
Security updates should be mandatory to prevent cyberattacks


Ransomware, malware, data breaches and digital extortion have a common denominator. And the free market can’t or won’t address it, much less fix it. Technical vendors such as Microsoft, Cisco, VMware, Citrix and others offer time-limited security support for their products.

Private enterprise and the government, in an attempt to reduce expenses and boost profits, often give little to no attention to what is required to secure their assets and the infrastructure supporting the necessities of life: water, energy, communications, banking and health care.

The recent cyberattack on Change Healthcare, for example, was executed because the company did not utilize multifactor authentication, a security technique that has been in use for over 20 years.

As an IT industry veteran of over 40 years, I have witnessed more than one executive kicking the can down the road to avoid the expense of upgrading critical systems, installing and testing security patches, and providing security training and awareness to employees. Some do a reasonably good job of this; most do not. This is painfully apparent from the daily reports of yet another health care institution, bank, pipeline or communications provider being victimized by “bad actors.”

Last month, another health care company, Ascension Health, with over 140 hospitals, was victimized by ransomware. Most of these ransomware events have been executed by Russians.

The crux of the issue is that insecure and outdated networked devices are allowed to continue to operate in the most critical pieces of our infrastructure, their owners playing a deadly game of Russian roulette. Getting hacked is not a matter of if but a matter of when. In 2023, ransomware payments exceeded $1 billion, according to an industry analysis.

Technology vendors should be required, by federal law with substantial financial penalties for failure to comply, to provide security updates to any network device in perpetuity. More importantly, if a networked device is not properly updated with required security patches, it should be rendered inoperable via a “kill switch” until such patches are applied.

As part of the President’s National Cybersecurity Strategy, the government should not purchase, lease or acquire any networked device that does not comply with this edict. Yes, the time and cost to implement this would be substantial and yes, it would require government regulation. But consider this very feasible and likely alternative:

One morning you wake up and you flip a light switch and the lights don’t come on. Your home has no electricity because the electrical grid has been hacked. This is not farfetched; in May 2018, Russian hackers attacked thousands of routers, threatening internet service itself.

Just imagine: no computer, no television, no washer and dryer, no way to charge your devices. You open your phone and have no cell service because the communication grid is down. You drive to the grocery store and are unable to purchase groceries because the credit-card system is down. You can’t fill your prescriptions because the hospital and pharmacy system has been hacked. Multiple attacks on health care institutions over the past decade resulted in denial of patient care and the inability to fill prescriptions.

In this doomsday scenario, you cannot even put gas in your car, since the pumps have no power. Even if you have alternative forms of backup power in the form of solar or gas-powered generators, you are essentially off the grid with no access to food, water, medication, electricity or your finances.

This is what the bad actors are planning and executing on a daily basis. Hackers from Russia, China, Iran and North Korea know our digital infrastructure vulnerabilities and will continue to exploit them. The next world war will not be fought on the battlefield but in cyberspace. On the battlefield, you fortify your every weakness with all available resources, knowing it’s a matter of life and death. Why are we not doing the same in the realm of cyberspace?

Bobby Ess is a former information technology executive from McKinney. He retired after 43 years in the industry in 2022.
