What Should Your City Do if It's Hit by Ransomware? |
| Baltimore refused to pay a $75,000 ransom to hackers who locked down its computer systems. It will cost millions to restore them. Alex Wroblewski/Getty Images | |
Each week, we review the week's news, offering analysis about the most important developments in the tech industry. |
Hi, I'm Jamie Condliffe. Greetings from London. Here's a look at the week's tech news: |
Imagine you're a mayor trying to spend your city's money wisely. You've heard about ransomware attacks, where hackers locking I.T. systems using encryption and demanding money for their release. But what should you do about them? |
Ideally, you'd ensure systems are up-to-date and properly backed up. But it's "unrealistic" to expect many cities to afford big security overhauls, according to Gregory Falco, a cybersecurity entrepreneur who teaches at Columbia, Harvard and M.I.T. as well as researching at Stanford. |
And it might never happen, right? |
Only: |
"More than half a dozen cities and public services across the country have fallen to ransomware so far in 2019, on a near-monthly basis; the Administrative Office of the Georgia Courts became the latest victim on Saturday." |
Cities are now seen as low-hanging fruit by hackers, because of "legacy systems and lack of budget" to upgrade, said Jennifer Daffron, a risk researcher at the University of Cambridge. They're also great places to cause chaos, and hackers, especially nation-state ones, "love to cause chaos to get street cred," Mr. Falco said. |
And what if your city does get hit, mayor? There are a few options. |
You could take a principled stand and not pay — an approach the F.B.I. endorses — and then repair the damage. That's what Baltimore did in May, refusing to pay about $75,000. It now expects to spend $10 million restoring its systems, and the disruption may have cost $8 million more. |
That's created a "post-Baltimore mind-set," Mr. Falco said: Paying the ransom now potentially looks cheaper and faster. See, for instance, Riviera Beach and Lake City, both in Florida, which paid a combined $1.1 million in late June to recover their systems. But that encourages more attacks, Ms. Daffron said, by signaling that a city is willing to pay and doesn't have an effective response plan. It will be interesting to see if the Florida cities suffer follow-up attacks. |
There's always negotiation, too. "If the motive is to cause chaos," Mr. Falco said, then maybe hackers "want to hear the city calling for mercy." |
None of these options is perfect: Each is expensive or risky. |
For now, until security becomes an affordable norm for cities, the best option is to be proactive: Spend some money improving security, have contingency plans in place, and take out cyber insurance. (Though insurers may soon become more stringent about what they'll pay, said John Zanni, the chief executive of the security firm Acronis SCS.) |
One thing cities shouldn't do: ignore the threat. As municipal infrastructure digitizes, there will be more entry points for hackers, Mr. Falco said. "This is here to stay as a risk," he said. |
What is a national security threat? |
Sorry, trick question: It's a moving target. |
In May the United States government blocked the sale of American products and services to Huawei and other Chinese tech companies over national security concerns. Last weekend, the stance appeared to soften: During talks with President Xi Jinping of China at the Group of 20 meeting in Japan, President Trump agreed to allow American companies to restart selling products and services to Huawei "where there is no great national emergency." |
That is to say: Not all the products that the administration said were national security threats were national security threats. |
United States chip makers, who mounted a significant lobbying effort, may benefit. Some of their products are widely available from foreign suppliers, and are thought to present little national security risk. |
More broadly, little may change. Larry Kudlow, chairman of the National Economic Council told Fox that "this is not a general amnesty." Huawei will remain blacklisted, according to a Commerce Department memo that Reuters saw. And the Justice Department on Wednesday supported a ban on federal agencies buying Huawei equipment. |
But the flip-flop is troubling. The Trump administration is still trying to persuade countries like Britain and Germany to shun Huawei over national security issues, but its own inability to make up its mind is unlikely to help. And companies will rightly wonder whether American policies are ever more than transient. |
"It reinforces the view that the U.S. is not going to be all that trustworthy on this issue," said Adam Segal, the director of the digital and cyberspace policy program at the Council on Foreign Relations. |
Superhuman's super-creepy week |
If you paid $30 a month for a premium email experience and it offered the option to see when and where someone read your messages, you'd probably use it. For $30 you deserve special features, right? |
But: |
"One of the most hyped new email clients, Superhuman, has decided to embed hidden tracking pixels inside of the emails its customers send out. Superhuman calls this feature "Read Receipts" and turns it on by default for its customers, without the consent of its recipients." |
Tracking pixels — tiny, hidden images that report information when an email is opened — are not new. They appear in plenty of emails, like newsletters. But what Superhuman was doing meant that any recipient of an individual's message was unknowingly being tracked — a one-sided practice that riled privacy advocates because of the ways it could be used nefariously. |
The backlash was strong enough for Superhuman to scrap the location tracking and turn the read-receipt feature off by default. |
But the situation, and the company's apology, revealed a shortsightedness. "We focused only on the needs of our customers," wrote Rahul Vohra, the founder and chief executive of Superhuman. "We did not consider potential bad actors." |
Some stories you shouldn't miss |
■ Facebook's Libra cryptocurrency faces serious skepticism. Four House Democrats asked Facebook to enact a moratorium on it. And a survey by the investment bank Jefferies found that 80 percent of respondents were unlikely to make use of it at first. |
■ Was there tension at the top of Apple? The Wall Street Journal reported that Jony Ive, its outgoing chief design officer, was "dispirited" by Tim Cook's lack of interest in product design. Mr. Cook called the report "absurd." |
■ G.M. says it needs to embrace tech to survive, but thousands of workers may lose their jobs in the process. "The Weekly," which airs on FX at 10 p.m. Sunday and streams on Hulu starting Monday, will dig into the issue. |
■ Facebook still struggles with racial issues. An audit called its policies on white supremacy "too narrow." And the United States Customs and Border Protection agency is investigating a secret Facebook group where agents joke about migrant mistreatment. |
■ China snares tourists' phones in a surveillance dragnet. Border agents routinely install an app on the phones of people entering the Xinjiang region and use it to gather their personal data. |
■ Broadcom is said to be in talks to buy Symantec, underscoring how the chip maker has had to shift its focus to software after a failed attempt to buy Qualcomm last year. |
■ The E.U. could get even tougher on tech. Its new leadership has been vocal about reining in America's tech giants. |
■ Digital fingerprinting is one the rise as a way to track us online. Here's what you can do to avoid it. |
■ Is it too easy to sell food via meal delivery services? A BBC journalist grilled burgers in his yard and successfully had them delivered by Uber Eats. |
■ It's been 40 years with music in your ears, everywhere. The first ever Sony Walkman — the TPS-L2, sticker price $150, or about $530 in today's money — went on sale on July 1, 1979. |
No comments:
Post a Comment