Supply and The Man

Posted on December 28, 2020

Samuel L Jackson battles a hacker in Jurassic Park

Right Now with Nick Smith (Linkedin/Twitter)

What I’m watching: Technology Connections — A YouTube channel that explains the inner workings of household stuff in a fun, digestible way

What I’m listening to: Optimism (as a Radical Life Choice) by Spanish Love Songs — Good ol’ Midwestern emo that made my 2020 Mount Rushmore of Music.

About 16 months ago (read: 10 years or a few weeks depending on how strange your lockdown got) I wrote a Buzz about ransomware hitting local governments, and the problem has … exploded since? Seriously. Come ON. 

Pete Carroll is disappointed

According to cybersecurity firm Blackfog, there were more than 200 noteworthy ransomware attacks this year, and to my chagrin, government was the worst-hit sector. It makes sense when you think about it — even as pervasive as some retailers seem, there are more cities than Starbuckses* in the US, and every one of them is more vulnerable, more valuable, and more upsetting to their customers as a potential target — a really, really bad trifecta to hit.

So to close out 2020, I want to talk to you about a new & exciting (read: scary as hell) type of hack that we all need to be on guard for in 2021 — the supply chain hack.

Think about how many companies we all know and love and trust and allow into our computers every day. Not just Adobe, Microsoft, Spotify, but those small-to-medium enterprise companies too. And think about how much data, both important and unimportant, each of these gathers and transmits.

Muppets hacking

Now, think about how much easier it would be for a hacker to stop trying to target you, the single entity with your guard up, and instead switch their focus to a well-liked software firm that has access to hundreds, if not thousands, of government computers. That’s exactly what’s happening now.

That’s exactly what happened when Russian hackers used SolarWinds to gain access to records within the US Departments of Energy, Commerce, Treasury and Homeland Security (among others) recently. 

Now, it’s not entirely important that you know the inner workings of most private hacking victims, but if you’re not in IT you probably haven’t heard of SolarWinds. In fact, it might be more accurate to say that if you’ve heard of SolarWinds, you’re probably a very valuable part of your organization’s IT team. 

All this is to say that SolarWinds is, itself, IT software for IT people by IT people … and it got hacked. Bad. So what are you, the (Clerk/Planning Director/Communications Specialist/Code Enforcement Officer) supposed to do?

a woman holds a mug with the words

Well, not much, honestly. But there are two steps I think you could take that might be invaluable. 

First is talking to the nerds upstairs about the software that you’re using for record-keeping. Are you storing valuable (i.e., sensitive) information within third-party software? It doesn’t have to be social security numbers. As people put more and more information about themselves online, it becomes easier and easier for friend and foe alike to triangulate other data back to a specific person. 

Imagine you’re looking at information about code & permits. It doesn’t take long to figure out that any residence that applies for a permit to build a ramp probably has someone societally vulnerable living there. That address’s geolocation can be used as a search parameter on certain social media sites. Oh look, there are some photos of the person outside their house. Hey, neat, they have kids. Exactly who backdoored this information is now the only thing that determines how much and what kind of uncertainty they face. 

And this is just one example, right? Other than in very rare cases, it’s nothing. But sometimes it isn’t. You have to imagine (not hypothetically, you actually are forced to reckon) that anyone who’s going to surreptitiously gather data in such an arcane manner has the time, interest, and technical know-how to perform this type of deviousness — because they do. 

Which means the second part has to be moving sensitive records out of proprietary & third-party systems as much as possible. You know the old bit about “if you want something done right.” And like I mentioned before, this doesn’t just mean SSNs. Birthdates, addresses, car models, all this stuff and more can be used to reverse engineer access to someone’s most personal information.

In short, if you want people’s HIPAA**/otherwise personally-identifiable information to stay safe, you know who has to protect it.

Smokey The Bear says "Only You"

Sorry. It sucks, but … hey, it sucks a lot less than being organizationally liable for the work of bad actors.

Happy New Year!

Please don’t make me write about your organization next December. 

*(Wait, seriously, is my spell checker not going to try to correct “Starbuckses?” Is that really the plural?)

**HIPAA. It’s HIPAA. Not HIPPA. Health Insurance Portability and Accountability Act. It’s been around for 25 years. Spelling it “HIPPA” is like saying “nucular.” Stop it.
