The hack on the US Military’s Central Command Twitter accounts by IS this week illustrates the increasing ability of non-state cyber criminals to disrupt official government and corporate accounts.
The Islamic State (IS) hack is only the latest in a series of incidents, including the disruption for several days of Microsoft’s Xbox Live and Sony’s PlayStation Network by a new hacking outfit calling itself the Lizard Squad, which is now offering its services to the highest bidder.
The technical proficiency of IS and its complex organizational structure are well documented. IS releases detailed annual reports of its activities and has an effective propaganda arm, including three different media foundations producing CDs, DVDs, posters, pamphlets, and web-related propaganda products. IS also has a large and active social media presence, with highly coordinated publicity campaigns on Tumblr and Twitter. Thus, it should not come as a surprise that IS would have the capability to pull off a relatively uncomplicated takeover of some of the US military’s Twitter accounts.
What this hack demonstrates, once again, is the growing risk and vulnerability of corporate and government online data. The internet has become a digital public square and a political battleground that a bewildering number of organizations and individuals use to make a statement, garner illicit funds, or simply demonstrate their technical skills. Large institutions with an online presence have largely failed to keep pace with the speed of these developments and are still behaving as if they have sole control over the narrative and perception of their activities. Government and business should undertake an effort to improve online intelligence so that they become more aware of how they are actually perceived in cyberspace. This will allow potential threats to infrastructure and services to be identified more accurately and more effective security measures to be put in place.
This is finally beginning to occur in a systemic manner, as government and business are starting to move in a coordinated fashion in the interest of achieving greater online security with President Obama’s Cybersecurity Framework. Developed after a yearlong consultation with businesses in a variety of sectors, the Cybersecurity Framework provides a detailed list of best practices and guidelines to improve the security of critical digital infrastructure. Information is organized into a range of profiles based on the activities in which a particular business is engaged, and a number of scalable tiers are provided depending on the degree of rigor and strength of risk management practices that the business wishes to adopt.
While most of the information and measures promoted by the Framework are not new, the existence of a central repository where information is organized in a coherent manner, with further resources provided by the US federal government to assist in upgrading cybersecurity defenses, is a considerable advance over the present state of affairs. The Cybersecurity Framework is a positive step, and businesses with a significant online presence seeking to quantify and manage the risk they face should make every effort to engage with this new initiative.