Op-Ed: Promoting Cyber Hygiene
New revelations have surfaced of just how defenseless Target’s computer network was when hackers stole the personal financial information of 40 million customers in 2013. The findings of an internal company probe by Verizon security consultants revealed that there were “no controls limiting [hacker] access to any [Target] system, including devices within stores such as point of sale registers and servers.” According to one security blogger’s exclusive reporting on the investigation last month, even a deli meat scale was compromised.
Here’s a lesson every system administrator should heed: If an employee working the deli counter is required for public health purposes to keep a hygienic workspace, administrators of a company’s computer network must also practice good “hygiene” when it comes to data security.
Why? The scary truth is that data security experts have suggested 90 percent of successful cyberattacks are due to system administrators overlooking two integral pillars of network security: cyber hygiene and security management. Think of an employee using a weak password or an engineer forgetting to update server software.
Lack of cyber hygiene and poor security management are resulting in a growing number of attacks and escalating losses in both the public and private sectors, which have proven to be equally vulnerable. The federal Office of Personnel Management announced last week that hackers stole 5.6 million fingerprint records in a breach. This is millions more than originally estimated and is in addition to sensitive information about employee health, financial history and families.
These are chilling developments with potentially devastating implications, yet the American people are largely numb to the consequences, in part due to the frequency with which cyberattacks occur.
The personal and financial information of millions of Americans is under constant attack and being sold to criminals on the black market. American ideas are being stolen. Research, formulas, source code and blueprints are being nabbed by hackers on a massive scale. Critical infrastructure, now interconnected and operated through computer networks at unprecedented levels, is potentially vulnerable to large-scale attacks that could cripple our national security. The Center for Strategic and International Studies estimated last year that the annual cost of cyber crime to the global economy is approximately half a trillion dollars, almost one percent of global income. And attacks continue to rise at an alarming rate. According to Symantec’s annual Internet Security Threat study, cyberattacks against large companies increased globally by 40 percent in 2014.
An impregnable computer network is ambitious, but the good news is that common-sense steps can be taken now to mitigate risk. A senior Pentagon official stated earlier this year, “We’re all reading about breaches in [network] security, and everyone that I can think of is related to poor network hygiene, some patch that somebody didn’t put in, some weak password that somebody had, some systems administrator that had a simple password that could be hacked.” Similarly, a former senior National Security Agency official told a congressional committee in 2009, “[I]f one institutes best practices, proper configurations [and] good network monitoring, a system ought to be able to withstand about 80 percent of the commonly known attack mechanisms against systems today.”
I’m introducing legislation to promote cyber hygiene. The Promoting Good Cyber Hygiene Act builds on President Obama’s 2013 executive order by instructing the National Institute of Standards and Technology, in consultation with the Federal Trade Commission and the Department of Homeland Security, to establish best practices for network security. These best practices would be used voluntarily by federal agencies, the private sector and any individual or organization using an information system or device.
The legislation will help system administrators better protect their network and devices against known cyber threats by: 1) establishing a set of voluntary best practices; 2) ensuring these practices are reviewed and updated on an annual basis; and 3) making them available in a clear and concise manner on a publicly accessible website. For companies both small and large, implementing these best practices on a voluntary basis means protecting their investments, their reputation, their customers and their bottom line.
Our digital world is imperfect, but this is not an acceptable excuse for the millions of consumers who’ve had their identities stolen, their bank accounts drained or their credit destroyed, especially if it could have been prevented.
Eshoo represents California’s 18th Congressional District, which includes Silicon Valley, and has served in the House since 1993. She sits on the Energy and Commerce Committee and is ranking member on its Subcommittee on Communications and Technology. Published in the October 1, 2015 edition of The Hill newspaper.