Cyberhacking: A Threat That Won’t Go Away
Share this article
ADVERTISEMENT
(comments below)
Comments
Comments
15 responses to “Cyberhacking: A Threat That Won’t Go Away”
-
I’m always curious about the other side of this story, what our wunderkind are doing to their systems. This whole area seems ripe for a cyber disarmament treaty….I suspect we won’t do that because as badass as they are, we’re worse.
-
Great and important post, Peter. Thank you.
Also, of course, it’s growing ever more likely that our next major international war will be decided over the internet, instead of across traditional battlefields. And in this new cyber battlefield space, who strikes first effectively might well decide the winner.
Are we well prepared defensively? Obviously not, one must conclude. Given our enormous reliance on cyberspace, we are by definition extremely vulnerable, most particularly our civilian population. Particular in our large urban and suburban centers.
-
This is extremely important and timely. For a deeper dive:
“The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age” by David E. Sanger. Just read it! You will not sleep well for many nights after. -
A business where some friends of mine work used a cloud provider for its documents and systems. The cloud provider was hacked and documents encrypted by ransomware. The business’ insurer paid a ransom and the business is getting access to its records and documents after about a two-month period without them.
Investigation showed the cloud provider had failed to update its server software for a considerable period of time and also keep its customers’ documents/records/systems and their back-ups on the same server. Basic negligence. I wonder whether many governments, businesses, nonprofits and cloud providers are even following basic cybersecurity 101 principles. How much of the American economy is simply low-hanging fruit?
-
This has been a big and building issue for over 10 years, since I last looked at it with DHS (and US Navy-NAVFAC) my then client.
Here is a 2 year old DHS/NASCIO study (have not read it) that looks at Virginia’s approach to governance to address how to “manage investments in strategic cybersecurity priorities as part of budget and acquisition processes across multiple organizations?”
-
Good article Peter. Thank you!
Quite a bit of the ransomware is done by low level hackers with rudimentary cyber skills who basically hack into your system and encrypt your file system which effectively freezes it and they will then sell you the decryption key for a price they calculate you are able and willing to pay – not too much such that you flat refuse.
This is DIFFERENT than nation-state espionage to break into government and critical industry infrastructure not for ransom but sorta “counting coup” and just plain vandalism and mayhem.
It’s an interesting issue because one would think that by now – most governments would have taken sufficient measures and to have not done so is the equivalent of not fixing the roof or having broken plumbing or lights or heat that don’t work, etc.
Don’t really buy the “not enough money”. It’s always about priorities and clearly many companies are learning just how important “cyber” is.
And it’s little bit laughable because on one hand, we have all these smartphones, gps, drones, technology out of the wazoo … then we have this…knotty problem that we are still struggling with.
-
Thanks, all, for the comments. Jim, I read the document you attached and wonder why no one would discuss it with me. Larry The G, you are right that holding systems ransom can be done in fairly primitive ways.
-
Something else to worry about: Deepfakes ……. can you believe what you seeing in a photo or video ?
-
There’s an interesting Netflix documentary, The Great Hack, describing what the election hacks are about so far. It’s a bit slow but very interesting information from a journalist at the Guardian and a former employee at Cambridge Analytical and others.
-
I will add my thanks for bringing up this critical issue. Apparently, the Virginia General Assembly does not believe that this is a pressing issue.
The Virginia National Guard has a unit dedicated to cybersecurity. That unit supports the U.S. military’s cybersecurity unit at Ft. Belvoir. In the past, it was also available, through discretionary funding through the state’s office of the Secretary of Technology, to assess cybersecurity threats to Virginia state agencies and local governments. That funding pot with the Secretary of Technology was eliminated through budget cuts . For the 2018-2020 budget biennium, the Dept. of Military Affairs requested $100,000 each year for its cybersecurity unit and the Governor included that request in his introduced budget.
The General Assembly did not approve that request, indicating that the department should continue getting its funding from the Technology Secretariat, although it also eliminated that secretariat in the budget and transferred funding for those sections to several other secretariats.
In the most recent session, the Governor included $150,000 in his introduced budget for the Department of Military Affairs to assist state agencies and local governments in FY 2020 with cybersecurity assessments. The General Assembly turned down that amendment with no explanation. (https://budget.lis.virginia.gov/get/amendmentpdf/3816/
amendment to Item 416 #1c)One would think that, with all the additional funding available to the legislature last session, it could have found $150,000 to help protect state and local governments from cybersecurity threats.
-
First, I’d like to see a confidential report prepared by all Virginia localities and agencies/entities that shows what cybersecurity measures are presently in place. I suspect many use minimal protections and could easily upgrade by utilizing basic best practices.
While I would support additional state funding for cybersecurity, using basic tools should be a prerequisite for getting more financial or technical assistance. My gut tells me that there are many instances of simple failure to do basic Dick and Jane security measures.
-
TMT, that should bring needed local attention to the issue. That would also provide a roadmap to cyber attackers, and another juicy target for hackers, ransomware vendors, foreign bad actors, cyber muckrakers. They will go after it. A copy of each local report would reside on computers in the originating jurisdiction with all its weak defenses, on computers in the relevant state agencies, and of course in dozens of federal offices. Do we think all those copies will remain secure? Seems to me, the widespread distribution of such a detailed list of all our local government cyber weaknesses poses a far greater risk than any benefit from assembling it.
-
It shouldn’t take a visit from the State for local governments to sit down with their tech people and, if applicable, tech provider(s) to make sure that the basic security practices are being followed. Every month we see more and more evidence that governments, be they run by Democrats or Republicans, simply cannot fulfill their basic functions even as they seek to expand their responsibilities and suck up more tax dollars.
If government cannot ensure basic safety against cyberattacks, why are they trying to fix climate change?
-
-
I agree with the implication that many local governments probably do not use basic best practices. Don’t forget, there are also public utility authorities that operate water and sewer facilities that are quasi-independent entities that provide vital public services. The funding requested for the Dept. of Military Affairs was intended to provide assessments of these entities’ vulnerabilities and to make recommendations for upgrading. The funding for the actual upgrades would be the responsibility of the local government or authority.
-
-
-
The grid has a secure communications network of its own, embracing all generators and LSEs on the grid. The big utilities have senior-vice-president level executives in charge of cyber security and budgets running into the $millions. In a recent survey of cyber security practices among the smaller generators connected to the grid, one investigation turned up a little hydroelectric facility in New England which (as a generator occasionally supplying the grid) necessarily had full access to the grid communications network, but where the IT person, who also was the only employee of this little hydro plant, and ran the place part-time (he had other duties with the municipal electric company that owned the dam), left his municipal laptop computer in the dam’s control room during the day when he was working elsewhere. The lake had a fence around it but the dam’s control room was not normally locked. His computer password was “password”.
Cyber security, especially of special networks like those linking utility systems, can be no better than the weakest link.
Leave a Reply
You must be logged in to post a comment.