People get ready: The better institutions protect themselves from cyber attacks, the more individuals will be targeted

By Patrick Hanlon
Best Defense guest correspondent

Now that the general public is beginning to recognize the cyber threats posed by state and non-state actors, it’s difficult to read the news and not come across some mention of a cyber 9/11. The term refers to a cyber attack carried out against American infrastructure that could result in anything from trains colliding to stock markets crashing. Similar to traditional terror attacks, a cyber 9/11 would target civilians as well as traditional military targets. Fears of the impending cyber apocalypse have prompted the U.S. Military to spend billions to fortify its networks and institutions. But in spite of the massive investment, too little is being done to protect the digital health of service members.

Last month, ISIS published a target list of Americans, and many pundits were quick to criticize the compilation of the list as the work of amateurs. But few acknowledged how easy it would be for ISIS to outsource a cyber campaign against those targets to a much more sophisticated actor. For example, ISIS might recruit an eager agent on the deep web to sabotage social media accounts or siphon funds from bank accounts, perhaps even posing as a criminal or disgruntled ex-spouse. Overall, the list is significant because it demonstrates the intent of our enemies to target individuals, in addition to organizations.

Unlike an organizational network, our personal network lacks systems of monitoring and threat protection. When an adversary drains your bank account or hijacks your email, there’s no team of cyber geeks on standby to conduct damage control. Instead, we rely on institutions — the same institutions that are being hacked with increasing frequency — to protect our personally identifiable information.

Some might ask, so what? Who cares if (insert foreign enemy) hacks into my Yahoo account? It’s a criminal matter, not a national security matter. Imagine if a foreign adversary, and not a U.S. investigator, had been the first to discover Director Petraeus’s emails. He would have been a prime target for ransomware, which is designed to grab sensitive information and threaten to publish or destroy that information unless the victim pays a ransom. As the lines between our personal and professional accounts blur, we must not neglect the importance of securing the entirety of our digital presence.

Once a year, soldiers fill out a lengthy questionnaire known as the global assessment tool to assess their mental, physical, social, and spiritual health. This tool, if completed accurately, can pinpoint potential areas of concern and suggest resources to assist. So how about a cyber assessment tool? A simple survey of a soldier’s cyber health would go a long way towards pinpointing vulnerabilities.

A next step would include specific recommendations on how a user can fortify their cyber defenses and mitigate risk across their digital accounts. It’s often as easy as setting up two-step verification, which combines a knowledge factor with a possession factor to prevent remote intrusion. Another step can be as complex as simulating advanced cyber attacks.

The DoD Defense Media Activity recently published a useful guide to protecting social media accounts, but much more is needed. And that one hour cyber awareness training we all take once a year doesn’t cut it either. The military should adopt a continuous approach to training service members to employ strong cyber defenses. We must abandon the mindset that cyber security is best left to the professionals. Because as traditional targets become more secure, we — as individuals — become more attractive targets.

Patrick Hanlon is an Army reservist and management consultant. This essay contains his own personal views and does not necessarily represent those of his employers, including the U.S. Army.

Flickr