How secrecy on cybersecurity is giving hackers an advantage

Hacked targets must reveal details of breaches for others to arm up

Elaine Ou (with inputs from Bloomberg)
Published31 May 2021, 10:18 PM IST
Businesses don’t like to disclose anything that suggests sloppy security
Businesses don’t like to disclose anything that suggests sloppy security(Photo: iStock)

Business is booming for cyber extortionists. DarkSide, a hacking group that shut down a key US oil pipeline in May, has collected over $90 million recently in hard-to-trace Bitcoin from 47 victims, according to the analytics firm Elliptic. That hack ended after Colonial Pipeline paid nearly $5 million in ransom to regain control of systems needed to supply gasoline to eastern US, and was widely dubbed a ‘wake-up call’ to batten down loose digital hatches. After the subsequent executive order on cybersecurity from US President Joe Biden, regulation is expected to tighten. But there are key gaps.

There has been scant coverage of how hacks actually occur. You’d almost think that bad guys are breaking into data centres in the dead of night armed with sinister thumb drives, or sneaking lines of malevolent code past snoozing information security officers. It’s as if malware materializes spontaneously on a server, then worms its way in to seize control of operational assets. Companies are reluctant to discuss the details of a breach because it inevitably reveals some sloppy security. The absence of information creates a sense of bystander apathy, leaving many in the industry unprepared for the next attack.

In real life, corporate servers are often breached through remote log-in services as employees connect to their offices from compromised home networks. Once an attacker has gained initial access to an enterprise network, other hacking tools can be used to exploit software flaws and infiltrate critical control systems. The rise of remote work during the pandemic has drastically increased vulnerability.

Most people don’t think of their personal computers as vectors for malware, but that’s what they are. Laptops are thought of as safe, and manufacturers tend to downplay the vulnerabilities. It came as a surprise last week when Apple’s senior vice president of software engineering, Craig Federighi, admitted that Mac has a malware problem. According to Federighi, there have been 130 types of Mac malware in the past year, one of which infected 300,000 systems. This, from a company that has long advertised its machines as a more secure than alternatives.

Brutal honesty could encourage greater consumer vigilance. In 2016, the comedian John Oliver featured a satirical clip of Apple engineers scrambling to put out fires and patch software vulnerabilities while a malicious hacker steals intimate photos from user devices. It’s a fairly accurate depiction of the challenges of information security, where a few engineers must hold off potential hackers in various time zones.

The lack of transparency is not just the fault of corporate public relations. Software vulnerabilities are often kept secret for national security. The US government exploits security flaws all the time for intelligence-gathering. The National Security Agency and Central Intelligence Agency notoriously stockpile hacking tools, many of which have fallen into the wrong hands.

Biden’s order addresses part of the problem by envisioning the movement of government data and services to the cloud from local servers. A reputable cloud host would have the resources to stay on top of cybersecurity. This may be sensible for government agencies, but perhaps not the private companies operating critical infrastructure. The cloud market is dominated by Google Cloud, Microsoft Azure and Amazon Web Services. Greater dependence on tech giants would make the internet more susceptible to catastrophic failure by reducing the number of prime hack targets. A distributed system, by contrast, should be able to survive a nuclear strike; now, malfunctions at major cloud-storage providers can disable service for the entire country.

America’s new cybersecurity rules will probably draw from the cybersecurity framework maintained by the US commerce department’s National Institute of Standards and Technology. The framework was prompted by an executive order signed by President Barack Obama in 2013 and establishes industry best practices for cyber risk management, but adherence has been limited because implementation requires a huge investment. Security measures are easy to undervalue because the consequences of sloppiness are unknowable. Laziness is a competitive advantage until the day the bad guys strike.

Even with revised security standards, businesses in general would benefit from greater transparency on cyber breaches and software vulnerabilities. Cybersecurity ultimately comes down to questions of human behaviour, and people are prone to cut corners when they underestimate risk. The worst outcome would be for cybersecurity to turn into a checkbox-ticking exercise, like the pointless rituals that we suffer at airports.

Elaine Ou is a Bloomberg Opinion columnist and a blockchain engineer at Global Financial Access

Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.

MoreLess
First Published:31 May 2021, 10:18 PM IST
Business NewsOpinionColumnsHow secrecy on cybersecurity is giving hackers an advantage

Get Instant Loan up to ₹10 Lakh!

  • Employment Type

    Most Active Stocks

    Tata Steel share price

    159.65
    11:24 AM | 10 OCT 2024
    0.65 (0.41%)

    Tata Power share price

    470.05
    11:24 AM | 10 OCT 2024
    9.15 (1.99%)

    Tata Motors share price

    931.70
    11:24 AM | 10 OCT 2024
    -7.45 (-0.79%)

    Bharat Electronics share price

    287.85
    11:24 AM | 10 OCT 2024
    5.35 (1.89%)
    More Active Stocks

    Market Snapshot

    • Top Gainers
    • Top Losers
    • 52 Week High

    CG Power & Industrial Solutions share price

    819.90
    11:17 AM | 10 OCT 2024
    17.45 (2.17%)

    HCL Technologies share price

    1,822.90
    11:16 AM | 10 OCT 2024
    12.8 (0.71%)

    Page Industries share price

    44,021.20
    11:03 AM | 10 OCT 2024
    118.15 (0.27%)

    Tech Mahindra share price

    1,651.95
    11:17 AM | 10 OCT 2024
    -6.75 (-0.41%)
    More from 52 Week High

    Home First Finance Company India share price

    1,248.00
    11:15 AM | 10 OCT 2024
    -58.25 (-4.46%)

    RITES share price

    314.25
    11:16 AM | 10 OCT 2024
    -10.35 (-3.19%)

    ICICI Securities share price

    840.50
    11:13 AM | 10 OCT 2024
    -26.85 (-3.1%)

    Natco Pharma share price

    1,436.15
    11:17 AM | 10 OCT 2024
    -39.1 (-2.65%)
    More from Top Losers

    Tata Investment Corporation share price

    7,149.85
    11:16 AM | 10 OCT 2024
    599.7 (9.16%)

    Rashtriya Chemicals & Fertil share price

    182.95
    11:15 AM | 10 OCT 2024
    11.95 (6.99%)

    Mazagon Dock Shipbuilders share price

    4,370.00
    11:17 AM | 10 OCT 2024
    283.85 (6.95%)

    Tata Teleservices Maharashtra share price

    84.30
    11:17 AM | 10 OCT 2024
    5.15 (6.51%)
    More from Top Gainers

    Recommended For You

      More Recommendations

      Gold Prices

      • 24K
      • 22K
      Bangalore
      76,695.00-760.00
      Chennai
      76,701.00-760.00
      Delhi
      76,853.00-760.00
      Kolkata
      76,705.00-760.00

      Fuel Price

      • Petrol
      • Diesel
      Bangalore
      102.86/L0.00
      Chennai
      100.75/L-0.10
      Kolkata
      104.95/L0.00
      New Delhi
      94.72/L0.00

      Popular in Opinion

        HomeMarketsPremiumInstant LoanMint Shorts