Hiding data breaches will not help cyber awareness efforts
Yavuz Yener*When the United States Office of Personnel Management (OPM) announced in June that hackers had stolen the personal data of 4.2 million current and former Federal government employees, the whole world was shocked.
The information that was compromised included full names, birth dates, home addresses and Social Security Numbers. Of all 321 million U.S. citizens, around 4.1 million work in the federal government. This means that the U.S. federal government failed to protect the most critical data of nearly all its employees.
This intrusion was discovered in April and made public by the OPM only 2 months after the initial discovery. Meanwhile, the OPM has informed all those who had been affected by these attacks.
Later investigations revealed an even greater intrusion. Hacking into the U.S. government’s background investigation databases, hackers stole critical personal information of 21.5 million U.S. citizens, including those who applied for a background investigation and their relatives. This number indicates that the U.S. lost the critical information of around 6.25 percent of all American citizens, and in the end, it still insisted on informing them.
It must be remembered that these numbers may not be final. In fact, even achieving the above estimates required a thorough investigation by the OPM and an interagency team from the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Further investigations may reveal new intrusions, and hence greater numbers.
This was not the first time a major cyber intrusion threatened U.S. national security. In fact, some actors allegedly backed by China and Russia were conducting large-scale cyber operations against the U.S.’s critical infrastructure. The targets of the groups included military bases, nuclear facilities, power plants, technology centers, large enterprises, firms, universities and several government agencies. What is fascinating about these attacks is that the U.S. government and security firms, either directly or indirectly, informed the American people of the scope and impact of these intrusions.
In contrast to the efforts for transparency in the U.S., Turkey has been very reluctant to reveal information about previous cyber attacks it has faced. For instance, we, the citizens of Turkey, do not have any idea of what is happening to our personal information that is collected and stored in cyberspace. Also, recently, the electric shortages that were experienced in 79 cities around Turkey were said to have been caused by cyber attacks. Likewise, some newspapers reported that several Turkish government institutions encountered cyber attacks in May. Nonetheless, we have still not received any convincing public announcements about these attacks. There is not even a single report published by the Turkish government or a private company providing detailed information about any cyber attack against Turkey. This causes one to ask, “Have we even been hacked at all?”
I believe it would be completely unrealistic to imagine that Turkey has never experienced a cyber attack. Here, not only the Turkish government, but also the private companies in Turkey are reluctant to inform the public about stolen data.
There are mainly two reasons why we are never informed about cyber intrusions against government agencies and private companies in Turkey. Such executives and officials either do not know that their respective establishment has been attacked or they are reluctant to estimate the real scope of an intrusion.
The companies or individuals that have not even realized that they have been attacked remain in the dark mainly as a result of negligence and a lack of awareness. A report published by McAfee in 2011 on the effect of Advanced Persistent Threats (APTs) warns about this problem. Dmitri Alperovitch, the author of the report known as Shady RAT, says, “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”
Alternately, those individuals and organizations in the second group are not eager to take the necessary steps for further investigation of an attack. This actually stems from a psychological barrier as this group understands all too well that it has experienced an attack. Nonetheless, once a cyber attack has been discovered, they are reluctant to take further steps such as digital forensics investigations to uncover the real scale of the intrusion.
Turkey, in fact, has taken some very critical steps to solidify its cyber security base over the last 3-5 years.
Some governmental and non-governmental agencies started to emerge over the last decade with the aim of increasing cyber awareness and technologies that would defend against cyber attacks, as well as provide an effective cyber security umbrella. However, these efforts still remain very limited. People in Turkey still do not take cyber security seriously. Hiding data breaches from the public is also undermining the efforts to increase cyber security awareness. Mobilizing the people in an effective cyber security strategy depends on how well the people themselves understand the dangers of this new phenomenon. To this end, it is essential for the government and the private sector to start telling the people of Turkey when they have been hacked.
*Yavuz Yener is a researcher at the International Strategic Research Organization (USAK).