The Real Enemy

Morgan O'Rourke

April 1, 2010

"If we were in a cyberwar today, the United States would lose," said former Director of National Intelligence Michael McConnell in a recent hearing before the U.S. Senate Committee on Commerce, Science and Transportation. "This is not because we do not have talented people or cutting-edge technology; it is because we are simply the most dependent and the most vulnerable. It is also because we have not made the national commitment to understanding and securing cyberspace."

Such concerns are not unique. A simulated cyberattack conducted in February by the Bipartisan Policy Center with a host of former senior administration officials and national security experts also determined that the government was unprepared for cyberthreats. The scenario, dubbed "Cyber ShockWave," proposed a crisis resulting from the mass download of a "March Madness" basketball bracket application containing a malware program. The program halts phone service for millions and eventually cripples the power grid on the Eastern seaboard. The "attack," while dramatic, is not even that far-fetched.

The problem is that while pronouncements of doom and worst-case scenarios should grab our attention, they don't. When it comes to cybersecurity, warnings fall on deaf, or at least uninterested, ears. Recently, 75,000 computer systems at nearly 2,500 companies around the world were found to have been hacked in a complex attack that targeted the login credentials of online financial systems, social networking sites and e-mail accounts. It was one of the largest attacks ever discovered, but it barely made the news.

And in January, Google threatened to pull out of China because of cyberattacks, allegedly sponsored by the Chinese government, that targeted not only the e-mail accounts of Chinese human rights activists, but the corporate infrastructure of 34 other companies, including Dow Chemical, Northrop Grumman and Adobe. Despite the cybersecurity implications, much of the ensuing debate centered around what the move would mean for Google's business model and for companies looking to do business in or with China.

Perhaps the reason cybersecurity is such an overlooked topic is that it seems like old news. Every story essentially sounds the same, with one hacker or another getting hold of someone's information or some company compromising its data with a misplaced laptop or an unsecured file. As long as it doesn't happen to you, there isn't much reason to pay attention. After all, you're not a security risk. You have antivirus software, your company has a great firewall and you would never open an e-mail attachment from any Nigerian princes. Cybersecurity is not a problem for you.

Unless, of course, it is. The fact is that the biggest security problem is not genius hackers but the habits of the end user. You. Case in point: late last year a hacker stole 32.6 million passwords from RockYou, a company that makes applications to help people spruce up their Facebook and MySpace pages. The hacker posted the password list online, giving researchers access to a kind of field study of the password habits of a large group of modern-day internet users. The trends they discovered were telling.

Back in 1990, a Unix password study revealed that the most popular password was "12345." Today, even with the proliferation of hacking and data security warnings, the most popular password, chosen by 320,000 users on RockYou, was "123456," an entire digit longer. This was followed by the 1990 favorite "12345" and then, creatively enough, "123456789" and "password." About 20% of the people on the site picked from a relatively small pool of only 5,000 passwords. According to the data security firm Imperva, these poor passwords mean that "with only minimal effort, a hacker can gain access to one new account every second or 1,000 accounts every 17 minutes."
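The frequency analysis behind figures like "20% of users picked from a pool of 5,000 passwords" is simple to reproduce. The Python below is an added illustration written for this page, not the researchers' or Imperva's tooling; it runs over a small constructed sample that stands in for the leaked list, reports how many accounts the top-n passwords cover, and shows the defender's use of the same data: turning the top-n set into a blocklist that a registration form checks new passwords against.

```python
from collections import Counter

# Constructed stand-in for a leaked plaintext password list (no real user data).
# Each entry is one account; repeats model many accounts sharing a password.
SAMPLE_DUMP = (
    ["123456"] * 8 + ["12345"] * 5 + ["123456789"] * 3 + ["password"] * 3
    + ["iloveyou"] * 2
    + ["princess", "rockyou", "abc123", "nicole", "daniel", "babygirl",
       "monkey", "lovely", "jessica", "654321"]
)  # 31 accounts in total


def most_common_passwords(passwords, n):
    """The n most frequent passwords with their counts, most common first."""
    return Counter(passwords).most_common(n)


def coverage_of_top(passwords, n):
    """Share of accounts whose password is one of the n most common ones.

    On the real list this kind of figure gives the article's 'about 20% of
    users picked from a pool of 5,000 passwords'.
    """
    if not passwords:
        return 0.0
    covered = sum(count for _, count in Counter(passwords).most_common(n))
    return covered / len(passwords)


def build_blocklist(passwords, n):
    """Defender's view of the same data: the top-n set, normalised to lower
    case, becomes a blocklist for new passwords at registration time."""
    return {pw.lower() for pw, _ in Counter(passwords).most_common(n)}


def is_blocked(candidate, blocklist):
    """True when the candidate is a known common password (case-insensitive)."""
    return candidate.lower() in blocklist


if __name__ == "__main__":
    for pw, count in most_common_passwords(SAMPLE_DUMP, 4):
        print(f"{pw:12s} {count}")
    print(f"top-4 coverage: {coverage_of_top(SAMPLE_DUMP, 4):.0%}")
    blocklist = build_blocklist(SAMPLE_DUMP, 4)
    print("'Password' blocked:", is_blocked("Password", blocklist))
```

On the constructed sample the four most common passwords alone cover 19 of 31 accounts, which is the same skew the article describes on a far larger scale.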

What this sample shows is that, contrary to popular opinion, people have learned very little about data security in the past 20 years. Considering the scope of today's vulnerabilities, such a basic security flaw could have dire consequences. So perhaps we need to stop rolling our eyes every time we hear about a new cyberattack. Because if we cannot do the simple things like choose decent passwords, how can we expect to protect ourselves against more sophisticated cyberthreats? What if the problem isn't really hackers at all? What if the problem is us?

Morgan O'Rourke is editor in chief of Risk Management and director of publications for the Risk & Insurance Management Society, Inc. (RIMS).