Are Large-Scale Data Breaches the New Normal?
Friday, July 23, 2021
By: Hannah Pell
Image credit: Wikimedia Commons.
In early May 2021, a ransomware attack on the Colonial Pipeline caused massive disruption to the East Coast’s fuel supply. Pictures of cars lined up at gas stations and warnings not to “panic buy” gasoline evoked memories of the 1973 oil crisis. Colonial Pipeline Co. paid a $4.4 million ransom demanded by the hackers — which the Federal Bureau of Investigations has since recovered — and chose to shut down the pipeline for the first time in its 57-year history, avoiding the possibility of the hackers gaining direct control over infrastructure transporting 2.5 million barrels of gasoline, diesel, heating oil, and jet fuel per day.
“We were in a harrowing situation and had to make difficult choices that no company ever wants to face, but I am proud of the fact that our people reacted quickly to get the pipeline back up and running safely,” Colonial Pipeline Co. CEO Joseph Blount said in his testimony to the Senate Committee on Homeland Security and Governmental Affairs.
Over the course of the COVID-19 pandemic, we’ve seen one large-scale data breach after the next; in fact, cybercrime has increased 600% since the pandemic started. Unfortunately, the ransomware attack on the Colonial Pipeline is not the first directed at energy systems, and likely will not be the last. Healthcare systems, too, are constantly at risk. Even McDonalds has been targeted. With our increasing reliance on digital technology, cybersecurity is of critical importance, even prompting a recent executive order from the Biden administration. I can’t help but wonder: are such large-scale data breaches the new normal? Are we reacting when necessary, rather than taking proactive measures to ensure adequate cyber protections? If so, how are we modernizing our infrastructure accordingly?
Cryptography is the science of code-breaking and traces back to antiquity with evidence of ciphers and non-standard hieroglyphics. Codes were widely used during World War II to protect military intelligence, and cryptographers — such as British mathematician and “father of modern computing” Alan Turing — were recruited to decrypt enemy ciphers using Enigma machines. The World Wide Web was launched in 1990 (invented by CERN computer scientist Tim Berners-Lee), accelerating the growth of tech companies such as Google and Facebook. (Google engineers discovered a significant software leakage in 2018, and over five million users’ data was compromised. That same year, Facebook selling user data without their consent to Cambridge Analytica unfolded as a major scandal.)
Cyberattacks can vary in approach. Ransomware, which is predicted to remain the number one cybersecurity threat, is a type of malware allowing hackers to block access to files or personal data until a ransom is paid. In the Colonial Pipeline case, the DarkSide-affiliated hackers gained access through the company’s virtual private network (VPN) with one single compromised password. Other cyberattack techniques include phishing, Trojan horse viruses, and spam. Fortunately, there are a number of countermeasures, including “security by design,” automated theorem proving, audit trails, code reviews, and “defense in depth.”
Many have stood up to meet the challenge of improving and strengthening cybersecurity. The Cybersecurity and Infrastructure Security Agency Act of 2018 established a new federal agency of the same name to serve as our “Nation’s risk advisor.” Private sector ransomware negotiations have opened an entirely new line of work. Additionally, scientific progress in quantum key distribution enhances data encryption, although the technology could also be utilized for more sophisticated cyberattacks if in the wrong hands. Setting up multi-factor authentication is an effective strategy for securing sensitive data on our personal devices.
According to the 2020 Internet Crime Report published by the Federal Bureau of Investigation’s Internet Crime Complaint Center (I3), losses incurred by victims of cybercrime amounted to $4.2 billion in 2020 alone. I3 received an average of 2,000 complaints per day and 2,211,296 total over the past five years. “In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cybercriminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree,” FBI Deputy Director Paul Abbate wrote.
At a recent press conference on the Colonial Pipeline ransomware attack, Abbate emphasized the following: “With continued cooperation and support from victims, private industry, and our U.S. and international partners, we will bring to bear the full weight and strength of our combined efforts and resources against those actors who think nothing of threatening public safety and our national security for profit.” It’s clear that cooperation and coordination between public and private sectors, as well as increased transparency and openness about the extent of such large-scale cyberattacks, will be necessary to effectively tackle this issue.