Business is booming for cyber extortionists. DarkSide, a hacking group that shut down a key US oil pipeline in May, has collected over $90 million recently in hard-to-trace Bitcoin from 47 victims, according to the analytics firm Elliptic. That hack ended after Colonial Pipeline paid nearly $5 million in ransom to regain control of systems needed to supply gasoline to the eastern US, and was widely dubbed a ‘wake-up call’ to batten down loose digital hatches. After the subsequent executive order on cybersecurity from US President Joe Biden, regulation is expected to tighten. But there are key gaps.
There has been scant coverage of how hacks actually occur. You’d almost think that bad guys are breaking into data centres in the dead of night armed with sinister thumb drives, or sneaking lines of malevolent code past snoozing information security officers. It’s as if malware materializes spontaneously on a server, then worms its way in to seize control of operational assets. Companies are reluctant to discuss the details of a breach because it inevitably reveals some sloppy security. The absence of information creates a sense of bystander apathy, leaving many in the industry unprepared for the next attack.
In real life, corporate servers are often breached through remote log-in services as employees connect to their offices from compromised home networks. Once an attacker has gained initial access to an enterprise network, other hacking tools can be used to exploit software flaws and infiltrate critical control systems. The rise of remote work during the pandemic has drastically increased vulnerability.
Most people don’t think of their personal computers as vectors for malware, but that’s what they are. Laptops are thought of as safe, and manufacturers tend to downplay the vulnerabilities. It came as a surprise last week when Apple’s senior vice president of software engineering, Craig Federighi, admitted that Mac has a malware problem. According to Federighi, there have been 130 types of Mac malware in the past year, one of which infected 300,000 systems. This, from a company that has long advertised its machines as more secure than alternatives.
Brutal honesty could encourage greater consumer vigilance. In 2016, the comedian John Oliver featured a satirical clip of Apple engineers scrambling to put out fires and patch software vulnerabilities while a malicious hacker steals intimate photos from user devices. It’s a fairly accurate depiction of the challenges of information security, where a few engineers must hold off potential hackers in various time zones.
The lack of transparency is not just the fault of corporate public relations. Software vulnerabilities are often kept secret for national security. The US government exploits security flaws all the time for intelligence-gathering. The National Security Agency and Central Intelligence Agency notoriously stockpile hacking tools, many of which have fallen into the wrong hands.
Biden’s order addresses part of the problem by envisioning the movement of government data and services to the cloud from local servers. A reputable cloud host would have the resources to stay on top of cybersecurity. This may be sensible for government agencies, but perhaps not for the private companies operating critical infrastructure. The cloud market is dominated by Google Cloud, Microsoft Azure and Amazon Web Services. Greater dependence on tech giants would make the internet more susceptible to catastrophic failure by reducing the number of prime hack targets. A distributed system, by contrast, should be able to survive a nuclear strike; now, malfunctions at major cloud-storage providers can disable service for the entire country.
America’s new cybersecurity rules will probably draw from the cybersecurity framework maintained by the US commerce department’s National Institute of Standards and Technology. The framework was prompted by an executive order signed by President Barack Obama in 2013 and establishes industry best practices for cyber risk management, but adherence has been limited because implementation requires a huge investment. Security measures are easy to undervalue because the consequences of sloppiness are unknowable. Laziness is a competitive advantage until the day the bad guys strike.
Even with revised security standards, businesses in general would benefit from greater transparency on cyber breaches and software vulnerabilities. Cybersecurity ultimately comes down to questions of human behaviour, and people are prone to cut corners when they underestimate risk. The worst outcome would be for cybersecurity to turn into a checkbox-ticking exercise, like the pointless rituals that we suffer at airports.
Elaine Ou is a Bloomberg Opinion columnist and a blockchain engineer at Global Financial Access.