Cyber Threat: Why We Continue To Get It Wrong

Recently, a good friend sent me an article describing an analysis by an independent organization that conducts cybersecurity research, along with the recommendation it made regarding ransom payments. The authors assume that stopping ransom payments will end the ransomware threat once and for all. Of course, this is inherently flawed for two reasons. First, at least for the moment, only two kinds of entities are required by any applicable regulation to report an incident: healthcare organizations and publicly traded companies. That leaves millions who are not, meaning they have no obligation to inform the public that they have had an incident or how they decided to respond to it. Second, paying a ransom is a risk/reward decision: is the reward of paying greater than the risk of not paying? The only way to enforce non-payment of a ransom, as the report suggests, is to criminalize it. That means punishing the victim three times if they pay: the incident, the payment and the resulting fine. And it will only be effective if, again, the punishment poses a greater risk than the reward of paying the ransom, which would mean significant fines in many cases. That effectively sets up a situation where only the smallest businesses could be forced to comply, which doesn't seem fair, and in the end it won't stop extortion forever.

Which brings me back to the beginning and the nature of the threat. Believing that ending ransomware payments, without ending all ransoms, will solve the problem is both irresponsible and naive. The threat is like the mythical hydra: no matter how many times you cut off its head, several more grow back. History has shown us that the threat does not disappear or end just because one avenue for it is somehow closed; it simply turns in a new direction, sometimes an even more dangerous and harmful one. The crime doesn't stop, the threat doesn't just give up and go home, it starts looking for the next opening to exploit. Fast forward your thinking just a few years and consider the petabytes of personal and healthcare data that hackers have already amassed, and imagine what they will be able to do with it by applying artificial intelligence and quantum computing. Consider all the times entities have assured the public that their data was not at risk because, even though there was a breach, the information the hacker obtained was encrypted. Soon that will no longer be accurate. The point is that the threat is infinite, persistent and cunning; it has been with us since the beginning of time and it will be with us until the end of time.

I think we can all agree that no one likes paying ransoms, no one likes rewarding criminals for bad behavior, and no one wants to do it; we would all prefer to avoid it if possible. I would argue that the surest path to avoiding catastrophic outcomes in cyber incidents, and having to make extortion payments, is to change the way we approach the security of information systems and data. We want to be an information-driven society, and we want to rush headlong into new technologies like artificial intelligence. To achieve this we need systems we can count on, processes with discipline and data with integrity. And yet we are willing to sacrifice all of those things in our rush to innovate, sell, and/or implement. The reason we do this is that we don't really believe security is critical to performance. We don't take the time to design security into new products, software, etc. We don't take the time to test during development or before we release things to the market. We do not actively analyze new technologies for unintended purposes or consequences, nor do we understand their impact. Simply put, we leave it up to the buyer or user to figure it out. And even when we try, we often do it wrong. Consider the arrival of the Internet after the research and development of DARPA (the Defense Advanced Research Projects Agency). It was going to revolutionize our lives, and it did, but we never imagined or anticipated how it would become a pillar of criminal enterprises or the national security threat it is today. In the '80s, we had focus groups looking at threats of various kinds and trying to predict where they would be in 30 years. Those efforts often proved insufficient, and the threat exceeded its predictions in half the time, because we could not accurately predict the future of technology, which historically has evolved much faster than anyone expected.

Right now we have scientists and developers saying they can't explain the results of various AI models and urging moderation, meaning they don't understand the risk either, yet you can't open a magazine, a newspaper or your favorite website, or go to a conference, without seeing hundreds of presentations about AI and what we are doing with it. Which means we are once again in reactive mode. Which means Change Healthcare could happen again. Except AI is supposed to be as revolutionary as the Internet was, so let's imagine the threat.

If we want a different result, then we need a different approach to the problem. We need to become proactive. We need to build rigorous testing into every piece of software, product or service. We need to perform due diligence on every aspect of the IT environment we rely on to operate effectively. We need to accept that the threat is innovative and evolutionary, and therefore we need to understand where each critical redundancy gap exists. We need to emphasize standards in design that allow for the integration of multiple solutions, so that if one fails, another can quickly and easily replace it to resume operations. We must assume that we are going to be attacked, that we are going to be breached, and that we will have to be prepared to react, respond and recover. We need to accept that the threat is persistent and stop accepting poor hygiene practices. We need a strategy to remove or replace old technologies, discipline in system administration (patches, upgrades, configuration), etc. And yes, that means organizations will have to invest more. We spend billions on technology in healthcare alone. It costs billions to develop or innovate new technologies. Stop expecting that you can insure, protect and restore it on a shoestring budget. And while it is difficult to argue with the sentiment of the analysis and proposal, and not everyone is wrong in their thinking, one-size-fits-all solutions or answers will not solve the problem or replace sound, practical and proactive risk management and preparation.

Mac McMillan is a nationally recognized cybersecurity expert who has spent more than three decades serving in various roles as a healthcare cybersecurity consultant and advisor.
