The ransomware attack on the U.S. Marshals Service, which compromised large amounts of sensitive data, was just the latest in a long line of data breaches at government agencies. Before it came the breach of the Office of Personnel Management, which conducts background checks for the government, where the personal information of 21 million people was stolen; the U.S. Department of Veterans Affairs; and even the IRS, where hackers stole the tax returns of more than 100,000 Americans.
This state of affairs has long been of concern to the Government Accountability Office, which earlier this month issued the latest in a series of studies warning about serious vulnerabilities in the country’s critical infrastructure, including energy, transportation systems, communications and financial services, all of which depend on technology to carry out their essential operations.
In addition, at the same time that we learned about the U.S. Marshals Service ransomware attack, news broke of a ransomware attack at Dole Foods that caused significant disruptions. Data breaches and ransomware attacks since January have included those at Pepsi Bottling Ventures; Heritage Provider Network, where the personal information of 3.3 million patients was compromised; PayPal; and T-Mobile, where the personal information of 37 million customers was stolen. In the case of T-Mobile, this was its fifth major data breach since 2018.
Making things worse, expanded work-from-home policies, in both the private and public sectors, have increased the vulnerability of government agencies and private companies to savvy hackers who target remote workers and exploit the network access those workers have. Add to that the vulnerability of Internet of Things devices to hacking and you have a huge problem.
But wait, it isn’t as bad as you think. It is far worse.
For too long the government response has been lacking, both in developing programs and protocols to increase cybersecurity within government and in doing the same for the private sector. In particular, through multiple presidencies the strategy toward the private sector was for companies to voluntarily report cyberattacks and to voluntarily take steps to increase their own security. That strategy has been a dismal failure in the face of relentless attacks by cybercriminals acting for profit and by foreign governments such as Russia, China, Iran and North Korea.
However, there may be a glimmer of hope with President Biden’s recent announcement of a new national cybersecurity strategy.
Among the provisions of the new strategy are:
1. Proposed legislation to strengthen the Department of Homeland Security’s Cyber Safety Review Board, a partnership between the federal government and private industry designed to conduct fact-finding and issue recommendations after major cyberattacks.
2. A complete and needed change of strategy, from voluntary compliance by private industry with necessary cybersecurity practices to proposed regulations requiring companies, particularly those operating critical national infrastructure, to take minimum cybersecurity measures, with possible liability for companies that fail to do so.
3. Regulations holding software manufacturers liable for cybersecurity failures, to avoid another SolarWinds-type attack.
4. Modernizing cybersecurity technology used by the federal government.
5. Increased offensive cyber actions by federal agencies to attack and destroy cyberthreats posed by foreign governments and cybercriminals.
It can be expected that there will be resistance to the plan, both from private companies that would have to meet new, higher and more expensive standards and from Republicans such as House Homeland Security Committee Chairman Mark Green, who has already been critical of the president’s new strategy. But partisan gridlock must not deter an already vastly overdue comprehensive national cybersecurity strategy. The biggest winners in that scenario would be the hackers, who are already thriving under the status quo while the American public remains vulnerable to their worst intentions.
Steve Weisman is a Senior Lecturer in Law, Taxation and Financial Planning at Bentley University in Waltham, Mass. He is also the author and creator of www.scamicide.com.