Do you remember the Y2K problem? In the years before the year 2000 there was huge concern that a wide range of systems would fail because many programs and even compilers used only two digits for the year, and therefore 2000, stored as “00” could be erroneously interpreted as 1900. I won’t go into the details, but Wikipedia has all you’ll need. The Y2K problem was understood globally to represent a huge threat to computer systems of all types – from control systems for nuclear plants to banking and commercial applications – and hence to the world economy. In preparation for January 1, 2000 the business sector spent over $300BN to remedy the problem ($410BN today). And the Y2K problem did not destroy the economy.
The OPM breach makes me think it’s time for a Cyber-Y2K. Fear and fatalism are at an all time high. Orgs with big budgets are still easily rolled and we read warnings of a “Cyber Armageddon”. Leading figures such as Keith Alexander say “There are only two kinds of companies – those that have been hacked, and those that will be”, and CSO magazine says we’ve passed the cyber-tipping point. But often when I visit large enterprises or Federal Agencies I’m appalled at the lack of basic security hygiene. Endpoints that are over a year out of date on patching; Extensive “dependencies” on Windows XP; firewall rules that take hundreds of days to update due to approval procedures; standard username/password access control; applications and users that are granted admin rights… The list is long and tedious. And fear makes it worse: IT Pros fearing change don’t want to upgrade or change anything because that would introduce a whole new set of issues.
We need to move forward. Doing so needs to be a national priority. We have a tax code that businesses are required to comply with. Why is there no national mandate for security practices that insists that enterprises of all sizes move forwards to more secure infrastructure and security practices? Why is it acceptable that a large bank or a major Federal agency still runs Windows XP? There is no good reason. Specifically, excuses such as “legacy app dependencies” have to be addressed. Businesses need to be forced to move forward if necessary, and they need to insist that their application vendors move forward too. A national mandate for compliance with the best practice in security would force companies to invest – similar to the Y2K problem. And the Federal Government would not be able to get off the hook. Excuses like “Sequester” or “my printer driver won’t work on a new OS” need to be shown for what they are – pathetic excuses that leave our infrastructure vulnerable, making every one of us less secure.
It’s time for a Cyber-Y2K. We need a national effort to move our online society to a more secure foundation. The litany of breaches must stop. We know how to stop them and we need to mandate that every enterprise moves forward.