Phish ‘n’ Chips: Some Attacks Have Little Defense in Cyber Security

The notorious “hackings” that intelligence experts believe Russia perpetrated in order to push Trump into the White House brought into public consciousness the issues of cyber security. Although the bulk of the attack was carried out through bona fide hacking attempts by sophisticated Russian agents (probably), many of the most damaging attacks against campaigns have been through fairly basic phishing schemes. The distinction is not subtle: hacking attacks exploit loopholes in code, phishers try to trick victims into handing over key information voluntarily through fake emails. Victims include Hillary Clinton’s and most recently, newly elected French President Emmanuel Macron’s electoral campaigns, despite the latter’s robust countermeasures. As Germany, the UK and (maybe?) Italy gear up for elections later this year, European intelligence officials are beginning preparations against Russian espionage.

Weaknesses in cybersecurity can lead to devastating attacks, but phishing attempts are even more damaging. In 2005, the government surveyed businesses that sustained cyber attacks and found that 31% of attacks on a firm’s cyber infrastructure incurred losses of at least $10,000. However, a whopping 68% of cyber thefts (often using phishing) incurred losses of $10,000 or greater– this share accounted for 45.6% of all businesses. Cyber thefts in the form of phishing attacks have increased 270% between 2015 and 2016 and have included attacks against major financial corporations including Bangladesh’s Central Bank. Particularly in the wake of North Korea’s 2014 attack on Sony and various hacking strikes against the Play Station Network and Microsoft, industry pressure grew for the United States to improve cyber security.

For this reason, the Obama administration had made cyber security a top priority for the United States. Obama set up the Commission on Enhancing National Cybersecurity, a team of academic and industry experts to report on how to make the US’ digital infrastructure more secure. The commission emphasized the imperative for close cooperation between the public and private sectors in order to balance the former’s goal of security and the latter’s goal of expediency. Trump’s plans to improve security, by contrast, are largely unknown (not surprising given his shyness towards hard thinking). However, his choice of FCC chairperson and threats against net neutrality has pitted tech giants against the administration, putting the relationship on a bad footing.

         Cooperation and information sharing are perhaps the most crucial tools governments and corporations have for combatting cyber security threats. The global nature of the internet means that weaknesses in Bangladesh can compromise security in New York as an attack on any point along the chain comprises the whole network. In the Bangladesh heist, a team of hackers were able to obtain fake credentials through phishing and hacking attempts which allowed them to fraudulently direct deposits from the New York fed to a bank in Sri Lanka. The SWIFT network (the hacked communication firm involved in the Bangladesh Bank heist that facilitates global financial transactions) attempted to solve this dilemma by expelling the least secure of its members after warning them to get serious about cyber security. The central bank of Bangladesh, for example, lacked even a firewall. However, while this hardline response surely motivated lagging firms to get serious about bank reform, it does not create the capacity to allow smaller firms to acquire the expertise they need to counter hackers.

  To conclude, digital infrastructure is only part of the problem, at least as important to consider are the psychological weaknesses that thieves exploit to convince victims to surrender their digital information. The attacks against Bangladesh, Macron and Clinton’s campaign all used disguised, scam emails to fool users into offering passwords or digital identification information to gain initial access. Macron and Clinton both, as far as we know, possessed some internal countermeasures to prevent this kind of theft, but inevitably some slip through the cracks. These attacks are cheap and fairly easy to carry out, which means they can deluge a variety of targets with phishing emails and only one need succeed in order for the attack to be worthwhile. No matter how secure the server is, if a scammer can obtain a password, they can gain access. These kinds of attacks went relatively unaddressed by Obama’s cyber security commission — the words “phishing” and “scam” never appear in their 100-page report.

         For this reason, the classic pieces of advice that deluge internet users are often the strongest defenses against malicious attempts to seize digital information: have a secure password; get a robust spam filter; double check before giving away sensitive data; have a strong password (which really just means long) and educate yourself on the security policies of firms that have access to your data. Naturally, relying on people to simply be smarter about their actions has rarely made good policy, but there remains an as-yet ill-defined role for government to nudge folks to protect themselves a little bit more.