Page 19 - Cyber Warnings
P. 19
healthcare providers in the US and were able to generate a stream of false billing information, or
alter electronic medical records. It would have immediate, sometimes life-threatening, wide-
scale effects. If the adversary were able to get into the information systems on which the
insurance systems that drive the healthcare industry work, that could have major impacts on the
quality of healthcare of our society and could certainly lead to death, but that’s something that
we as a society don’t really hear about, because it hasn’t happened yet.
That’s just one example. Certainly people talk about financial systems as being a target of
cyberattacks, but there are many others we don’t immediately think about, things like shipping
and rail systems. Those critical transportation networks move the vast majority of food and
goods in this country. In fact, generally speaking, there are not even enough trucks to keep
everybody in the US fed. What if attackers were able to completely subvert the information
systems that run the rail systems in the country? What would be the impact? Would it lead to
food shortages? Possibly, but what would be the cascading effects of such a disruption?
Perhaps we could provide food, but our ability to deliver non-essential goods would drop off
significantly-- that would have a tremendous impact on our economy. So while it’s important to
spend time and resources protecting against the threat-of-the-day type attacks, we ignore these
large societal-scale infrastructure attacks at our own risk.
With the public more concerned about cybersecurity policy than ever before, what
should the top cybersecurity priorities be for the new US administration during its first
100 days in office?
Last year, President Obama launched the Cybersecurity National Action Plan (CNAP) which laid
out perhaps the most cogent plan for how the nation should address cybersecurity. Among the
first steps was fixing federal systems. Our federal IT systems, as we’ve learned repeatedly, are
very much antiquated, due to things like underfunding. But if our society is to become more
secure, we need to focus on updating and fixing those systems. One way would be for the
current administration to immediately prioritize creating a national two-factor authentication
system, either for federal employees or more broadly. Although that sounds somewhat boring,
I think that is the single simplest thing we can do to reduce the threats to our information
systems. It’s achievable, using technology as it exists today. A good friend and colleague of
mine, Farnam Jahanian, the Provost of Carnegie Mellon University, has said that “we are not
good at doing the easy things, and we need to get better at them.” Building a national-scale two-
factor authentication system would certainly come with expenses, but it is a relatively simple
and effective way to discourage and prevent multiple forms of cyberattack. It’s not universally
popular, but it would be easy, and it’s the easy stuff we’ve got to get better at.
This brings up another concern: what, as a nation, do we do about cybersecurity? There is a
misperception in some portions of the political arena that the current problems with
cybersecurity are due to a failure of engineering, but that’s not really the case. The existence of
security problems isn’t because the technology isn’t necessarily good enough, it’s that we
haven’t made it a priority, and now it’s gotten out of hand. Although it may be a bit cliché, I think
19 Cyber Warnings E-Magazine – March 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
