Tuesday, February 16, 2021

Florida breach signals why state and local cybersecurity infrastructure matters

Many infrastructure and national security experts, and most likely your organization’s IT department, have long warned about growing cybersecurity risks (see the New York Times reporter David Sanger’s 2018 book and Brookings podcast). Last December, cyber experts discovered the SolarWinds operation, uncovering a massive, sophisticated hack by Russian spies that targeted the U.S. federal government and affected 18,000 computer networks. Shortly after, President Biden committed to making cybersecurity a top priority.

Generally, only the more sensational cyber breaches implicating national security, like SolarWinds, or those resulting in expensive losses, make headlines. Other infrastructure breaches do not always capture the same attention, which is one reason the story surrounding the breach of a water treatment plant in Oldsmar, Florida is so noteworthy. This event shows the significant risks associated with weak state and local cyber infrastructure and suggests Washington shouldn’t be the only level of government concerned about cybersecurity. 

On February 9, hackers remotely accessed a major water treatment plant in Oldsmar, FL and manipulated the level of sodium hydroxide — “you’re basically talking about lye” — to unsafe levels that would have seriously sickened residents. Fortunately, an employee realized in the nick of time that an external force was controlling his computer, and no one was harmed. 

Oldsmar, a town of 15,000 and a suburb of Tampa, is not a rural area according to the USDA. However, this incident shines a light on the threats posed by weak cybersecurity infrastructure across geographies, including in rural areas. As the New York Times reported:

“[Smaller systems] are the targets we worry about,” said Eric Chien, a security researcher at Symantec. “This is a small municipality that is likely small-budgeted and under-resourced, which purposely set up remote access so employees and outside contractors can remote in.”

Cybersecurity experts like to divide the world into two categories: those who have been hacked, and those who have been hacked but don’t know it. 

This is a fascinating feature of cyber-attacks. Hackers do not always target the deepest pockets. Malware enables hackers to go after a wide swath of devices at once, indiscriminately, via phishing or ransomware, and so to collect smaller amounts of money from lots of different sources. Some ways hackers make a profit include holding data for ransom, selling huge quantities of personally identifiable information for tiny amounts on the dark web, or adding an innocuous line item on a credit card statement.

Hackers frequently target organizations with weak security systems, like small businesses, local governments, or independent medical providers and clinics. For example, in 2019, 23 town governments in Texas were hit by a coordinated hack. Also that year, non-metro Archuleta County in southwest Colorado was hacked and a $300k ransom was demanded. This kept the network down for weeks, with various costs. The county purchased more laptops and technical equipment, personnel spent weeks manually inputting records, and law enforcement operations were reduced.

Additionally, some experts say that the pandemic has led to increased attacks because of our national reliance on digital infrastructure. Covid has underscored cybersecurity gaps in the education system. A December 2020 FBI report notes a significant increase in attacks on schools:

In August and September, 57% of ransomware incidents reported . . . involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.

These examples (hacks on schools, water systems, and medical centers) are not specific to rural communities, but they do show that cybersecurity is very much a rural threat too. Authorities have not identified the culprit of the Oldsmar breach yet. Frankly, it sounds a little alarmist to think that a foreign adversary might be hacking a water system, but maybe not. Regardless of who the hacker is, however, incidents like the one in Florida give more credence to the warnings of cybersecurity Cassandras.

As previously discussed on this blog and in Prof. Lisa Pruitt's op-ed, increasing access to broadband should be an immediate priority for American policymakers. Accessing the internet implicates cybersecurity interests because users, whether they be individuals, local governments, or public utilities, rely on secure access. As policymakers consider proposals to expand broadband, breaches like the one in Florida or Archuleta County suggest it is not worth skimping on cybersecurity measures.

2 comments:

Kennedy Knight said...

Great article, Mary-Claire. I would never have framed cybersecurity as seeing rural cyber infrastructure as the most vulnerable. My first thought was that those with the most data, or the most valuable data, would be the target of the most attacks. The stat about hackers more frequently targeting smaller municipalities and groups surprised me. This adds to our conversation about why broadband and increased internet infrastructure are so important for rural America!

brandonreta1 said...

I wrote about the broadband gap, but I guess I didn't consider this potential upside to limited internet access! Obviously the benefits of the internet outweigh the potential dangers of hacking, so I say this tongue-in-cheek. However, the relative lack of internet access in rural America could provide some level of cybersecurity that urban areas of America lack.

I wonder if the relative lack of internet access in rural America has led to a gap in the quality of computer scientists/programmers available for rural infrastructure projects. This could lead to poorer cybersecurity for rural-based software.