Opinion: Cyberattack on Scripps Health has scary, broad implications

The editorial board operates independently from the U-T newsroom but holds itself to similar ethical standards. We base our editorials and endorsements on reporting, interviews and rigorous debate, and strive for accuracy, fairness and civility in our section. Disagree? Let us know.

A ransomware attack on Scripps Health that began last weekend had the health-care provider scrambling to regain access to vital electronic records that had been targeted by malicious software. Reports showed Scripps hospitals were getting by through use of “established back-up processes” to keep patients safe at its five hospitals and 19 outpatient clinics in the county. But some seeking care were sent to other facilities, and ambulances were also being diverted from Scripps sites. Scripps appears determined to solve the problem with the assistance of an independent cybersecurity contractor and law enforcement, and to not pay the ransom sought by hackers.

Yet this shouldn’t just be a wake-up call for local medical providers. It should be a wake-up call for all of those with any clout, only starting with lawmakers, who don’t realize the profound vulnerabilities of an increasingly networked world. This threat is likely going to grow as network technology keeps improving and hackers grow more skilled.

The good news on this issue is that Donald Trump — who downplayed cybersecurity threats because they often involved warnings of malevolent Russian machinations — is no longer president. His elimination of the White House cybersecurity coordinator position in 2018 was astonishing. Thankfully, in January, Congress passed a law mandating the White House have a national cybersecurity director who reported to the president and was subject to Senate confirmation. Last month, President Joe Biden nominated Chris Inglis, a former deputy director of the National Security Agency, for the job.

But the bad news is that the U.S. Government Accountability Office released a report in March that showed cybersecurity was a profound problem for the nation. The GAO has long warned that the nation’s critical infrastructure — including energy plants, communications hubs and financial services centers — are insufficiently protected against sophisticated cyberattacks, whether they are launched by other nations, those engaged in industrial espionage or ransom-seeking bandits. Russian hackers allegedly shut down Ukraine’s power grid in December 2015, causing chaos. In 2018, U.S. officials said they had evidence of Russian hackers’ intrusions into the computer networks of American power and water plants, though not of specific acts of sabotage. Those intrusions may have been in response to similar efforts by the U.S. in Russia that were first reported by The New York Times in 2019. The U.S. and Russia are in a de facto cyber cold war, both lining up potential soft targets.

Given this background, one of the GAO’s most alarming warnings involves the Department of Defense. Each year, the Pentagon pays tens of billions of dollars to defense contractors to develop advanced weapons and technology. But the GAO says of the four major military services, only the Air Force routinely includes strict language with strong cybersecurity mandates in its contracts. Rather incredibly, a senior defense official told the GAO that “standardizing cybersecurity requirements is difficult.” Biden and Inglis should make it clear to the Pentagon that it must do better.

In fact, virtually all American institutions need to do better. On Wednesday, Homeland Security Secretary Alejandro Mayorkas warned that ransomware attacks had increased by nearly 300 percent over the past year. “The threat is real. The threat is upon us. The risk is to all of us,” Mayorkas said. “Inform oneself. Educate oneself and defend oneself.” He’s right. Better for those with internet connections to pay attention than pay any ransom.