Why cybersecurity in rural broadband buildout strategies is critical
The COVID-19 pandemic spurred massive government funding to close the broadband gap and the digital divide and provide connectivity to unconnected or underserved communities. However, there is another gap – the "cybersecurity gap" – that needs more attention.
The pandemic has ignited a significant rise in cyber threats of all types, from robocalls to SMS fraud, phishing attacks, ransomware, DDoS and state-sponsored cyberattacks, often targeting the most vulnerable residents and the most critical community services.
Unfortunately, communities in rural areas are especially vulnerable to DDoS attacks due to the lack of security infrastructure and expertise and the vulnerability of scarce community resources (e.g., healthcare).
Rural communities are especially vulnerable
For regional ISPs serving these communities, serving the edges of a connected society can be challenging without the resources, capital or expertise of their much larger Tier 1 counterparts.
In the US, over 7,000 service providers are registered with the FCC, excluding the big Tier 1 operators. These cellular carriers, electric utilities and other ISPs use a broad range of access technologies and try to cover rural America. It is a daunting task because roughly 20% of the US population, spread out across more than 90% of its land mass, is considered rural.
These companies have stepped up previously to provide connectivity for the 23 million to 42 million US rural locations, which has been the focus of much of the broadband funding.
As rural areas have been historically neglected in broadband access investment, there has likely been little, if any, investment in cybersecurity.
DDoS attacks continue to make headlines
DDoS attacks, often combined with ransomware, have surged in the last couple of years and comprise over half of all security incidents. Every year, the size, duration and frequency of DDoS attacks increase.
Verizon reports that 60% of all security incidents are DDoS-related. An average attack costs $20,000-40,000 per hour. However, terabit-size attacks are not the type that regional ISPs and their served communities should be most concerned about. Attackers are unlikely to target a smaller ISP with a terabit-level DDoS attack because a much smaller, low-cost attack will be just as effective.
Smaller attacks by cyber amateurs are the norm
Most DDoS attackers would prefer to stay out of the headlines, so they target smaller, less defended organizations. Despite media attention on large volumetric attacks, 90% of DDoS attacks are under 10 Gbit/s, and the average is only 115 Mbit/s.
These smaller DDoS attacks may not even be detected by Tier 1 carriers. However, for a typical regional ISP serving 50,000 subscribers or homes, a 10 Gbit/s level attack can significantly impact service quality or availability. In that scenario, a 1 Gbit/s attack could take out IT services for an ISP's downstream customers, like a small hospital or school.
Healthcare is a prime target
In rural communities, a scarcity of alternative healthcare facilities, the precarious financial situation of many rural hospitals and the lack of security resources make them easy victims of cyber attackers.
In 2021, the healthcare industry set aside about 6% or less of its IT budget for cybersecurity, with two out of every five respondents reporting that their cybersecurity budget remained similar or shrank last year.
What to do?
While cybersecurity challenges may seem daunting to regional ISPs, many of whom have only 1-2 people on their IT security staff, the industry is slowly recognizing the importance of including cybersecurity in their rural broadband buildout strategies and providing more resources to assist.
- Cybershare is the small broadband provider information sharing and analysis center (ISAC), administered by NTCA and developed from a pilot program supported by a 2019 grant from the National Institute of Hometown Security.
- ISACs (Information Sharing and Analysis Centers) help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards.
- CISA (Cybersecurity and Infrastructure Security Agency) has published a set of "Cyber Essential Toolkits," which outlines many of the steps that can be taken and provides resources for evaluating cyber risks.
There are many actions that even the smallest ISP can take to thwart a good number of attack vectors, including doubling down on basic security hygiene, eliminating the use of default passwords and keeping security patches up to date.
Some service providers are teaming up with peers to share DDoS investment costs and capabilities. Others offer DDoS protection as a service for their downstream customers. This helps offset the investment cost for higher levels of protection.
Overall, security investment must be prioritized within the various initiatives intended to bridge the digital divide and extend broadband to unserved/underserved communities. Ransomware and other cyber threats render the infrastructure of critical services, such as hospitals, unusable, regardless of broadband access.
Broadband access must be fast but also safe.
– Terry Young, Director, Service Provider Marketing, A10 Networks