3Qs: Analyzing the cybersecurity threat posed by hackers

Themis Papageorge, Associate Clinical Professor in the College of Computer and Information Science, examines the cybersecurity threat posed by al-Qaida and Anonymous, a global group of hackers. Photo by Mary Knox Merrill.

Last week, Anonymous, a global group of hackers, successfully infiltrated the Department of Justice’s system and released stolen data. At the same time, al-Qaida, the international terrorist organization, released a video calling for an “electronic jihad” on the United States. We asked Themis Papageorge, an associate clinical professor in the College of Computer and Information Science, and the director of the college’s information assurance program, to analyze the threat posed by rogue hacker groups and what the U.S. government can do to protect itself against future attacks.

This isn’t the first time the Department of Justice was hacked. What do groups such as Anonymous accomplish by hacking into these networks and releasing data? What is the motivation behind their attacks?

Groups like Anonymous are becoming a critical threat to society and national security: They attack government, public and private companies, and individuals’ networks and computer systems multiple times every day. When they breach a computer system they steal data and many times install malicious software programs that, unbeknownst to the systems’ owners, allow for future access by the hackers and continuous leaking of confidential data.

Stolen data can vary from proprietary product information and other intellectual property to national-security data. Anonymous and similar groups can embarrass a government or a company by breaching its networks and computer systems and can also gain financially by selling the stolen data.

The motivation of hacker groups such as Anonymous is a key component of the threat analysis that we teach in information assurance courses at Northeastern. Threat agents, such as Anonymous group members, are motivated by many factors, ranging from personal gain to revenge, peer recognition, curiosity, and crime; to political, religious and secular influence; and potentially to terrorism and national military objectives. We train our students to assess the cybersecurity risk posed by each group by ranking these motivation factors.

What can government do to thwart future breaches? What challenges do federal entities face in protecting themselves from hackers?

We need to defend more effectively against such groups, both from a technical capabilities perspective as well as from a contextual perspective. Government and public organizations need to consistently implement risk-based technical countermeasures and controls for networks and computer systems, along with policies and user awareness.

Many times a cybersecurity control, such as a software patch, may be available for months before it is implemented. People can be our most capable firewall by training employees to defend against social engineering. It is important to know not to click on a malicious attachment in an email and not to provide confidential information to an unidentified telephone caller. User training and awareness are some of the valuable components in security risk management.

The greatest challenges facing federal entities come from a limited knowledge of the threat agents’ modus operandi.

Since the attackers have the advantage of choosing the method and time of attack, federal agencies could make risk-based decisions by defending against the most damaging attacks only by having access to a comprehensive and current data set of attacks and methods. This can be accomplished by sharing attack and method data and scenarios across federal agencies and public companies. This strategy would help build effective network and computer system security controls, countermeasures, policies and incident response strategies.

Al-Qaida has called for an “electronic jihad,” promoting attacks on a range of online targets. Is there evidence that a network of al-Qaida operatives could plan coordinated attacks?

Al-Qaida has a well-documented record as a terrorist group with multiple physical attacks. In terms of organizational structure, hacker groups have been a collection of individual threat agents with networking abilities (initially using the Internet and also later technologies such as Peer-to-Peer and BitTorrent) to talk about their exploits and share malicious tools. Al-Qaida is reported to have a hierarchy but seems to operate as a network of semiautonomous cells of threat agents whose actions are thus even more difficult to predict and stop.

Therefore, if al-Qaida were to acquire the technical capabilities of a hacker group such as Anonymous, they would be a very credible and high-risk cybersecurity threat. Planning and executing coordinated attacks in the cybersecurity domain is very different from executing attacks in the physical security domain, because the space and time constraints of physical attacks are considerably reduced in the cyber domain. It may take weeks or months to plan a cybersecurity attack, but it could only take a few minutes to launch a denial-of-service attack, using a botnet of computers belonging to unsuspecting companies and individuals, and potentially bring down a component of critical infrastructure.