Last week, Mr. Biden acted by executive order in an effort to force some of these changes on the pipeline industry, using the Transportation Security Administration's oversight powers over that industry.
However, in the absence of full government mandates, cybersecurity practices have been voluntary. The result is that many companies and other organizations have left themselves poorly defended. And recent ransomware attacks have exposed the extent to which U.S. cities, city governments, police departments and even the ferry services between Cape Cod, Martha’s Vineyard and Nantucket have failed to put up adequate defenses.
The latest attack, on JBS, one of the world’s largest beef suppliers, was launched by a Russian group known as REvil, which has had great success breaking into companies with very simple means. Typically, the group gains access to large corporations through a combination of email phishing, in which it sends an employee an email that tricks them into entering a password or clicking on a malicious link, and taking advantage of the company’s slowness to patch software.
REvil cybercriminals often search for and exploit vulnerable computer servers, or break in through a known flaw in Pulse Secure security devices, called VPNs or virtual private networks, that companies use in an effort to protect their data. The flaw was detected and patched two years ago, and was flagged by U.S. officials last year after a series of cyberattacks by Chinese hackers.
However, a year later, many companies have still neglected to apply the patch, essentially leaving a window open on their systems.
In the White House note, titled “What We Urge You to Do Now,” Ms. Neuberger asked companies to focus on the basics. One step is multifactor authentication, a process that forces employees to enter a second, unique password from their phone or a security token when they sign in from an unrecognized device.
She encouraged them to back up data regularly and to separate these backup systems from the rest of their networks so that cybercriminals could not easily find them. She urged companies to hire firms to conduct “penetration testing,” essentially dry runs in which an attack on a company’s systems is simulated, to find vulnerabilities. And Ms. Neuberger asked them to think in advance about how they would react if their networks were held hostage by ransomware.