By Dr. Steve Albrecht
Originally published in Computers In Libraries Magazine, June 2023
Over the last 6 years, libraries in St. Louis; Boston; Northampton, Pa.; Syracuse, N.Y.; Contra Costa, Calif.; Spartanburg, S.C.; and Butler County, Pa. have all had to deal with outages and disruptions to their servers and data caused by ransomware attacks. In July 2019 and again in April 2022, the Westchester County, N.Y., library system was hit with ransomware attacks. In a news release for the 2022 incident, the library told patrons, “The Westchester Library System informed us yesterday that the public internet terminals’ hard drives need to be wiped. … Considering that there are 500 terminals in 38 different libraries the process will take 1 1/2 to 2 weeks” (bit.ly/401Yi3q). In August 2022, the venerable library supplier Baker & Taylor was hit by a ransomware attack (bit.ly/3YMIzV5).
By this point in our internet lives, we have all seen stories of supposedly secure federal, state, or local government or corporate sites hacked; the hijacking of social media accounts of celebrities; and intrusions of even “unbreakable” password storage sites and smartphone applications. We have moved beyond the point where constant vigilance, deterrence software, and toothless end-user policies are enough. Why is it that even as recently as 2022, the most common passwords—and therefore the easiest and fastest to guess—are still “password,” “123456,” “guest,” and “qwerty”? Have we learned nothing about how easy it is for software programs to guess any password under 12 letters, numbers, or symbols? If a 16-year-old kid from Estonia using a simple brute-force password-cracking program can get into the network of a Fortune 500 company, something is seriously wrong with our cyber-protection strategies.
The Need for Library IT Professionals to Step Up
I have conducted dozens of security site assessment reports for libraries. As part of these projects, I spend time speaking with the IT/information systems (IS) directors, managers, supervisors, and technical employees, asking pointed questions about the strength of their cyber-protections. We talk about software updates; backing up data off-site or to the cloud; preventing hacking; dealing with denial-of-service (DOS) attacks; and even how to train, remind, and encourage all library employees and their patrons to comply with cybersecurity policies and not make things easy for the cyber-predators to steal data, shut down operations, or hold the library’s OSs, payroll functions, or internet access for ransom.
The problem with this approach is that unlike physical security devices that I can see or security operations that I can observe, I can only take the word of the library’s IT/IS experts that all they have told me is true and “everything is fine.” This is their area of security expertise, not mine. This makes me uncomfortable. Not only do I not know what I don’t know, but it’s more likely they feel uncomfortable revealing their real security concerns to me about actual or potential weaknesses in their systems. Their lack of openness to me about real vulnerabilities—including issues senior library management would likely not know or fully understand either, but would want to—does a disservice to us all. It’s time we ask our IT/IS security colleagues in our library systems to own up to their concerns and ask for and get the financial help and—bureaucracy-limiting—support they need to make ongoing improvements, instead of the usual response of trying to clean up the cyberhack after it has happened.
Going After Our Power Grids
We are hearing more about the rising number of attacks on unsecured/unsupervised power stations, as happened in December 2022 in North Carolina and in June 2022 in Washington state. Both left thousands without power for many days. According to a January 2023 article by investigative journalists from the Oregon Public Broadcasting service and the Seattle radio station KUOW, the western power grid—which serves 11 U.S. states and the provinces of British Columbia and Alberta in Canada—“has had more incidents of vandalism, sabotage, and physical attacks during the first 8 months of 2022 than the rest of North America combined” (bit.ly/404Mr4W).
We have also seen disturbing cyberattacks on hospital systems, which have affected their ability to give quality, life-saving care. Most of the cyberattacks on healthcare facilities have attempted to shut down their electronic medical records/electronic health records (EMR/EHR). This has forced the victimized healthcare facilities to revert to pen-and-paper recordkeeping for patient care during the time these systems were hijacked. CNN ran a Dec. 20, 2022, story about this, titled “Brooklyn Hospital Network Reverts to Paper Charts for Weeks After Cyberattack” (cnn.it/3ZP4Xin), and The Washington Post’s “An ‘Unprecedented’ Hospital System Hack Disrupts Health-Care Services,” from Oct. 6, 2022, describes a cyberattack that hit a large healthcare provider with 140 hospitals and 1,000-plus patient care sites in 21 states (wapo.st/3Woc2U1).
One of the most valuable uses of EMR/EHR computer systems is that they help to cut down on human errors in the receipt of medical services, which is a problem that still leads to thousands of patient deaths per year. (This number is in constant dispute by medical researchers, patient advocates, and defenders of their various healthcare providers and systems. Even one medical error leading to a death is too many, and the reliance on computers in healthcare makes hacking and DOS attacks life-threatening events.)
Time for a New Model for Measuring Workplace Violence?
“Workplace violence is the act or threat of violence, ranging from verbal abuse to physical assaults directed toward persons at work or on duty,” according to the National Institute for Occupational Safety and Health (NIOSH). There are four perpetrator types:
- Criminal intent (i.e., involving criminals)
- Customer/client (i.e., taxpayers, students, patrons, patients, passengers, etc.)
- Worker to worker (current or former)
- Domestic violence (involving an employee, for example)
These labels are often used in the policy language of most research, government publications, and law enforcement agencies; K–12 schools; colleges and universities; churches; malls; concerts; and public gathering places, such as libraries. The four perpetrator types help academics and government researchers, security practitioners, first responders, human resources professionals, and those who seek to identify the connection between the attacker and an act. Our constant goal is that by understanding this nexus, we can develop ways to stop them, enhance the security, and improve the way we interact with each group, either as potential perpetrators or as potential victims. (How we treat people—as library patrons or customers who use our facilities and services—can make an enormous difference in their desire for revenge, a major factor that encourages or deters them from making threats or using violence.)
We can now define a cyber-driven workplace violence incident as one that can cause the injury or death of many people because the electronic or internet systems we rely on have been compromised, shut down, or held hostage. It’s time to make the case that a new fifth workplace violence perpetrator type should be cyberattacks, which cause fear, injuries, or the potential for actual deaths. We need more awareness-building through continuous education; better cyber-vigilance, starting in our K–12 schools; and advanced deterrence and denial software and hardware tools to combat what is clearly a growing threat to our peace and our lives. The bad guys should not have more advanced tools and techniques than our government, intelligence, and military agencies. We should not have to worry about the necessities that make civilized life possible—constant electricity, clean water, hygienic sanitation, and healthcare facilities—being extorted and forced into operating as if it were the 1950s.
A DOS attack or a successful ransomware attack isn’t just an inconvenience—it has the potential to be life-threatening. While it may be true that some of our fiercest foreign enemies lack technical sophistication, they can certainly buy the brainpower they need from other countries who hate us too. We continue to see so much in open source news about hacking attacks from China, Russia, North Korea, and Iran, as well as numerous others from unidentified attackers or anonymous nation-state actors. (Imagine what is not publicized by our own military or intelligence services and those of our allies.)
At a Jan. 26, 2023, U.S. Department of Justice and FBI press conference, Deputy U.S. Attorney General Lisa Monaco said, “Using lawful means, we hacked the hackers.” This referred to the government’s takedown of a notorious cybercrime and ransomware network known as Hive. “The Justice Department said that over the years, Hive has targeted more than 1,500 victims in 80 countries, and has collected more than $100 million in ransomware payments,” according to Reuters. A Canadian researcher working for a cybersecurity company called Hive “one of the most active groups around, if not the most active” (reut.rs/3ZNCBEy). Let’s hope this is the start of our stronger offense, not just a defensive posture, wherein we wait to be cyberattacked.
A Worst-Case Cyber-Scenario
It’s too painful to even think about a darkness falling over this nation, literally. Imagine digital terrorists shutting down the country, using keystrokes from thousands of miles away, not weapons of mass destruction. Let’s consider a worst-case scenario, in which 10–20 midsize American cities have their electric power grids taken down. How could this happen? By targeting their power stations, transformers, and electrical towers—not with bombs that destroy them, but with cyberattacks on the software that runs them. With no electricity, no internet, no basic human needs for water and hygiene met, and no civil protection, our society would crumble into lawlessness and despair—and quickly.
Consider the chaotic environment created if several major U.S. cities were to go completely without power for a week: Hospitals run out of diesel fuel for their backup generators; banks can’t open their vaults or dispense cash from ATMs; burglar alarms stop working after their batteries die; food spoils in homes, grocery stores, and restaurants; no gas from local gas stations can get delivered or pumped; no one can charge their cellphones; water pumps and wells won’t work; sewer treatment stops; there’s no heat in the winter or A/C in the summer; and emergency communications systems at fire stations, police stations, airports, aircraft control towers, and emergency operations centers stop functioning when their backup generators go down.
Think this won’t happen in our lifetime? Southwest Airlines had a major software shutdown over the 2022 holiday season that crippled its operations and reputation. The Federal Aviation Administration’s national air traffic control system known as NOTAM (Notice to Air Missions) had a 90-minute shutdown in January 2023 that created the largest single-event aviation ground stop since the 9/11 attacks. Had enough doom and gloom with just these two non-life-threatening scenarios? If our lives are put at risk, we will enter a Digital Stone Age.
What will happen if they do knock out our power grids, power plants (nuclear, gas, coal), mass server sites, water supplies, sewer treatments, and hospitals? And our libraries? It’s time to make our case for a new fifth type of workplace violence perpetrator: the cyberattacker. Libraries are a component of our national heritage and identity and are part of the strength of our communities. Library leaders and staffers need to do their part, every day, to keep internet and intranet access safe in their facilities.
How Vulnerable Are You? Questions to Ask IT
Library leaders need to have an honest discussion with the IT/information systems (IS) professionals responsible for keeping the library's network, servers, hardware, and software systems protected and in working order. This includes these questions:
- Even if our data is backed up nightly to an off-site location or a cloud-based system, if we were to get hacked, how much data could we lose, measured in time? Is 24 hours' worth of data gone? Less? More?
- Have we ever conducted a worst-case scenario drill? If so, what was the scope, and what did the outcome tell us we still need to do?
- Do we make regular changes to our network access systems, so that we don't trade security for convenience with our passwords and with who is allowed to access our servers?
- Is there a complete removal process for server access that IT/IS uses when one of its employees leaves, even under pleasant circumstances? Since many library employees at all levels worked from home during the pandemic, have we removed all remote access capabilities since then? If not, who still has them and why?
- Does the IT director or manager have a physical sign-in/sign-out procedure each time any employee goes into our server room? Have we considered installing a camera over the server room door to be able to see who enters?
- What type of fire control system do we use for our server room? Since halon is usually no longer used, do we have a CO2 or FM-200-type fire suppression system?
- How often is the air conditioning system in the server room serviced?
- If money were not an issue, what systems, procedures, or policies would you put in place to fully protect our server systems? Can we buy, install, or adopt portions of those perfect-world solutions to improve our best practices now?
- What three things do you want all library employees to do when it comes to protecting our IT/IS systems?
- What three things do we need staffers to remind all patrons to do to help us protect our IT/IS systems?