You have almost certainly been hacked

Hackers are breaking into the systems of companies, government agencies, and individuals. Is any information safe?

Beware the spear phishers.
(Image credit: iStock.)

Hackers are breaking into the systems of companies, government agencies, and individuals. Is any information safe? Here's everything you need to know:

How many people have been hacked?

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE
https://cdn.mos.cms.futurecdn.net/flexiimages/jacafc5zvs1692883516.jpg

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Are the breaches getting worse?

Yes. Almost 2 billion records were lost or stolen worldwide during the first half of this year, up 164 percent from the last half of 2016. IBM has found that the average cost of a single data breach is now $7.35 million in the U.S. The Equifax hack has already cost the company $4 billion in market value. Spending on cybersecurity is soaring as a result, and is expected to reach $90 billion this year and $113 billion by 2020, according to consulting firm Gartner. In 2015, a report by the Atlantic Council think tank and Zurich Insurance Group concluded that while the benefits of online technology will lead to an 8 percent increase in the size of the global economy between 2010 and 2030, the cost of security will start to outweigh the benefits around 2019.

Why is data so vulnerable?

Poor security practices are partly to blame. Despite the overall rise in spending on cybersecurity, many companies neglect to keep their systems regularly updated and patched. Equifax blamed a single employee for not installing a software update that would have prevented the breach. Many organizations and government agencies are reluctant to upgrade because of the cost and service disruption involved, leaving so-called legacy technology in place for years. About 7 percent of computers around the world still run 2001's Windows XP, making it the third most popular operating system. But Microsoft stopped supporting XP in 2014, leaving it highly vulnerable to hackers. Most data is also stored unencrypted. Only 4 percent of breaches since 2013 have been so-called secure breaches, in which the data involved is encrypted, rendering it useless to those who steal it.

Who's responsible?

The list of offenders includes state-sponsored hackers, criminal gangs, and "hacktivist" groups, with the lines often blurring between them. The Chinese have recruited a "hacker army" estimated at between 50,000 and 100,000 strong, including special military units, that is dedicated in part to seizing valuable data from U.S. companies and government agencies. The Russian military has focused heavily on recruiting hackers wherever it can find them, including from university programs, software companies, and even the criminal underworld. To maintain plausible deniability, the Russian government sponsors hacker collectives such as "Fancy Bear" and "Cozy Bear," which pulled off successful spear-phishing attacks against the Democratic National Committee in 2016. Experts say that the Equifax hack appears similar to recent state-sponsored attacks on the insurance company Anthem and the U.S. Office of Personnel Management, with the hackers using tools favored by Chinese intelligence. But it's also getting easier for non-state actors to pull off major attacks. Sophisticated hacking tools can be bought on the dark web for as little as $100. "It's increasingly easy for anybody to wield the kind of capability that used to be reserved for nation-states, or required nation-state level of expertise and investment," says Nate Fick, CEO of cybersecurity firm Endgame.

Is any defense possible?

Technologists are working furiously on new strategies. One idea is to use artificial intelligence to monitor networks for suspicious activity that would otherwise go unnoticed, acting as a digital "immune system." Some researchers are developing hardware that's built for security from the ground up, including computer chips that can't be fooled by bogus instructions. But even under ideal conditions, the nature of computing makes attacks inevitable. It's estimated that programmers commit about 50 errors per every 1,000 lines of code. The latest version of Windows is roughly 50 million lines long, and the Android smartphone operating system has 12 million lines of code. Even after rigorous checking, bugs get through. Then there's the potential for human error: Hillary Clinton's campaign chairman, John Podesta, made the 2016 Russian hack possible by clicking on a spear-phishing link, giving hackers access to his emails. "The attackers only have to find one weakness," says Kathleen Fisher, a computer scientist at Tufts University. "The defenders have to plug every single hole, including ones they don't know about."

Hacking the hackers

With hackers becoming more brazen, some in the security community are advocating that businesses go on the offensive, breaking into their attackers' systems to steal back or delete stolen data or even damage their computers. Earlier this year, Rep. Tom Graves (R-Ga.) proposed a bill, known as the Active Cyber Defense Certainty Act, that would exempt companies victimized by cyberattacks from laws that prohibit them from accessing ­others' systems without permission. The strategy is controversial. Many hackers commandeer other people's computers and servers to launch attacks, making it likely that counter­attacks could hit innocent systems, creating more chaos in an already chaotic cybersecurity land­scape. But hacking back is already being practiced quietly by many businesses, said Davi Ottenheimer, president of security consultancy Flying­Penguin. "Almost every large organization I consult with has some form of hack-back going on," he said.