Init0

Tech News That Matters

Cybersecurity for Idiots – Lawfare

One of cybersecurity’s major challenges is cyberstupidity. The IT management software firm SolarWinds’s decision to use “solarwinds123” as the password for its software update server was rather inept. The password turned up exposed in a public code repository, and anyone holding it could upload files to the server, files that would then be distributed to SolarWinds’s clients. Similarly, when the Missouri Department of Elementary and Secondary Education failed to check a web application for a class of flaw that has been known for at least a decade, its incompetence exposed the Social Security numbers of at least 100,000 teachers. Missouri Governor Mike Parson compounded the bungling by threatening to prosecute the journalist who discovered the flaw rather than addressing the department’s wholly inadequate security. And when Wyndham Hotels used weak passwords, stored guests’ credit card data unencrypted, and did not bother to deploy firewalls to protect its network, it invited disaster: hackers accessed information on more than 600,000 customers on at least three occasions, and in at least two of those attacks Wyndham did not even detect the intrusion for months.

Nominally, cybersecurity has been a top policy priority for presidential administrations of both parties since 1997. But even within the federal government “little progress has been made,” according to an April 2021 report by the Government Accountability Office. The private sector is not in much better shape. At least part of the problem lies with shortcomings in the legal regulation (and the lack thereof) for cybersecurity. Regulators tend to focus on process over substance, are overly timid about regulating technology, defer too readily to judgments by regulated entities, and opt for politically safe but largely ineffective measures such as information sharing. Even the Federal Trade Commission (FTC), which has emerged as the de facto national cybersecurity regulator in the United States, employs mostly holistic-style, amorphous assessments of firms’ systems, rather than (as an attacker would) looking for weak points.

[…]

Source: https://www.lawfareblog.com/cybersecurity-idiots