Secrecy fuels cybersecurity risks – Taipei Times
By Elaine Ou / Bloomberg Opinion
Business is booming for cyberextortionists.
DarkSide, the hacking group that shut down a key U.S. pipeline earlier this month, has raised more than $90 million in hard-to-trace bitcoin from 47 victims, blockchain analytics firm Elliptic said.
The pipeline hack didn’t end until Colonial Pipeline Co paid nearly $5 million in ransom to regain control of the computer systems needed to supply gasoline to much of the eastern United States, and has been widely dubbed a ‘wake-up call’ to close loose digital hatches.
Following the subsequent release of US President Joe Biden’s new “Nationwide Cyber Security Improvement Order,” the US Department of Homeland Security is preparing to regulate cybersecurity in the pipeline industry. The US Transportation Security Administration (TSA) is expected to publish mandatory rules and reporting requirements to protect pipelines from cyber attacks.
However, there are significant gaps. In all of the recent reports on cyber attacks, there is little coverage of how they actually happen. You’d almost think bad guys were breaking into corporate data centers in the dead of night armed with sinister USB drives, or sneaking malicious lines of code past information security officers. It is as if malware spontaneously materializes on a server and then makes its way to take control of operational assets.
Businesses are reluctant to correct false impressions by discussing the details of a breach, as this creates bad press and inevitably reveals sloppy security. The lack of information creates a feeling of apathy among onlookers, leaving many members of the sector unprepared for the next attack.
In real life, corporate servers are often hacked through remote connection services when employees connect to the office from compromised home networks. Once an attacker has gained initial access to a corporate network, other hacking tools can be used to exploit software vulnerabilities and infiltrate critical control systems. The rise of remote working during the COVID-19 pandemic has dramatically increased these attack surfaces.
Most people don’t think of their personal computers as vectors for infectious malware, but they are. Laptops are considered places to store private photos and files, and manufacturers tend to downplay vulnerabilities. It came as a surprise last week when Apple Inc’s senior vice president of software engineering, Craig Federighi, admitted that Mac had a malware problem.
According to Federighi, there have been 130 types of Mac malware in the past year, one of which has infected 300,000 systems.
It all comes from a company that has historically advertised its machines as a more secure alternative to Microsoft Windows.
Brutal honesty could encourage greater consumer vigilance. In 2016, comedian John Oliver featured a satirical clip of Apple engineers scrambling to put out fires and fix software vulnerabilities as a hacker steals intimate photos from users’ devices. That’s a pretty accurate description of the challenges of information security, where a few engineers have to fend off potential hackers in 24 different time zones.
The lack of transparency is not just the fault of corporate public relations. Software vulnerabilities are often kept secret for national security purposes. No one likes to talk about it, but the US government exploits security loopholes all the time for intelligence gathering and counterterrorism measures.
The United States’ National Security Agency (NSA) and the CIA notoriously stockpile hacking tools, many of which have fallen into the wrong hands. In 2019, hackers used a leaked NSA exploit to disrupt government services in Baltimore, Maryland.
Biden’s executive order fixes part of the problem by envisioning the movement of government data and services to the cloud from local servers. A reputable cloud hosting provider has a full-time staff who monitor the infrastructure and keep abreast of security updates, so newly revealed vulnerabilities can be fixed immediately.
This might make sense for government agencies, but maybe not for private companies that operate critical infrastructure. The cloud computing market is dominated by three players: Google Cloud, Microsoft Azure and Amazon Web Services.
Greater reliance on tech giants would make the internet more vulnerable to catastrophic outages by reducing the number of primary hacking targets. A distributed communications system, on the other hand, should be able to survive a nuclear strike; now malfunctions at major cloud storage providers can turn off the service for the whole country.
Moreover, those concerned about the growing monopoly power of big tech would have their own reasons for opposing it.
The TSA’s new cybersecurity rules would likely build on the cybersecurity framework maintained by the U.S. Department of Commerce’s National Institute of Standards and Technology. The framework was prompted by an executive order signed by then-US President Barack Obama in 2013 and establishes industry best practices for managing cyber risk, but buy-in has been limited as implementation requires a considerable investment.
Safety measures are easy to underestimate because the consequences of neglect are unknowable. Laziness is a competitive advantage until the bad guys strike.
Even with security standards enforced by the TSA, the industry would benefit from greater transparency about breaches and software vulnerabilities. Cyber security ultimately comes down to human behavior, and people are prone to take shortcuts when they underestimate the risk. The worst outcome would be for cybersecurity to turn into an exercise in ticking the box like the unnecessary ritual we go through at the airport.
Elaine Ou is a Bloomberg opinion columnist. She is a blockchain engineer at Global Financial Access in San Francisco. Previously, she was a lecturer in the Department of Electrical and Computer Engineering at the University of Sydney.
This column does not necessarily reflect the opinion of the Editorial Board or of Bloomberg LP and its owners.