The cyber attacks on political organizations and election infrastructure added a level of intrigue to this year’s U.S. presidential election – culminating in the U.S. government officially blaming the Russian government for trying to influence the election.
If the Cold War has taught us anything, it’s that global espionage is a game of chess, not checkers. These cyber attacks need to be viewed in context if our goal is to achieve greater levels of security – it’s not just about this election or a candidate.
These attacks are part of a long-game strategy designed to destroy or minimize our collective faith in our most trusted institutions.
Attacking the Foundations of Trust
The stakes are high, and rising. In the last two years, we’ve seen major cyber attacks on the foundational infrastructure that is supposed to instill trust in the day-to-day operations of our country: government agencies, including the State Department, the White House, OPM (Office of Personnel Management), the IRS, and many more; banking and financial institutions; the healthcare system; the power grid; news organizations; and the stock market. The list goes on and on. The inability to secure this infrastructure creates a greater sense of anxiety about the state of our social and economic systems in general.
The cyber attacks on election infrastructure and the candidates themselves have thrust nation-based attacks into the spotlight, but we can’t look at these attacks in silos or as an end in and of themselves.
Addressing these attacks and espionage as singular events, and being lured by curiosity about attribution, is ineffective and plays right into the cyber attacker’s hands because it keeps us from seeing the bigger picture.
Defining our Cyber Insanity
Albert Einstein is credited with saying that the definition of insanity is doing the same thing over and over again and expecting a different result. In this case, our cyber insanity is based on what we’re NOT doing repeatedly, despite facing unprecedented attacks. Cyber security in the face of aggressive, motivated attackers requires a different mindset.
Often attributed to lack of access to skilled resources, funding, or a simple lack of prioritization, poor security hygiene persists across organizations. While there may be sophisticated hacking tools and malware being developed in the world, our reality is that most organizations that are infiltrated or breached failed to address basic cyber security steps that could have made an attack much more difficult.
Attackers are taking advantage of our failure to patch systems, change passwords, and protect critical administrative and privileged credentials – items that should be at the top of any security best practice list.
In a recent survey my company CyberArk conducted, we found that while nearly 80 percent of companies say they’ve learned their lessons from major cyber attacks, a majority of them are failing to address vulnerabilities that have directly led to infiltrations and breaches at similar organizations.
Getting Off the Vulnerability Carousel
The idea that organizations are not learning lessons from past breaches is evident in our government agencies.
Despite general awareness of public sector breaches, how many citizens are aware that the U.S. has also been calling out the very weaknesses cyber attackers are exploiting? The U.S. Government Accountability Office (U.S. GAO) is an independent watchdog for Congress. Part of its job is to issue Information Security alerts on known weaknesses and vulnerabilities in government agencies – ostensibly so they can be secured before they’re exploited.
In the past year, the U.S. GAO has issued reports highlighting critical cyber vulnerabilities at the FDA, the FDIC, the IRS, the Department of Education, and the FAA, and, in one case, called out 24 agencies in a single report.
What’s fascinating in examining the reports is how similar the