Cybersecurity is one of my favorite topics to discuss. It is also one I frequently beat up on. I lay most of the blame for poor cybersecurity on the supply side. But the demand side deserves its fair share of the blame, as well.
Much of my finger-pointing at the supply side has to do with economics. In most cases, especially in the consumer segment, security represents a cost with no tangible benefit (read: value to manufacturer). With the highly competitive situation in the consumer segment, manufacturers usually provide only the minimum, cheapest solution.
Business, government, industry and such are a bit more knowledgeable about good cybersecurity. That is because they are more educated about it and have more to lose. Additionally, many players already have been victims of cyberattacks and have suffered economically. Most are willing to eat the cost of keeping a good security screen up because it is less than the cost of an attack.
To be fair, keeping ahead of malicious code and bad actors is not easy. Corporations spend millions of dollars and countless person-hours securing their perimeters. Sometimes, in spite of their best efforts, they still get hacked. Malware and other nefarious code is in a constant state of flux. New threats emerge constantly, and keeping up with them is challenging and costly.
Unfortunately, not all are so vigilant. Some organizations get lax for a number of reasons. Perhaps they are in a bit of a financial crunch. Perhaps they have not been exposed to the havoc an attack can render. Or perhaps they may not have the proper intellectual resources or the attitude to understand the gravity of what a breach can do and how much money is at stake.
It seems as though not having proper intellectual resources or the proper attitude never would be the case, considering all the noise and visibility of poor cybersecurity. Yet it is the case. Just look back a few months to the FireEye debacle. That breach was due to poor oversight and some sloppy housekeeping. The truth is that most breaches stem from poor due diligence on the part of an organization.
Whether it is consumer or commercial, there are many more reasons than fit the space in this column as to why security is such a nagging problem. The issues cut across both consumer and commercial lines. The issues are similar, in many cases. The difference is in the complexity of hardware and the size of the particular environment.
Perhaps the biggest challenge comes from antiquated equipment running on aging software. The challenge is the cost to replace or upgrade it. It is one thing to replace an aging router in a home. However, for a large organization, upgrading hardware to plug security holes is not only expensive, but also carries additional soft costs in downtime, lost revenue and outside costs, for example, for experts, analysts and added outside manpower. Organizations, both public and private, often have a hard case to make for spending money to replace something that is currently working, even if it is a security risk.
On the uptime side, take, for example, a municipal water system. Today, hundreds of municipal water systems manage billions of gallons of water with old hardware. Most of them are running years-old, if not decades-old, operational technology (OT). The downtime required to change out hardware and software to improve security, if the systems are managing the water well (no pun intended), can cause interruptions in water service to customers – including critical systems such as connections for fire protection. Similar situations exist in other utilities, too.
In many cases, system operators are simply afraid to patch or update systems, often because patch or update history has been a nightmare. This results in systems, with hundreds of exploitable vulnerabilities, running on operating systems that have long since aged out.
In fact, this is exactly what occurred earlier this year. A couple of water systems were specifically targeted for these very reasons. The particular systems had the front, side and back doors, and all the windows, wide open, allowing a bad actor to simply walk in, because the priority was for the system not to be down.
This is also the case with hospitals and particularly medical equipment. Today, everything is connected to a computer: X-ray machines, MRIs, CTs, vital sign monitors, infusion port devices, EKGs, EEGs … the list goes on and on. Part, or all of it, is usually outward-facing to the internet at some point.
Medical equipment has an additional roadblock. Medical hardware and software are under the thumb of the Food and Drug Administration, and any changes to such systems have to be blessed by them. That is never fast, easy or cheap. Even if they do patch or update, if the change is not properly sanctioned with all the hoops jumped through and something happens, the organization faces the possibility of a lawsuit or decertification.
There are similar issues across nearly all segments of business and industry that face such challenges. Many are unique to the specific segment.
On the consumer side, smart may make life easier, but this smart new world of devices is creating a new batch of headaches in the cybersecurity space. The lack of diligence by consumers coupled with the lack of security by manufacturers is creating nightmares. Smart TVs, smart light bulbs, smart power strips, smart home security, smart toasters, smart refrigerators, smart HVACs and smart pretty much everything else are adding a plethora of devices, generally all facing inward to a network and many outward to the internet. Everything is connected to everything else, as well as to personal data.
Exploits abound. Aside from the well-worn baby cam hacks, many well-known exploits target some brands of smart TVs, as well as the Roku smart TV platform. New ones emerge daily. Additionally, smart TVs are getting smarter, adding more vectors for ingress, such as built-in cameras and microphones. These are easy components to capture, allowing bad actors to get a peek into your world.
This will not stop with TVs. Count on just about everything getting a video and audio interface at some point. Washers, dryers, refrigerators, stoves, maybe even your electric toothbrush as it videos your teeth and tells you how bad a job you are doing at brushing.
A bit farfetched? Today, perhaps, but I have to wonder what devices will be like in 20 years.
Sadly, most consumers simply take whatever device they get out of the box, download the app and read just enough of the instructions to connect it with their Wi-Fi, if it is not auto-sensing and connecting. There are, generally, ample notices to update the software, if needed, and change the password once the device is connected, but these usually go unheeded. The fact is that, in spite of all of this, it has been shown that people rarely update the firmware or change the default setting.
Is there a way to make the world security-conscious? The enterprise has a better chance at it than the consumer segment. However, many consumer devices are beginning to interface with manufacturers or other businesses, like my smart thermostat manufacturer, which tracks my usage and gives me reports. Another example is medical devices, many of which are capable of interfacing with your doctor, the hospital and first responders, and can even be monitored by the manufacturer for battery life, calibration and more.
Getting everyone on the same page will be impossible. There are just too many complex variables in the equation, including cost, competition, data value and relativity to other systems for functionality. The list goes on and on.
No one single solution will be the magic cure-all to cybersecurity woes. It is unlikely the consumer will ever become as security conscious as necessary. That means consumer devices will have to become self-securing. What that looks like is up for grabs, but that is the only way the consumer security space will become sufficiently secure.
On the enterprise and industrial side, there simply needs to be an unwavering priority placed on security. Everyone and everything need to be up to date. Security teams need to be at the ready and vigilant, always looking for potential security leaks, holes and access points.
Although we will never be able to achieve a 100 percent secure network, being on top of cybersecurity will both prevent as much as possible and lessen what breaches do occur. Simply put: Pay attention to what is going on in this space, and throw enough resources at it to cover all bases as best as possible.
Ernest Worthman is an executive editor with AGL Media Group.