The week of August 2, 2015

Welcome to the hackable planet

By Jesse Hicks

If you’re looking for an exercise that will make your head spin, try contemplating the number and enormity of recent data breaches. Without thinking too hard, you’d come up with the United States Office of Personnel Management (OPM) hack, in which the personnel data of an estimated 21.5 million government employees and their families was stolen, including Social Security numbers and, in some cases, fingerprints. Recent reports suggest the same China-backed group behind the OPM hack may also have breached computers at United Airlines, stealing flight manifests, including information on passengers and their origins and destinations; it’s also likely to be the group that cracked the U.S.’s second-largest insurance company, Anthem, exposing the information of 80 million users.

Trying a little harder, you’d cast your mind back to the hazy mists of late 2013 and the Target hack that exposed 40 million credit and debit cards. Then there was Home Depot (September 2014, 56 million credit and debit card numbers stolen), JPMorgan Chase (customer data affecting a combined 83 million households and small businesses), and the Hollywood hacks: Sony’s massive pwning meant leaked employee emails and personal data, while the apparently long-running Celebgate hacks spread stolen, intimate photos of dozens of famous women across the Internet.

Obviously, we have a hacking problem. Or, really, we have many, many hacking problems—the litany of new hacks seems an almost daily ritual.

Today, someone (or millions of people) somewhere is being hacked. Why haven’t we been better about stopping these massive data breaches?

In this issue, Marcy Wheeler looks at how Congress has responded to the OPM hack and suggests the legislative branch hasn’t done enough to push actual cybersecurity regulations. Instead, it’s focused on “information-sharing” with private companies—information that can include private customer data—while immunizing those same companies from any sanctions in the event of wrongdoing. Meanwhile, the government has failed to secure its own networks, leading to debacles like the OPM hack. Wheeler sees in Congress a disturbing lack of urgency on the issue, paired with its seeming notion that ineffectual half-attempts will at least give the appearance of doing something.

All of these hacks have consequences: They can out spies (the OPM data included personnel info on undercover operatives), destroy finances, and ruin lives (as in the recent hack of infidelity broker Ashley Madison). Those consequences are the result of leaked information—someone coming to know something they otherwise might not. But as Jonathan Keane details in his story about penetration-testing smart cities, we may soon become familiar with another kind of hack: the cyberattack that targets physical infrastructure, from traffic signals to power grids. Information technology is making our cities increasingly complex, yet there’s so far been little concerted effort to make sure that complex technology is also reliable, robust, and hacker-proof.

Keane talked to experts in the field, who suggested we need to start treating our cities the way we would vulnerable computer networks; in part, that means trying to attack them, find potential weaknesses, and repair them. But like Congress, cash-strapped municipalities are unlikely to devote resources to an invisible threat. Until, of course, it’s too late—and sometimes not even then. The lesson here might be that until we collectively get serious about cybersecurity in every applicable arena, the hacker will always get through.

Hopefully knowing that helps you sleep a little better at night.

Photo via Sneakers/Universal Studios | GIF remix by Jason Reed