Why Are Organizations Still Getting Hacked?
The lack of collective action on cybersecurity is a threat to everyday necessities that free credit monitoring won’t solve.
E-mails and pop-up messages encouraging the use of multi-factor authentication or complex passwords made users throughout the world aware that last month was Cybersecurity Awareness Month. Many are also still being reminded of -- and becoming numb to -- the personal stakes of cybersecurity breaches, thanks to free credit monitoring offers in the aftermath of far-too-regular personal data theft from the financial, healthcare, and human resources institutions that we trust to keep our information safe. But just as we didn’t address the automotive safety threats described in Unsafe at Any Speed through either blind trust in existing safety features or defeatism about the hazards of automotive accidents, we shouldn’t allow the mounting stakes of cybersecurity to go unchecked.
Given the pervasiveness of personal data theft as a cybercrime, it’s easy to believe that the consequences of a cyberattack would be limited to individual harm that can be detected and remedied through free credit monitoring and a messy-but-doable identity recovery process following a breach. It’s equally easy to believe that the nation-state hackers who use sophisticated attacks that can cause not only individual financial and corporate reputational damage, but also massive societal impact, have limited their hacking to high-level government-controlled systems. However, recent events have proven that this is not the case.
Americans got their first taste of the potential physical and economic impact of a cyberattack in May 2021, when Eastern European cyber criminals caused the shutdown of Colonial Pipeline’s operations due to ransomware in its IT systems -- a breach that did not even directly impact the critical operational technology (OT) systems that control the pipeline itself. The criminal actors responsible were able to extract a multimillion-dollar ransom, most of which was recovered thanks to law enforcement collaboration. Criminal attacks against utilities remain ongoing, as evidenced by the August cyberattack against Halliburton; moreover, utilities and even the government won’t always be able to pay their way out of a cyberattack.
The next time America, or one of its close allies, experiences a major infrastructure attack, our credibility on the world stage and the sovereignty of our partners abroad may be at stake. A China-affiliated cyber actor, codenamed Volt Typhoon, was conducting low-profile hacks to be able to orchestrate a massive “everything, everywhere, all at once” cyberattack that could impact the availability of power and water across the United States. Such an attack would be used to weaken American resolve to support Taiwan in the event of an invasion or other hostile action, warned US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly in January 2025.
CISA, in partnership with US law enforcement and intelligence agencies, has built unprecedented intelligence sharing and cybersecurity collaboration mechanisms with critical infrastructure providers to mitigate this capability, but the drumbeat of attacks has not stopped. In the midst of Cybersecurity Awareness Month, an unattributed attack on American Water and a China-linked attack against US telecom providers that may have targeted lawful intercept capabilities were potent reminders that hackers aren’t just after our money -- they’re also trying to jeopardize access to basic necessities and invade our privacy, even if they’re holding their full capabilities in reserve to strike at the moment that’s most advantageous for them.
As strong as the collaboration between government and critical infrastructure in the cybersecurity space has made us, it’s not enough to overcome the threat of highly sophisticated attackers using AI to target not only industrial systems, but also personal accounts and devices to gain a foothold in corporate networks. Software companies must incorporate more secure coding practices, as CISA is encouraging with its Secure by Design and Default initiatives. Cybersecurity companies must keep innovating to create technologies that can defuse new types of attacks, like a browser-based attack developed in mid-2024 that could compromise a computer if a user so much as viewed a compromised image file.
But at the end of the day, it’s not enough that the US Government and corporations -- both those that deploy enterprise software and those that develop it -- emphasize cybersecurity. Each of us must realize that cybersecurity is a fundamental safety concern that merits due diligence in our day-to-day lives. In the automotive world, more than 60 years of life-threatening accidents occurred between the production of the Model T and the requirements for safety belts; it took 20 more years for laws requiring drivers and passengers to use them. It’s been 30 years since the introduction of the World Wide Web to the public, and it’s evident that we don’t have 80 years to not only create, but also embrace, technology to enforce internet security and safety. The threats are accelerating, and neither the US Government nor free credit monitoring alone can save us.