LEXINGTON, Ky. (LEX 18) — The Colonial Pipeline ransomware attack disrupted life for millions of Americans in early May and caused those watching from a distance to wonder if they too could be affected by a similar hack.
Former Marine and University of Kentucky Director of Cybersecurity George Insko said a hack that large could "absolutely" happen anywhere.
"What's worse is that we've known about the types of attacks for quite some time; we haven't been doing a whole lot about it," explained Insko. "And, although a pipeline is bad, we're lucky that it didn't explode and kill somebody."
Insko said he and other colleagues in the security world are not surprised by what happened.
"The reason we're in this predicament in the industry as a whole, is that the systems that we are creating and writing in the software that we're creating and writing is very complex, lots of lines of code, they're designed to do specific tasks, and may not, and oftentimes do not have security built around them," he explained. "They're more interested in getting up, working and out the door, and easily fixed, than to have secure security built-in and wrapped around it."
Part of the problem, Insko said, is convincing companies to spend money on cybersecurity.
"Most CIOs and board of directors or go the cheap route," he said.
Insko said many of them don't always understand the intricacies of cybersecurity because they are not digital natives.
"The younger kids, they understand it, they understand the risks, they understand how to get into things and what it all means.," he said. "So until some of the more younger digital natives, get up into the boards into the CIO spots, it's gonna be hard for some of this to change."
Another issue? Top-notch skill in the necessary places. Insko said in the cybersecurity field, there is nearly a negative 2 percent to 0 percent unemployment rate. In consequence, places where the infrastructure lies in the ground are hard to convince young talent to move to, "so states like Kentucky and Appalachia, are hurting for talent."
Insko said more attacks are imminent it just depends on where and how.
"They're just gonna get bolder and bolder and target more important things because that's where the money's at," he said.
Insko is pleading with the public and with companies to pay more attention to cybersecurity from the bottom up.
He also believes cybersecurity education should start as early as kindergarten.
We don't cyberbully, we keep good hygiene we don't post pictures of ourselves until we're 18 online in certain situations. We know what bad behavior is and stay away from certain sites and how to be just a good American online," he said.
For adults, Insko said he hopes they vote their opinion at the ballot box or limit their purchases to companies that invest in cybersecurity protection to send a message with their dollars.
For companies, though adding cybersecurity is a burden, "The other side, this argument has very valid points, right? You're trying to hit a moving target. And you're just increasing burden on small businesses, but there needs to be a national plan to help combat this," Insko said.
Although it could take years to address, Insko said it is crucial for not only safety but sense of normalcy that cybersecurity comes centerfold as next time it might not be just a long line at a gas station.
"We're not surprised because we knew it was coming, and we know we have a lot of work to do," said Insko. "The work isn't necessarily putting technical and physical controls in place, that some of it. But, the real work is educating, small businesses and legislators, and people in control with the pocketbooks to say, 'Hey, look this is a problem.' And it doesn't just impact you, impacts, it can impact many many people."