UD expert: Cybersecurity has bumpy year ahead

Remember public enemies Bonnie and Clyde, the Great Depression-era robbers who traveled the country with their hardscrabble gang, ticking off felonies like a bucket list?

They can't hold a candle to modern-day hacktivists, who can steal from hundreds of thousands of people while sitting at home in their pajamas.

Pres. Barack Obama has warned that cyberattacks are among the most serious economic and national security challenges facing the nation. Cybersecurity is a top priority of the Senate Committee on Homeland Security and Governmental Affairs, previously chaired by Democratic Sen. Tom Carper of Delaware.

"Cybercrime is becoming everything in crime," FBI Director James Comey said in a recent interview with CBS' "60 Minutes." Comey estimated national losses in the billions each year.

Last week, a hacker group believed to be associated with ISIS took control of the Twitter accounts and website services of the Albuquerque Journal newspaper in New Mexico and WBOC 16 TV station in Maryland. Calling itself "Cyber Caliphate," the group posted several confidential documents, including driver's licenses, corrections records and addresses.

The high-profile hack against Sony Pictures Entertainment in November resulted in massive dumps of employees' personal information and the brief cancellation of the theatrical release of "The Interview." The FBI has blamed the North Korean government for the data breach.

Many cyber attacks are related to vulnerabilities in three areas: "Computing and software, networked communications, such as the Internet and cell phones, and last, fooling humans into making mistakes," according to Chase Cotton, director of the University of Delaware's Center for Information and Communications Sciences.

Cotton, a professor of electrical and computer engineering, is one of several experts involved in a new cybersecurity initiative at UD, which seeks to train the next generation of specialists to meet a critical need. The U.S. faces a severe cyber workforce shortage, according to national statistics, with more than 30,000 jobs available and only 1,000 skilled specialists who can design secure computing systems and write secure code.

Last year, UD named Starnes Walker, a physicist and national cyber defense expert, to lead the regional initiative, funded by $3 million in state aid and a research grant from the National Science Foundation. UD is one of only nine universities involved in the first federally funded research and development center solely dedicated to enhancing cybersecurity and protecting national information systems.

The university itself fell victim to a cyberattack in 2013, when hackers stole the names, addresses and social security numbers of more than 72,000 current and past employees.

UD has since introduced five new cybersecurity courses for undergraduate and graduate students. Last fall, the university began offering a minor in Cybersecurity, and administrators are planning graduate degree and certificate programs in the near future.

The educational programs at UD are being developed in collaboration with other local universities and cybersecurity employers, along with the U.S. Army and Delaware National Guard.

Experts are increasingly concerned that sophisticated cyber attackers are focused on taking out critical infrastructure – like the systems controlling the pipelines of America's energy sector – instead of consumer data breaches like the ones reported at Target, Staples and Home Depot.

Interviewed by e-mail Friday, Cotton discussed the cybersecurity landscape for 2015 and beyond.

Q: The extremist militant group ISIS has deftly handled social media in recruiting new members and spreading its message. Some experts have claimed that ISIS' social media savvy doesn't translate into a real cybersecurity threat. Do you believe that ISIS has the manpower/resources to launch a grand attack on U.S. infrastructure?

Currently no, and probably not alone, but possibly in collaboration with others now or in the future. The technology to make these types of attacks on major infrastructure exist today, though mainly in the hands of nation states. But the skills, much like physical weapons, are increasingly available to groups worldwide.

Q: Can we expect to see more frequent and more dramatic attacks?

Unfortunately yes. Most attacks that non-government organizations and individuals will see are primarily financially motivated. Exposure, unfortunately, is heightened by our increasing reliance on our wired electronic infrastructure.

As for governments, and similarly for critical public infrastructure (e.g., the electrical grid, transportation, manufacturing, etc.), attacks will also continue ...We are in a race to stay ahead and protect these assets in both the public and private sectors...

For each [vulnerability], there is a method of attack.

A software application may have a flaw that allows an attacker to modify what the program does, or access data held on the computer where the application is running. This is an attack often used against Internet websites.

A large system, like a wireless network, may have a design weakness that allows an attacker to listen in on your communications. An attacker may be able to use a technically sophisticated attack to take advantage of these weaknesses and listen in on your calls or see your Internet activities.

Very motivated attackers will do detailed research using the Internet and social media and identify key individuals in an organization, (e.g. computer administrators). They will then try to fool those individuals and try to infect their personal computers in order to get access to business systems they manage. We call this "spear phishing."

Q: What can the average citizen do to better protect himself/herself?

• Keep your computers, tablets, smartphones, operating systems and application software up to date. Also update home-networked devices like Wi-Fi access points, cloud drives, sound systems, security systems/cameras, etc., and always set up strong non-default passwords on these devices.

• Run an antivirus program on your computers.

• Don't click on links from someone you don't know. And use care about links even when sent from your friends. Make sure the underlying link (URL) is a real company or organization you recognize.

• Choose strong passwords (eight or more characters mixing upper and lower case letters, numbers, special characters). Or, better yet, use long pass-phrases, (e.g. "my dog eats RED shoes on wednesdays!"). And don't reuse passwords across different accounts.

• Use two-factor authentication, [two separate forms of identification to verify identity], on critical accounts (banking, email, cloud storage).

• You and your family members should normally try to use non-administrator accounts on your computers for day-to-day activities. This will minimize damage and ease recovery when you eventually get infected with computer malware.

Q: Apart from getting off the Internet completely, can we ever truly be safe from such attacks?

Unfortunately, security will never be 100 percent, but we should eventually be able to get to where successful attacks are rare, like having the occasional fender bender.

Contact Margie Fishman at 302-324-2882 or mfishman@delawareonline.com.