You do not have to work very hard to discover the subject of cybersecurity. It is around us, part of a new normal in our daily lives. It is persistently evolving, just as our data systems are. Some of us are old enough to remember personal computers in the days before Al Gore invented the Internet. We had memory on cassette tapes, modest monochrome monitors, and sharing data was a frustration.
The concept of linking computers began with proprietary networks. These opportunities allowed you to connect your computer to a remote "host" computer by "dialing" a telephone number. Some will remember the days when you physically pushed buttons on a telephone to make that call, and when you heard the static and squealing on the answering end you put that phone handset into a special cradle to allow the two computers to communicate over the auditory link.
As we evolved, floppy drives became the norm. The industry brought us 8 inch discs. As inconvenient as that size may sound, we were so enthralled with this innovation. It made moving data so much easier. Those evolved to 5.25 inches and then 3.5 inches (no longer "floppy," but in a hard plastic case with a metal or plastic door that opened to afford disc reading). With each iteration, convenience increased. Back then, we never even dreamed of the now ubiquitous flash drive.
Through the 1980s, the concept of interconnecting hardware continued to evolve. Networked systems became the norm. We continued to connect our computers to hosts using phone lines, but we evolved from those special cradles to specialized integrated modems. In time, they became integrated into the computers themselves. By the early 1990s we were slowly introduced to the Internet, email, and social media. We were enthralled and amazed. The convenience and functionality brought us productivity and efficiency.
We were all somewhat shocked when we learned that there were mean people on the Internet. This brave new world of sharing and communicating had its share of bad actors. They would attempt to steal your information or identity. They would infect your computer with viruses to assist their malfeasance. Some merely sought to damage us, with no real corresponding gain for themselves. We were all introduced to "antivirus" software, an expense for both businesses and consumers. Those who would do us harm, however, seemingly had limitless imagination as to how we might be tricked or enticed into having our data breached.
Through the 1990s we continued to evolve from using those modems to dial up proprietary hosts into a paradigm where we would dial up to a connection to the Internet. We called them Internet Service Providers. There were many of them, and their utility and convenience drove us to demand more from our computers. The networking of data became ubiquitous and we were persistently thirsty for ever more of that Internet nectar.
And the limitless imaginations of the bad actors also continued. There were worms, Trojans, and viruses. We did our best to avoid them. We purchased increasingly sophisticated defenses, and the bad actors developed increasingly sophisticated attacks. We would see our email hijacked, our data compromised, and sometimes would simply lose our entire computer to these assaults. And, they continue today with us worrying in 2020 about phishing, smishing, vishing, spoofing, and more. The simple fact is that I cannot keep up with these imaginative criminals and their malfeasance buffet.
In the last decade, there have been big stories of data breaches. Target stores' breach affected 41 million customers according to some sources, 110 million according to others. That was not the biggest, not even close. A Yahoo breach is thought to have affected billions of user accounts. The last decade seemed to be a parade of data breaches and the potential for stolen identity, loss of data, and expense. The companies attacked were often well-known to consumers. They included retail (both stores and online), video games, social media, and government.
More recently, the trend turned to ransom. This is a method of depriving an owner of access to compute data. It is not a recent innovation, but it certainly became newsworthy in 2019. CRN reports that almost 1,000 government agencies were the target of such attacks in 2019. The cost is estimated at almost $200 million related to
"investigating the attack, rebuilding networks and restoring backups to paying the hackers ransom and putting preventative measures in place to avoid future incidents."
Another source, Health IT Security says that the volume of ransomware roughly doubled the volume in 2018. To say that it is a growing trend is an understatement.
Certainly, a lot of those attacks were on high-profile, large, targets. But others hit less-known municipalities. Riviera Beach paid hackers a $600,000 ransom. Lake City paid $460,000. There were also attacks in St. Lucie and Pensacola. The Pensacola attack resulted in constraints on telephone systems, email, and accounting programs. And, those four were just the high-profile attacks in Florida. There were more attacks elsewhere, an increasingly common occurrence.
And phishing continued in 2019. According to the Naples Daily News, seven Florida jurisdictions fell victim to phishing (Collier County, Tallahassee, Stuart, Riviera Beach, Naples, Lake City, and Key Biscayne). Some employee in each of those jurisdictions clicked on an errant email link and facilitated an infection. Effects included loss of computer systems, theft of funds, and in some cases payment of ransom. In some instances the attack was direct, but in others, these jurisdictions suffered because of an attack on some vendor with which it did business.
I have known people whose businesses were forced into bankruptcy by data breaches. A few attorneys have seen their practices crippled as they lost control of their data, calendars, and even bookkeeping. Small firms leveraging the technology to their benefit have periodically become risks to large firms with which they do business. The network, you see, is only as strong as its weakest link. The convenience we build for ourselves can sometimes be co-opted and used against us with equal convenience for the attackers.
What all these phishing and ransom attacks have in common is the threat to business. In effect, the hacker is holding the business hostage and demanding payment in exchange for releasing the data, the systems, or the function.
But, in 2020 a new twist made the news in Florida. A physician's office was hacked and data was pulled from the business' server. This is not that novel, but rather like the examples above. However, instead of demanding a ransom from the doctor to return the data, this hacker(s) contacted the patients whose records had been breached. This hacker(s) essentially threatened patients with
"the public release of their photos and personal information unless unspecified ransom demands are negotiated and met.”
Thus, "ransomware" has evolved into "extortionware." Though this is seemingly novel, it is perhaps not that different from a string of stories we have heard about celebrity photographs and the supposed "cloud" (hint, there is no "cloud," just other people's computers). Those celebrity instances have been going on for years involving such names as Jennifer Lawrence, Kate Upton, and others. The Washington Post warned us then of "concerns about security."
The opportunities for hackers to both obtain and leverage our data seem endless. Their imagination seems boundless. And, from the dollar figures discussed above, it seems that their criminal enterprise is persistently lucrative. Thus, governments, businesses large and small, and even individuals are increasingly focused on cybersecurity as 2020 began.
Presently, we are distracted by another kind of virus. The world has slowed, in some places nearly stopped, due to COVID-19. That has driven more of us to telecommuting than ever. More and more of us accessing and manipulating data remotely. Some would argue that computer networks are at risk more than ever before. And, the potential for malfeasance continues.
Starting from the government, there is a new day of network security dawning. The federal government will require network awareness and security from those with whom it does business. And, that will be a "chain" requirement. Thus, the government vendor will be required to secure its network and to assure that all of the companies with which it does business likewise secure theirs. Security certification is a new reality that will affect large and small businesses alike. Everyone in business must come to understand and appreciate the cyber threat. Each business will be compelled to protect against it. Survival and the ability to do business will depend upon such knowledge and sophistication.
Those who will be part of commerce will be increasingly required to assure network integrity as a component of the business interactions that generate revenue. Interestingly, a major component of that will not be either software or hardware. Those with network expertise often lament that the "weakest link" in network security is the very humans who use it. We are the most likely to click on some link, to fail to log off some terminal or to otherwise fall prey to hackers. It is likely in educating ourselves that we stand the best chance of both protecting networks and thereby livelihoods.
Just as humans can be the weakest link lamented so often, we can also be trained to be effective in the defense of our data, networks, and businesses.
