Wednesday, June 2, 2021
This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry.
Without new regulations, cyberattacks will just get more disruptive
It seems like every other day cybercriminals go after a new industry and disrupt people’s lives.
This time, it’s a ransomware attack that took out the servers of the world’s largest meat producer JBS, halting production at a number of facilities in the U.S. this week. And with each new attack, cybersecurity experts offer words of caution: It could get a lot worse, and it probably will.
So far, at least in the instance of last month’s Colonial Pipeline hack, cybercriminals have focused on stealing cash through ransomware. But sophisticated attacks from nation states or politically motivated hackers could cripple infrastructure thanks to lax cybersecurity protections.
“I often say the worst is yet to come,” MIT Sloan School of Management professor Stuart Madnick told Yahoo Finance, adding that it looks as though the Colonial hackers, known as DarkSide, accidentally caused the company to shut off its pipeline that supplies the East Coast with 45% of its fuel, causing shortages in several states.
“If so much damage can be done by accident, not intentionally, imagine how much can be done if someone really wanted to do damage,” Madnick said.
So, how do we stop cyberattacks? The answer may be for the U.S. government to step in and mandate cybersecurity standards for the nation’s most crucial companies — but even that could have its own unintended consequences.
Cyberattacks cause real-world damage
For many people, cyberattacks evoke images of hackers in dark hoodies who deface or knock out websites. But cyberattacks can also cause real-world damage ranging from destroying a Turkish pipeline to crippling a German steel mill. And on Wednesday, hackers attacked the Massachusetts Steamship Authority, causing delays on the service that provides transportation from the mainland to Martha’s Vineyard and Nantucket.
Throughout the coronavirus pandemic, hospitals have been targeted by cybercriminals seeking to make a quick buck at a time when few health systems could handle being forced offline.
Universal Health Services, which operates 400 health care facilities across the U.S., was hacked in September — forcing hospitals to send patients to other locations. The company ended up incurring $67 million to make repairs, though it didn’t pay a ransom.
In October, the Sky Lakes Medical Center in Oregon canceled nonessential procedures after a hack put many of its services out of commission and forced staff to rely on paper charts. The problem got so bad that by October, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”
But hospitals are far from the only target. In 2020, suspected Russian hackers compromised the network management company SolarWinds in a massive hack that reached private companies and federal agencies, including the U.S. Treasury Department and the Department of Defense.
The U.S. needs cybersecurity requirements for critical infrastructure companies
Currently, the U.S. government requires no cybersecurity protections for a variety of crucial economic sectors including pipeline and energy infrastructure companies or agriculture firms.
To be sure, the Biden administration has prioritized cybersecurity far more than the Trump Administration, which had eliminated the position of cybersecurity czar. On May 12, Biden signed an order calling for improvements to U.S. cybersecurity responses, including reporting requirements for companies that do business with the government, better public-private coordination, and security mandates for software providers. But the order doesn’t pertain to private companies that don’t receive federal contracts.
And according to Herbert Lin, senior research scholar at Stanford University’s Center for International Security and Cooperation, without proper regulations, private infrastructure firms have little incentive to secure their own networks.
“Companies have an incentive to only spend as much as they need to...up to their own business needs,” Lin said. “It doesn't make sense for them to spend $10 on cybersecurity to avoid $1 worth of loss. But it should make sense for them to spend $1 on cybersecurity that avoids $10 worth of loss. So, they're incentivized to go up to the break-even point.”
The problem with that, Lin says, is that companies don’t know where the break-even point for their cybersecurity needs actually lies. What’s more, the interests of a private company and the interests of the nation are not the same.
That is especially true of firms that deal with critical infrastructure. “Their cybersecurity posture has to be stronger than their own individual business needs,” Lin said.
How does the government make companies do the right thing? Lin says the U.S. government should show preferential treatment to companies with enhanced cybersecurity — either that, or lawmakers should enact new cybersecurity regulations.
There are potential risks to cybersecurity regulations
Still, regulation doesn’t always work. According to Madnick, regulation could also stifle new developments, meaning any measures put into place will also have to take into account the need for continued innovation, especially in the ever-evolving energy sector.
More troublesome, though, is that companies will game the system. Madnick points to an example of a bank that was well known for its supposed cybersecurity capabilities but got hacked anyway. An investigation found the bank, which Madnick declined to identify for privacy reasons, ramped up its cybersecurity procedures right before inspections. The rest of the time, it took a lax approach to cybersecurity — leading to the hack.
Ideally, the right regulatory framework would prevent companies from underspending on cybersecurity and ensure they maintain the highest level of preparedness at all times.
Will the recent spate of hacks prove to be enough to spur companies and the government to adopt such a framework to stop the next big cyberattack? Madnick and Lin aren’t sure.
“I keep waiting for the wake-up call that wakes people up,” Madnick said. “Each one that comes along we think is the wake-up call, but then a month passes and people barely remember it. But I do think that there's a heck of a lot more that can be done.”
One thing is clear: Without some form of regulatory framework, cyberattacks will persist on the nation’s infrastructure. And it won’t be long before America’s luck runs out, and we experience something far worse than a single pipeline outage.