Last week, Mr Biden acted by ordinance to enforce some of these changes in the pipeline industry, using the Transportation Safety Administration’s oversight powers over that industry.
However, in the absence of comprehensive government mandates, cybersecurity practices have been voluntary. The result is that many companies and other organizations are left to their own devices. And the recent ransomware attacks have shown the lack of adequate defenses in American cities, city councils, law enforcement agencies, and even the ferry routes between Cape Cod, Martha’s Vineyard, and Nantucket.
For example, the most recent attack on one of the world’s largest beef suppliers, JBS, was carried out by a Russian group called REvil, which has successfully broken into companies using very simple means. The group usually gains entry to large companies through a combination of email phishing, in which they send an employee an email tricking them into entering a password or clicking on a malicious link, and exploiting a company’s slowness to patch software.
REvil’s cyber criminals often find and abuse vulnerable computer servers, or break in through a known vulnerability in Pulse Secure security devices known as VPNs, or virtual private networks, that companies use to protect their data. The bug was discovered a year ago after a series of cyber attacks by Chinese hackers.
But a year later, many companies have still neglected to apply the patch, essentially leaving an open window into their systems.
In the White House memo entitled “What We Urge You to Do Now”, Ms. Neuberger urged companies to focus on what matters. One step is multi-factor authentication, a process that forces employees to enter a second one-time password from their phone or a security token when logging in from an unknown device.
It encouraged them to regularly back up data and separate these backup systems from the rest of their networks so that cyber criminals cannot easily find them. It called on companies to commission outside firms to carry out “penetration tests”, essentially test runs in which an attack on a company’s systems is simulated in order to find weak points. And Ms. Neuberger asked them to think ahead about how they would react if their networks were held hostage by ransomware.