Editor’s Note: James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies. The opinions expressed in this commentary are solely those of the author.
Story highlights
James Lewis: The theft of more than 100,000 tax records from the IRS was clever
He says we can make the Internet safer, but it won't be easy and it will take time
The Internet wasn’t secure when it went public two decades ago, and despite much effort, it’s still not secure. A good hacker – and there are many of them – can get into most computer networks without much trouble and has little fear of getting caught and punished.
The theft of more than 100,000 tax records from the IRS was clever.
The perpetrators used one crime to enable another. They appear to have gotten personal information – addresses, Social Security numbers and dates of birth – from another source and used that data to impersonate taxpayers and claim $50 million in refunds.
The data might have come from some hack, or the criminals may have bought it in the black markets where personal information for millions of people is available for purchase.
On the scale of security lapses, this wasn’t enormous. In 2014, Target experienced a hack that affected over 100 million customers. In 2013, 850 million people had personal data stolen, according to one estimate.
Getting cybercrime under control is difficult.
The technology of the Internet is so complex that even well-intentioned companies have a hard time figuring out where they are vulnerable. Security is still an afterthought in many information technology products – and this will get worse when we move to the “Internet of things,” where everyday devices such as cars or refrigerators will use tiny computers to connect to the Internet.
Computers were once giant machines kept in air-conditioned, glass-walled rooms, surrounded by technicians and guards. They were isolated and inaccessible. Cybersecurity wasn’t a problem.
When the Internet was created, these isolated boxes were suddenly easy to get to without requiring physical access. You did not have to get past guards, technicians or glass walls to use a computer and all the data it held.
This heritage of inaccessible computers helps explain why we still use passwords as the primary tool to authenticate identity and authorize transactions. But passwords are easily guessed and quickly broken. The 1995 movie “Hackers” shows a teenage character played by Angelina Jolie breaking a password in seconds. It is still too easy to hack passwords or impersonate people on the Internet.
Some new technology might help fix this. For example, there are products in development that will check your location when you try to log in and stop the transaction if you are logging in from, say, Russia.
In the IRS data leak, the perpetrators did not need to break passwords. Nor did they fill out 200,000 forms; that’s way too much work. It’s more likely that they wrote a specialized program that used stolen personal data to automatically fill out online IRS forms to generate refund claims. This was an automated crime that shows a sophisticated level of programming skills.
Cybercrime is almost risk-free if you live outside of places where there is a strong law enforcement. Russia, in particular, is a sanctuary for cybercriminals.
The Russians have no interest in arresting their hackers as long as they commit their crimes in another country. Intelligence sources say there may as many as 30 Russian hacker groups who are highly skilled. A group like this was responsible for last year’s Target hack. Only a handful have ever been arrested. The only time Russian hackers get caught is when they take a trip outside of Russia, such as a vacation to Thailand. The smart ones face zero risk. Why should they stop?
China is the other big sanctuary for cybercrime. But unlike Russia, many of China’s hackers are government employees. And unlike the Russians, they focus on stealing intellectual property – plans for jet fighters, computer chips or even house painter.
China is responsible for the recent hacks on health insurance companies, probably to collect personal data they can use to identify U.S. government officials and intelligence agents. The United States has indicted PLA officers for cyberspying, but no one expects them to ever come to trial. The Chinese want to find ways to cooperate with the United States, but they are not ready to give up cyberespionage.
Cybercrime is not going to go away any time soon.
The technologies we use aren’t secure and will become even less secure when we move to the Internet of things. While the odds of being a victim are low, cybercriminals are nimble and inventive. We can make it harder for them, but not impossible. If the financial rewards are big enough, they will probably find a way to hack.
We can’t imagine a world without the Internet. There are things we can do to make the Internet safer, but it won’t be easy and it will take time.
The first cars were wildly unsafe, with wooden wheels, cloth doors and no safety glass, but despite this, people wanted to buy them. The Internet will eventually be less risky and crime will not be routine, but the pace of change will depend on smart decisions from governments and better technologies.
It took more than 40 years for safety to be built into autos. We are at year 20 for the Internet, so it could be a long wait.
Follow us on Twitter @CNNOpinion.