Cyberattacks are disrupting critical infrastructure. This expert says we can all fight back
Download mp3 (11.38 MB)
The Biden administration has warned states that cyber criminals are targeting energy, water and sewer systems. We’ve also seen hacks of health care and educational institutions, among others.
Katina Michael says it’s likely the list of targeted — and potentially affected — organizations will only grow.
Michael is a professor in the School for the Future of Innovation in Society and the School of Computing and Augmented Intelligence at ASU. She joined The Show she joins me to talk more about this.
Full interview
MARK BRODIE: Katina, how is cyber crime evolving – what kinds of things are we seeing now, relative to what we’ve seen in the past?
KATINA MICHAEL: I think the attacks are evolving in multiple ways. We still have emergent technical ways that hackers are trying to penetrate systems. But the age-old hacking method of social engineering is still rife. Consumers are still being duped by people masquerading as members of organizations. And we need to be privy that it’s almost a two-pronged attack: a technical attack to begin with and then a duping through social engineering.
BRODIE: Is the technology making it harder to detect? Like is it less obvious that that something might be a scam now?
MICHAEL: I think it is less obvious to citizens because of the volume of scams that are being attempted. So we are trying to use credentials and passwords and usernames and email addresses that are linked to our organizations. And so while we’re looking at things regarding our workplaces and demands on services, we are also intermingling this with scamster-style emails.
So we’re trying to use our mobile phone to get through all the traffic on our SMS, all the traffic on our voice communications and all the traffic on our email and not really distinguishing that they possibly could be socially engineered hacking attempts called phishing.
So people either phish — as in terms of hackers — phish to penetrate systems by getting citizen personal information credentials. And so they get into an organization through those credentials that they’ve lured people to provide, and then they go on with their technical attacks.
BRODIE: Are there different types of organizations or entities that are being targeted now than we’ve seen in the past?
MICHAEL: Yes, I would say increasingly we’re seeing ransomware attacks holding organizations through extortion attempts. The hackers encrypt large amounts of customer data, disallowing organizations to go about their everyday practices because the data is encrypted and hidden, and users are increasingly being blocked out of critical services.
And so we’re seeing a greater number of attacks away from large scale, for example, entertainment services towards critical infrastructure like hospitals, health insurance providers that people rely on for prescriptions, for instance.
And so now perhaps the stakes are rising with these ransomware attacks. Either organizations have to forfeit tens of millions of dollars or higher to the hackers so they could unencrypt or decrypt that hidden information. But increasingly, we’re seeing this may well be a life and death situation for those people who can’t gain access to prescriptions or other critical services.
BRODIE: So is there anything that individuals can do? I mean, obviously, like if your hospital gets hacked or if you’re a health care provider gets hacked, there’s not much I would think that an individual can do. But is there anything that we as sort of regular people can do to at least keep ourselves safe?
MICHAEL: We’re growing that capability among citizenry. It’s really important that we look at this from a micro perspective of individuals and what we can do to protect ourselves. And there are common things like don’t read messages on the fly and respond quickly. If you think it’s a scam, it probably is.
Don’t believe everything you read. If someone is saying to you, “Your sister is asking for money” or “I’ve lost my mobile phone, please help” — don’t do it.
If somebody targets you through a scam call, and you detect that it may well be — don't answer the phone.
If you are unsure whether somebody is calling from an organization, call them back. Do not believe someone who calls you.
Don’t use the same password more than once. Don’t use passwords like “1234” or your name or commonly other used passwords like “password” or variants of the word.
Use two-factor authentication. If you’re given the option to put in your mobile phone as a second point of protection, do so.
Use password managers, the most secure ones on the market.
So I would ensure that when someone is asking you for personal information and credentials, don’t just hand it over. Say, “Do you really need to store that Social Security number or that passport or that driver’s license?” And actually hold organizations accountable.
BRODIE: Do you find that people are more savvy about this now? We’ve been hearing about some of these tips for quite a while now. And obviously, folks have been targets of these phishing attempts and scams before. Are we any better at detecting them than we have been?
MICHAEL: I think we are. But again, we’re at the mercy of volume. And as you gloss over your email or you gloss over your SMSes and you are increasingly waiting for that Amazon Prime package or that Postal Service package or waiting for a message from a provider, you can easily be duped.
And so we’re seeing spear phishing attacks that are targeted to individuals or targeted to organizations. We’re seeing distributed denial of service attacks that are overwhelming traffic and servers and CPUs. And people are reading about this in the paper.
These are now common things that people understand. But, you know, we are trying to do something online on a website. We are not always thinking, “What am I doing? Why am I doing this? What’s being asked of me and what am I handing over? Is this really a real website?”
I’ll give you one example. Most people go to public access points like cafes, and the first thing they want to do is connect to the internet or the shopping mall. So they’re not paying rates or they have better service. And they give away information to actually gain access to that public access point. But you don’t know if that’s a true shopping mall access point or is a hacker’s haven to lure you to giving over credentials.
BRODIE: Yeah. Going forward, do you have reason to believe that there might be fewer of these hacks and scams as opposed to more?
MICHAEL: I think over time, as more users enter the market globally and we have organizations sprouting up all over the world with great reach, given the internet, we’re just going to see more of these attacks. The stakes will get higher as citizens hand over biometrics.
So on the one hand, we’re trying to make more secure systems, but organizations are collecting voice prints, facial prints, fingerprints. They’re gaining access to and requesting health data. We’re storing our even mental health records at our general practitioner’s office and health network and insurance provider.
But these kinds of things are incredibly complicated when they’ve been hacked. Can you replace your facial print? The answer is no. Can you replace your voice print? The answer is no. So on the one hand, these are great protection mechanisms. And on the other, if they are breached, deepfakes entering the market now with artificial intelligence can make us sound like someone else and can dupe systems and gain access in that way.
