
CrowdStrike should be the last straw. Companies must implement proper cybersecurity

WASHINGTON, DC - JULY 19: An impacted check-in terminal is seen at Ronald Reagan Washington National Airport on July 19, 2024 in Washington, DC. A global computer outage started from an update from the cybersecurity company CrowdStrike that impacted flights worldwide along with disrupting broadcasters and banking services. (Photo by Nathan Howard/Getty Images)

The recent disruption of the computers used by banks, airlines, radio and television stations, hospitals and more running CrowdStrike's Falcon EDR product on Microsoft Windows machines was a prime reminder of our dependence on computers and software. It should be of little solace that the cause was poor quality control at CrowdStrike rather than a cyberattack.

Massive computer attacks by cybercriminals and foreign nation-state adversaries are now common, yet we seem to learn little each time. Cybercriminals have learned to reach companies or government agencies with better security through supply chain attacks: they target companies with lax security that provide products or services to the real target. In 2013, Target's credit card processing equipment was hacked, exposing the credit and debit card information of 110 million of its customers. The attack began with malware-infected spear-phishing emails sent to Fazio Mechanical, Target's HVAC contractor; Fazio employees ultimately provided the credentials necessary to access Target's point of sale systems.

So what did we learn? Apparently little. 2017 brought the massive NotPetya attack. NotPetya was a ransomware strain that cybercriminals managed to insert into Ukrainian accounting software called M.E. Doc. The SolarWinds attack in 2020 was another supply chain attack, which purportedly began with malware-infected spear-phishing emails and ended with malware inserted into its Orion software, a management program used by thousands of companies around the world such as Microsoft, Cisco and Intel, as well as federal agencies including the Department of Homeland Security, the Treasury Department and the Department of Energy.

Again, little was done.

Next came the MOVEit Transfer supply chain attack in 2023. MOVEit Transfer software was used by 2,700 companies and government agencies including American Airlines, TD Ameritrade, Johns Hopkins, Shell and the Department of the Army. The company Chainalysis estimated the amount of ransom paid to Clop in response to its ransomware attack was $100 million.

In a required regulatory filing, AT&T recently disclosed that it had suffered a significant data breach affecting nearly all of its 109 million customers. The data breach was not of AT&T's own computers, but rather of Snowflake, a cloud storage company with which AT&T stored data. Other companies affected include Allstate, State Farm, Ticketmaster and Santander Bank.

The cybersecurity firm Mandiant, in its investigation, attributed the data breach not to direct attacks on Snowflake's computers, but rather to the affected companies reusing, for their Snowflake accounts, the same passwords they used for other accounts that had been compromised in earlier data breaches and made available to cybercriminals on the Dark Web. No one should use the same password for multiple accounts. Making matters worse, the affected companies failed to use simple multi-factor authentication, which would have protected the accounts even after the passwords were compromised.

So, what steps should be taken to protect the security of our data, networks and systems?

According to the data gathering company Statista, there were 3,205 data breaches in the United States last year affecting 353 million people, and passwords are often among the data stolen. Further, we can well expect our passwords to be compromised through large-scale data breaches: a Mandiant report indicated that in 2023 cybercriminals used compromised passwords in 40 percent of their ransomware attacks. Strong, unique passwords for all accounts are an essential element of basic security.

We also should require multi-factor authentication, so that when a password is compromised, the cybercriminal will still not be able to access the account. Companies lacking this simple step are just plain negligent. The Cybersecurity and Infrastructure Security Agency (CISA) has advised that multi-factor authentication be incorporated into all services by default as part of its secure-by-design principles. While many companies have voluntarily committed to doing so, many more have not.
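To make the two preceding points concrete, here is an added illustration (not code from the article, from Snowflake, Mandiant or CISA) of what the Snowflake victims lacked: a login flow that refuses passwords already seen in a breach and makes a second factor mandatory. The TOTP code follows RFC 6238 (HMAC-SHA1, 30-second steps, six digits); the account store, the user "alice", her passwords and the tiny breached-password list are all constructed for the demo. A real deployment would check passwords against a breach corpus through a k-anonymity lookup rather than a local set.

```python
"""Credential hygiene checks: breached-password rejection plus a mandatory TOTP factor.

Added illustration, not code from the article or from any vendor it names.
Account names, passwords and the breached-password list are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed stand-in for a leaked-credential feed. Only SHA-1 digests are kept so
# the plaintext list is never stored on the server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Summer2024!", "password1", "Welcome123")
}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock skew)."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(store: dict, username: str, password: str, totp_secret: bytes) -> bool:
    """Refuse passwords already seen in a breach; enrol a TOTP secret for every account."""
    if is_breached(password):
        return False
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "digest": digest, "totp_secret": totp_secret}
    return True


def login(store: dict, username: str, password: str, otp: Optional[str], unix_time: int) -> str:
    """Return 'ok' or the reason for refusal. The second factor is never optional."""
    acct = store.get(username)
    if acct is None:
        return "unknown user"
    _, digest = hash_password(password, acct["salt"])
    if not hmac.compare_digest(digest, acct["digest"]):
        return "bad password"
    if otp is None:
        return "mfa required"
    if not verify_totp(acct["totp_secret"], otp, unix_time):
        return "bad mfa code"
    return "ok"


def demo() -> list:
    """Walk the scenario from the article: a known password alone must not open the account."""
    store = {}
    # RFC 6238 test-vector secret, used here only as a fixture for the constructed account.
    secret = b"12345678901234567890"
    results = []
    accepted = register(store, "alice", "Summer2024!", secret)  # reused, breached password
    results.append("accepted breached" if accepted else "reject breached")
    register(store, "alice", "correct horse battery staple", secret)
    now = 1234567890  # fixed clock so the run is reproducible
    results.append(login(store, "alice", "correct horse battery staple", None, now))
    results.append(login(store, "alice", "correct horse battery staple", "000000", now))
    results.append(login(store, "alice", "correct horse battery staple", totp(secret, now), now))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script prints the four outcomes in order: the breached password is refused at enrolment, a correct password with no code is refused, a correct password with a wrong code is refused, and only password plus a fresh code succeeds. The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 test vectors for the shared secret `12345678901234567890`, so the arithmetic can be checked against the standards directly.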

Rigid security standards should be established for vendors to defend against supply chain attacks. Software development should require continual and complete testing for vulnerabilities. Too often, security has been added on at the end of software development instead of being a primary concern from the start.

To date, there has been little in the way of repercussions for industry failures. Occasional class actions have not provided a sufficient financial incentive to institute proper security measures. In addition, the lack of regulations mandating security measures with stiff financial penalties has landed us here. Voluntary security measures, as advised by CISA, too often go ignored without a sufficient financial incentive to do the right thing.

Today, we must incentivize companies to implement proper cybersecurity, and not hesitate to levy sizable financial penalties when negligence puts consumers at risk. We tried the carrot, but it is now time for the stick.

Steve Weisman is a senior lecturer in law, taxation and financial planning at Bentley University in Waltham, Mass. He is also the author and creator of www.scamicide.com