The White House says that the Syrian Electronic Army is not that sophisticated, but does that mean they are not a real threat and that we shouldn’t be concerned?
I just read an article on NBC Investigations about Syria and the Syrian Electronic Army (SEA), and I found a very interesting quote that is worth discussing further. The basis of the story is that the SEA is not being viewed as a serious threat to U.S. Government agencies because of the technology and techniques it has used recently to disrupt operations at several news media websites and Twitter accounts, including The Washington Post, NPR, CBS, Reuters, and others. The most notable attack was on The Associated Press in April 2013, when the SEA gained access to the AP Twitter account and falsely reported that there had been an explosion at the White House. Despite these activities by supposedly not very sophisticated cybercriminals, there was one thing that stood out in the article:
“There is nothing sophisticated about spearphishing,” said Roger Cressey, a former White House cybersecurity official and now an NBC News consultant. “It is a technique used by a range of actors, from state actors all the way down to activist groups. The fact that it works is a flaw in security training and awareness.” (emphasis mine)
Even if the SEA isn’t slick enough to hack into a server from halfway across the world using brute force, THEY DON’T HAVE TO, for two reasons:
1. There are other rogue nations (like Iran) and individuals, both abroad and domestic, who would love to use their own more sophisticated tools of cyberwarfare that Syria doesn’t have.
2. There will always be people who work at targeted government agencies and companies who will become unwitting pawns in handing over access to sensitive data.
It is that very lack of security training and security awareness that cybercriminals will always exploit, and there is no shortage of opportunities for them to attempt it. This is a problem not just at Federal and State agencies but also at smaller municipal agencies, which have a lot of catching up to do in addressing cyber security risks. As I have been teaching my data security risk management classes to municipal administrators since January of this year, I have noticed there are an increasing number of IT managers who are concerned about cyber attacks and the impact they could have on their infrastructure and bottom line. But the majority of municipal administrators have yet to develop any serious strategies for dealing with cyber and data security risks, such as employee training to identify potential spearphishing attacks, social engineering and ruses.
And if enough successful attacks occur against smaller, more vulnerable targets, it will be as damaging as an attack against a single larger target. That’s because municipal governments often control local utilities such as water, power, and natural gas distribution, as well as traffic systems, high speed Internet, prisons, public schools and colleges. Imagine the sheer chaos if Syria led cyberattacks focused on these entities as part of a surprise. It could happen. And I believe it will. Even if it’s not from the Middle East, there is every indication that a cyberwar is brewing and waiting for the right moment to launch.
The question is whether local government agencies will be ready when it happens. I will continue to monitor this as I teach my courses and document the level of proactive agencies versus those that remain oblivious (to their own peril and that of their residents).