The latest major information technology (IT) breach is outrageous. The news coverage has centered on the hackers and the ransomware. The bigger story, in my opinion, is the incompetence of Colonial Pipeline. It got major coverage because of the East Coast's heavy dependence on the pipeline for gasoline. I hear people saying the problem is the Internet: it is not secure. The news coverage makes it sound like being hacked is just the way things are, and that it is not possible for servers containing important information to be secure. This is not true. In this post I will offer a different perspective.
The Internet consists of telephone wires, cables, satellites, wireless access points, and other communications methods and equipment. It is built on global standards which enable any device connected to the Internet to connect to any other device connected to the Internet. There are currently more devices connected to the Internet than there are people in the world: a mind-boggling 10 billion connected devices.
The Internet itself is inherently insecure. However, it is possible to make any device connected to the Internet completely secure and to refuse connections from any device that is not authorized or not wanted. This is done with software: a firewall to block unwanted connections, authentication to confirm that every connection is a desired one, encryption to scramble data so that only the owner of the data can make sense of it, and many other sophisticated software tools that make servers connected to the Internet secure. Yes, it is possible to have secure servers.
Not protecting servers and other devices from being breached represents gross negligence and incompetence. Securing servers is important for every organization, but especially so for companies which provide part of the nation’s infrastructure or hold very personal information, such as financial, credit reporting (Equifax), or healthcare organizations.
A small company may not have the skills and resources to properly protect its servers, but Equifax has nearly seven billion in assets and nearly four billion in revenue. Colonial Pipeline has more than ten billion in assets and more than a billion in revenue. Both companies have been very profitable, but they obviously have not made it a priority to protect consumer data or infrastructure IT. We should be outraged by the incompetence of Equifax and Colonial Pipeline. They were not the victims. Consumers who lost their privacy or couldn’t get gas for their cars and trucks were the victims. In the case of Colonial Pipeline, the breach of its systems caused widespread anxiety and panic buying, which left gas stations in the midlands and across the southeast without fuel. There is no excuse for these companies not protecting sensitive and critical data. In my opinion, such breaches should be treated as criminal offenses.
The Wall Street Journal reported security researchers at Cisco Systems Inc. discovered a bug in the web server software used by Equifax. Apparently, Equifax had not updated to the latest version of the software. They were not following best practices. Keeping current with security patches is IT 101. Something similar was no doubt the problem at Colonial Pipeline.
The U.S. Chamber of Commerce is calling on the federal government to do more to fight ransomware. This is a cop-out. We don’t need the federal government, which itself has demonstrated incompetence in multiple instances, to tell private companies how to run their businesses. There is, however, a role for the federal government. In the financial services industry, there are strict standards for using encryption and other software tools to secure servers. Regular audits are conducted, and inadequate compliance carries significant penalties. This approach should also be in place for any company or organization which stores consumer data or provides infrastructure services affecting millions of people.
The CEO of Colonial Pipeline said he had been very happy that most people had never heard of his company. The firm paid almost $400 million in dividends to investors in 2020. The figure is hard to find, but based on prior CEOs’ compensation, it is likely the current CEO is paid more than $10 million. Meanwhile, the CEO authorized a payment of more than $4 million to hackers to unlock Colonial IT systems which had been breached.
Every significant organization has a chief information officer (CIO). It is a tough job with a lot of turnover. Many are paid $1 million or more. That is fine, but they have to be accountable. Likewise for the CEO. Paying millions of dollars of shareholder money to hackers because of their own incompetence is outrageous. I could not find much about the Colonial Pipeline CEO, but odds are he doesn’t know much about IT. In today’s digital economy, any leader of an organization needs to know quite a bit about IT: not as much as the CIO, but enough to ask the right questions to ensure the organization’s servers and network are secure. It is not a hacker problem or a government problem. It is a management problem.