire outside computer security experts to intentionally hack their systems to point out flaws, weaknesses or exposures. This is known as a “penetration test”, where the techniques of hackers are used to uncover weaknesses before they can be exploited for malicious intent.
Mark Ward for the BBC differentiates cyber war games from penetration tests by looking beyond which technology or data is being targeted to which people are potential liabilities.
“War games are a step up from these tests [penetration tests] because staff inside a firm are taking a more active role. They know they are going to come under attack and have to show how they would respond to whatever is thrown at them. Penetration tests target computers and war games test the people.”
IT Security is a People Issue
Along with the social media breach mentioned earlier, other recent hacks include cyber-attacks on Malaysia Airlines, the networks of Sony’s PlayStation and Microsoft’s Xbox, and JP Morgan Chase. Specifically, in the case of JP Morgan, the hack was not achieved with sophisticated software, but with an employee’s stolen login credentials.
The recent events prove that during a cyber war, private companies are not removed from the government. They must be aware that they too are at risk of being targeted by hackers on the agenda of a militant group.
InfoWorld is rethinking organization security measures for the new world. In their recent article they take an approach to IT security similar to that practiced in cyber war games, with more of a focus on people than technology.
“There is no technology silver bullet for security, and automating people out of the security equation has the perverse result of making people lazy or uncaring about security. After all, IT will take care of it, and take the blame when there’s a leak or breach.
That’s why a security strategy for today must change the primary defense emphasis from devices to people. The key successful attacks today involve people, whether those using social engineering methods such as phishing to physically putting interception hardware on automated sales terminals.”
IT professionals need to be security experts who not only protect the data and technology, but also educate and empower other employees on their active role in security. “In other words, stop treating your people as a problem to contain and instead begin making them part of the solution.” In this changing environment, it is essential that companies maintain the trust of their clients and employees by taking proactive measures to prepare for the increased threat of cyber attacks.