Digital infrastructure modernization
President Biden's proposed infrastructure package does not address one key area: our nation's digital infrastructure. Virtually everything we do in our daily lives is enabled by the technologies that surround us.
That has become even more clear over the last year, as the pandemic has caused a tectonic shift toward full-fledged digital and remote school, work, entertainment, worship and commerce.
Foreign adversaries and criminals alike are also able to harness the power of the internet to harvest sensitive personal information, conduct espionage, steal intellectual property, or lock up critical systems in our communities.
Ransomware attacks against small businesses and state and local governments increased exponentially over the last three years, with billions of dollars lost. Moving forward, it's all but certain that we'll see a cybercrime spree across our communities that makes the last few years pale in comparison. Ransomware is a business, and business is good.
These aren't theoretical problems; just look back at the cyber events of the last five years.
2016's greatest hits include Russian efforts to interfere with the U.S. election, capped off with Moscow shutting down the Ukrainian power grid.
The North Koreans followed in 2017 with WannaCry. The Russians, not to be outdone, launched a similar attack the next month, dubbed NotPetya, likely the costliest cyberattack in history - decimating networks across the world, including those of shipping titan Maersk.
2018 is the year that ransomware fully entered the global stage, with Atlanta, Baltimore, Charlotte, counties in Texas and parishes in Louisiana and others locked up, in part enabled by cryptocurrency and the ability of criminals to extort ransoms from victims from the other side of the planet.
China crowned 2019 with its CloudHopper campaign, where Chinese thieves compromised managed service providers (MSPs) with trusted access to hundreds of customers across the world.
In 2020, we saw the year of big vulnerabilities and even bigger hacks. Russian, Iranian, North Korean and Chinese cyber actors and cybercriminals quickly exploited newly discovered vulnerabilities in thousands of networks (that some organizations failed to patch), sending government and private sector incident responders to every corner of this country to shut down attacks.
It's clear that we're in the midst of a new normal of cyber-enabled malicious activity. The status quo costs American businesses and government agencies hundreds of billions of dollars a year in lost productivity, fraud, and disrupted operations.
Our first order of business should be to make the underlying systems more secure and easier to defend. The promised Federal Cybersecurity Executive Order out of the White House should include requirements for more secure software development processes, eradication of legacy products, and more transparency in the supply chain of software products. While the EO will only apply to Federal Government procurement, there will no doubt be a trickle-down effect to the rest of the economy.
State and local governments and small businesses that are constantly at risk cannot afford the more modern systems and support necessary to manage that risk. This troubling divide between the digital haves and have-nots has become more stark over the last year. COVID-19 has impacted the way countless businesses operate, with many suspending or dramatically altering in-person services or shifting to remote work entirely. Those still using decade-old technology - more often than not our nation's small and medium-sized businesses, as well as state and local government agencies - have stumbled in this new normal.
Making matters worse, this risk mitigation gap will grow in the next few years as already cash-strapped agencies may not be able to join the digital transformation because COVID decimated tax revenues. Against that backdrop, the latest attacks could not come at a worse time: It's like throwing these organizations an anchor when they're already drowning.
Now is the time for Congress to act to protect the cybersecurity of our local communities. Congress needs to pass a comprehensive digital infrastructure investment bill that authorizes and funds grants to state and local agencies to modernize their technology platforms and obtain the support they need to manage those systems, and safeguard against cyber attacks like ransomware. They need scalable support to identify and mitigate vulnerabilities, patch systems and respond to incidents as they arise.