April 28, 2021 - Podcast

Episode 122—Racism, and cybersecurity

The Centers for Disease Control and Prevention has joined hundreds of cities and counties across the country in declaring racism a public health threat, calling racism an epidemic that affects “the entire health of our nation.” IUPUI Professor Paul Halverson says declaring racism a public health threat will create a sharper focus on understanding and combating racism, an important step forward. Halverson says acknowledging racism as a public health threat allows for the creation of workforce training programs in public health, medicine, nursing and other fields. It also may require all health-related professional training programs to include structural racism identification and implied bias and anti-racism strategies within the curricula which will help to better measure the factors that influence racism. Halverson says health is a result of many factors. The most striking one has nothing to do with intelligence, diet or job status. Instead, Halverson says, it’s a person’s ZIP code. Where someone lives is the greatest predictor of health and life expectancy and is also a good predictor of their race and ethnicity. Where you live, how much you earn, your access to transportation and your ability to shop at a supermarket in your neighborhood are all part of the social determinants of health, which are the most powerful predictor of how long and how well people live. Halverson says decades of discriminatory housing practices have burdened Black communities with poverty, substandard housing and environmental hazards. Most federally assisted housing is located in segregated areas at a greater risk of lead poisoning, exposure to air pollution or lack of access to healthy food, he says. Of the $3.8 trillion spent on health care, public health and prevention is less than 3 percent of this gigantic budget. However, a 2018 report showed a 3-1 return on investment on public health funding. Halverson says treating racism like the disease that the CDC says it is suggests boosting our investment in public health funding would be money well spent.

In other news, the FBI has the authority right now to access privately owned computers without their owners’ knowledge or consent, and to delete software. Cyber security expert Scott Shackelford says it’s part of a government effort to contain the continuing attacks on corporate networks running Microsoft Exchange software, but the intrusion is raising legal questions about just how far the government can go. On April 9, the United States District Court for the Southern District of Texas approved a search warrant allowing the U.S. Department of Justice to carry out the operation. Shackelford says the software the FBI is deleting is malicious code installed by hackers to take control of a victim’s computer. Hackers have used the code to access vast amounts of private email messages and to launch ransomware attacks. The authority the Justice Department relied on and the way the FBI carried out the operation set important precedents and also raises questions about the power of courts to regulate cybersecurity without the consent of the owners of the targeted computers, Shackelford says. Shackelford says public-private cooperation is critical for managing the wide range of cyber threats facing the U.S. But it poses challenges, including determining how far the government can go in the name of national security. He says it is also important for Congress and the courts to oversee this balancing act. Since at least January 2021, hacking groups have been using zero-day exploits – meaning previously unknown vulnerabilities – in Microsoft Exchange to access email accounts. The hackers used this access to insert web shells, software that allows them to remotely control the compromised systems and networks and made it difficult for administrators to remove the malicious code. The FBI is accessing hundreds of these mail servers in corporate networks. The search warrant allows the FBI to access the web shells, enter the previously discovered password for a web shell, make a copy for evidence, and then delete the web shell. The FBI, though, was not authorized to remove any other malware that hackers might have installed during the breach or otherwise access the contents of the servers. Shackelford says what makes this case unique is both the scope of the FBI’s actions to remove the web shells and the unprecedented intrusion into privately owned computers without the owners’ consent. The FBI undertook the operation without consent because of the large number of unprotected systems throughout U.S. networks and the urgency of the threat. While cybersecurity is national security, Halverson says it does portend a sea change in the government’s responsibility for cybersecurity, which has largely been left up to the private sector. Much of U.S. critical infrastructure, which includes computer networks, is in private hands. Yet companies have not always made the necessary investments to protect their customers. Shackelford says this raises the question of whether there has been a market failure in cybersecurity where economic incentives haven’t been sufficient to result in adequate cyber defenses. With the FBI’s actions, the Biden administration may be implicitly acknowledging such a market failure he says.