Today, the average American leaves the house with a smartphone that has more computing power than the systems that landed humans on the moon. The Internet of Things (IoT) enables refrigerators to tell you that you’re running out of milk and cars to provide assisted driving. The reality is that the knowledge economy is in full swing, and the modern world’s relationship with technology has advanced to a state where nearly all aspects of our daily lives are touched by the internet. As a result, threats to cybersecurity are among the most critical issues facing the world today, holding the capacity to disrupt political, economic and individual activities around the world.
Even as an entire industry emerges to develop innovative and improved defenses against cyber threats, malicious actors continue to develop more sophisticated tactics for exploiting vulnerabilities.
In a recent example, the City of Baltimore was struck by a ransomware attack this past May. Malicious hackers used the ransomware to disrupt government computer systems by encrypting files and demanding around $80,000 to restore normal operations.
As Baltimore officials continue to deal with the fallout from this cyber-attack, the repercussions have been felt well beyond the inner-sphere of city government. The attack has directly affected how the city is able to work with the public, leaving emails and voicemails inaccessible. This has also disrupted city residents paying water bills, property taxes and traffic citations, as well as the city’s ability to officially close real estate sales.
These issues and the estimated $18 million cost of recovering from the attack are a testament to the reality that in 2019, cyber technology undergirds and connects some of the most fundamental aspects of everyday life. In order to safeguard the collective cybersecurity and functionality of governments, businesses and individuals, it is crucial to maintain awareness of evolving cyber threats and to remain vigilant about one’s personal cyber defenses.
Where technology leads, cyber threats will follow.
Far beyond the realm of city government, offensive cybersecurity strategies by foreign states stand to transform the geopolitical cyber scenario as we know it. Russia’s interference in the 2016 United States presidential election continues to have ramifications, many of which may not be fully realized for years to come. Along with the 2017 WannaCry ransomware attack attributed to North Korea indicate a growing trend of cyberwarfare and the need for increased investments in cyber-defense strategies. Cyberwarfare threats are increasing, and governments must protect the welfare of its citizens by safeguarding government networks, internal perimeters and supply chains against cyber threats.
The development of new technologies also creates new security challenges for the businesses that develop and provide innovative products for consumers. In particular, innovations in the automotive and biotechnology industries are increasingly vulnerable to cybersecurity threats as new ways to exploit emerging technologies are devised. The introduction of self-driving and assisted-driving cars carries the risks of key hacking, personal data compromise and interference in vehicle-to-vehicle and vehicle-to-traffic infrastructure communications. In biotechnology, scientists are engineering devices enabled by the internet to conduct biological processes, such as implanted medical devices and pharmaceutical delivery systems.
The security challenges that these devices create for the businesses that develop them will be accompanied by serious personal risk for any individuals who rely on medical devices that are not adequately shielded from cyber-attacks. Modernization is accompanied by many cybersecurity risks, and businesses need to protect themselves and their clients by ensuring systems’ resilience, such as implementing strong cryptographic encryption of sensitive data and continually developing and deploying new security updates in response to evolving threats.
While individual citizens rely heavily on government and businesses to implement cybersecurity protections, successful resistance to cyber threats often boils down to basic human decision-making. Individual defenses against cyber threats are crucial because most cyber-attacks deliver malware through phishing campaigns that target corporate and private emails. Additionally, many systems are susceptible to cyber threats when people fail to install operating system and application updates that are designed to patch the system vulnerabilities that adversaries target. While personal and employee training can help people identify obvious phishing attacks, the growing sophistication of phishing campaigns will require the development of active solutions to instigate revisions of policies and procedures, user training and awareness and Artificial Intelligence (AI) based technologies.
Cyber threats are evolving. You should too.
As cybersecurity threats develop and become more advanced, authoritative bodies are responding by introducing new regulations and standards to defend systems against cyber-attacks. As an example, the European Union has been developing and implementing new cybersecurity regulations over the last few years. As a follow-up to the 2018 implementation of the General Data Protection Regulation (GDPR), which standardizes policies for giving individuals control over their personal data, this year the E.U. plans to introduce the new ePrivacy Regulation, which will enhance the level of confidentiality within electronic communications. Even though these are E.U. based initiatives, their reach and impact is global for anyone who has customers in the E.U.
Additionally, the International Organization for Standardization (ISO) is set to release new standards regarding the security and protection of personal information within cloud-based services. ISO/IEC 27552, for example, provides additional requirements to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS) and will be an extension of ISO/IEC 27001, the standard for Information Security Management Systems. This new standard is in addition to the controls currently in use through ISO/IEC 27017, security techniques for cloud services, and ISO/IEC 27018 protection of Personally Identifiable Information (PII) for PII processors. Another standard under development will target the security of consumer electronics.
For all the rules and regulations being introduced to defend against evolving cyber threats, organizations are not responding fast enough. The City of Baltimore is a prime example of an organization that did not effectively implement cybersecurity protection. Reports from Baltimore officials speculate that the ransomware attack was initiated through phishing efforts. A critical vulnerability prevalent in some Microsoft operating systems, famously exploited in 2017’s WannaCry ransomware attacks, was reported to be the vector for the attack. Microsoft introduced a patch for the vulnerability in 2017, yet the city never updated its systems to mitigate this well-known threat.
What this illustrates is that even large organizations like the Baltimore City Government are not adequately defending or responding to cyber threats, and the consequences are now being felt by individuals and businesses throughout the Baltimore area. Significantly, Baltimore is not an outlier when it comes to lax cybersecurity. Just last year the city government of Atlanta was hit by a ransomware attack, and a recent article in the Washington Post highlights how poor funding for IT departments in city budgets around the United States makes many local governments vulnerable to cyber-attacks.
It goes without saying that cybersecurity threats will persist and continue to evolve. Tackling these threats and unpacking endless new laws, regulations and standards will require a continuously high level of expertise, knowledge and multidisciplinary approaches. Organizations must adopt a position of organizational resilience that makes information and cyber resilience top priorities. International standards and other cybersecurity best practices promoted by all organizations enable individuals, companies and governments to achieve a state of enhanced and sustainable resilience in the face of cybersecurity threats.