It appears that White House emails are the latest target to be hacked. According to today's New York Times, hackers -- believed to be linked with the Russian government -- did not get a hold of classified information, but they were able to gain access to some of President Obama's email correspondence. It is another cyberattack that has many on edge. Our Cover Story is reported by David Pogue of Yahoo Tech:
In Huntsville, Alabama, they're training the next generation of cyberwarriors. Here, high-school students can take Cyber Security the way other kids might take Geometry or English.
And they have no problems being called nerds.
"I am definitely a nerd," said senior James Brahm.
"Yeah. All of us would definitely be classified as nerds," added fellow student Matthew Rogers.
Cailin Simpson laughed, "I think nerds seem to have jobs!"
She's not kidding. These kids already have after-school jobs, and it's not flipping burgers. "Some of us work at a local engineering firm," said Brahm. "And we're developing an experimental form of malware detection."
"And sometimes they forget we're in high school," he laughed.
"They're calling us at, like, 1:30, and it's like, 'I'm in the middle of my fifth period!'" Morgan Wagner laughed.
Just listen to these kids talk and you can see why it's so easy to forget they're still only in high school.
"Cyber warfare is really attractive to other countries because it's affordable and allows them to strike at other countries and whatever political interests they don't like with relative impunity, and cause damage without having it traced back to them," Brahm said.
Rogers said, "It's really easy to attack, but it's very difficult to defend. Which is why teaching cyber security's very important."
All the experts agree: America needs a lot more kids like the ones in Huntsville, because hacker attacks aren't just occasional headlines anymore -- they've become routine.
- As Target hacking fallout continues, incidents of fraud emerge (CBS Moneywatch, 01/22/14)
- 56 million accounts at risk in Home Depot hack (CBS Moneywatch, 09/18/14)
- JPMorgan Chase attack shows growing threat of hacking ("CBS Evening News," 10/03/14)
- Anthem hack highlights desirability of stolen health records ("CBS Evening News," 02/05/15)
- Sony Pictures email hack causing "big trouble," may lead to big change ("CBS Evening News," 12/13/14)
Pogue asked Frank Heidt, co-founder of the Seattle-based security company Leviathan, "Suppose I pick 100 American companies at random. How many of the 100 could you get into?"
"Nearly all of them," he said. "And it's not just me."
Heidt employs hackers, but Leviathan's hackers are good guys. Companies hire them to help secure their computer networks.
A few years ago Heidt's team figured out a way to break into the computers of a huge oil company -- not to do damage, just to show that it could be done. They started with a Google search, where they found a press release from one of the oil company's subcontractors, which had sold networking gear to the oil company.
"They published a press release, because they were very proud to supply all this excellent equipment to this very, very large project for this truly amazingly big company!" Heidt laughed.
Heidt's team found the user manual for that equipment, and in that manual, they found the factory setting for its owner name and password: "admin admin." "It's the most famous username and password," said Heidt.
Which you're supposed to change once you buy the equipment, right? "You are supposed to," he said.
But the oil company hadn't change that password -- and Heidt could have taken control of its phone and data systems.
How big a team, and how long was involved, in unearthing this information that could have targeted an enormous gas company?
"A single intern, one engineer, and one week of effort," Heidt laughed.
Lisa Monaco, President Obama's top homeland security and counterterrorism advisor, told Pogue, "What we're seeing increasingly is a range of breaches -- credit card theft, theft of trade secrets, economic espionage. All of these things combine to form what we've described as one of the most serious national security and economic threats that we face."
Monaco meets with President Obama every morning. And increasingly, she said, "those meetings are featuring discussions about cyber threats, discussions about breaches to companies around the country, breaches to our own federal networks."
She says that last November's attack on Sony Pictures was especially troubling. The hackers took control of Sony's computers, deleted millions of files, and made public Social Security numbers, salaries, and embarrassing emails. And the fallout continues: Just this past week, one of those emails revealed something about Ben Affleck didn't want public: He had asked the producers of the PBS program "Finding Your Roots" not to mention that his ancestor had been a slave-owner.
- Did they or didn't they? Experts weigh in on North Korea, Sony hack (CBS News, 12/18/14)
- Why the U.S. was sure North Korea hacked Sony ("CBS Evening News," 01/19/15)
- The attack on Sony ("60 Minutes," 04/12/15)
Back in January, in his State of the Union address, President Obama had this call to action:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families."
Which is why this month the President signed a new executive order. It lets the Treasury Decretary freeze the assets of hackers who disrupt networks or steal trade secrets. And to better coordinate the government's response to attacks, he's creating a new office in the White House: the Cyber Threat Intelligence Integration Center.
"It will be one center, one place in the government, that synthesizes this information, analyzes it, understands who are the range of threat actors that we face, and -- very, very importantly -- have a place that can identify the information that can be shared with the private sector," said Monaco, who will oversee the new effort.
"Pretend I'm a non-technical American," said Pogue, "and all I know is movies, where bad guys remotely take control of traffic lights and dams and nuclear power plants. Is that realistic?"
"The danger or the risk of a catastrophic cyberattack of the type that you just described is fairly remote," said Monaco. "Nevertheless, I think it's very important to remember that we are an increasingly interconnected world. And that means we are increasingly vulnerable."
The White House isn't the only outfit preparing for more cyber attacks.
Ed Skoudis built "CyberCity" for the Sans Institute, a cybersecurity training firm. It may look like something out of Mr. Rogers' neighborhood, but Skoudis says it's one of the military's premier cyberwar simulators.
"Everything under the table is the actual same equipment that is used to control a power grid or a water reservoir or the other kinds of equipment we have," said Skoudis.
"So, when people are learning to hack, they're interacting with the actual commercial computer systems that control real-world power grids, dams?" asked Pogue.
At this facility, cyberwarrors practice defending real-world networks from hacker attacks. Seated at remote computers, they're challenged with stopping pretend hackers from causing a blackout, poisoning the reservoir, or even derailing the train.
"Cybersecurity's in our medical systems; it is in the military; it is in government. It controls our air traffic control systems -- and if we don't get this right, we lose," said retired Air Force Brigadier General Bernie Skoch. "We lose our place as the dominant economy in the world."
Gen. Skoch runs the Air Force Association's National Cyber Patriot Competition, a tournament where young teams from all over the country compete to see who can best defend their computer networks against attacks from security pros.
"This is an area of the economy that has negative unemployment," said General Skoch. "We can't hire enough of these people. and that's because cybersecurity transcends everything that we do."
Which brings us back to the kids from Alabama. A team from Huntsville won first place in the Cyber Defense nationals. An encouraging sign, but experts say we're going to need a lot more like them.
Pogue asked Leviathan's Frank Heidt, "Are we outgunned? Are there enough security people to handle the hackers who are trying to fight them?"
"No. No, and there won't be for quite a while," he replied.
According to Heidt, preparing for the new era of cyber war is a job that may never end: "Will it be an arms race forever? My intuition is to say 'yes.'"
"So what's the reality of these headlines? Is it really terrifying, or is it just business?"
"It's terrifyingly normal business," Heidt said. "Unfortunately, this is a problem that takes years to address. And we're only now beginning to address it."
- 5 counterintuitive ways to protect against hackers (CBS Moneywatch, 12/23/14)
- How hackers might use your stolen Anthem data (CBS Moneywatch, 02/06/15)
- Anthem data breach: Steps you need to take (CBS Moneywatch, 02/05/15)
- How a password manager can help you stay more secure online (CBS News, 08/15/14)
- Protect your laptop from theft and hackers (CBS Moneywatch, 02/04/13)
For more info:
- Leviathan Security Group, Seattle
- Sans Institute, Bethesda, Md.
- Fact Sheet: Cyber Threat Intelligence Integration Center (whitehouse.gov)
- Air Force Association's National Cyber Patriot Competition