When customers of Metamora-based MTCO Communications lost Internet service for three days at the end of February – the author of this piece among them – “it’s the Russians” may have been the first blush reaction of more than a few.
To be sure, Russian tanks were crossing the Ukrainian border at about that same time, and Russian leader Vladimir Putin was voicing no end of threats against the West in retaliation for the sanctions leveled against his nation, but ultimately it was a severed fiber optic cable in the Chicago area — not Russian hackers — that was the guilty party.
If there were any doubts about just how dependent many of us are on the Internet – whether a remote employee who suddenly found it impossible to work from home or a restaurant unable to take credit card payments — they were dispelled in those three days. And though it all ended well, any sigh of relief may be short-lived.
Indeed, ransomware attacks have become a fact of life, as we saw with the Colonial Pipeline hack that resulted in significant fuel shortages and rising prices at the pump in 2021. We’re not immune here in the middle of America, however far away the keyboard terrorists may be. Last year, a cyberattack potentially compromised the data of nearly 54,000 OSF HealthCare patients. Meanwhile, there has been much handwringing over the possibility of a cyber-assault on the nation’s power grid, which could prove catastrophic, economically and otherwise.
“The threat is very real,” said David Scuffham, Director of Information Security at Bradley University, a view echoed by colleague Jacob Young, Director of BU’s Center for CyberSecurity.
“Our increasing reliance on technology and just-in-time inventory puts us at considerable risk due to the impact that disruptions can have on the supply chain,” said Young. “The Internet has allowed small nations that would never be able to wage conventional war to inflict tremendous damage with unlimited reach across the globe.
“While the Cold War was largely held in check by the doctrine of mutually assured destruction, I don’t believe we can expect that same level of restraint when it comes to cyberattacks.”
SO, HOW VULNERABLE ARE WE IN CENTRAL ILLINOIS?
That depends, though “unfortunately, we are less secure than most would like to believe,” said Young. “Human beings are always the weakest link in any organization. Many still assume that maintaining organizational security is the sole responsibility of the IT department and fail to recognize how critical it is for all employees to maintain vigilance.”
That starts with practicing “good cyber hygiene,” said Scuffham, who offered the following tips:
- Understand the value of your data and take seriously the threats.
- Keep your systems up to date. Replace software that is unsupported (stop using Windows XP and Windows 7, for example).
- Use strong and complex – and therefore more secure – passwords, and don’t use the same one over and over.
- Enable Multi-Factor Authentication (MFA) on websites that support it.
- Think before you click. Be especially careful with emails and unfamiliar links.
“Successful cybersecurity defense, for both individuals and organizations, truly starts with awareness. The better someone understands the threats, the better he or she will be able to evaluate the risks,” said Young. “That said, we can never mitigate every risk, therefore we need to learn how to prioritize our time and resources on risks with the highest likelihood and impact.
“The challenge, of course, is keeping up with the ever-evolving threat landscape. Technology changes so quickly that it is difficult for consumers to anticipate consequences, especially when the marketing for devices and apps is so effective.”
Beyond that, even if you, personally, do everything right, we’re all handcuffed to one another now. “When one vendor has a problem,” said Scuffham, it “cascades to other businesses or customers.”
The federal government has begun to address that issue by passing laws requiring companies to put protections in place, and by sharing best practices and cyberthreat intelligence. The consensus seems to be, though, that we have a long way to go.
As Glen Gerstell, former general counsel at the National Security Agency (NSA), argued recently in a New York Times op-ed, “American businesses aren’t ready for a war in cyberspace” and “the weekly reports of ransomware attacks and data breaches make it clear that we’re losing this battle.”
He maintains that America’s cyberdefense system is too decentralized, go-it-alone attitudes in both public and private sectors continue to prevail, and bureaucratic inertia and partisan divisions prevent any meaningful progress on a major threat.
Gerstell concludes by writing that “if we don’t want to have to worry about Russian hackers contaminating our drinking water every time we turn on the faucet, now is the time to rethink our approach.”
Peoria’s private university is doing its best to protect itself. Bradley follows the National Institute of Standards Cyber Security Framework, which breaks down cybersecurity into five categories: Identify, Protect, Detect, Respond and Recover.
“Bradley University identifies its data, where it’s stored, who uses it, and why it’s needed. We identify what is on our network, who is responsible for it, and what it’s communicating with,” Scuffham said. “We identify who is targeting us and how they operate.”
Even with the best protections in place, however, “malicious things will still make it through,” he said. Bradley “has detections in place and cybersecurity analysts who threat hunt,” or look for things out of the ordinary. “Time is of the essence, so a quick response helps to limit damage.”
Meanwhile, the university is preparing a new generation of young people to contend with these threats, on defense and offense.
In 2017, BU opened its Center for Cybersecurity and began offering a cybersecurity minor and a concentration within the management information systems major. The resulting growth in student enrollment – up 125 percent annually since 2018 — has prompted Bradley to invest in developing a multidisciplinary cybersecurity major, online next fall, with plans to pursue designation from the NSA.
Among the most popular courses is Advanced Ethical Hacking, which has students performing a real-world security assessment for a local small business. They simulate how real attackers might compromise the organization, report their findings and make recommendations for correction.
“From what I have seen, most people are either unaware or do not think they would be a target,” said Scuffham. “It is really about practicing good cyber hygiene.”
Mike Bailey is editor in
chief of Peoria Magazine.
