Former Army Cyber Corpsman Shares Rural Cybersecurity Threat
The Vidalia Kiwanis Club received a seminar on Cybersecurity on Tuesday, June 14, as former U.S. Army Cyber Corpsman Chris Apsey spoke to the group about the cyber threat in rural Georgia.
Apsey, who now resides in Evans, Georgia, spent 5 years in the Army Cyber Corps as an officer and was the director of the Georgia Cyber Range. He now works as an independent consultant to bring manufacturing back to the United States and to make sure those manufacturing companies have adequate cybersecurity.
“The cybersecurity industry is wrong about pretty much everything for two reasons: They misjudge what matters to people and they focus only on things they understand,” he explained. Apsey began discussing two concepts of human psychology to outline this principle.
He referred to Maslow’s Hierarchy of Needs. “This tells us how humans value certain things in life,” Apsey said. “The basic principle is that people need to satisfy bottom levels to move up in their satisfied needs.” According to Maslow’s Hierarchy of Needs, people must have food, water, shelter, and sleep first as a basis for any other satisfied needs. The next level is safety needs, such as money, employment, and other things to feel secure. The next level is love and belonging, which comes from family and socialization. The next level is esteem, which comes from appreciation and respect. At the top of this pyramid is self-actualization, which is concerned with personal growth and fulfilling potential.
“At any point, if a need is not met, everything above it is gone,” he summarized.
Apsey also discussed the concept of Parkinson’s Law of Triviality to explain his thoughts behind the largest concerns of cybersecurity. He described this concept: “Say there are a group of (ordinary) people whose job it is to design a nuclear power plant, and there’s two buildings that make up the power plant: the power plant itself and a bike shed. Let’s say the committee has an hour to complete this task – they will spend around 45 minutes discussing how to build the bike shed and only 15 minutes on the nuclear power plant. Why is that?” He then revealed the answer. “People naturally want to engage in things they have an inherit understanding of,” he remarked. “Nuclear power plants are very complicated, and most don’t understand them, but most can understand building the bike shed. They will not spend most of the time talking about the power plant even though they know it is the most important aspect because they do not understand it.” Apsey says the cybersecurity industry does just that, and referred to the 2018 hack of the city of Atlanta to exemplify this concept. “It cost about $2.7 million, there was a wifi outage as the Hartsfield- Jackson International Airport went down, the bill pay system for the water utility went down, the judicial fine system went down, and the Atlanta Police Department lost a couple databases,” he told attendees.
“These things sound bad – no one likes losing money, no one likes having no wifi at the airport – but at the end of the day, this is just money,” he continued. “This represents only a financial cost to a municipality, states, and institutions. What it doesn’t include is actual damages to society as a whole.”
He added, “While the hack was going on, if you picked up the phone and called 911, someone answered. When you turned on the tap at your house, water came out that was drinkable. When you turned on your heat, it was hot. So if you asked the average Atlantean if they knew the hack occurred, they weren’t even sure that something actually happened.”
According to Apsey, this event was in the news for a long time, but really was not a big deal to the people of Atlanta because it did not directly attack any level of the hierarchy of needs. He says that the cybersecurity industry tends to focus on hacks, such as the Atlanta hack, because it details quantitative data on losses, like the amount of money lost, which can easily be understood by these professionals. Meanwhile, the true threat, Apsey believes, is the loss of basic needs, such as food and water.
“Can you imagine if you went to turn on the tap in your house and there was no water?” he asked. “Society would collapse as a whole.” Apsey listed the areas of cybersecurity which concern him most: power generation, food production, water, transportation, and emergency services. “Now, going back to Maslow’s Hierarchy of Needs, all of these things fall on the bottom two rungs,” he explained. “What I can tell you is that these things receive almost 0 attention in the cybersecurity realm in comparison to your laptop, email, and those types of things.”
“Let’s say someone attacked the Purdue chicken processing plant, and caused all the chickens to spoil,” he said as an example. “It would be devastating. But these kinds of things get almost no attention.”
He continued, “If you took surveys of companies and what they had to offer, you wouldn’t find much because we really don’t have protection for these kind of things in the United States – and it’s scary because it doesn’t take much to knock some of things (food supply chain, etc.) over.”
Apsey gave other examples of why these issues should be at the forefront of cybersecurity concerns. “The Port of Savannah is the 3rd busiest port in the United States by volume, behind only Los Angeles and New York. Hartsfield-Jackson is the busiest airport in the world. Can you imagine what would happen if flights couldn’t run for a week or a month because of a hack on air traffic control by Russia or China? Can you imagine what would happen if Savannah couldn’t unload those cargo ships because the systems of the machines that unloaded those goods were hacked?” he emphasized. “The devastation it would wreak on Georgia and the nation would be unimaginable, yet almost no money is spent on [protecting these resources].”
What You Can Do
According to Apsey, the areas in which cybersecurity is most important are: power generation, food production, water, transportation, and emergency services.
“Most of the things on that list [of what areas of society concern me regarding cybersecurity} are from rural areas,” Apsey explained. “That is why, to me, rural cybersecurity is the most important cybersecurity.”
Apsey spoke to attendees about what could be done to attempt to protect these sort of issues. His solutions included: have a third party review your procurement processes when you purchase a new computer or other equipment, have periodic external audits of existing systems, pay attention to electronics vendors’ end of life equipment (how service should be given when the vendor chooses to stop producing the product), apply updates from the vendor whenever possible, and look at your operations beyond the information technology perspective (review the tangible data storage). “Basically, just be careful in what you buy – do your research,” he commented. “Make sure to update when needed, and backup your data.”
Q & A Segment
Apsey also answered several questions from the crowd regarding everything from social media to the possibility of attacks from other countries. According to him, terrorism is the biggest threat to American cybersecurity, because these individuals do not desire to gain anything but to take from the nation. Also, Apsey encouraged everyone to make long passwords rather than changing passwords every so often. He says these longer passwords are harder to guess, and make it more difficult for accounts to be hacked. He also advised the public to refrain from sharing their location on social media, and to avoid entering valuable information to websites when using public wifi.