Yahoo. The Democratic National Committee. San Francisco’s public transit system. Your home Internet router. It seems as though every day brings news of cyberattacks against U.S. institutions, companies and regular people. Experts say that there are ways to fight back, and that we need to do more — as individuals and a nation — to protect ourselves from cyber criminals and tech-savvy despots in the first place.
Some measures require Congress to appropriate taxpayer money, such as the $3.1 billion that President Obama requested earlier this year to upgrade the federal government’s outdated computer systems with new hardware and software. It’s just one aspect of a $19 billion cybersecurity overhaul across federal agencies that’s part of the budget that Congress still hasn’t approved.
Other initiatives are far simpler, such as educating people to not download unknown files, respond to unusual Facebook messages, or fall prey to deceptive “spear-phishing” emails that steal passwords and personal data.
“You have to teach people to wash their hands in cyberspace,” said Herbert Lin, senior research scholar for cyber policy and security at Stanford University’s Hoover Institution. “That’s a hard thing to do. Saying: ‘Don’t use your technology for what it was designed to, or just don’t use computers’ — that’s not useful.”
Enforcing “cyber hygiene” would cut down on more than 80 percent of cyberattacks and cyber thefts, according to Lin. In fact, a staffer at the Democratic National Committee made just that kind of mistake last year, allowing Russian hackers to infiltrate the DNC’s servers in 2015, steal emails from Clinton aides, and then sow political mischief throughout the 2016 election, according to a recent New York Times report.
In October, malware embedded in residential internet routers and DVRs helped orchestrate a large-scale distributed denial of service (DDoS) attack on the East Coast that shut down Amazon, Netflix, Twitter and other major websites. The following month, a ransomware hack shut down San Francisco’s public transit ticketing system for a few days after Thanksgiving.
As a member of President Obama’s cybersecurity task force, Lin helped craft recommendations to prevent these kinds of attacks in a report released Dec. 1. These included a labeling system to help consumers assess the security of computer products and services, and potentially making companies liable for internet-connected devices that can be hacked and made to cause damage.
“There’s no silver bullet,” Lin said of the task force’s work, which its members hope to present to President-elect Donald Trump’s transition team.
The report states that the federal government needs to develop a roadmap for sharing information about threats with the tech industry and developing computer networks with better security, as well as imposing standards for internet-connected components in automobiles, houses, cameras and other devices that make up the “internet of things.”
The task force spent eight months on the 100-page report, but with new allegations about Russia’s intervention in the U.S. presidential election, some observers are wondering whether Trump or his team will even read the document. On Wednesday, intelligence officials told NBC News that Russian President Vladimir Putin was personally involved in the operation against Hillary Clinton’s campaign in an attempt to help elect Trump.
Trump has repeatedly said that he doesn’t believe the C.I.A.’s conclusion that Russia’s government hacked the Democratic National Committee to bolster Trump. The White House and members of Congress have pledged to investigate the matter.
Could Europe be next? Germany and France will both elect new leaders in 2017, and there’s concern that those nations may face a similar pattern of Russian-directed cyber thefts followed by the spreading of leaks, false news stories and rumor mongering on social media.
“One thing we will have to see is whether Russia feels emboldened and hasn’t suffered major consequences, at least in public,” said Ben Buchanan, a postdoctoral fellow at Harvard University’s Cyber Defense Project. “Maybe they will use that first round in the U.S. as a springboard for activities in Europe. That’s why deterrence is such a key part. It’s not just a question of defending, but establishing consequences if this kind of behavior continues.”
The cybersecurity commission hopes to meet with Trump’s transition team before Christmas, but no such meeting has yet been announced. It’s not clear whether President Obama will act on the commission’s recommendations before leaving office next month.
Instead of trying to punish Putin in some kind of cyber-based counterattack, perhaps it might be better to push Russia off the world stage until it behaves. That’s an idea floated by Scott Borg, director of the U.S. Cyber-Consequences Unit, a think tank that advises federal agencies and corporate partners about ways to protect computer systems.
“We don’t bribe countries to make them behave in the markets, we don’t punish countries by attacking them if they behave badly in the markets,” said Borg, an economist. “The main thing that keeps international economics honest is that if you aren’t playing by the rules, you get shut out.”
Borg suggested that Western nations consider blocking Russia from taking part in international trade pacts, meetings or treaties.
“We need to change the game,” Borg said. “Otherwise the problem will get worse.”