The cybersecurity world has had so many jolts that players are starting to argue with one another. For instance, the WannaCry attack, ransomware that encrypted victims' files and demanded payment, prompted Microsoft President Brad Smith to chide the National Security Agency for making and stockpiling potent hacking tools. That stockpile became such a tempting target that part of it was stolen and published in April. That's how officials think the perpetrators of WannaCry were able to launch their attack: the worm spread using one of the leaked exploits.
At the bottom of so many of the commercial and government hacks is a failure to patch and otherwise update systems. Microsoft had shipped a fix for the flaw WannaCry exploited two months before the attack; the machines that fell were the ones that hadn't applied it. Patching is the cyber hygiene equivalent of washing your hands. In some situations you might need a hazmat suit, but not at the expense of skipping routine soap and warm water.
To monitor, mitigate and patch, you've got to have systems you can patch in the first place. Given that companies like Microsoft eventually cut loose legacy products, if you want safe systems you've got to keep up with the releases. The government operates a panoply of operating systems on its endpoints and servers. Never mind Windows 7. You can still find XP, Vista and Windows Server 2003. Microsoft has ended support for all three (XP in 2014, Server 2003 in 2015, Vista this past April), so they get no routine patches; the emergency WannaCry fix Microsoft pushed out for XP and Server 2003 was an exception, not a policy you can plan around. Commercial sites may have moved beyond these versions, but many devices with embedded software still run obsolete and eminently hackable OSes.
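The practical first step is an inventory check: which hosts run an OS that can no longer be patched at all? The script below is an added example, not code from the column or from any agency; it reads a constructed hostname/OS inventory export and flags every host whose operating system is past Microsoft's published extended-support end date, treating unrecognized OS strings (typical of embedded devices) as needing manual review. The inventory lines are sample data made up for the example; the support-end dates are Microsoft's published ones.

```python
"""Flag hosts whose operating system is past Microsoft's end of support.

Added example (not from the original column). Input is a CSV inventory
export with 'hostname' and 'operating_system' columns; the sample below is
constructed for illustration.
"""
from __future__ import annotations

import csv
import io
import re
from datetime import date

# Microsoft's published extended-support end dates (last day of support).
SUPPORT_END: dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows Vista": date(2017, 4, 11),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Constructed sample inventory; hostnames and OS strings are made up.
SAMPLE_INVENTORY = """\
hostname,operating_system
wks-0412,Microsoft Windows 7 Enterprise
wks-0413,Microsoft Windows 10 Enterprise
wks-0088,Microsoft Windows XP Professional
srv-ad01,Microsoft Windows Server 2003 R2 Standard
srv-file02,Microsoft Windows Server 2008 R2 Standard
lab-vista1,Microsoft Windows Vista Business
hvac-ctl-3,VxWorks 5.5
"""


def classify(os_name: str, today: date) -> tuple[str, str | None, int | None]:
    """Return (status, family, days_past_end) for one OS string.

    status is "unsupported", "supported" or "unknown". days_past_end is
    negative while support remains, None when the OS is not recognized.
    """
    if re.search(r"\bWindows 10\b", os_name):
        # Windows 10 is serviced per build; compare the build number against
        # Microsoft's servicing timeline in a separate check.
        return ("supported", "Windows 10", None)
    # Longest family name first so "Windows Server 2008 R2" wins over any
    # shorter prefix; word boundaries keep "Windows 7" from matching "Windows 70".
    for family in sorted(SUPPORT_END, key=len, reverse=True):
        if re.search(r"\b" + re.escape(family) + r"\b", os_name):
            end = SUPPORT_END[family]
            days = (today - end).days
            return ("unsupported" if today > end else "supported", family, days)
    # Unrecognized strings are common for embedded gear; they need a human look.
    return ("unknown", None, None)


def report(inventory_csv: str, today: date) -> list[dict]:
    """Classify every row of a CSV inventory export, preserving row order."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        status, family, days = classify(rec["operating_system"], today)
        rows.append({
            "hostname": rec["hostname"],
            "operating_system": rec["operating_system"],
            "status": status,
            "family": family,
            "days_past_end": days,
        })
    return rows


def unsupported_hosts(inventory_csv: str, today: date) -> list[str]:
    """Hostnames that can no longer receive routine patches."""
    return [r["hostname"] for r in report(inventory_csv, today)
            if r["status"] == "unsupported"]


if __name__ == "__main__":
    # Evaluate the inventory as of the week WannaCry hit.
    as_of = date(2017, 5, 15)
    for r in report(SAMPLE_INVENTORY, as_of):
        extra = "" if r["days_past_end"] is None else f" ({r['days_past_end']:+d} days)"
        print(f"{r['hostname']:<12} {r['status']:<12} {r['family'] or '?'}{extra}")
```

Run against a real export (for example, the OS attribute pulled from Active Directory or an asset database), the "unsupported" list is the set of machines that need to be upgraded or isolated before patching policy can even apply to them, and the "unknown" list is where the embedded devices hide.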
I'm pulling for John Zangardi. Doc Z, the acting chief information officer of the Defense Department, is pushing a conversion of DoD computers to Microsoft Windows 10. I'm pulling not because I have feelings about Windows 10 one way or the other, but because the switchover will be not only monumental but also critical. Windows 10 is in fact a more secure product than its predecessors, and its cumulative, largely mandatory updates are harder to skip or cherry-pick than the piecemeal patches of earlier versions.
Operating system upgrades have been difficult since ENIAC. For the early decades they were expensive, but the vendors (IBM, Data General, DEC et al.) would do a lot of the work. Management information systems departments had to build the yearly or 18-month upgrades into their budgets.
Today it's still expensive, but organizations have to do a lot of the work themselves or hire contractors to do it. At one time only MIS interacted with operating systems; users had their green screens. Now every user touches the operating system to some degree, and every laptop, phone and tablet is one more device that needs constant updating.
In the meantime, the Institute for Critical Infrastructure Technology has published a good general guide to keeping ransomware at bay.
Applications keep the Defense Department and many other federal components wedded to obsolete systems. The government has thousands, perhaps tens of thousands, of applications, many home-grown or custom-coded. Not all of them will be compatible with the newest operating systems. Cloud apps can mitigate this but not completely. To the extent applications hold back the move to the latest infrastructure, it's time to rethink the applications. If a critical application was written for Windows 7 and left there, tell the vendor it has 60 days to make it work under Windows 10.
A couple of facts. The U.S. government, so far as we can tell, escaped WannaCry (unlike the British, whose National Health Service saw hospitals knocked offline). Several policy and legislative initiatives are underway for modernization and cybersecurity. We've just had the umpteenth wake-up call. Time to hop out of bed.