In the popular imagination, major cybersecurity events involve an elite hacker (or a group of them) employing a singular genius to crack complex computer codes and steal vital secrets or millions of dollars. The reality is that most hackers use a set of tools available for sale for shockingly small amounts of money. “Hacker schools” in places like Brazil and Russia can train someone who is relatively computer illiterate to use those simple tools to exploit vulnerabilities and gain access to sensitive information, whether it be trade secrets or personally identifiable information useful for committing identity theft.
Recent information has made public what many in the cybersecurity industry have known or suspected for some time: some of these tools were created by the American government, specifically within the National Security Agency (more commonly known as the NSA). The NSA has an operations group, known as Tailored Access Operations, tasked with creating cyber weapons to deploy against foreign enemies, whether they be terrorist organizations, hostile nation-states, or entities in charge of vital infrastructure assisting either of the above. TAO finds vulnerabilities within computer systems and networks and creates programs to exploit those vulnerabilities. Apparently, though, the operations group was less adept at protecting their own system.
An organization or loose affiliation of hackers calling themselves the Shadow Brokers has obtained the programs and codes created by TAO and made them publicly available. Hackers in North Korea and Russia have then used those tools to orchestrate incredibly damaging attacks on global businesses. The recent PETYA ransomware attack is just one example of such an exploit created by the NSA only to be used against American companies. Government officials are investigating whether the breach occurred as a result of a leak from an NSA insider or a breach of the NSA’s computer systems by foreign hackers.
Regardless of the actual source of the breach, many experts believe the United States government has focused too much of its energy on attacking its enemies using cyber tools and not enough resources on shoring up its defenses. Leaks and hacks of government entities and government contractors have become shockingly common over the past decade.
These leaks and hacks stem from the same vulnerabilities that impact private American entities: failures of the human firewall (constituting both deliberate breaches by government employees and breaches caused by employees failing to take sufficient safety precautions), failures to protect physical systems (government data has been leaked as a result of a work laptop left on the subway system), and failures of the systems themselves by the exploitation of insufficient redundancies and the failure to patch known vulnerabilities.
That even the US government struggles to protect vital systems from cyber attacks should highlight the importance of a strong cybersecurity focus for United States companies. Charlie E. Bernier, Principal Consultant and Cyber Insurance Expert at ECBM, says, "American businesses may not have the resources to rely on an army of computer experts to protect themselves... Still, individuals and organizations can go a long way to protect their data and their networks using foresight, training, and adherence to basic cybersecurity principles." He advises that "Companies must make cyber self-defense a vital part of their planning and strategies moving forward."