From Y2K To NYC Parking Meters: Have We Learned Anything About Complacency In Cybersecurity?

Cybersecurity Complacency

This past January – in what seems like a different world now – a story briefly hit the headlines and was seen as more of a quirk than a threat. It was soon eclipsed by the enormity of the COVID-19 pandemic, which has occupied the world’s attention ever since. But this story should not be forgotten, because it has roots that extend far back into the past and, more importantly, has serious implications for computing and threat management far into the future. And it starts with some parking meters in New York City.

The problem – as small as it might seem to some – was that immediately after New Year’s Day 2020, some parking meters in NYC stopped accepting credit and parking cards. At fault was the credit card payment software built into the meters. According to the manufacturer, its anti-fraud system had not been updated, which meant the software essentially expired as the calendar turned to January 1, 2020. Technicians were dispatched to manually adjust the individual meters, one at a time, and in the meantime, New Yorkers were still able to pay using coins.

But dismissing this story as a mere quirk would be like walking across a frozen lake and shrugging your shoulders at a small crack that radiates out from your footstep. Small cracks inevitably lead to larger ones and tend to grow exponentially.

The NYC parking meter software bug serves as a very real reminder that the applications and networks we rely on for every part of our lives are still inextricably interconnected, and much of this connectivity includes legacy technology that was built and deployed in an earlier time, usually with a finite life that is quickly approaching its end or may already have done so.

The biggest of these was, of course, the Year 2000 Problem. Collectively known as Y2K, this revealed the hundreds of thousands of systems worldwide using a two-digit date system that meant a move beyond 1999 would be a move backward to 1900. There were worries of aircraft falling out of the sky, power grid shutdowns and all manner of destructive events to come. Fortunately, enough skilled programmers, many brought out of retirement, were martialed, and enough money was spent – estimated at $500 billion globally – to thwart most of the problems.

The fact that nothing bad happened on January 1, 2000, was not hailed as a victory of proactive crisis management, but more like a disappointment that the entire thing had always been a nonevent, and perhaps was overstated from the start. This is a problem that happens with human beings in general. Being wired for reaction and not pro-action, it becomes exceedingly difficult to comprehend threats until they are actually upon us. Endless case studies will be written on this topic by people observing different countries’ responses to the COVID-19 pandemic, climate change, earthquake preparation and much more.

Software glitches will continue to plague us. In 2036 and 2038, two separate computer systems that rely on time-codes will roll over into potential chaos if they are not upgraded or replaced. The 2038 problem affects 32-bit systems relying on time-codes that max out on January 19 of that year, and before that a rollover is expected in 2036 for Network Time Protocol systems.

In all likelihood, the affected systems will have been replaced within the next 16 years, but the dangers still exist. The most obvious place where they exist will be legacy systems once again, following years of patches and layering. But the other and more pressing circumstance may be cases where advance calculation of expiry dates is needed. This may result in computing failures or physical defects in products long before the year 2036 comes around.

The elephant in the room is not so much the software glitches themselves, but the complacency that influences decision making at all levels within an organization. In addition to shrugging away potential risks, humans also tend to avoid situations that make them fearful or uncomfortable. On a personal level this is called procrastination, but on a corporate and strategic level, proactive change may be suppressed due to financial concerns, or potential damage to a reputation. An airline, for example, will likely never want to go to the press to describe a software glitch that may affect flight safety, even if it is being fixed.

These are examples of challenges, both past and future, that organizations need to be aware of. There will be many more – not just in terms of calendar-specific software glitches, but also in terms of data security, as networks continue to connect with IoT devices, phishing crimes grow in sophistication, and threat actors exploit artificial intelligence and machine learning to dig through stored legacy data to find new and innovative ways to prey on organizations worldwide.

Safety and preparation come from having a team of people who understand threats and also know how to speak the language of decision makers whose priorities might lay elsewhere. It is not enough to just be good with cybersecurity. Communication skills and strategic awareness are vital components of this battle. This is why (ISC)² does what they do. Their mandate is to teach and certify cybersecurity professionals who are able to not only understand technical challenges and threats, but who can also play a more involved role in proactive governance of an organization.

For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.

By Steve Prentice

Big Data Explosion

Developing Machine Learning-based Approach for Optimizing Virtual Agent (VA) Training

Optimizing Virtual Agent (VA) Training Achieve NLU model’s precision, recall & accuracy up to 78% The success of any Virtual Agent (VA) depends on the training of its Natural Language Understanding (NLU) model prior to ...
Kokumai

Identity Assurance – Sufficient and Necessary Conditions

Identity Assurance It is not easy to define the 'sufficient condition' for describing a set of processes used to establish that a natural person is real, unique, and identifiable; criminals keep coming up with hitherto ...
Gilad David Maayan

Leveraging Managed Kubernetes to Improve Your Operations

Leveraging Managed Kubernetes Kubernetes simplifies container orchestration, but sometimes companies are struggling with Kubernetes adoption. Many organizations do not have the required expertise to configure and manage Kubernetes by themselves. Managed Kubernetes is a good ...
Ransomware Hostage Prevention Tips

Ransomware Hostage Prevention Tips

Ransomware Prevention Tips (Updated: 09,24,2020) Ransomware can bring your business to its knees. Whether it comes as a system- or network-wide infection, it can do a severe damage to your company. Attacks are at a ...
Anita Raj

Can the cloud handle the streaming explosion caused by the pandemic?

The Streaming Digital Explosion From the time the coronavirus forced the global community to stay at home, a whopping 16 million people have newly subscribed to Netflix, which is more than double the number the ...
Anita Raj

Will there be a normal to go back to after COVID-19?

The COVID-19 Aftermath Until November last year, not one of us would have expected life to take such a dramatic turn in as short as 4-5 months. Yet here we are - confined to our ...