In 2007, Michael Levin retired from the United States Department of Homeland Security after a distinguished thirty-year career in law enforcement. Michael served at the Department of Homeland Security as the Deputy Director of the National Cyber Security Division. Michael previously served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC. Michael was a member of the Secret Service Electronic Crimes Special Agent program and worked around computer forensics and cybercrime investigations for over fifteen years. After this distinguished career and seeing the need, Michael founded the Center for Information Security Awareness. The CFISA (cfisa.org) brought together a group of leading academics, security and fraud experts to explore ways to increase security awareness among many audiences, including consumers, employees, businesses and law enforcement.
As security professionals, whether we know it or not, we all have a role to play in protecting the critical infrastructure. We see almost daily in the news that ordinary people around the world are being targeted in cyberattacks by terrorist groups, nation states, and organized crime groups. These groups use cybercrime to advance their goals and attack our critical infrastructure. Everyone has a role to play to protect against cybercrime and identity theft.
I started my law enforcement career in 1978 in the heart of Silicon Valley in California. I watched the law enforcement and our governments’ evolution as computers went from an unproven concept to a way of life.
One of my many assignments with the US Secret Service included the USSS computer section in Washington DC in 1991. As a gun-carrying agent among the mainframe computer programmers, I was certainly an anomaly. After that assignment, I moved on to a USSS protection assignment and worked in the White House.
For over thirty years, I have felt like Paul Revere trying to tell everyone to get prepared for the pending cyberattacks. For many years, no one listened, but in the last few years, things are finally starting to change. We all need to work together to protect our critical infrastructure.
A nation's critical infrastructure provides the essential services that underpin society and serve as the backbone of our economy, security, and health. It provides the power we use in our homes, the water we drink, the transportation that moves us, the stores we shop in, and the communication systems we rely on to stay in touch with friends and family.
It’s been calculated that 85% of US critical infrastructure is owned by the private sector.1 President Clinton issued Presidential Decision Directive PDD-632 in May 1998 to kick off a critical infrastructure protection program that spawned the FBI Infragard program3 as well as many new cybersecurity standards from NIST.4
Our friends in Europe also have worked on securing their critical infrastructure. In 2006, the EU launched the European Programme for Critical Infrastructure Protection (EPCIP)5 to defend energy, transportation, and finance sectors from multiple threats, including cyberattack.
No matter where we live, we all have a role in protecting the critical infrastructure and our community. We all have many things we need to look after, such as:
We all need to stick together and defend cyberspace. One of the first and easiest things we can do is to get the word out when attacks happen. You may be familiar with the Department of Homeland Security’s concept “see something, say something”6 or perhaps the UK's Action Counters Terrorism (ACT) campaign.7 This extends to you and your role in preventing cybercrime. When we are victimized by cybercrime or see something suspicious, we should report it. It not only helps prevent the next big attack but also helps the police prosecute and punish criminals. One of the biggest problems in cybercrime prosecution is underreporting.8
I happen to be a US citizen and as such, I know I can report cybercrimes and incidents at the Internet Crime Complaint Center (IC3)9 as well as to local or federal law enforcement. However, nearly every country in the world has mechanisms for reporting cybercrime and critical infrastructure threats.
If you are a security professional, consider joining your local or industry critical infrastructure information sharing organizations. In the US, we have Information Sharing and Analysis Centers (ISACs) or organizations in critical infrastructure sectors10 and the previously mentioned FBI InfraGard for individuals involved in critical infrastructure work.
Beyond reporting, what can you do to protect and educate those you care about so they don’t fall victim to these crimes? We all have a role in protecting our critical infrastructure, and security awareness training can help to reduce risk. Being aware of new crimes and scams in the news is a fundamental part of security awareness training. Sharing new scams and crimes you hear about in the news with others is important to ensure that the people you care about do not fall victim to these types of crimes. You can reach out to your family, schools, and community to help tell them about cyber threats such as ransomware, phishing, and malware. You can also help non-technical people understand how their devices connect to the Internet, what information they are sharing, and how to check the security setting for all devices, including smart watches and fitness bands.
There’s a lot to be done, and we all need to work together to keep each other safe. What are you and your organization doing to protect our critical infrastructure?
8 https://www.forbes.com/sites/dinamedland/2016/03/02/u-k-study-reveals-serious-under-reporting-of-cyber-attacks-by-business/#3e34ef756cce and https://www.cyberscoop.com/ransomware-fbi-ic3-2016-report/
To read more from Michael Levin, please visit The Center for Information Security Awareness blog at cfisa.org/security-blog.html.
MODIFIED: Nov 10, 2017