The Open Source Revolution in Government

Open source technology accounts for a significant portion of most modern applications, with some estimates going as high as 90%, and it is the foundation of many mainstream technologies. Its strength lies in the fact that a vibrant ecosystem of developers contribute to and continually improve the underlying code, which keeps the software dynamic and responsive to changing needs. Enterprise open source software further augments these community-driven projects by providing enterprise-grade support and scalability, while retaining the innovation and flexibility driven by the open source development model. By providing the best of both worlds, such solutions represent a powerful arsenal of tools for addressing government’s most pressing challenges. In a recent pulse survey of FCW readers, 93% of respondents said they were using open source technology. And more than half of respondents to FCW’s survey see open source as an integral resource for strengthening cybersecurity. That number reflects a positive trend toward a better understanding of open source software’s intrinsic approach to security. The power of enterprise open source technologies lies in a combination of collaboration, transparency and industry expertise. As agencies expand their use of such technologies, they maximize their ability to achieve mission success in the most secure, agile and innovative way possible. Learn how the combined power of community-driven innovation and industry-leading technical support is expanding the government’s capacity for transformation in Carahsoft’s Innovation in Government® report.

 

Why Open Source is a Mission-Critical Foundation  

“Open source transforms the way agencies manage hybrid and multi-cloud environments. The most critical technology in the cloud, across all providers, is Linux. Everything is built on top of that foundation — both the infrastructure of the cloud and cloud offerings. Given the right partner, the promise of Linux is that it provides a consistent technology layer for agencies across all footprints, including multiple cloud providers, on-premises data centers and edge environments. From that foundation, agencies and their partners can build portable architectures that leverage other open source technologies. Portability gives organizations the ability to use the same architectures, underlying technologies, monitoring and security solutions, and human skills to manage mission-critical capabilities across all footprints.”

Read more insights from Christopher Smith, Vice President and General Manager of the North America Public Sector at Red Hat.

 

How Open Source is Expanding its Mission Reach

“The real power of open source technologies was revealed when they cracked the code on being highly powered, mission-specific, distributed systems. That’s how we are able to get insights out of data by being able to hold it and query it. Today, open source innovation is being accelerated by the cloud, and the conversation is still changing, with people now demanding that their open source companies be cloud-first platforms. Along the way, the open source technologies that start in the community and then receive a boost of commercial innovation have matured. The most powerful ones are expanding their ability to address more of the government’s mission needs. They are staying interoperable and keeping the data interchange non-proprietary, which is important for government agencies.”

Read more insights from David Erickson, Senior Director of Solutions Architecture at Elastic.

 

The Open Source Community’s Commitment to Security  

“A central tenet of software development is visibility and traceability from start to finish so that a developer can follow the code through development, testing, building and security compliance, and then into the final production environment. Along the way, there are some key activities that boost collaboration and positive outcomes, starting with early code previews, where developers can spin up an application for stakeholders to review. Other activities include documented code reviews by peers to ensure the code is well written and efficient. In addition, DevOps components such as open source, infrastructure as code, Kubernetes as a deployment mechanism, automated testing, and better platforms and capabilities have helped developers move away from building ecosystems and instead focus on innovation.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

 

The Limitless Potential of an Open Source Database

“One of the most important elements of any database migration is ensuring that proper planning and due diligence have been performed to ensure a smooth and successful deployment. In addition, there are some key considerations agencies should keep in mind when moving to open source databases. It is essential to start with a clear understanding of the business case and objectives for adopting an open source approach. Agencies also need to decide how the database should function and what it should do to support their digital transformation. Then they must choose the optimal method to deploy the database.”

Read more insights from Jeremy A. Wilson, CTO of the North America Public Sector at EDB.

 

Modernizing Digital Services with Open Source

“A composable, open source digital experience platform (DXP) enables agencies to overcome those challenges. Open source technology is continuously contributed to by a community of developers to reflect a wide array of needs across organizations in varying industries and of varying sizes. A composable approach allows agencies to assemble a number of solutions for a fast, efficient system that is tailored to their needs. When agencies combine a composable DXP with open source technology, they have access to best-of-breed software and the ability to customize the assembly to suit their requirements. An enterprise DXP will enable agencies to achieve a 360-degree view of how constituents are engaging with their digital services and gain valuable data to understand how to enhance their experience. Finally, a composable, open source DXP provides a proactive approach to protecting against security and compliance vulnerabilities.”

Read more insights from Tami Pearlstein, Senior Product Marketing Manager at Acquia.

 

Creating Secure Open Source Repositories

“Protecting the software supply chain requires looking at every single thing that might come into an agency’s environment. To understand that level of visibility, I like to use the analogy of a refrigerator. All the ingredients necessary to make a cake or pie are in the refrigerator. We know they are of good quality, and other teams can use them instead of having to find their own. At Sonatype, our software equivalent of a refrigerator is the Nexus Repository Manager. A second aspect of our offering, called Lifecycle, allows us to evaluate the open source components in repositories at every stage of the software development life cycle. One piece of software can download a thousand other components. How do we know if one of those components is malicious?”

Read more insights from Maury Cupitt, Regional Vice President of Sales Engineering at Sonatype.

 

Better Data Flows for a Better Customer Experience

“A more responsive and personalized customer experience isn’t much different from the initial problem set that gave birth to Apache Kafka. When people interact with agencies, they want those agencies to know who they are and how they’ve interacted in the past. They don’t want to be asked for their Social Security number three times on the same phone call. They also expect that the information or service they receive will be the same whether they are accessing it over the phone, via a mobile app and on a website. To elevate the quality of their service, agencies must be able to stream information in a low-friction way so different systems are consistent with one another and up-to-date at all times, regardless of the communication channel an individual uses. President Joe Biden’s executive order about transforming the federal customer experience is based on this capability. The most successful companies across industries have figured out how to do it, and for the most part, they’ve done it with open source software.”

Read more insights from Jason Schick, General Manager of Confluent US Public Sector.

 

An Open Source Approach to Data Analytics

“For the past 40 years, agencies have used data warehouses to collect and analyze their data. Although those warehouses worked well, they were limited in what they could do. For instance, they could only handle structured data, but by some estimates, 90% of agencies’ data is unstructured and in the form of text, images, audio, video and the like. Furthermore, proprietary data warehouses can show agencies what has happened in the past but can’t predict what might happen in the future. To achieve the government’s goal of evidence-based decision-making, agencies need to be able to tap into all their data and predict what might come next.”

Read more insights from Howard Levenson, Regional Vice President at Databricks.

 

Download the full Innovation in Government® report for more insights from these open source thought leaders and additional industry research from FCW.

Modernizing Licensing and Regulatory Processes with Thentia Cloud

To ensure they are continuously meeting high standards and engaging in ongoing learning in their fields, licensed professionals must renew their license at regular intervals with the applicable regulatory body. Due to the diversity of licenses across industries, licensing agencies manage their processes in a variety of ways. However, across the board, it is important to meet people where they are comfortable: online. Thentia Cloud, an industry-leading, full-service platform for licensing and permitting, provides the perfect solution for regulatory agencies.

Efficient licensing requires shift from manual to digital processes

As the IT landscape continuously changes, industries work to change with it. One recent impactful industry shift has been the switch from paper-based to digitized licensing processes. Previously these manual processes caused long wait times for licensees, which, in extreme cases, prevented them from practicing. On the regulatory side, this often created a large backlog and increased workload for staff, which prevented them from focusing on other important tasks. The inefficiency was heightened especially during the COVID-19 pandemic. With such a large backlog of license applications and renewals, it could take days, or even weeks, for licensees to resolve issues with their applications or receive approval.

Thentia Cloud’s secure online portal makes licensing easier for both regulatory staff and licensees

Licensing services are more efficient when processed digitally. Agencies should move to transform manual licensing into secure, cloud-based services that can be easily utilized by both regulatory staff and licensed professionals. Through Thentia Cloud’s secure and convenient online portal, both parties can manage licensing processes more smoothly. On the licensee-facing side, practitioners can easily make payments and view their invoices, track continuing education requirements, and submit documents related to their license application or renewal. They can also use the web-based portal to securely see all their personal information—such as their name, address, contact information and license status — and make changes if necessary. This eradicates the need for physically mailing forms, payments and documents back and forth, which can add unnecessary time and costs to the process. Another added benefit is that licensees receive an estimated response time. On the agency side, all licensee information is easily accessible and complete. Rather than relying on an annual paper form, all vital information is securely saved in a portal system. This eliminates the need to resubmit the same information, which bogs down staff time.

Thentia Cloud’s powerful data virtualization capabilities enable better reporting and performance measurement

As key performance indicators vary from agency to agency, performance expectations will vary. For some regulatory agencies, the highest priority may be license application turnaround time. For others, it may be how complaints are handled between processing and resolution. Currently, many agencies are limited by their technological maturity. When regulators rely entirely on paper-based processes, their reports tend to be time-consuming, coarsely written, not machine-ready, or completely incompatible with reports from external organizations. Agencies with discrete databases will all face a variety of difficulties generating reports. The process of pulling and analyzing data from multiple different data sets can be tedious and time consuming.

This can be alleviated with data virtualization, which can greatly reduce the time and cost needed to gain information. With licensing solutions, regulators’ comprehensive reporting capabilities can instantly be used to pull new types of queries and export the data from these queries.

Thentia Cloud can also help agencies measure their success. The platform’s powerful analytics and reporting tools can virtualize information from whatever existing database the agency uses, compile information on different queries, and then convert it from discrete data sets into a singular language. With cloud licensing, all agencies need to do is scan and digitize their information. Solutions with reporting capabilities add an additional benefit of robust analytical reports. Thentia Cloud offers 35 custom reports, as well as customer service providers who can help agencies utilize the software to create their own structured query language. This allows regulators to create reports that are specialized to their unique requirements.

Thentia Cloud enables easy communication and information-sharing

Thentia’s cloud-based solution facilitates easy communication and information sharing between government agencies, education providers, licensees and the public. Cloud virtualization allows several groups to meet and collaborate to keep up with changing regulatory requirements. These licensing solutions can perform a variety of functions to aid this, such as schedule meetings, provide reminders, allow areas for documentation, etc. A proper cloud solution removes the difficulties in organizing these elements and provides an easy place for stakeholders to access the information. This can encourage a data-driven decision-making approach for all parties involved. Features such as predictive analytics can help stakeholders avoid potential harm by ensuring licensees are properly tracked, trained and licensed.

Thentia Cloud provides an all-in-one solution to streamline key regulatory processes

With Thentia Cloud, stakeholders have a one-stop location to complete all their licensing needs. Thentia’s cloud-based solution helps regulatory agencies digitize and streamline key regulatory processes, from license registration and renewals, to payments and finance, to analytics and reporting, and more. With the changing expectations of agencies and regulators, Thentia Cloud can maintain pace by providing limitless configurations, automated workflows, centralized data and extensive insights.

Fill out the form to access Thentia’s informative brochure, “Thentia Cloud: Cloud-based licensing and permitting software designed exclusively for regulators, by regulators,” to learn how Thentia can support your organization’s cloud journey.

Overcoming Data Challenges With Virtualization

Despite the variation in their individual mandates, all regulatory agencies have one main objective: to protect the public. However, there are hurdles to this goal. There are heavy costs associated with data warehousing, as large projects require extensive telecommunication and server space. This can be both expensive and time-consuming. Luckily, by implementing data virtualization tools, agencies can overcome these constraints and provide more effective services.

What is Data Virtualization?

Data virtualization is an approach to data management that helps organizations accelerate the turnaround time for converting data into digestible information. These data sources can range from a variety of locations, including distributions and data stores and any documents, emails or spreadsheets an agency has. With such a wide array of data, accessing and understanding all vital information can be both time-consuming and overwhelming. Data virtualization is necessary to streamline access to the answers and information agencies and users require.

How It Works

Data virtualization software begins by creating a layer over or around all existing data sources in an organization. Through its complementary interface, the software outputs the needed information. This process saves an abundance of time that is otherwise spent reading labels and searching for a single piece of information.

Another major benefit is that data virtualization software creates a layer of abstraction between the data source and what the user ultimately sees. The software arranges heterogeneous data from all the different sources across an organization, and then quickly presents it to the user. By properly interacting with the data sources, data virtualization software ensures that all data sources are correctly represented. This way, users can receive sufficient context behind the information they are accessing.

Boons that Enhance Virtualizing Servers

Typically, data virtualization exists between the user and their vast array of data sources. Virtualizing tools have several benefits. They:

  • Reduce the processing time and cost
  • Provide the same opportunity to accomplish a variety of goals and objectives
  • Reduce expenses associated with data integration

In addition to these numerous advantages, virtualizing servers have the same security benefits that any other IT system has. For one, data servers exist on a single network, and are isolated from potential threats. Servers have network isolation and segmentation to prevent the unnecessary cross of information. With granular access control, users can implement micro-segmentation to further this boon. Lastly, by maintaining updates and new security patches, virtualizing servers can stay up to date with the latest cybersecurity practices. For a professional licensing agency, it is always beneficial and necessary to take steps to secure their software. Additional steps don’t need to be taken to protect virtualizing servers.

Choosing the right data virtualization software

The process of implementing data virtualization can be daunting at first. As each organization differs in the types of information it collects and how that information is categorized, data virtualization will also differ. However, there are a few elements that regulatory agencies should consider. First, regulators should determine the setup/layout of their existing organization structure. Questions to consider include:

  • What existing technology is owned?
  • What systems are being worked with?
  • What are the agency’s needs?
  • What are the agency’s top priorities?

All these factors contribute to how data virtualization is implemented. Once the respective regulator reaches a higher end of technological maturity, it should begin looking into fully implementing data virtualization. With the proper virtualization software, regulators can swiftly sift through information.

Data virtualization servers reduce time, resources and cost for regulators

For a variety of agencies, data virtualization can greatly streamline and improve their access to information. By transforming manual systems into a digital, accessible process, virtualization servers reduce time, resources and cost for regulators in their ongoing work to best utilize data to aid the public.

To learn more about Thentia’s data virtualization solutions, visit our website.

EDUCAUSE 2022: Uniting IT and Education

The education landscape has continued to thrive following the aftermath of the COVID-19 pandemic. While stay-at-home orders have been lifted, education has maintained a digital component through online classes and remote-learning technology. Although online education has many benefits, it brings the concern of security breaches. To continue keeping student information secure, education leaders must adapt alongside the changes in technology. EDUCAUSE is a nonprofit association that provides a community for technology, academic, industry and campus leaders to collaborate and build together. The annual EDUCAUSE conference hosted several sessions that showcased ways to keep students engaged and secure in the new age of education.

Educational Institutions as a Hot Target for Cybercriminals

Cybersecurity deserves consistent attention within the education sector. While schools may be compliant with security standards, they can still be vulnerable. Higher education institutions are top targets as they connect thousands of staff, students and faculty members under one system.

There are several strategies IT professionals recommend that can help education systems defend against breaches:

  • Keep operating systems and software up to date
  • Employ multi-factor authentication
  • Maintain robust user training
  • Implement encryption
  • Create cloud back-ups for information
  • Maintain efficient detection and monitoring systems
  • Implement a quick incident response plan
  • Utilize external and cloud data storage

By following these steps, institutions can take the initiative toward deploying security measures for staff and students alike.

Robust Cybersecurity on a Budget

Since many academic institutions still face budget constraints due to COVID-19, their cyber posture may not be their first IT priority. To enhance cybersecurity, even on a budget, institutions should:

Know their external footprint: Through the employment of third-party devices that scan the internet for web service protocol solutions, agencies can see how much of their information is public.

Identify external login flaws: Since hackers can circumvent simple tools like automatic lockout policies, agencies should identify all login portals and check major input fields for automated controls.

Identify cloud security flaws: Agencies should switch to a multi-platformed and open-sourced cloud, since it enables security posture assessments and detection of security risks.

Implement phishing education and exercises: Phishing is one of the most common ways organizations are compromised. Institutions should ensure that all employees are educated on anti-phishing policies.

Clean up network share permissions and information: By utilizing credential scans, sensitive information can be restricted to the proper personnel. Implementing a zero trust framework ensures that each user will only gain the information that they are authorized to access.

Limit the success of kerberoasting: Kerberoasting leverages the functionality of service principals to encrypt users’ passwords, which can later be retrieved offline for hacking. While it is impossible to completely prevent kerberoasting, agencies that implement detection capabilities limit the exposure and effectiveness of kerberoasting.

Prevent relay attacks: Software should avoid authentication systems that can be relayed or cracked. Responder tools can be used to analyze traffic and point out vulnerabilities.

Identify Active Directory misconfigurations: As Active Directory environments mature, built-up misconfigurations can cause excessive access privileges. To prevent these from being misused by bad actors, institutions should implement tools that check for vulnerable certificates.

Strengthen password security: Agencies should ban easy-to-guess passwords, enable multi-factor authentication and disable old accounts.

Avoid flat networks and lack of network segmentation: Access should be limited to those that need to know; student and faculty accounts should reside on different domains.
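
One way to implement the detection capability mentioned under “Limit the success of kerberoasting” above, as an added example that is not part of the original post: it scans Windows Security event 4769 records (Kerberos service ticket requests) for a single account requesting RC4-encrypted tickets for several distinct service accounts within a short window. The simplified field names, the sample events, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769


def _ev(time, account, service, etype, ip, event_id=4769):
    """Build one simplified event record (hypothetical field names)."""
    return {"time": time, "event_id": event_id, "account": account,
            "service": service, "etype": etype, "ip": ip}


# Constructed sample data: every account, service and address here is made up.
SAMPLE_EVENTS = [
    _ev("2023-01-10T08:00:00", "asmith@CAMPUS.EXAMPLE", "svc_legacy", "0x17", "10.0.5.31"),
    _ev("2023-01-10T09:00:01", "jdoe@CAMPUS.EXAMPLE", "FILESRV01$", "0x12", "10.0.5.20"),
    _ev("2023-01-10T09:00:03", "jdoe@CAMPUS.EXAMPLE", "svc_print", "0x12", "10.0.5.20"),
    _ev("2023-01-10T11:00:00", "asmith@CAMPUS.EXAMPLE", "svc_sql", "0x17", "10.0.5.31"),
    _ev("2023-01-10T13:02:00", "student42@CAMPUS.EXAMPLE", "krbtgt", "0x12", "10.0.9.77",
        event_id=4768),
    _ev("2023-01-10T13:02:10", "student42@CAMPUS.EXAMPLE", "svc_sql", "0x17", "10.0.9.77"),
    _ev("2023-01-10T13:02:15", "student42@CAMPUS.EXAMPLE", "svc_web", "0x17", "10.0.9.77"),
    _ev("2023-01-10T13:02:21", "student42@CAMPUS.EXAMPLE", "svc_backup", "0x17", "10.0.9.77"),
    _ev("2023-01-10T13:02:50", "student42@CAMPUS.EXAMPLE", "svc_lms", "0x17", "10.0.9.77"),
    _ev("2023-01-10T15:00:00", "asmith@CAMPUS.EXAMPLE", "svc_web", "0x17", "10.0.5.31"),
]


def find_kerberoast_candidates(events, window_seconds=300, min_services=3):
    """Return requesters that asked for RC4 service tickets for at least
    `min_services` distinct service accounts within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_requester = defaultdict(list)

    for ev in events:
        # Only service ticket requests (4769) are relevant here.
        if ev.get("event_id") != 4769:
            continue
        # AES-encrypted tickets are the normal case in a modern domain;
        # RC4 requests are the ones worth a closer look.
        if ev.get("etype", "").lower() != RC4_HMAC:
            continue
        service = ev["service"]
        # Skip computer accounts (names ending in "$") and krbtgt: their
        # keys are random and long, so they are not useful to crack offline.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        when = datetime.fromisoformat(ev["time"])
        by_requester[(ev["account"], ev["ip"])].append((when, service))

    findings = []
    for (account, ip), requests in sorted(by_requester.items()):
        requests.sort()
        best, best_start = set(), None
        # Slide a window from each request and count distinct services in it.
        for i, (start, _) in enumerate(requests):
            seen = {svc for when, svc in requests[i:] if when - start <= window}
            if len(seen) > len(best):
                best, best_start = seen, start
        if len(best) >= min_services:
            findings.append({
                "account": account,
                "ip": ip,
                "services": sorted(best),
                "first_seen": best_start.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_kerberoast_candidates(SAMPLE_EVENTS):
        print(f"{hit['first_seen']} {hit['account']} from {hit['ip']}: "
              f"RC4 tickets for {', '.join(hit['services'])}")
```

A single RC4 request from a legacy application is common, so the threshold on distinct services within the window is what keeps the alert volume manageable; tune both values to the environment's baseline.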

Fostering a Sense of Belonging for Online Students

By meeting students where they are comfortable, educational institutions can readily share information. For example, since students are familiar with their phones, when universities utilize phone apps it can help provide a unified, digital experience for higher education students to reduce complexity, fuel career readiness and stoke student success. When creating an app for an institution, some helpful features to include are:

  • Tailored experiences with custom events depending on the user
  • Information unique to students, such as a marketplace to buy and sell goods like dormitory furniture or textbooks
  • IT toolkits
  • Self-assessment tools for COVID-19 or the flu
  • Campus features such as desk or study center reservations, transit routes, dining schedule or university maps
  • In-app messaging that can be directed to groups, such as students or faculty or personal messages
  • Feedback surveys to inspire improvement

Higher Education’s Top IT Issues for 2023

As students have become accustomed to hybrid and virtual learning, their expectations for new and elevated digital experiences have increased. There are many ways to achieve this modernization, but it requires intentional effort and technology updates from education administrators. Challenges to consider when implementing technology into learning are to:

  • Ensure IT has a “seat at the table” so they can weigh in on decisions
  • Ensure privacy and cybersecurity by training students and faculty to avoid scams, shift to data minimization, address cloud migration risks and leverage contracts with cybersecurity experts and investments
  • Adapt to students’ interests and products familiar to them
  • Create a seamless and enriching student experience
  • Utilize student data to update technology to better empower students
  • Pursue next-generation IT support to expand and reimagine digital campus abilities

Promoting Independence Through IT

A school’s duty is to prepare students for their futures in the workforce. Oftentimes, many careers require extensive knowledge of an array of technologies. Students should show proficiency in these areas to take advantage of more opportunities in various fields. By implementing technology into everyday use, educational institutions can promote confidence in technology, problem-solving skills, time management skills and collaboration between peers.

Diversity, equity and inclusion are also vital to university standards from both a legal and moral lens. IT intersects with diversity to make enrollment and education accessible to all by analyzing existing data to revamp hiring rubrics or utilizing cross-team conferences to create inclusive policies. With these inclusions, schools can emphasize transparency and accountability.

The pandemic revealed the importance of campus communication systems expanding beyond traditional parameters. Education departments had to shift to a remote work environment that a traditional phone system could not easily support. Universities should leverage communications software to reduce costs, provide additional flexible phone capabilities and accommodate all students regardless of where they live.

Through the inclusion of technology, educational institutions can reach new heights in their accessibility and connection with students. By enhancing security and offered digital features, educators can prepare students for an ever-changing workforce.

 

To learn more about utilizing IT for education initiatives, visit Carahsoft’s EDUCAUSE resource hub to schedule a meeting and speak to a representative today.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at EDUCAUSE 2022.*

3 Ways to Address Developers’ Productivity Concerns

From modernizing software development to creating Zero Trust cybersecurity architectures, the federal government has ambitious plans for 2023. But those plans will only reach fruition by removing the barriers that get in the way of developer productivity.

Government agencies have made great strides to bring IT teams, including developers, closer together over the past few years. For example, they’ve made significant investments in software development factories that are rooted in DevOps cultures. And the Department of Defense clearly recognizes the benefits of collaboration between cybersecurity and development teams, making it a core facet of the agency’s software modernization strategy.

But as a recent Mattermost survey discovered, more must be done to break down communication and collaboration barriers that inhibit developer productivity.

For Unblocking Workflows: The 2023 Guide to Developer Productivity, 300 software developers were surveyed to find out what’s keeping them from being as productive as possible, and what can be done to accelerate productivity. Their responses showed that although organizations have tried to build more collaborative development cultures, there’s still some work to be done in certain areas.

Let’s dig into some of the challenges—and what you, as a government IT professional, can do to address them.

“Poor communication across teams” is a big productivity challenge

Poor communication practices are the biggest obstacles to productivity and collaboration, with 29% of survey respondents citing “poor communication across teams” as an inhibitor. Their biggest issues are around “lack of process and documentation” (27%) and “lack of clarity around project prioritization” (25%).

General-purpose collaboration platforms that other teams use aren’t helping. Thirty-seven percent of respondents said there are “too many distractions from non-developers” using those tools while 25% said they “don’t fit their workflows well.”

“Information spread across too many tools” (46%) and “lack of integration with other tools” (45%) are making it tough to collaborate and find information

Having to work with different tools is also making it difficult for developers to collaborate. Indeed, the developers surveyed said that information silos were among their biggest concerns.

These silos are making it frustrating for developers to find what they need when they need it. Thirty-two percent of respondents said they spend 3 to 5 hours per week hunting down information while 18% spent 6 to 8 hours.

Remote work “somewhat improves collaboration” but continues to be a source of tension among some developers

Remote work might be the norm, but developers aren’t entirely taken with it. Forty-three percent of respondents stated that remote work “somewhat improves collaboration” while 33% believe it makes collaboration worse.

That number is down from our 2021 survey, where more than half of respondents said that remote work was a net gain. The fact that the number has fallen is likely a reflection of the deterioration of communications practices and lack of integration, both of which contribute to poor project clarity.

What government agencies can do to improve developer productivity

Our survey respondents sent a clear message: Give us tools and processes that allow us to collaborate more effectively, break up information silos, and share knowledge easily. There are three things you can do to satisfy these needs.

  1. Invest in software built for developer workflows.

Since open source is easily customizable, it’s simple to integrate different development tools. This will make it easier for developers to share code and resources, manage workflows, and communicate with each other without interference from other teams.

  2. Create a central repository for knowledge sharing.

Having a “single source of truth” that developers can refer to when looking for information can save enormous time. Invest in a repository that pulls information from different teams and tools. Provide developers with greater visibility and access to the information they need to do their jobs more efficiently.

  3. Automate information sharing and workflow management.

Automatically input new information into the repository once it’s received so developers don’t have to look for it. Automate workflow processes, too, by using a system that automatically checks off tasks when they’re done, alerts developers when it’s their time to work on a project, and more. Help your developers spend less time focusing on these tasks and more time building applications.

The success of accelerated investments in software factories and modernization initiatives in 2023 will depend in large part on developers’ abilities to be productive. Right now, there are obstacles getting in the way of that productivity. But you can eliminate those obstacles by improving collaboration and information sharing.

 

Want to learn more about developers’ productivity concerns and what you can do to address them? Check out Unblocking Workflows: The 2023 Guide to Developer Productivity.

Ransomware on the Rise

News story after news story and cyberattack after cyberattack have demonstrated the rampant presence of ransomware in today’s society, taking down companies of all shapes and sizes in both the public and private sectors. Gartner predicts that by 2026 unstructured data storage, which is very susceptible to ransomware, will triple in size, bringing an inevitable increase in the attack surface. Currently, 80% of enterprises’ data is made even more vulnerable by the number of daily users, its distributed nature across devices and servers, and an overall lack of secure protection.[1]

Experts have arrived at this bottom-line conclusion—everyone is vulnerable to a ransomware attack and cybersecurity measures have become an absolute necessity, not an option.

RANSOMWARE DEFINITION

Ransomware is a form of extortion through malware exploiting cyber vulnerabilities to infiltrate systems and capture vital operating or private data. The cybercriminals require payment, often in the form of cryptocurrency, for the release, restoration or decryption of the files or the assurance of not blackmailing individuals with the information accessed. Only 2% of organizations within healthcare get their full data back even after paying the ransom, with the majority of organizations receiving about 65% of their information back.[2] Currently, the situation has escalated to the point where bad actors are demanding multiple ransoms, one to restore the data and others to not publish the information on the black market.

The four primary ways ransomware infects a system are through:

  1. Phishing emails and malicious links
  2. Insecure network ports, devices and services
  3. Backdoors left by other malware
  4. Network vulnerabilities such as poor password hygiene with little user authentication, too many legacy systems, missing software patches and updates, etc.[3]

The rise of ransomware as a service (RaaS) has increased the ease of carrying out a cyberattack with practically no technical knowledge necessary for a criminal to execute the attack.[4] One group creates the malware program code and then sells it for other groups to initiate the attack on specific victims.[5] X-Force head Charles Henderson said these crime affiliations have created a condition in which “criminals are more collaborative than the cybersecurity industry.”[6]

All the shifts and advancements in ransomware require a frank review of the past few years and the statistics to understand the situation, properly form the best course of action and minimize the repercussions on American citizens through critical infrastructure.

RANSOMWARE LANDSCAPE

Ransomware has existed since 1989; however, the past two years have seen a dramatic spike in the quantity and impact of cyberattacks. All areas of government, business and healthcare are susceptible regardless of their size and relative importance.[7] In recent years, the landscape has changed from individual domestic hackers exploiting opportunities to organized groups of professional criminals, based in and often funded by adversarial nations, who strategically disrupt critical functions to achieve financial and political goals.[6]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 major critical sectors whose capabilities directly impact the national public health, safety, security and economy of America, most of which (14 out of 16) have fallen under heavy ransomware attack in the past two years.[8] By targeting these essential infrastructures across financial, industrial, transportation and healthcare institutions, bad actors can disrupt nation-wide and global supply chains. CISA executives stress the importance of universal action to improve cybersecurity and combat the widespread ransomware threat. Because of the interconnectivity of U.S. infrastructure, they warn that if one organization is compromised, cybercriminals could gain access and infiltrate other larger vital service providers and ultimately spread out of control.[9]

Government agencies and critical businesses are not the only groups seeking to improve through tech modernization. The ransomware landscape has changed drastically due to advances in cybercriminal activity as well.

[Infographic: Carahsoft Ransomware Cybersecurity Blog Series, Blog 1, 2023]

The timeline of these attacks has also accelerated. In 2019, the average time between initial system infiltration and malware deployment was over two months, but in 2021 it dropped 94% to an average of less than four days.[12] Every 10 seconds, a new victim is attacked by ransomware. Not only are attacks and ransom demands increasing and deployments getting faster, but the majority (60%) of companies do not feel prepared to face a similar threat in the next 12 months.[13] This problem is expected to continue to grow over the next decade, with ransomware cost predictions of more than $265 billion in total damage by 2031.[14] Agencies and organizations must evaluate their cybersecurity standing and make improvements to ensure that they can withstand these escalating attacks.

RANSOMWARE — ACTION REQUIRED

Contrary to public opinion, most cybercriminals do not primarily target organizations based on the perceived importance of their data, but rather on how easily the system can be infiltrated and how likely the company is to pay the ransom. Critical infrastructure in particular has an obligation to strengthen and reinforce its cybersecurity to prevent disruption and protect these vital functions for the American people. Given these trends, officials point to the harsh new reality that ransomware is not a question of if a company will be attacked through malware, but when. Based on the current landscape, organizations must act or risk being swept away by the growing tide of ransomware.

 

Carahsoft and its partners offer cybersecurity solutions to defend against ransomware and mitigate the risks. Reach out to discover how Carahsoft can make an impact for your organization. Dive deeper into how ransomware is affecting U.S. critical infrastructures such as healthcare and utilities in our Ransomware in Healthcare and Utilities Blog. Find our full Ransomware Series here.

 

Resources:

[1] “Protect, Detect & Recover: The Three Prongs of a Ransomware Defense Strategy for Your Enterprise Files,” Nasuni, https://media.erepublic.com/document/Whitepaper-_A_Three_Prong_Ransomware_Strategy_-_Nasuni.pdf

[2] “The State of Ransomware in Healthcare 2022,” Sophos, https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/

[3] “Security Primer – Ransomware,” Center for Internet Security, https://www.cisecurity.org/insights/white-papers/security-primer-ransomware

[4] “Ransomware: In the Healthcare Sector,” Center for Internet Security, https://www.cisecurity.org/insights/blog/ransomware-in-the-healthcare-sector

[5] “Health Care Ransomware Strains Have Hospitals in the Crosshairs,” Security Intelligence, https://securityintelligence.com/articles/health-care-ransomware-strains-hospitals-in-crosshairs/

[6] “Ransomware Attacks on Hospitals Have Changed,” AHA Center for Health Innovation, https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed

[8] “Critical Infrastructure Sectors,” Cybersecurity & Infrastructure Security Agency, https://www.cisa.gov/critical-infrastructure-sectors

[9] “Ransomware Hackers Will Still Target Smaller Critical Infrastructure, CISA Director Warns,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/ransomware-hackers-will-still-target-smaller-critical-infrastructure-cisa-director-warns/374953/

[12] “Ransomware in 2022: Evolving threats, slow progress,” TechTarget, https://www.techtarget.com/searchsecurity/news/252522369/Ransomware-Evolving-threats-slow-progress

[13] “Global Data Protection Index 2021,” Dell Technologies, https://www.dell.com/en-us/dt/data-protection/gdpi/index.htm#pdf-overlay=//www.delltechnologies.com/asset/en-us/products/data-protection/industry-market/global-data-protection-index-key-findings.pdf

[14] “Ransomware in the Utilities Sector,” ThirdPartyTrust and BitSight, https://info.thirdpartytrust.com/hubfs/03%20Guides%20and%20Ebooks/ransomware-utilities-bitsight-thirdpartytrust.pdf

Infographic Resources:

[7] “Ransomware Threat March 2022: Special Report,” Nextgov, https://www.nextgov.com/assets/ransomware-threat-ngq122/portal/

[10] “Looking Back at the Colonial Pipeline Ransomware Incident,” Government Technology, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/looking-back-at-the-colonial-pipeline-ransomware-incident

[11] “Much to Do About Ransomware: Report Highlights a Path Forward,” Government Technology, https://www.govtech.com/security/much-to-do-about-ransomware-report-highlights-a-path-forward