Here are just a few recent cybersecurity headlines: Earlier this month, a cyberattack hit electrical systems in Los Angeles and Salt Lake City. Security research firm Digital Shadows said this week more than 2 billion files containing sensitive information have been exposed on various cloud servers that aren’t properly secured. Baltimore is still recovering from a ransomware attack in which hackers used tools stolen from the National Security Agency to compromise the city’s networks. And not for nothing, Robert Mueller reminded us all this week that Russians definitely hacked our election systems, and we’re still unprepared and barely even talking about it.
Host Molly Wood asked Nicole Perlroth, who covers cybersecurity for the New York Times, how exposed we are to hackers. The following is an edited transcript of their conversation.
Nicole Perlroth: Basically, [hackers] could easily be neutralized if everyone was really good at patching their systems and upgrading software. Unfortunately, we have a lot of old software sitting out there that certain infrastructure, management providers and IT overseers don’t even know really what’s on their systems. The places where that is most prominent are universities, municipalities that really just don’t have a good handle on how many of their systems are plugged into the internet. But I also think Baltimore is a really interesting case because Baltimore has a lot bigger problems than getting a hold on its software upgrades and patching procedures.
We’ve done nothing to fight back, and we’ve done very little to protect any of this from happening again.-Nicole Perlroth
Molly Wood: Does that raise this larger question? I feel like information security people right now are putting all these cryptic things on Twitter like, “We’re at DEFCON 5.” It makes me wonder, are we paying enough attention, all of us generally as a society, to cybersecurity issues at a time when things seem like they’re getting a lot worse?
Perlroth: It’s such a good question, and the answer is no. I was just in Ukraine recently, and they were hit by these very same weapons in a massive cyberattack. But there were two things that really saved them from it being a lot worse. The first is their systems are still pretty archaic. Unlike in the United States, where we’ve plugged in every possible device we can think of to the internet, Ukraine is still pretty far behind in terms of how much of their infrastructure is digitized. The other thing that really saved Ukraine is they have such a sense of urgency there because they’re living in a state of constant cyberattack from Russia. What they said to me when I was there was, “This is what’s coming your way.”
Wood: It seems like there are a lot of pleas for us to be paying attention, and yet what’s it going to take?
Perlroth: I think it starts at the top. We have an administration that doesn’t really want to hear about Russian interference in the election. But also Mike Rogers, the former director of the NSA, testified before Congress. In his testimony he was asked, “What orders have you been given to combat Russian interference in American elections systems and critical infrastructure?” And his answer was, “None.” We’ve done nothing to fight back, and we’ve done very little to protect any of this from happening again. As you saw with our story, cities still aren’t doing the very, very basic thing when it comes to securing their systems, which is just keeping them upgraded and keeping them patched.
Related links: more insight from Molly Wood
This story from ZDNet about all the files that have been exposed on servers and hard drives and cloud services is kind of bananas. Digital Shadows said it was a 50% increase over the number of files that were exposed last year. That includes everything from medical files to real estate contracts to … remember in April when Facebook admitted that millions of Instagram passwords were being stored in plain text on its servers in addition to the 600 million actual Facebook passwords that it accidentally exposed?
There’s also a slightly hopeful but perhaps pie-in-the-sky piece from CSO speculating that maybe, just maybe, our government would create a federal cybersecurity agency? That would be awesome, but let’s just say there are a lot of question marks in that article. Once again, it is unfortunately just not a priority at the highest levels of our government right now. I guess it’s back to the same old solution: you and me and cyber training. Don’t plug in any stray USB drives that you find in the parking lot, kids! Only you can prevent cyber-geddon.