The World Economic Forum’s Global Risks Report 2021 identifies cybersecurity failure as the fourth clear and present danger worldwide covering the next two years. It comes after infectious diseases, livelihood crises, and extreme weather events. Several high-profile cyberattacks prove the reality of cybersecurity failures.
Cases of Cyberattacks in the U.S.
In December 2020, hackers inserted malware into SolarWinds’ network management software, affecting organizations that use it. Among more than 300,000 users of the software are the U.S. federal government, almost all the companies in the Fortune 500, and many other companies worldwide. The Washington Post and Reuters reported a breach in the U.S. Treasury Department. According to SolarWinds, the malware was in updates released from March to June 2020, affecting only 18,000 of its customers.
According to Microsoft, 80 percent of the affected users are in the U.S., while others are in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates (UAE). Among them, almost half are from the information technology (IT) sector. Almost a fifth are U.S. government agencies in the finance, national security, telecommunications, and health sectors. A similar percentage are non-government organizations and think tanks. Almost a tenth are government contractors serving national security and defense agencies.
In early March 2021, multiple cyberattacks on Microsoft Exchange affected servers in the U.S., Germany, Holland, and the European Banking Authority (EBA). The Cybersecurity and Infrastructure Security Agency (CISA) directed all U.S. federal agencies to disconnect from on-premises servers of Microsoft Exchange. Up to 250,000 organizations could have been infected, according to the Wall Street Journal.
On April 29, an attack at Colonial Pipeline Co. forced it to shut down its fuel pipelines and pay the hackers a $4.4 million ransom to regain its data. This is the largest fuel pipeline in the country, transporting about 2.5 million barrels of fuel a day across the East Coast. The shutdown led to fuel shortages and higher fuel prices. The company was only able to resume its services on May 12.
Defense Against Cyberattacks
The U.S. Department of Defense beefed up its cybersecurity by requiring the Cybersecurity Maturity Model Certification (CMMC) from all its contractors. There are more than 300,000 companies in the DoD’s supply chain. If any of these companies’ IT systems are compromised, the DoD becomes vulnerable to attack. The CMMC provides third-party assurance that contractors are complying with a unified cybersecurity standard.
There are five certification levels. Level 1 involves basic cybersecurity practices to protect Federal Contract Information (FCI), like the usage of antivirus software. Level 2 involves intermediate cybersecurity practices to protect any Controlled Unclassified Information (CUI) by implementing some of the NIST 800-171 r2 security requirements. Level 3 involves the creation of an institutionalized management plan to cover the requirements of Levels 1 and 2 and any additional standards. Level 4 involves reviewing and measuring the effectiveness of practices to detect and respond to changing methods of advanced persistent threats (APTs). Level 5 involves standardized and optimized processes and enhanced practices with more advanced capabilities to detect and respond to APTs.
The CMMC Accreditation Body (CMMC-AB), in coordination with the DoD, is responsible for certifying Third-Party Assessment Organizations (CP3AOs) and assessors. These, in turn, will provide the CMMC assessment service to contractors.
Current Risks
The CMMC is proof that organizations become more vulnerable through various exposures to other organizations and even its own people’s errors. A single password hack can provide entry to attackers, and the breach can spread to all other connected organizations.
With most employees now working from home, each company’s vulnerability multiplies. Companies must provide tough cybersecurity measures and ensure that employees are professionally trained in cybersecurity compliance. They must never take for granted even seemingly simple things such as changing passwords regularly and using difficult passwords.
A survey by Insight showed that most IT leaders across a wide range of industries believe that their companies lack adequate protection against cyberattacks in the face of work-from-home arrangements and distributed IT. They bemoan the lack of automation in their companies as the top challenge for security. They are inundated by the notifications and events produced by the current complex security infrastructure, and they are unable to analyze all of these manually.
The leaders cited a lack of IT specialists who are knowledgeable enough to implement automated processes. With a stretched IT team, they can only focus on day-to-day blocking and tackling activities to thwart constant threats while long-range complex cybersecurity projects are not undertaken. They also highlight outdated technology that does not support automation.
The World Economic Forum points out that nations and organizations must also contend with varied complex privacy and data protection regulations across countries and even across states within countries. This creates further difficulties in compliance while defending against cyberattacks. The Forum is calling on policymakers to cooperate in creating policies that increase protection while reducing regulatory complexity.
National Security Risk
The Forum rightfully calls cybersecurity failure a national security risk that should be a priority of nations. As almost everything is digitalized across the world, cyberattacks threaten almost everything, as well. This includes vital industries such as fuel, power, water, and health. Nations and businesses must, therefore, band together in facing this global threat.