Earlier this year, Congress voted to spend $1B on improving government IT systems…markedly short of the $9B that was originally being pursued, but still a step function increase for the Technology Modernization Fund (TMF), which had previously raised $150 million in total appropriations in the three years of its existence.
Almost instantly, the Department of Labor received $9.6M to (in part) update its enterprise data platform.
It seems that almost every month there is a report of a network being compromised, resulting in consumers’ personal information being exposed or the functionality of a system being modified. In fact, recent research Lynx Software conducted revealed that 36% of working Americans have been, or know someone who has been, impacted by a cybersecurity attack since the start of COVID-19.
Critical infrastructure is one of those areas being targeted. February’s attack on a water-treatment plant in Florida—where a hacker was able to adjust the level of sodium hydroxide being added to the supply—was discovered by a worker who noticed his mouse had been moved without him doing anything. While some people argued that the company’s security policies had worked, to me this feels like a bullet was dodged.
One of my mantras over the last decade has been that just because devices can connect, it doesn’t mean they should. The benefits of having a device connected, versus any potential risks incurred if and when the network gets breached, have to be seriously weighed. In the case of the water-treatment plant, enabling some staff to do some remote management sounds cool…but is that truly better than removing that connectivity and employing additional workers to read and control machinery?
I am not a Luddite…I have worked in the technology industry for (gulp!) more than thirty years and I am not suggesting we revert back to a world without technology. But in my opinion there will be times where the value of the assets and the IT capabilities of the organization are such that the cons of connectivity outweigh the pros.
In another wide-ranging hack, around 150 thousand cameras in locations such as Tesla factories and hospitals were taken over, potentially giving anyone access to sensitive data. Let’s take hospitals as an example. Hospitals have expertise in keeping humans alive; they are not set up to deal with the very dynamic world of sophisticated hackers. In spite of the concerns about data ownership, network availability and cost, I personally feel that the right people to trust with protecting your data are the cloud-infrastructure companies. It is in their DNA to continuously raise the bar for system immunity and, when warranted, to remove connectivity from systems.
I believe that the cybersecurity situation will get worse before it gets better. In part this is because of the shift to a hybrid work environment. Our recent survey shows that since working remotely during the pandemic, workers believe their companies have sufficiently strengthened security policies and measures. For example, 60% say their company has not prohibited the use of certain apps and tools that fail to meet high security standards. 58% say their company has not implemented antivirus software. Companies are going to need technologies that can (immutably) extend the corporate IT policies all the way to the home and (soon we hope) local coffee shops.
If there’s a network connection, a company has to plan for someone accessing it to cause harm, steal data or extort the company. My advice would be to prioritize safety and security over time-to-deployment. It’s better to hire some additional workers to read and control machinery than run a connected system that’s prone to attack.
Systems have to realize immediately when they have been compromised. In the case of the water-treatment plant, the worker noticed that a system’s mouse had been taken over. This is important because it does take time for a hacker to find valuable assets if access to an enterprise’s network is achieved. Artificial intelligence can play a vital role here—recognizing out-of-the-norm behavior for that system and alerting a user to decide the correct course of action. Options from there could include disconnecting the system from the network, blocking a specific IP address, and/or disabling certain system functions.
“Lock all the doors, not just the front one,” Microsoft announced during its Azure Sphere initiative a few years ago—an analogy that has stuck with me. When we leave our homes, we lock the front door. In the world of IoT, we need to lock every door—inside the house as well as those that connect outside.
From a network perspective, if there’s a breach, the entrant only gains access to a subset of the valuable assets. Software and hardware have to partition systems to isolate functions. There need to be strong controls in place so that if an operating system is taken over, the core functions of the system can continue safely and reliably. In short, the security and system-access processes need to be decoupled from the operating systems.
By Ian Ferguson, VP of sales and marketing at Lynx Software Technologies