By Rachel Marsden
A cyberattack on Community Health Systems Inc., a private hospital network, in April and June resulted in the theft of non-medical data of 4.5 million Americans, including names, addresses, birthdates, phone numbers and Social Security numbers, according to a new Securities and Exchange Commission filing. The attacks were attributed to Chinese hackers. There's justification for alarm, but not for the reasons you might think.
The good news is that none of this information allegedly stolen by the Chinese is anything that hasn't long been publicly available through information broker websites, accessible by anyone on the planet for a modest fee. What a relief, eh? If you're a skilled hacker, you could easily obtain this information yourself and "waive" the access fee entirely.
These information broker websites mine billions of records from government and professional sources each year. Apparently, no one in America much cared that anyone could access this private data -- until hackers started hacking the exact same information elsewhere. And frankly, what's the difference? If this wasn't cause for alarm a few years ago, when the broker sites came into existence, then there's hardly any more reason to freak out about it now. If cyberattacks are now drawing the attention of the American public to the fact that their personal information is accessible to other people, then maybe it's time to address the lowest-hanging fruit first: the information broker sites.
Cyberattacks happen every hour of every day and represent the status quo rather than the exception. Knowing this, why not just accept it and focus on mitigating risk rather than preventing it?
"Nobody is very good at defense," former National Security Agency Deputy Director John C. Inglis told me at the Black Hat information security conference in Las Vegas earlier this month. "If this was a soccer game, the score would be 452 to 67, twenty minutes in. And any gap in offensive capabilities closes quickly."
In most cases, cyberattackers are interested in something more lucrative than personal info.
"We're seeing fairly rapacious intellectual property theft across all sectors, because wealth and treasure is in that space and is of value to any number of parties," Inglis said. "The best defense for most of these systems is a paranoid system administrator who never rests or sleeps."
That defense effort could be bolstered by effective disinformation campaigns across all sectors. A French intelligence source told me that French and German companies have started planting disinformation on their systems to dissuade intellectual property theft via unauthorized system access. If the stolen disinformation leads to the time-consuming construction of various dud products, well, that's a pretty effective disincentive.
The more insidious threat from near-constant cyberattacks is a gradual eroding of confidence in the everyday systems on which our technologically dependent society relies.
"It's a house of cards," Inglis said. "If the infrastructure that provides the connectivity for Wall Street financial flows fails, and the failure lasts and leads to a loss of confidence, then you may have a market failure. Electrical power distribution, water distribution, air traffic control, savings in bank accounts, it's all at risk. Have we invested in such a way that we know every moment what's happening in those systems? In many cases, we have not."
It's unlikely that the Chinese hackers to whom this recent attack has been attributed much care about stealing personal information en masse. If they wanted to fake some identities or steal personal wealth, there are easier ways to do it.
A more logical goal for nation-state hackers is to subvert the confidence of the target nation's citizens by undermining the systems and infrastructure that are so crucial to daily life. There is no faster way to destroy confidence in government than for average people to be terrified of the unknown in their everyday lives and to feel that their government is powerless to protect them.
How we react to any cyberthreat can constitute either a victory or a defeat unto itself.