Cyber attacks — and cyber mistakes — caused widespread disruptions this year. The July CrowdStrike incident showed that a technical mistake can down millions of machines worldwide — and threat actors are likely considering how to replicate this. Meanwhile, the February ransomware attack against Change Healthcare had ripple effects throughout the entire sector. It threw some health-care providers and patients into crisis and even impacted hospitals that didn’t directly connect to the company. The attack may have exposed personal and protected information on a third of all Americans.
These incidents show the risks of having a single point of failure, whether that’s one IT solution whose disruption can affect a whole organization or one company whose disruption can disturb a whole sector. In both incidents, seemingly small mistakes turned into crises: CrowdStrike failed to fully validate a flawed update before issuing it, and Change failed to apply multifactor authentication to a remote desktop access portal.
Attacks on several major medical suppliers may reveal a deliberate focus on the health-care sector, suggesting it wasn’t just hit by happenstance in indiscriminate, mass phishing attacks.
Health care isn’t the only critical infrastructure sector at risk, either. The Environmental Protection Agency warned that the water sector is failing to keep up with cybersecurity needs even as threats rise. In a striking example, Iran-linked threat actors disrupted a water facility’s device late last year, after gaining access by simply using the device’s default password. This raises concerns about both the device maker’s and the utility’s cybersecurity practices.
Federal officials also continue to warn about China-backed Volt Typhoon penetrating water and power systems. Hackers appear to be trying to get access they could later use to disrupt or destroy critical infrastructure, should the U.S. and China come into greater conflict. That could be as soon as 2027, when some anticipate China could attack U.S.-supported Taiwan. At home, the U.S. is re-envisioning energy cybersecurity as it moves to a more distributed, greener grid, which brings a bigger attack surface but also resiliency advantages.
Keep an eye on these spaces: Next year, sectorwide risk assessments are expected for health care and water.
Also keep an eye on space. Securing that sector means defending everything from systems on the ground to satellites in orbit and the communication between them. One challenge: Satellites remain in orbit for many years, where they’re difficult to update. Plus, there’s currently little international agreement over space cyber norms.
Federal officials also homed in on food sector cybersecurity and resilience. They conducted a major tabletop exercise, and some legislators pushed for regular threat and vulnerability assessments to better protect the nation’s food supply. One significant ransomware group plaguing the food and agriculture sector is also known for attacks on cities, like Dallas, Texas; Lowell, Mass.; and Oakland, Calif.
Local agencies have taken their own steps on cyber, including more counties applying for .gov domains. This improves website security and makes it harder for scammers to spoof them. The .gov transition has been helped in part by an easier application process and by State and Local Cybersecurity Grant Program (SLCGP) requirements. As the SLCGP continues, the federal government has also begun extending similar grants to tribes, awarding $18.2 million this year.
This story originally appeared in the November/December 2024 issue of Government Technology magazine.