Opinions expressed by contributors are their own and not those of The Hill.
Steve Weisman, Opinion Contributor 07/26/24 11:30 AM ET
WASHINGTON, DC – JULY 19: An affected check-in terminal is seen at Ronald Reagan Washington National Airport in Washington, DC on July 19, 2024. The global computer outage, which began with an update by cybersecurity firm CrowdStrike, affected air travel around the world and disrupted broadcast and banking services. (Photo by Nathan Howard/Getty Images)
The recent computer disruptions at banks, airlines, radio and television stations, hospitals and other organizations using CrowdStrike’s Falcon EDR product on Microsoft Windows machines are a stark reminder of our dependency on computers and software. It is no consolation that the cause was not a cyberattack but a lapse in CrowdStrike’s quality control.
Large-scale computer attacks by cybercriminals and foreign nation states are now commonplace, but we seem to learn little each time. Cybercriminals are learning how to reach well-secured businesses and government agencies through supply chain attacks, in which the attacker first compromises a less secure business that provides products or services to the real target. In 2013, malware-infected spear-phishing emails were sent to Target’s HVAC contractor, Fazio Mechanical, and Fazio employees ultimately provided the credentials needed to access Target’s point-of-sale systems. Target’s credit card processing facilities were hacked, exposing the credit and debit card information of 110 million customers.
So what did we learn? Apparently, very little. 2017 saw the massive NotPetya attack, a type of ransomware that cybercriminals managed to sneak into the Ukrainian accounting software M.E.Doc. The 2020 SolarWinds attack was another supply chain attack, which allegedly began with malware-infected spear-phishing emails and led to the compromise of Orion, a management software program used by thousands of companies around the world, including Microsoft, Cisco and Intel, as well as federal agencies such as the Department of Homeland Security, the Department of the Treasury and the Department of Energy.
Again, very little was done.
Next came the MOVEit Transfer supply chain attack in 2023. MOVEit Transfer software was used by 2,700 companies and government agencies, including American Airlines, TD Ameritrade, Johns Hopkins, Shell, and the Department of the Army. Chainalysis estimated that the ransom paid to Clop in response to the ransomware attack was $100 million.
AT&T recently disclosed in a required regulatory filing that it had suffered a significant data breach affecting nearly all of its 109 million customers. The breach did not occur on AT&T’s own computers but at Snowflake, the cloud data provider where AT&T stored its data. Other companies affected include Allstate, State Farm, Ticketmaster and Santander Bank.
In its investigation, cybersecurity firm Mandiant concluded that the data breach was not the result of a direct attack on Snowflake’s computers. Rather, the victim companies had reused passwords that they also used for other accounts, and those passwords had been leaked in earlier data breaches and exposed to cybercriminals on the dark web. No one should ever use the same password for multiple accounts. To make matters worse, the victim companies did not use simple multi-factor authentication, which would have protected their accounts even after their passwords were leaked.
So what steps should you take to secure your data, networks, and systems?
According to data collection firm Statista, there were 3,205 data breaches in the United States last year, affecting 353 million people. Passwords are often included in the stolen data. Moreover, a Mandiant report predicted that in 2023, cybercriminals would use compromised passwords in 40% of ransomware attacks. Having strong, unique passwords for all your accounts is an essential part of basic security.
Multi-factor authentication should also be mandatory, so that cybercriminals cannot access an account even if its password is leaked. Companies that don’t take this simple step are simply negligent. The Cybersecurity and Infrastructure Security Agency (CISA) recommends, as part of its secure-by-design principles, that all services include multi-factor authentication by default, and while many companies are voluntarily doing so, many more are not.
Rigorous security standards must be established for vendors to protect against supply chain attacks. Software development requires continuous and thorough testing for vulnerabilities. Too often, security is treated as an add-on rather than a primary concern in software development.
To date, there have been few repercussions for industry failures. The occasional class action lawsuit has not provided sufficient economic incentive to take proper security measures, and no regulation mandates such measures under threat of stiff penalties. Without that incentive, the voluntary security measures recommended by CISA are too often ignored.
Today, we must incentivize companies to implement proper cybersecurity and not hesitate to impose heavy fines when negligence puts consumers at risk. We’ve tried the carrot, now it’s time to use the stick.
Steve Weisman is a senior lecturer in law, taxation and financial planning at Bentley University in Waltham, Massachusetts. He is also the author and creator of www.scamicide.com.