Hacking has been around as long as there have been systems used to distribute things of value. One early example was telephone hacking (referred to as phreaking), which occurred in the late 1950s. Phreaks were groups who had reverse engineered the system of tones used to route long-distance calls. By re-creating these tones, phreaks could switch calls from the phone handset, allowing free calls to be made around the world.
During the past 20 years, hacking attacks have resulted in numerous website defacements and embarrassments. In the early 2000s, self-propagating worms like Code Red and Nimda infected hundreds of thousands of hosts, compromising system security and causing some networks to crash due to the traffic load produced.1
In more recent times, we’ve seen attackers use political, ethical and financial reasons for their attacks. It has been alleged that a nation state-sponsored group attacked Sony Pictures Entertainment to prevent a movie release.2 Another group, called “The Impact Team,” attacked an online dating and social networking service, demanding the site shut down. In their manifesto they listed ethical (not financial) reasons as the motivator for their actions.3
Nevertheless, financial gain is one of the biggest (though not new) motivators for attackers. As we mentioned, phreaking was previously used to obtain free long-distance phone calls. More recently, hacking has been used to avoid paying for costly research and development already conducted by a competitor.4 Today, attackers have gone one step further with the propagation of ransomware, which utilizes malware to encrypt data, locking out the owner and demanding payment in return for the decryption key. In most cases, the attackers are not interested in the affected data, only in securing payment for its release. In June 2015, the FBI stated that ransomware had generated more than $18M for the cybercriminals.5
Beyond money, what else are hackers looking for? Plenty! In June 2015, attackers breached the U.S. Office of Personnel Management (OPM), stealing personally identifiable information, as well as detailed security clearance background information and fingerprints, on 21.5 million current and former government employees. It has been speculated that this attack was conducted by a foreign nation state for purposes of espionage.6 Likewise, criminals have been found stealing chest x-ray images. Initially, security researchers were confounded by the incentive for stealing such data, but it has been suggested, “that images are resold to Chinese nationals with infectious lung diseases, such as tuberculosis so that they can obtain visas to travel outside the country.” This makes a clean lung x-ray a valuable commodity.7
It is my opinion that when cars, planes and the electrical grid can be hacked, the next terrorist attack may stem from the digital, instead of the physical, world. By making digital a large part of our lives, we entice the bad guys to leverage it in their quest for financial gain, to further an ethical or religious agenda, or as a platform for a political statement.
With an abundance of additional access points for hackers to breach, how can you ensure that your system remains secure? Please contact a CNA representative to learn how risk controls can be tailored to your healthcare business or visit www.cna.com/cyberliability.