By Jonny Lupsha, Wondrium Staff Writer
A cyberattack on the United States, likely sponsored by Russia, may be the largest in history, The Conversation reported. The extent of the damage from the Sunburst hack is still unknown, though its victims include the U.S. Treasury, Microsoft, and Intel. U.S. computer infrastructure has many vulnerabilities.
According to The Conversation, the recent cyberattack against the public and private sectors of the United States is nothing to take lightly. “U.S. officials widely believe that Russian state-sponsored hackers are responsible,” the article said. “The attack gave the perpetrators access to numerous key American business and government organizations. The nature of the affected organizations alone makes it clear that this is perhaps the most consequential cyberattack against the U.S. to date.”
U.S. computer infrastructure has a growing list of vulnerabilities. One controversial theory is that we should stop planning for perfect security, opting instead to focus on resiliency and recovery.
A Long, Hard Look in the Mirror
“One way to approach a model of private-sector cybersecurity is to become resigned, in a good way, to reality; to recognize that ‘stuff happens’ is not just a mantra for the disaffected and the unhappy,” said Professor Paul Rosenzweig, Professorial Lecturer in Law at The George Washington University Law School. “Rather, the reality of failure is a truism of the world, and it’s a particular truism for the cyber domain. What this means is that, for better or worse, cyber breaches are inevitable.”
However, Professor Rosenzweig isn’t saying to give up hope, but rather that focusing too strongly on building a system that’s 100% hackproof is generally unattainable. Therefore, it may be wise to switch gears and look at how to prepare for inevitable failures in security, and other factors of a functioning system. In fact, he said, several infrastructure systems already do this.
“The electric grid itself is not designed to work 100 percent of the time,” he said. “Everyone knows that blackouts can occur, both because of man-made errors and as a result of natural disasters. The principal goal of the electric grid management system is to make sure that power is rapidly restored.
“That means [having] many back-ups to replace systems offline and an effective repair system for fixing the grid when it gets broken.”
Of course, when we lose power, we’re pretty put out and feel as though it takes too long to restore power, no matter what; however, if electric companies never planned for outages, things would be far worse.
Good Cyber Hygiene and Vaccination
Professor Rosenzweig compared a cybersecurity system that assumes failure to the medical system. The first step is disease and infection prevention.
“In the health care world, these are often simple steps related to personal hygiene—washing your hands; drinking good, clean water; and the like,” he said. “Good passwords, regularly changed, are like washing your hands. Making sure that you think before you click on a suspect hotlink to avoid malware infection is a lot like boiling your water before you drink it and not drinking water that you suspect is unsafe.”
The next part of the analogy is vaccination. Since most Americans got their inoculations before starting school, smallpox has been eradicated and polio is at a serious low. Likewise, malware can often be blocked by purchasing and installing the aptly named antivirus programs to protect your computer system.
Building public infrastructure or a private corporation based on assuming failure in cybersecurity is a controversial opinion, but not without precedent. The Sunburst hack may even lead to some public and private institutions rethinking their approach to cybersecurity.
Professor Paul Rosenzweig contributed to this article. Professor Rosenzweig is a Professorial Lecturer in Law at The George Washington University Law School. He earned his JD from the University of Chicago Law School and then served as a law clerk to the Honorable R. Lanier Anderson III of the United States Court of Appeals for the Eleventh Circuit.