The abnormal heat that Connecticut experienced this summer has heightened calls for new kinds of resilience to deal with the effects of climate change. Yet the warming planet is not the only evolving threat that played out this summer that demands greater resilience. The past few months have seen a spike in cyber attacks that have targeted critical infrastructure and businesses large and small across the state.
Some of the more high profile attacks over the last months include a cyber attack on New Haven Public schools that resulted in over $6 million being stolen, money that was earmarked to pay for buses. Another is an attack on the parent company of Eastern Connecticut Health Network and Waterbury HEALTH that limited patients’ access to outpatient services and blood work.
Then there are the smaller attacks that target individual businesses that the public doesn’t always hear about. A close friend of mine told me that they’d been out of work for almost a week because their business was shut down. While the management of the business claimed that the work stoppage was the result of a server issue, rumors quickly spread that in fact the business had been hit with a ransomware attack that prevented access to necessary information systems.
Connecticut is not facing this challenge alone. Only a year ago the United States experienced one of the most high-profile cyber attacks ever, when hackers shut down the Colonial Pipeline, leading to panic about the availability of gas all along the East Coast. According to Check Point Research, there was a 38% increase in global cyber attacks from 2021 to 2022, so these problems are only becoming more common.
Part of the challenge of preventing cyberattacks is that the fiction created around cyber threats often overrides the reality. In the popular imagination, cyberattacks are carried out by incredibly sophisticated individuals that stare at computer screens like Neo from The Matrix, using state-of-the-art technology to break into systems. In reality though, cyber crimes are basic in their implementation. Three of the most common cyber attacks are surprising in their simplicity:
Malware: Malicious software that is installed when a user clicks on an infected link. Malware can block access to information and networks, covertly gather data, or render computer systems inoperable;
Phishing: Fraudulent communications, usually through email, where the attacker pretends to be a trusted source to collect critical and sensitive data from users that attackers can exploit;
Zero-Day Exploit: Software companies often announce flaws and other issues with their programs to warn users. Attackers utilize those weaknesses before the software companies can fix them.
None of these cyberattacks require an advanced degree or deep understanding of technical computer systems to commit. They rely heavily on the victims themselves for success, which is the good and the bad news. It reaffirms that people are the weakest link in cybersecurity, but people are both the easiest and most difficult elements of computer systems to secure. People still click on links that they shouldn’t. And with the rapid development of artificial intelligence technologies, cyberattacks will take new forms that even the largest and most well-resourced organizations will struggle to adapt to, much less individuals and small businesses.
The state has responded to cybersecurity threats by creating the Connecticut Cybersecurity Task Force, which partners with local and federal authorities to prevent cyber crime. State government must be as forward leaning as possible in combating cybercrime. There’s nothing less at stake than our children’s ability to go to school, our ability to work and protect our assets, and even receive medical care.
But the responsibility for preventing cybercrime cannot fall only, or even primarily, on decision-makers in Hartford. The foundation of good cybersecurity is built by individuals practicing good security hygiene. Using strong passwords (and not sharing them), following company protocols regarding securing data and other practices are the best ways to help safeguard everyone. And please, if you don’t know the sender of an email or trust it implicitly, DO NOT CLICK ON THE LINK!
