Making Future IT College Grads Champions of Cybersecurity
There’s a war raging in cyberspace, and cybersecurity educators need to inspire their students with a sense of urgency and mission. Those students will be on the front lines in an increasing struggle with hackers, thieves, and saboteurs—like the ones who tried to take control of a computer at a Florida water treatment plant. Fortunately, an alert employee thwarted the attack, which could have endangered residents.
Another recent infrastructure attack was the Colonial Pipeline ransomware attack that netted a Russia-based ring $5 million. The company had to shut down the major U.S. oil pipeline to keep the ransomware attack from spreading to the pumping system. The shutdown caused panic buying and hoarding of gasoline throughout the southeastern United States.
Too little, too late
Two weeks before the malware attack, the Colonial Pipeline Company had advertised a cybersecurity manager job on its website. In a statement after the attack, Colonial insisted that “the cybersecurity position was not created due to the recent ransomware attack.”
The company said it was looking for someone with an understanding of today’s security threats “to design security policies and procedures to mitigate threats where possible.” As of Friday, May 14, the job announcement was still posted online.
The war is heating up
The multi-million-dollar payday hackers reaped—and the fact that Colonial Pipeline decided to pay the ransom—will undoubtedly encourage future attacks. Previously, ransomware attackers had (mostly) stayed clear of federal government networks and vital infrastructure, although hospitals have not been spared. That may have changed.
Attacking a country’s infrastructure has always been part of warfare. Notwithstanding repeated claims that they are only in it for the money, many ransomware actors have either the implicit or the active support of governments that would like to hurt the United States.
The Colonial Pipeline shutdown is an alarming precursor of future problems. If warfare is diplomacy by other means, cybersecurity specialists may become the future diplomat-warriors in this struggle. Cybersecurity experts will be on the front line and will need a combination of technical/forensic skills along with a dedication to spreading cybersecurity consciousness among colleagues and decision-makers.
But the buck stops at IT
As the Colonial Pipeline Company concentrates on getting the fuel flowing again, company executives who had to dance to the tune of foreign blackmailers will have to face the music and be accountable to regulators, investors, and insurers.
Their IT experts are undoubtedly feeling the heat as they face loaded questions, the answers to which will disclose poor security planning, failed technology, and poor leadership. For example:
- How did the ransomware enter the company’s administrative network?
- Why couldn’t the company recover its system through secure off-premises backups?
- Why are we paying an average salary of $111,000 a year to our IT experts, whose failure just cost the company $5 million?
Getting back to basics
To equip future cybersecurity workers to answer those questions, instructors need to develop students’ analytic and strategic skills. Those skills need to be focused on five areas of inquiry:
- What information does their organization collect? How does it use that information, and what laws and regulations govern its collection?
- How does the organization store the information? If the information resides as backups offline or through a third-party service, everyone needs to know that you cannot outsource responsibility for data protection.
- Who can gain access to the information? The answer should be miles deeper than “only people with known user IDs and passwords.”
- How does the organization protect the data it collects? Solid answers to the first three questions above will be the foundation for a successful answer.
- What steps is the organization taking to secure its computers, network, email, and other devices/tools?
This last question is the $5 million question that Colonial Pipeline should have answered before the ransomware attack.
The answers to the foregoing questions branch off into a decision-tree process centered around many issues ranging from compliance to making everyone part of the organization’s security team. It has been said that a problem well-defined is a problem half-solved. The cybersecurity warrior has to know both the questions and answers to conduct the remaining half of the battle.