In the past month alone, cyber attacks have been revealed on a French shoe manufacturer, a regional library in the U.S., and a Spanish delivery startup. They escaped widespread attention because the disruptions did not bring the supply of oil or T-bone steaks to a standstill.
JBS SA's meat packing facilities in the U.S. ground to a halt this week after a Russia-linked hacking group infiltrated the company, forcing all beef processing to be shut and impacting other facilities. Now we are left to ponder whether a quarter of the nation's meat ranks closer to hippie sports shoes or automotive fuel. That is the wrong way to look at it.
After a ransomware attack last month shut down the U.S.'s biggest gasoline pipeline, regulators and legislators rushed to Capitol Hill to implement new requirements. For more than a decade, oil companies and pipeline operators had successfully pushed back at attempts to implement stricter cybersecurity rules. As Ari Natter and Jennifer A. Dlouhy of Bloomberg News wrote, the U.S. Chamber of Commerce was among those opposing 2012 legislation that would force energy companies to tighten cybersecurity, labeling it heavy- Lobbyists may not have the upper hand this time around, but the fact that any one industry has the power to stymie legislation is evidence of the piecemeal approach being taken. This exposes the entire nation, indeed the entire world, to soft spots in defenses and will likely result in regulatory Whac-a-Mole that could last decades, allowing attackers to keep probing new targets.
Ransomware attacks, which lock computer systems until a ransom is paid, have climbed. Many of the operations we have seen in recent years have been undertaken using a similar set of tools developed by software engineers who have sold them on to the final users. They are largely agnostic to the specific industry or nation in which the victim operates, which means target-specific solutions will do little to prevent future problems.
Instead, regulations should specify standards required across all industries, which would include monitoring and logging network activity, procedures for ensuring software is kept updated, and reporting breaches when they occur. A no-weak-links strategy can then help secure industries overseas by forcing any company that operates in the U.S. to meet American standards. JBS, for example, is a Brazilian company yet this recent outage also impacted operations in Australia and Canada.
There can be no doubt that a breach of nuclear power stations or military systems is more dangerous than most other incursions. Yet government officials, both regulatory and legislative, should not focus on one sector or another as critical, and should instead recognise that attacks on any one business, be it a local library or a health-care provider, are an assault on the entire U.S. economy.
The U.S. can make its cyber borders more secure, but not if leaders start playing favourites and lobbyists are allowed to exploit legislative weakness.
Disclaimer: This article first appeared on bloomberg.com, and is published by special syndication arrangement.