
COMMENTARY: Nevada’s cyber attack a wake-up call on legacy service provider failures

Nevadans are still reeling from the unprecedented cyberattack that paralyzed our state government for weeks. By exploiting vulnerabilities in the systems we have used for years, bad actors effectively shut down Nevada’s state government, halting critical services such as background checks and putting our sensitive data at risk. An attack of this scale not only shows how fragile the systems we depend on are but also exemplifies the need for us to reconsider the vendors we have fallen back on for decades.

While the investigation continues and Gov. Joe Lombardo pushes for legislation to ensure something like this never happens again, we should ask ourselves how we got here in the first place. Recent analysis shows that U.S. government organizations have faced more than 520 ransomware attacks since 2018, which should give us all pause. Perhaps worse than the sheer number of attacks is the estimated $1.09 billion in downtime losses they have caused.

Given that many of them originate from America’s adversaries, including China, Russia, Iran and North Korea, one might expect many of these attacks to target federal agencies such as the Department of Defense and others. Although many do, we’ve seen a concerning rise in the targeting of local communities nationwide. In the past few years, attacks have debilitated St. Paul, Minnesota; Fulton County, Georgia; and Aliquippa, Pennsylvania, by exploiting vulnerabilities in their systems.

With so many attacks perpetrated by foreign actors, it’s fair to assume that the providers we use should take every precaution to ensure that the systems used in local, state and federal governance are secure. Unfortunately, Microsoft, the primary provider employed by all levels of our government, including in Nevada, has done no such thing. In fact, the actions it has taken to cut costs have left Americans to pay the price.

This year, ProPublica reported that Microsoft, out of a desire to reduce expenditures, was using engineers in China to maintain the Department of Defense’s secure computer systems without proper U.S. supervision. To make things worse, the outlet later reported that the company failed to disclose its use of employees based in China in the routine security plans it submitted to the DOD. In fact, Microsoft didn’t make a single reference to its China-based operations or use of foreign engineers.

Microsoft’s lack of transparency and its continued desire to cozy up to China, our chief adversary in cyber conflict, are deeply concerning. Why should we entrust our most trusted data to a company that is so willing to omit truths, cut corners and routinely fail to secure vulnerabilities?

Actions speak louder than words, and while Nevada has a lot to learn from the August cyberattack, one of the most important takeaways is that we should re-evaluate relying on companies that say they will resolve concerns without actually doing so. Momentum has already been built in Congress for action to ensure that Microsoft doesn’t allow the same mistakes to happen again, but state action is long overdue.

Nevadans deserve secure and reliable systems, and we must use this moment to take action to ensure that their data doesn’t fall into the hands of America’s enemies.

Thomas Quilty is an expert in cybersecurity. He currently serves as chief security officer of IMA Team in Scottsdale, Arizona. He writes from Las Vegas.
