As the latest ransomware attack on the Colonial Pipeline shows, hackers are busier than ever – and are penetrating more critical components of everyday life.
While the disruption of the country’s largest refined oil products pipeline (and the ripple effects caused by the attack) surprised many, police officers were likely a little less shocked. The average payment from ransomware victims jumped 31% in the second quarter compared to the same period in 2020, according to the US Federal Bureau of Investigation. And cybersecurity complaints to the FBI more than tripled during the pandemic last year.
Government officials have tried to keep up for years – and they look to companies for help. Back in 2019, FBI Director Christopher Wray told the Council on Foreign Relations that the best way to combat increasingly aggressive hackers was to partner with private computer security experts.
“The reality is that the threats we face today are too diverse, too dangerous and too extensive for each of us to address alone,” he said. “We need to find more and more ways to work together, especially with all of you in the private sector. We need to focus even more on a society-wide approach as we face threats to society as a whole in many ways. It is very clear to me that the next few years will depend very much on what progress we can make with public-private partnerships.”
Earlier this year, Wray continued to press for collaboration, saying at Fordham University’s International Cybersecurity Conference: “There’s a saying that the best time to repair your roof is when the sun shines. It’s the same concept here. We want people to start building these relationships with their local FBI field office before they go into any major intervention.”
Part of the problem, however, is that there is also a shortage of cybersecurity professionals in the private sector. The 2020 (ISC)² Cybersecurity Workforce Study examined the global talent shortage in the field and found that companies could add 3.1 million additional workers, almost double the number today. (Another 879,000 are needed in the US alone.) More than half of those surveyed – approximately 56% – said the cybersecurity staff shortage is putting their organizations at risk.
“The void in the cybersecurity workforce, put simply, is the difference between the number of skilled workers companies need to protect their critical assets and the actual capacity available to do that work,” the study said. “It is not an estimate of the vacancies available to applicants.”
The good news is that the gap has shrunk from 4 million to 3.1 million over the past year. The bad news is that some of these gaps are in important roles. Colonial Pipeline, for example, reportedly had two important security management positions vacant when it was hit with the ransomware attack.
Surprisingly, despite the risks and recent incursions like the SolarWinds hack that compromised a number of US government agencies and large corporations, there isn’t much pressure to boost cybersecurity hiring. About 48% of the respondents in the (ISC)² study indicated that they intend to increase their number of employees in this area in the next 12 months, about as many as in the two previous years. (Oddly enough, 15% said they plan to reduce their cybersecurity workforce, up 5% from two years ago.)
Despite this shortcoming, however, the public-private partnership persists. The Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP) promotes collaboration in the area of corporate security through an unclassified exchange of information about threats and vulnerabilities. Europol goes even further, with a website that allows officials and private companies to share ransomware decryption tools so that victims do not have to pay the hackers.
And sometimes the partnership is more than just exchanging information. In March, the National Cybersecurity Center worked with Google to start a program providing cybersecurity training to U.S. lawmakers and their employees.