Fixing the Glitch: cyber security and broken systems


Remember the AP Twitter hack-and-hoax of 2013, where the Syrian Electronic Army (SEA) gained access to the Associated Press’ Twitter account and posted a fake tweet reporting explosions at the White House and the injury of the President? Within seconds, financial markets dropped by 1%. Within minutes, Twitter became a hornets’ nest of refutations and announcements. AP reporters tweeted that @AP had been hacked. Things returned to normal.

This hack proved that financial markets, which move reliably and quickly to perceived threats, can be vulnerable to manipulation by hackers; any glitch in the system causes software—and people—to react, so response before context and clarification is given usually causes damage. (A hacker’s market, @Economia, May 2013)

 


Why hackers hack

Causing disruption in financial markets is only one small incentive for cyberattacks. Large amounts of useful data live in networks and in the Cloud, and hackers are finding creative ways to get to it and use it for everything from “simple” identity theft to industrial espionage. In May 2015, the Internal Revenue Service confirmed that hackers had used stolen identity data (and shady email domains) to defraud the “Get Transcript” application and steal account information for 100,000 taxpayers.

CareFirst BlueCross Blue Shield was also hit in May 2015 with a data breach that compromised personal information on over 1 million customers. The same attack methods may have been used in earlier breaches at Anthem and Premera, which collectively involved data on more than 90 million Americans. All companies are providing credit monitoring and identity theft protection services for members while they seek solutions to provide more robust security for their networks.

Katherine Archuleta, the director of the U.S. Office of Personnel Management (OPM), is currently dealing with one of the largest government data breaches in U.S. history. The scope of this disaster is still growing, since additional reports have surfaced indicating that the breach has affected almost 20 million background investigation forms and 1.1 million fingerprint records for Federal employees.

The theft of these forms represents a major national-security and intelligence failure, given that they contain records of past drug use, mental health and contacts with people overseas and other sensitive information that could prove useful to a foreign intelligence agency. (Wall Street Journal, July 9, 2015)

Archuleta will likely be held accountable for the current OPM breach, but the problem is systemic, and much more than any one person or committee can solve.

In April 2015, the U.S. Government Accountability Office presented GAO-15-573T, a testimony on Cybersecurity and the need for government agencies to address cybersecurity challenges that are growing steadily each year. “Specifically, the number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) increased from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of 1,121 percent.”

Wait. What?

Yes, you are reading that correctly. Between FY 2006 and 2014, the number of information security incidents—stolen data, malware installation, phishing or spam attacks, and so on—increased over ONE THOUSAND PERCENT. Here’s a visual from page 7 of the GAO report:

GAO chart showing incidents reported to the U.S. Computer Emergency Readiness Team by federal agencies, FY 2006 - 2014

Furthermore, the report details the types of threats and the purposes of the attacks. Keep in mind this is the stuff we know about. And the government sector is expanding its cyber warfare capabilities in an attempt to meet these threats head on.

Intentional versus unintentional threats

In addition to cyber attacks, computer glitches are wreaking havoc with automated software systems worldwide. Software that runs massive systems involves millions of lines of code. Despite thorough quality checks and regular security upgrades, a tiny error—such as one misplaced string of code or a missing character—can cause programs to act erratically, or even crash completely.

A United Airlines computer system glitch grounded flights nationwide for a few hours Wednesday morning, July 8, leaving thousands stranded and causing a domino effect of delays for almost 5,000 flights worldwide.

The glitch affected software that automates United’s operations, according to the FAA. And its failure shows just how sensitive computerized companies are nowadays. (CNNMoney)

Fears of systemwide technical vulnerability were brought to light when the New York Stock Exchange went dark from 11:32 a.m. to 3:10 p.m. on the same day as the United Airlines debacle. This outage was longer than the 2013 NASDAQ collapse, which spawned an order from the Securities and Exchange Commission to improve the vulnerable systems that form the backbone of Wall Street. According to market analysts,

… the SEC, which polices the markets, has struggled to keep up with the technological revolution that has come to dominate modern trading. It has also missed out on opportunities to address key vulnerabilities, opening the door to other damaging threats. (@WashingtonPost)

Luckily, technology kept the outage a non-crisis. The availability of alternative electronic trading platforms has resulted in the NYSE handling less than 14% of the trading in American shares. So while the NYSE’s glitch is still problematic, it wasn’t catastrophic. (Glitch Perfect, @theEconomist, July 9, 2015)

Shortly after the beginning of the NYSE computer crash, the Wall Street Journal displayed a 504 error on its site until a modified homepage could be uploaded. The full site was restored shortly thereafter. The Wall Street Journal has not yet reported what caused its website crash, but theories abound, from the serious (bandwidth overload, virus issues, cyber attacks) to the silly (anniversary of first print issue in 1889, SkyNet waking up).

Cybersecurity: the Wall Street Journal home page indicating a 504 error.

 

Leaving the door open

United Airlines cited a faulty router for the systemwide halt; the New York Stock Exchange crash seems to have been caused by a faulty software update that was installed Wednesday morning before trading began. And the Wall Street Journal experienced a systems-overload (only on its non-mobile browsers) that was likely an effect of overload from users seeking information on the other two (my theory, at any rate).

While nothing indicates the three technical glitches are linked, speculation is stoking fears about technology infrastructure and data security. From the Sony Pictures hack of late 2014 to the still-fresh nationwide OPM hack blamed on old software, cyberattacks and malfunctions are becoming part of the public awareness of our dependence on vast, vulnerable systems.

…OPM has other responsibilities, including payroll and health benefit processing for government employees. [OPM Director] Archuleta repeatedly blamed legacy systems, some of which dated back to 1985 and use outdated COBOL programming language, as part of the problem. Such legacy systems, she said, could not be encrypted, for example. Office of Management and Budget (OMB) CIO Tim Scott noted that information-security practices such as data segmentation in databases are much more difficult in legacy systems. (“OPM Blames Legacy IT Systems in Contentious Hearing,” @PrivacyTech, June 17, 2015)

Obviously, we can’t just pull the plug on old systems and start from scratch. New critical systems and enhanced, secure infrastructure are needed everywhere, but these improvements will take time. The shortage of skilled IT and cybersecurity professionals has been widely publicized; in February 2015 the White House held a summit on Cybersecurity and Consumer Protection at Stanford University, calling for “industry, tech companies, law enforcement, consumer and privacy advocates” and others to come together to work through the issues facing cybersecurity. President Barack Obama explained that the government cannot tackle this “cyber arms race” on its own because so many systems reside in private industry (non-government) sectors. Since cybercrime is systemwide, it makes sense for both government and private industry to work together to grow our defenses against cyberattacks.


I originally wrote this article for NOVA Workforce Development Division’s blog.
