What happens next Where's my refund? Best CD rates this month Shop and save 🤑
MONEY
Alcoa Inc.

The hacking of OPM: Is it our cyber 9/11?

Steve Weisman
for USA TODAY
This wanted poster is displayed at the Justice Department in Washington. Cyber crimes allegedly committed by Chinese hackers have put American's digital records at risk.

The recent hacking of the federal Office of Personnel Management (OPM) by hackers apparently tied to the Chinese government may well be our country's cyber 9/11. Just as the attack on the World Trade Center and the Pentagon on September 11, 2001 both exposed vulnerabilities in our national security programs and served as a wake-up call for reorganizing our conventional efforts against national enemies so should this attack alert our country's leaders to the critical need to work together to fight a cyberthreat to our country that cannot be overestimated. And just as we were complacent before the attacks on the World Trade Center and Pentagon in 2001 despite warnings of growing danger so have we failed to heed warnings regarding our vulnerability to cybercrime. The OPM's own Inspector General issued a report in November of 2014 decrying the lack of security at the agency.

Although the announcement of the hacking into the computers of the OPM and the stealing of personal data on more than four million present and former federal employees was made in late May, the data breach had been discovered a month earlier and had been going on undiscovered for more than a year.

An obvious question about this latest data breach is why were the hackers seeking this information and the answer at this time is that we do not know. This type of information could be used for purposes of identity theft for profit, for gathering information to be used by the Chinese government to enhance their spying capabilities or even as part of their ongoing worldwide corporate espionage efforts by which they steal corporate and military secrets, such as the theft of secret plans of our most advanced F-35 Stealth Fighter Jet which was accomplished by hacking into computers at the Pentagon and at Lockheed Martin, the builder of the plane. Evidence of the hacking of the F-35 was leaked to the public by NSA whistleblower Edward Snowden.

In May of 2014, the Justice Department indicted five Chinese military personnel on charge of hacking into six American companies to steal corporate secrets, however this type of activity has gone on for years. According to security company Mandiant, Chinese hackers have stolen corporate secrets from 115 American companies since 2014 and it is not just the Chinese who do this type of corporate espionage. Russia has also been particularly active in corporate cybercrime. It was estimated by cybersecurity company CrowdStrike that the Russian government has hacked hundreds of companies around the world in order to steal trade secrets and corporate information they can exploit.

Despite the great sophistication of the specific types of malware used to steal data from companies and government agencies, the manner in which that malware is downloaded on to the computers of the targeted company or agency is generally through spear phishing where someone at the targeted company or agency receives an email with the malware included as a link or an attachment that the victim is lured into clicking on or downloading because the email appears to be legitimate. In the case of the Chinese hacking of Alcoa, one of the six companies that were hacked by the indicted Chinese hackers, an email was sent to 19 Alcoa employees that appeared to have come from Nissan CEO Carlos Ghosn, who was at the time a member of the Alcoa Board of Directors. The email purported to inform them about an upcoming shareholder meeting and contained an attachment with the meeting agenda. However, the attachment contained malware that when downloaded by unwary Alcoa employee enabled the hacking of Alcoa's computers.

The risks of state sponsored, criminal or terrorist cybercrime are huge and the consequences potentially devastating. The world's financial system is in jeopardy as evidenced by the hacking of 100 banks around the world by a consortium of Russian, Chinese and European hackers who have stolen more than a billion dollars from targeted banks over the past two years. Sophisticated hackers have stolen data from more than 100 pharmaceutical and biotechnology companies to gain secret information that they used to make profits by trading on this insider information. Already, estimates of the financial damage to the world economy due to cybercrime exceed 575 billion dollars, which is more than the GDP of many countries and the problem is only getting worse.

The danger posed to our critical infrastructure including gas pipelines and the electrical grid by hackers was shown by the 2014 cyberattack on a German steel mill by which hackers gained control of the steel mill's blast furnace and manipulated it to cause massive damage to the facility. Once again, the malware was downloaded through spear phishing.

North Korea has already managed to hack into a nuclear power plant in South Korea and its dedicated cyberarmy, which receives 20% of its defense budget, continues to pose a threat to the world. And what of the danger posed by ISIS and other terrorist groups as they start to show the ability to exploit our cyber vulnerabilities?

To date, the response by Congress has been minimal. President Obama has urged Congressional action and has issued Executive Orders related to cybersecurity and although they represent a good start, they are far too limited in scope. What is needed is for laws to be passed to facilitate businesses and the government to work together to defeat a common enemy. New security measures such as increased used of dual factor authentication, education of employees about the dangers of phishing, greater encryption of data and limiting Internet access of certain material must be implemented across the board. Cybersecurity has got to become a primary concern. We have been warned.

Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.

Featured Weekly Ad