It’s almost the end of the 2018 Congressional session, and despite efforts to address national security and cybersecurity issues with various bills and hearings, Congress still doesn’t know what it’s doing.
The clumsy, failed attempt to pass an election security bill, the recent passage of Rep. Ro Khanna’s (D-Calif.) 21st Century IDEA Act and the House Oversight Committee’s report last week on the Equifax data breach are all examples of politicians still struggling to grasp the true impacts of the technology they’re attempting to regulate.
While Congress is finally aware of the cybercrime nightmare haunting American businesses and federal agencies — even going so far as to create a new federal agency to deal with cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) — it still has a long way to go before successfully uprooting cybercrime in the U.S.
Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that part of the problem is that neither the private nor the public sector fosters a robust cybersecurity culture.
In other words, they often don’t address cybersecurity issues until they’ve already been hacked, and they don’t allocate resources to fortifying their systems against cybercriminals.
A perfect example is the Equifax data breach. Per the House Oversight Committee’s report, Equifax employed an “aggressive growth strategy” in 2005 to catapult ahead in the race to digitize and streamline operations. The company acquired many new companies and information technology (IT) systems over 12 years, but never updated its cybersecurity protocols to handle the integration of new IT systems and data.
According to the report, “Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.”
Given the current corporate approach to technology — in which industry conferences host dozens of seminars on Big Data, blockchain, software as a service (SaaS), Internet of Things (IoT) and how to digitize every aspect of operations and logistics to dramatically improve efficiency and competitiveness — it’s shocking industry leaders aren’t discussing how to protect one’s wealth of data in the Big Data or SaaS seminars.
Instead, cybersecurity is partitioned off into separate conferences, which exacerbates the disconnect.
For every technological advance or improvement adopted by a business, equal time should be spent discussing how to ward off cyberattacks, Madnick said. It’s not just IT’s responsibility.
The McAfee Labs 2019 Threat Predictions Report also advises this, warning that in 2019, hackers will use multi-pronged attacks to catch businesses and federal agencies off guard, using phishing emails, compromised videos, scheduled attacks and other mechanisms to steal data from the cloud or hard drive.
The more data and operations you move to the cloud, and the more IoT-connected devices you have, the more susceptible you are to cyberattacks, especially as cybercriminals get better and better at infiltrating IT systems that have only basic cybersecurity protocols.
Instead of recognizing the disconnect within corporate culture between cybersecurity and new tech adoption, the House report slams Equifax for its lack of preparedness, concluding that the data breach was “entirely preventable.”
While companies certainly need to be held accountable for their lack of cybersecurity, “politicians go to a point where they’re expecting things that are unrealistic given the state of technology and the state of the world,” Madnick said.
In other words, Congress still doesn’t understand the state of cybersecurity. Khanna’s recently passed 21st Century IDEA Act, for example, mandates that federal agencies update their websites to comply with modern website standards and make information and data more easily accessible to civilians via the internet — but it doesn’t include a single clause about how to protect these technologically updated websites.
Various high-ranking businessmen from software providers like Adobe, Oracle and ServiceNow praised the legislation (it means more business for them), but even their comments didn’t say a word about securing new software from cybercriminals.