01 March 2024

The Hacking of Organizational Systems

"There are only two types of organizations. Those that have been hacked and those that don't know it yet."

--John Chambers

(C) Contract Works

Comcast said nearly 36 million U.S. Xfinity accounts were compromised after hackers accessed its systems through a vulnerability in third-party cloud-computing software. The breach occurred between October 16 and October 19, 2023.

On Sunday, February 18, 2024, at the Munich Security Conference, FBI Director Christopher Wray said China's cyberattacks on U.S. infrastructure are "unprecedented." 

AT&T announced that the cause of its 12-hour nationwide outage on February 22, 2024, was the "execution of an incorrect process," not a cyberattack. In simpler terms, the company admitted to human error.

What's the difference between cyberattacks and hacking?

Cybercriminals hack and infiltrate computer systems with malicious intent, while hackers supposedly seek new and innovative ways to use a system, good or bad. (Micro Trend)

According to Security Magazine, there are over 2,200 attacks daily, which breaks down to nearly 1 cyberattack every 39 seconds.

On average, 1.4 billion social media accounts are hacked every month.

All systems are vulnerable

In A Hacker's Mind--How the Powerful Bend Society's Rules, and How to Bend Them Back (Norton), a book worth your time, Bruce Schneier defines hacking as "an activity allowed by the system that subverts the goal or interest of the system." 

Anything from medical records to the U.S. tax code can be hacked.

"Hacking is how the rich and powerful subvert the rules to increase their wealth and power. It's not that the wealthy and powerful are better at their hacks; they're less likely to be punished for doing so," adds Schneier, a fellow at the Berkman Center for Internet and Society at Harvard. 

As F. Scott Fitzgerald observed, "The rich are different from you and me." 

Schneier says that hacking is not the same as cheating. "Hacking targets a system and turns it against itself without breaking it. It's gaming the system and occupies a middle ground between cheating and innovation. A hack follows the letter of the system's rules but violates their spirit and intent," he concludes.

Systems evolve through hacking, especially when less critical and on a smaller scale. They might actually benefit from hacking as a way to improve their functionality and security. A breach shows where to patch, as it's impossible to think of every susceptibility when designing a system. 

Here are three stories illustrating different types of hacking--

-Johann Tetzel, a 16th-century Dominican friar, hacked the Catholic system of indulgences, intended to promote charitable giving by offering sinners the chance to buy forgiveness from the church. 

-In 1729, Voltaire got together with close friends to hack a French lottery. Since the payout exceeded the value of all the available tickets, he and his cohorts bought up the whole supply.

-A decade ago, Goldman Sachs was accused of manipulating the price of aluminum, calculated in part by its availability. The firm shifted its aluminum supply to different warehouses, trucking it around to other locations every day for years. Because it was moving, it was harder to get--a ruse that cost consumers an estimated $5 billion. After years of legal battles and appeals, the case against Goldman--and J.P. Morgan Chase--was settled in 2022. 

Who has access?

The focus in A Hacker's Mind moves from IT to organizational systems. For hacking to occur, a system of rules, such as corporate policies, must be hacked. And policies are plentiful.

The author explains that it's "one short step from hacking computers to hacking economics, politics, and social systems," as they are just as vulnerable to hacking as technology. 

Protecting the integrity of any system is rooted in the character and values of those in charge. Hiring decisions, which are extremely important but imperfect, are often a door ajar. To quote one observer, "People are honest most of the time but become dishonest in some situations when they perceive there is an advantage to be gained from it."

The book's critical point is that not all systems are equally hackable. Complex systems with many rules are the most vulnerable because there are more possibilities for unanticipated and unintended consequences.

Schneier makes clear: "Complexity is the worst enemy of security."

Questions to ask--
  • What are the non-technological vulnerabilities in your system? 
  • Who has access to the system? 
  • What is at risk if the system is hacked? 
  • How to patch a system?
If you are responsible for an enterprise, know it can and will be hacked (rules bent or ignored, boundaries stretched, goals subverted). Therefore, keep policies and procedures simple to reduce security risks. 

Cognitive hacking is powerful

Schneier wants everyone to know that any time something can alter information, choice, and agency, it represents a danger to the human mind.

"If you can hack a mind, you can hack any system governed by human action," he writes.

Can AI machines think?

AI, or artificial intelligence, is defined in A Hacker's Mind as (a) computers that can generally sense, think, or act and (b) as an umbrella term encompassing a broad array of decision-making technologies that stimulate human thinking.

An example of that last point is how specialized AI is designed for a specific task, like controlling a self-driving car. 

Tech writer Andy Kessler says, "Computers win in realms with defined rules, but humans have free will and make choices."

The AI insight:
  • Data goes in one end, and an answer comes out the other. It is challenging to understand how the system reached its conclusion. 
  • Human decisions could be more explainable. While offered, they're more after-the-fact justifications than actual explanations. 
  • AIs don't solve problems like humans do. Their limitations are different than ours. They'll consider more possible solutions than we might.
  • Remember that humans control AIs. All AI systems are designed and bankrolled by humans who want to manipulate other humans in a particular way for a specific purpose.

A corporate plan 

Steve Durbin, Chief Executive of the Information Security Forum, recommends that AI be viewed from the lens of corporate strategy and risk. 

"Before you can chart an AI strategy, develop a thorough understanding of its potential, its current usage across the organization, and the security challenges and threats that lie ahead," he emphasizes. 

At the corporate level, there is a need to integrate ethical considerations into policy and procedures. "Fairness, transparency, accountability, and privacy are the most ethical considerations surrounding AI," Durbin concludes. 

In the AI gold rush (Nvidia and OpenAI), programming and security are the next frontiers. Bringing untold financial gain, higher-than-average risk, and opportunities for hacking systems previously unconceived.  


(C) Bredholt & Co.