
Peter Cavicchia


Report: U.S. Government Cybersecurity Defenses Are Too Weak

August 9, 2021 Pete Cavicchia

When it comes to a report card for how fortified its cybersecurity defenses are, the United States federal government doesn’t make the grade. That’s according to a new 47-page report issued by the Senate Homeland Security Committee. Out of eight federal agencies, four received grades of “D,” three earned “Cs,” and just one earned a “B,” according to coverage from tech news website Ars Technica.

“It is clear that the data entrusted to these eight key agencies remains at risk,” quotes Ars Technica from the report. “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”

This isn’t the first report of its kind. Two years ago, an earlier review of these agencies found glaring failures in protecting personal data, maintaining a list of hardware and software used on all agency networks, and installing timely security patches. That report covered information from a decade-long period — from 2008 to 2018.

Here is how the different federal agencies fared in the new report:

  • Department of State: D

  • Department of Transportation: D

  • Department of Education: D

  • Social Security Administration: D

  • Department of Agriculture: C

  • Department of Health and Human Services: C

  • Department of Housing and Urban Development: C

  • Department of Homeland Security: B

For many in the government, this kind of oversight report signifies we are in a precarious moment where our federal agencies need to better defend against sophisticated hacks that threaten some of the nation’s most sensitive data — not to mention the data of its citizens.

"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data," said Ohio Senator Rob Portman in a statement reported by CBS News.

“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Sen. Portman added. "I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade.”

In the face of these concerns, some movement has been made. In July, the Biden Administration swore in its first National Cyber Director, Chris Inglis. During his public introduction, Inglis announced he will make it a point to guarantee the digital infrastructure utilized by “the 102 civilian components of the federal government” has “the right technology and the right practices” to reach “unity of effort and unity of purpose,” CBS News reports.

During a time when so much is at stake regarding how we safeguard our data, reports like this reiterate that the U.S. is at an inflection point where cybersecurity has to remain front and center.

Tags ArsTechnica, HomelandSecurity, hacks

Just How Secure are the Tokyo 2020 Olympics?

August 2, 2021 Pete Cavicchia

We’re now in the middle of the 2020 Olympic Games in Tokyo — a moment of international connection after a challenging year when the COVID-19 pandemic postponed the original date of the iconic sporting competition.

While it’s a celebratory moment, speculation has ramped up about just how secure the global sporting competition is after all.

Concerns are justified. Both the 2016 and 2018 Olympic Games were targets of Russian hackers. In fact, the attack on the winter 2018 Olympics in PyeongChang, South Korea went straight for the opening ceremonies, hitting stadium Wi-Fi and even affecting security gates, according to Wired.

Leading up to these games, cybersecurity experts and international watchdogs have been sounding the alarm that governments, Tokyo officials, sporting teams, and individual athletes alike should all be on high alert.

The Washington Post reports on some of the most common concerns surrounding this year’s Olympics. For example, the FBI was recently alerted to the potential of a major hack, aware that live broadcasts could be targeted as well as the personal data of athletes and their teams.

“In 2021, the Tokyo Summer Olympics may shape up to be what COVID-19 PPE and vaccine diplomacy was to 2020 — a clear opportunity for nation states to deploy information campaigns to denigrate their adversaries, promote their system of governance, and burnish their image on the world stage,” wrote Rachel Chernaskey, Max Glicker, and Clint Watts in a piece for the German Marshall Fund’s Alliance for Securing Democracy, as cited by the Post.

Despite these concerns, the Olympics seem to be going along smoothly so far. Earlier, reports surfaced that Olympic ticket data was leaked, with IDs and passwords from the Tokyo Olympic ticket portal posted publicly to a leak website.

A spokesperson for the Tokyo 2020 International Communications Team told ZDNet that this was not in fact a leak from Tokyo 2020’s system and that “we have already taken measures in the form of password resets to limit any damage for the very limited number of IDs detected in this case based on the information supplied by the government.”

Cybersecurity officials will be ever present as the 2020 Olympics continue. The games run through the Closing Ceremony, which will be held on Sunday, August 8.

As the world continues to reckon with the ever-present threat of hackers who are growing consistently more sophisticated, vigilance over personal and government data will vault to the forefront of everyone’s minds as the summer games roll on.

Tags Olympics, hackers, cybersecurity

How Secure Are Our Water Supplies From Cybercriminals?

July 27, 2021 Pete Cavicchia

Earlier this year, a hacker was able to infiltrate the water supply in Oldsmar, Florida. The cybercriminal was able to increase the levels of lye, or sodium hydroxide, in the city’s water treatment system. Luckily, a city worker detected the hack and reversed any potential damage done, reports the BBC.

The cyberattack touched on both cybersecurity and public health concerns, one of multiple recent examples of how vulnerable our nation’s water supplies are to ever more sophisticated hackers.

The threat to the nation’s water supplies

Another similar example came on January 15, when a hacker attempted to attack a water treatment plant that is used by portions of the San Francisco Bay Area. The cybercriminal utilized the login information for the program that employees of the plant use to operate their computers remotely. The hacker — who has yet to be identified — deleted programs used by the plant to treat the area’s drinking water. This person’s activity was detected the next day, prompting the plant to immediately reinstall programs and change login information for employee accounts, reports NBC News.

In their broad-ranging report, NBC spotlights just how vulnerable our nation’s water system is to hacks — more than other sectors of our infrastructure.

This is because it is difficult to institute universal cybersecurity safeguards across water systems nationwide and because, unlike other parts of the infrastructure, tampering with them can have severe impacts on the population at large.

One benefit of our nation’s water supplies is that each system differs; there is no centralization. This means it would be very difficult to carry out a nationwide hack all at once given that each water facility functions on its own. On the flip side, this means there is no standard protocol that each system can implement. This results in a somewhat chaotic situation.

"It's really difficult to apply some kind of uniform cyber hygiene assessment, given the disparate size and capacity and technical capacity of all the water utilities," Mike Keegan, an analyst at the industry trade group, the National Rural Water Association, told NBC. “You don’t really have a good assessment of what’s going on.”

The vulnerabilities of local water systems

The threat is very real. NBC reports there are more than 50,000 drinking water facilities throughout the country. Most of them are nonprofit companies. While some are for the nation’s large metropolitan and urban centers, many provide drinking water for rural areas that might not have the means, staff, or defense protocols in place to defend against a major cyberattack.

A big problem facing these rural water facilities is the fact that many rely on remote employee system logins, as with the situation in Oldsmar.

For facilities located in difficult-to-reach rural areas — an employee might have to drive 50 miles to work at a water treatment plant — and in a year where the pandemic saw all industries embrace work-from-home routines, we are facing an environment where these rural facilities are especially vulnerable.

NBC reports that some light is on the horizon. Congress just gave the Cybersecurity and Infrastructure Security Agency (CISA) authority to compel Internet providers to reveal the identities of organizations and companies that are prone to hacks. The Biden administration is also aiming to begin a cybersecurity initiative, an overdue collaboration between these water plants and the U.S. government.

Hopefully, we are entering an era where we are particularly vigilant about keeping the water we drink — and that our communities depend on — safe from cyberattacks.

Tags Water Supply, Nationwide Hack, NBC

How To Keep Your Cybersecurity Front and Center During Summer Vacation

July 12, 2021 Pete Cavicchia

It’s summer vacation time, and it’s safe to say that this season of fun in the sun will be a lot better than last year. In fact, a survey from April found 50 percent of U.S. adults are likely to take one vacation during the summer months — June to September — this year. This July Fourth saw record-setting road travel, with 43.6 million holiday revelers hitting the highways, 5 percent more than the last record set in 2019, Reuters reports.

While a post-vaccination summer means you’ll be able to enjoy the summer sun with friends and family, the regular concerns of daily life still persist. While it might seem like the ideal time to be carefree, the Center for Internet Security (CIS) cautions that it’s crucial to keep personal cybersecurity at the top of your mind.

In a guide written in partnership with the National Cybersecurity Alliance (NCSA), CIS outlines that you have to think of “your smartphones and devices as being just as important as your wallet.” Here are a few of the key tips they highlight:

  • Keep your devices up to date: Make sure you update your devices to the latest software versions. If there’s an update, don’t put it off. These contain important security patches to keep your data secure.

  • Come up with strong passwords: Make sure you have a strong laptop password that is at a minimum of eight characters and that ideally includes a phrase with both upper and lowercase letters, numbers, and special characters. For smartphones, they recommend a passcode of at least six characters, or “a swipe pattern with at least one turn of direction when protecting the lock screen.”

  • Lock your device: If you’re leaving your phone behind to jump in the pool or head to the volleyball court, make sure you set an automatic device lock that would require someone to enter your secure passcode after a specific period of inactivity.

  • Be vigilant about travel booking sites: Booking your lodging and vacation itinerary through travel websites can come with security risks, especially as you share credit card and other personal information. Before you log on, make sure to review the reputation of the website if it is one you haven’t used before. Try to focus on sources with good reputations and if you feel you’re being asked intrusively for information that is too personal or has nothing to do with your travel itinerary, do not share your data and please use a different method for booking your trip.

  • Keep a tab on your device: Similar to the need for an automatic device-locking system, be vigilant at all times about where your devices are. Keep them on your person, or if not, in a secure location while you’re enjoying summer activities. Devices like smartphones and tablets contain your most sensitive information and they are expensive, a major target for thieves.

  • Be wary of public Wi-Fi: While public Wi-Fi signals might be convenient when you’re on the go in a new town or city, they pose significant security risks. These Wi-Fi systems are unregulated — they often don’t need specific credentials for logging on and are generally not protected by encryption services. Your browsing activity, bank account and social media information — even your geo-location — are not secure. Avoid making financial transactions while using these networks. Use your phone carrier’s Internet connection, make another device a personal hotspot, or set your device to ask for your permission before it logs onto any Wi-Fi network.

  • Be careful with your social media: It can be tempting to post every aspect of your vacation on Facebook or Instagram, but keep in mind this comes with risks. It can alert potential burglars that your home is unattended, or could also open you up to travel-related scams. Consider setting your posts to private — only accessible to select family or friends — or, at the least, be judicious about what you’re sharing and who can see it.

Tags Internet Security, Passwords

What New Tech to Fight Hackers Can Teach Us About Our Cybersecurity

June 27, 2021 Pete Cavicchia

It sounds like something out of a science fiction film. Scientists just developed new technology that entraps hackers in an artificial, cyber “shadow world.” The goal is to prevent these cybercriminals from carrying through with their objectives by luring them into what is being defined as “an attractive — but imaginary — world.”

The cybersecurity technology is called “Shadow Figment,” and has been designed mainly to protect key physical targets like the electric grid, water systems, and pipelines, among other crucial aspects of our country’s infrastructure.

This groundbreaking tech was created by researchers at the U.S. Department of Energy’s Pacific Northwest National Laboratory (PNNL), according to a recent announcement.

Shadow Figment: A new era of national cybersecurity defense

Shadow Figment uses AI to keep attackers engaged in an illusory online world once they enter a system like the electrical grid. The hackers are led to believe they are interacting directly with users in real time, with the AI responding realistically to commands.

“Our intention is to make interactions seem realistic, so that if someone is interacting with our decoy, we keep them involved, giving our defenders extra time to respond,” said Thomas Edgar, a PNNL cybersecurity researcher who led the team designing Shadow Figment, in the announcement.

The AI utilized in this program is very sophisticated. Hackers will be given false signals of success, thinking they have accurately infiltrated a system. This gives a cybersecurity defense team time to learn about the hack itself and better fortify the real system. Think of it like a digital smokescreen, throwing the hackers off their game.

PNNL’s research team says this “model-driven dynamic deception” made possible by advanced machine learning is a more credible AI defense than “static decoys” that have more traditionally been a part of cyber defense.

The real-world threat of hackers

The PNNL stresses there is a pressing need for this kind of technology. In recent years, we’ve seen examples like the 2015 attack on Ukraine’s electrical grid as well as the hack of the Colonial pipeline here in the United States.

While this new technology can be a game changer in national defense, it further reiterates why we all need to be vigilant about our own cybersecurity hygiene.

We might not be able to deploy our own version of Shadow Figment, but we can still make sure we use unique passwords for all of our accounts and devices, set up two-factor authentication, and be judicious in what emails and links we open to avoid phishing scams and ransomware attacks.

These new innovations from the U.S. government can offer a helpful reminder of how pressing the threat of cybercriminals is in our daily lives and what we can do to defend ourselves.

Tags AI, Shadow Figment

Cybersecurity Needs to Keep Up With A Changing World

June 10, 2021 Pete Cavicchia

The past year has brought cybersecurity front and center as work-from-home became the norm and the average person had to become better equipped at keeping sensitive data safe and secure. Despite these security-friendly cultural and societal shifts, a new survey of tech professionals reveals we might not be quite up to par with best cybersecurity practices.

Tech news website TechRepublic reports that the survey from the Thales Group shows security teams across a wide international range of companies have generally been having difficulty adjusting to the new cybersecurity demands of the COVID-19 era. This means security teams have not been brought up to speed on ever-evolving cybersecurity protocols — from lack of modern infrastructure needed to defend their firms from hacks to improper training in current programs and software.

The extensive report found 20 percent of respondents said their security systems were ready for a sudden shift to the cloud as the pandemic altered overnight how companies handled their workflows. The survey also revealed 82 percent of respondents were concerned about security risks posed by the push for at-home work and 44 percent said they feared their firms’ systems were not equipped to keep data generated and transferred from home-based employees secure.

A need to embrace cloud computing

This doesn’t mean the majority of firms have security teams that are lacking in talent. It’s quite the opposite. Instead, the report reveals that these cybersecurity professionals just haven’t been given the appropriate tools fast enough to handle this changing world.

“Technologies such as encryption and multi-factor authentication (MFA) have not reached saturation levels such that the majority of applications and data are fully protected,” TechRepublic cites in a passage from the report.

One of the main cybersecurity realities that has emerged during COVID-19 is the need to embrace cloud computing. As we continue to normalize working from home — with many workplaces turning to hybrid home-and-office models — the cloud will only continue to be a necessity.

The Thales Group found that just 17 percent of respondents said more than 50 percent of sensitive data hosted on the cloud is encrypted at their firms. If you zero in further, 24 percent reported having full knowledge of where their data is even stored in the first place while 45 percent say their teams have clearly defined company-wide cloud protocols.

What this means is there is a lot of work left to do.

The Thales report lays it out clearly — everyone at a firm needs to be on the same page when it comes to cybersecurity: “Senior executives need to ensure that they obtain a more complete understanding of the levels of risk and attack activity that their front-line staff are experiencing. They can't make effective strategy and security investment decisions when perspectives across the organization aren't aligned." 

Tags data, cloud computing, cybersecurity

How Cybersecurity Impacted Working from Home During COVID-19

June 3, 2021 Pete Cavicchia

The past 12 months reoriented daily life in myriad ways. This is represented most starkly in how we work. In 2020, 62 percent of Americans worked from home, with 49 percent doing so for the first time, reports business website B2C.

That high volume of employees in the United States taking their work laptops home brought with it a 300 percent increase in cybercriminal activity targeting remote workers. The frequency of these hacks increased during the first six weeks of American quarantine and shelter-in-place orders early last spring.

The business website reports that 20 percent of companies experienced data breaches linked to these home-based workers.

If you’re a business owner — or even just an employee who still sees your home as your “office” for the foreseeable future — it is understandable that numbers like this give you cause for concern. With cybercrime targeting work from home on the rise, one bright spot appears to be the reality that cybersecurity etiquette is also on the rise.

Best practices for keeping your personal and professional data secure are part of the normalized parlance of office conversation. Now, it is becoming second nature for American workers to be cognizant of the importance of keeping their information protected from hackers.

Two-factor authentication, secure passwords, and wariness over phishing and ransomware attacks are increasingly a normalized part of professional life. In short, protecting your data isn’t just reserved for the company’s IT team.

CFO reports that companies are relying on the cloud. One example is the fact that organizations are using cloud-located intranets that use direct, private connections and even virtual desktop interfaces.

Artificial Intelligence (AI) and machine learning are also playing a needed role in identifying threats.

CFO cites a recent Infosecurity Magazine piece that shows how machine learning is detecting phishing attacks, referencing a cloud-based algorithm that scans email header messages to pinpoint what is known as “ratware,” or software that generates automatic mass messages. Then, another algorithm looks for phishing vocabulary in the body of an email. Eventually, this algorithm continues to grow more sophisticated, better picking up on suspicious emails as it collects more information about what is and isn’t malicious information hitting your Inbox.

While the rise of cybercrime is worrying, there is reason to hope. The deployment of canny AI made specifically to fight back against hackers coupled with increased cybersecurity literacy among America’s workforce hints at a future primed for a world that will continue to rely on working from home — safely.

Tags cybercrime, data, work, AI

The Need for More Cybersecurity Professionals

May 13, 2021 Pete Cavicchia

The past 12 months have been uncertain, with the COVID-19 pandemic causing major economic damage to a range of industries, from retail to education to communications.

Cybersecurity is one field that hasn’t necessarily experienced mass job loss, but is still suffering from a different problem — retention and hiring.

A new report from ISACA and HCL Technologies found that a high 61 percent of cybersecurity leaders say their teams are understaffed, while 55 percent say they have unfilled cybersecurity positions in their offices. The survey reached 3,600 information security professionals who revealed they had a hard time holding on to important talent over the past year, reports Help Net Security.

Difficulties with hiring and retention

While the pandemic might not have led to layoffs in the cybersecurity space, the cultural shifts brought about by the health crisis certainly impacted the information security workforce. One big reason for such low hiring and retention numbers seems to be “limited remote work possibilities” at their firms, as work-from-home culture has largely — in many instances, enthusiastically — been adopted by most American workers.

The report also found that 50 percent of cybersecurity leaders say the applicants they do see are “not well qualified.”

Ensuring cybersecurity firms are fully staffed is important given the crisis that has been growing ever grimmer in recent years — the rise of cyberattacks.

About 68 percent of those surveyed who said they’ve experienced more cyberattacks also reported being “somewhat or significantly understaffed.” Additionally, 63 percent who have experienced these cyberattacks revealed they have a hard time retaining “qualified cybersecurity professionals.”

Jonathan Brandt, ISACA information security professional practices lead, told Help Net Security that the past year revealed “just how vital cybersecurity is to ensuring business continuity.”

“As a global cybersecurity community, it is imperative that we all come together to recalibrate how we hire, retain and train our future cyber leaders to ensure we have a solid workforce to meet these evolving cybersecurity needs,” Brandt added.

Skills cybersecurity professionals need

If you’re a cybersecurity professional and looking for work, the industry leaders surveyed by ISACA and HCL Technologies highlighted what they’re looking for.

About 95 percent of respondents said they are seeking candidates with hands-on cybersecurity experience, 89 percent cited credentials, while 81 percent cited hands-on training. When it comes to gaps in experience, 56 percent said “soft skills” are often lacking, 36 percent cited security controls and 33 percent referenced software development skills.

To close these gaps and fix this cybersecurity hiring void, they pointed to better training programs for non-security staff who hope to move to security positions, an increased reliance on contract employees and external contractors to better adjust to our modern “gig economy,” more emphasis on artificial intelligence (AI) and automation, as well as better performance-based trainings.

In an ever more complex world full of increased cybersecurity threats, it’s crucial we continue to build and harness a workforce that can keep our companies and personal and professional data safe and secure.

Tags ISACA, HCL Technologies, Help Net Security