3 Apr 2024

Should You Rent or Own Your Home Internet Equipment?

by | | 0

If you’re thinking about getting Internet in your home for the first time, changing providers, or wondering if you should ask your provider about an equipment upgrade, you may want to consider the option of owning versus renting the equipment that connects you to the Internet.

The equipment that connects your home to the Internet through your provider can consist of a modem, router or Wi-Fi router, or combination router\modem (sometimes called a gateway). Equipment might also include a range extender to enhance the Wi-Fi signal across your home.

There are advantages and disadvantages to owning your own equipment or renting the equipment through your Internet Service Provider (ISP). When you sign up for an Internet plan through your provider, you have the option to rent their equipment and have them perform the installation or buy your own equipment and do the installation yourself with specific instructions from the provider on the initial setup.

Let’s explore the pros and cons of renting or owning the equipment that connects you to the Internet to help determine which option is best for you.

When renting equipment from your Internet Service Provider some of the advantages are:

  • You don’t have to worry about compatibility issues. The equipment is designed to work with your providers’ network and service.
  • You get free upgrades or replacements if the equipment fails or becomes outdated.
  • You get technical support from your provider if you have any problems with the equipment or your internet connection.
  • You can easily return the equipment if you switch ISPs or cancel your service.

Some of the disadvantages to renting equipment from your Internet Service Provider are:

  • You pay a monthly rental fee that can add up over time and cost more than buying your own equipment. This may take several years depending on the equipment used.
  • You may have limited control over some of the features and settings of the equipment, as they are determined by your ISP.
  • You may not get the best performance or security from the equipment, as it may be of low quality or use outdated technology.

When you own your modem, router, and/or Wi-Fi Range Extender to use with your provider, you have some options about where you purchase the equipment and its quality. Your provider may suggest brands they consider compatible with their Internet connection to your home.

The advantages of owning your home networking equipment are:

  • You save money over time, as you don’t have to pay a monthly fee to your provider.
  • You have more control over the features and settings of the equipment, as you can choose the model and brand that suits your needs and preferences.
  • You get better performance and security from the equipment, as you can choose one that uses the latest technology and supports faster speeds and stronger encryption.
  • You can make sure the equipment is updated to the latest operating system or firmware by setting automatic updates.
  • You can keep the equipment if you switch ISPs or cancel your service if it is compatible with other networks.
  • You do not have to wait on a visit by technicians to upgrade or replace failing hardware.

The disadvantages of owning your own home networking equipment are:

  • You must pay upfront for the equipment, which can be expensive depending on the model and brand. You should consider buying the latest equipment which has the latest security features.
  • You must make sure that the equipment is compatible with your ISPs network and service, and that it meets their requirements and specifications.
  • You are responsible for upgrading or replacing the equipment if it fails or becomes outdated. Due to the expense of the equipment, you might want to see if the equipment can be covered through your home or renter’s insurance.
  • You have to troubleshoot any problems with the equipment or your internet connection yourself or seek help from the manufacturer or a third-party service.

After reading about the pros and cons of owning versus renting home network equipment, how do you decide which option is better for you?

Several things to consider in your decision are:

  • Your budget: how much can you afford to spend upfront to buy equipment or spend monthly to rent your home networking equipment?
  • Your needs: what kind of features and performance do you want from your routing equipment?
  • Your preferences: do you value convenience and simplicity, or customization and flexibility?
  • Your plans: how long do you intend to use your current ISP and internet service?

You may want to consider renting the equipment if you:

  • Have a limited budget and don’t want to pay upfront for your routing equipment.
  • Don’t care much about the features and performance of your networking equipment.
  • Prefer to have technical support from your ISP if anything goes wrong.
  • Plan to switch providers or cancel your service in the near future.

Consider owning your home networking equipment if you:

  • Have enough money to buy your own routing equipment.
  • Want to have more control over the features and performance of your routing equipment.
  • Are comfortable with troubleshooting any issues yourself or seeking help elsewhere.
  • Plan to stick with your current ISP and internet service for a long time.

Renting versus owning your home networking equipment is a personal choice that depends on several factors including convenience, support, and flexibility, savings, control, and performance.

Before deciding between renting or owning your home networking equipment, weigh the pros and cons of each option carefully, and consider your budget, needs, preferences, and plans. Ultimately, choose the option that works best for you and your home internet experience.

19 Mar 2024

Exploring Alternatives to the Affordable Connectivity Program

by | | 0

The Affordable Connectivity Program (ACP) is a U.S. government initiative designed to help low-income households afford internet service. However, this program stopped accepting new applications February 7, 2024, and is scheduled to run out of funding in April 2024.  Congress will need to renew the funding for the ACP to continue.

Almost 400,000 households are enrolled in the ACP in Missouri saving over 11 million dollars each month on their internet bills.  As the program winds down, many will be looking to find either lower cost options or another program to help cover Internet costs.  Some may even decide to discontinue their internet service.

However, there are alternative options available. In the remainder of this blog, these options will be discussed along with the differences to the ACP.  Some of these options may not be available to all Missourians due to location or qualifications to participate.

One option is the FCC Lifeline program.  The Lifeline program works similar to the ACP program but has stricter requirement for participation and has a small benefit to the household for covering the cost of internet.  Lifeline provides qualified subscribers a discount on qualifying monthly telephone service, broadband Internet service, or bundled voice-broadband packages purchased from participating providers.   If your household income is 135% of the federal poverty guideline you qualify for the Lifeline program.  You may also qualify for the program if you are receiving benefits from one of the following programs:

  • Supplemental Nutrition Assistance Program (SNAP)
  • Supplemental Security Income (SSI)
  • Veterans Pension and Survivors Benefits
  • Federal Public Housing Assistance (FPHA)
  • Medicaid
  • Tribal Programs for Native American

One alternative is exploring community-based programs. Many local libraries and community centers offer free Wi-Fi access or loan Wi-Fi hotspots to community members. You may also want to contact the local community action agency or other local non-profits to see if there are funds to help assist with the cost of internet access, access to hotspots, or free Wi-Fi access .  You can use the Digital Asset Map at mobroadband.org to help with your search.

National non-profit organizations also play a role in bridging the digital divide. Groups like EveryoneOn and PCs for People connect people to low-cost internet service and affordable devices.

Another avenue is negotiating with internet service providers (ISPs). Some ISPs offer discounted plans for low-income families or special programs for students and seniors. It’s worth contacting providers directly to inquire about any available options that may not be widely advertised.  Here are links to several providers that have their own assistance programs.  This is not an exhaustive list, so be sure to talk to the ISPs in your community about their programs.

In conclusion, while the ACP provides a valuable service to many, there are several alternatives worth considering. Each option has its own set of benefits and limitations, and what works best will depend on individual circumstances.

7 Mar 2024

BEAD — Let’s Not Throw Away Our Shot Part 2 –Affordability

by | | 0

By Marc McCarty

& Meredith Morrison

The last Blog described the Missouri Office of Broadband Development’s (OBD) proposal to spend up to $1.7 billion for broadband projects that will be funded by the federal government’s Broadband Equity Access Deployment (BEAD) program. We highlighted ways local government and nonprofit organizations (Public Organizations) can play an important role at the outset, by helping to make the list of locations eligible for BEAD funding as accurate as possible, and by initiating contact with internet service providers (ISPs) to express the community’s interest in partnering to “digitally connect” their community.

Three ingredients are essential for communities to digitally connect while holistically benefitting the health, education, and economic advancement of its residents: (1) access to internet service, (2) the skills necessary for service adoption, and (3) a pricing model that makes service affordable. BEAD only directly addresses internet access. Internet adoption and affordability will require Public Organizations to organize and enter into partnerships with existing and new ISPs.

This blog focuses on the challenge to make broadband service affordable; a challenge that has been made much more difficult because of the end of funding for the Affordable Connectivity Program (ACP).

Why Affordability Matters

Obviously, community residents and businesses cannot reap the benefits of broadband service if they can’t afford it! Like other utilities, broadband service comes with a monthly fee, and all ISPs generally must earn enough in monthly subscription revenue to cover the costs of capital investment, network maintenance, and service operations. In Missouri, most ISPs are “for-profit” companies, in which shareholders/investors must earn a reasonable return on their investments. For this reason, particularly, in hard to reach communities where there are fewer locations per square mile, obtaining a high percentage of paying subscribers can be critical to an ISP’s survival.

Most Missourians are understandably unwilling or unable to pay for high-cost broadband service. Multiple surveys show that a high monthly internet subscription cost is one of the biggest roadblocks to the adoption of broadband. Of course, in part the affordability of broadband service depends on whether potential subscribers feel confident they need and can use fixed broadband, or instead, can continue to rely on their internet-connected mobile phone or public hotspots. The next blog will cover how Public Organizations can address this issue by boosting internet adoption.

Many Missourians face a “would if I could” problem when monthly internet subscription costs compete with basic necessities, such as food, housing, water, and other utilities. Ironically, these households most desperately need broadband service to effectively access government and nonprofit assistance and improve their economic prospects for a better life. Clearly, some targeted program to make broadband affordable to low-income households is needed.

The Affordable Connectivity Program

The Affordable Connectivity Program was enacted along with BEAD as part of the 2021 infrastructure law to address this specific concern. In the two years it has been in place, 23 million households nationwide (nearly 400,000 in Missouri alone) received a $30 per month subsidy for internet service and a one-time discount they could apply to the purchase of a basic computer or tablet. Roughly 1 in 6  households across our state benefited from ACP, and in many rural counties 1 out of every 4 or 5 internet subscribers, received service subsidized by ACP.

The ACP became a victim of its own success. As structured, 42 million households were estimated to be eligible for the ACP benefit. Even though just a little more than half those families eventually applied and began participating in the ACP, the original $14 billion appropriation for the program is almost entirely depleted. The FCC has barred any new subscribers, and the program will end next month. While bipartisan legislation has been introduced to fund the ACP until year end, it is not expected to be enacted, and of course it is only a stopgap measure. In order to truly meet the needs of families, and provide a stable subscriber income base for ISPs, the program needs a permanent funding source, and this need is particularly evident as ISPs attempt to build out broadband in hard to reach unserved and underserved areas using the BEAD program.

Certainly absent a viable alternative, many participating households served by the ACP may be forced to drop service. While the federal government’s Lifeline program can offer some current ACP subscribers discounted broadband at connection speeds up to 25/3 Mbps, that is below the 100/20 Mbps mandated by the BEAD and ARPA programs. Additionally, the qualifying income levels for Lifeline are lower, and other eligibility requirements are more difficult to meet than those imposed by the ACP. Finally, many ISPs are not qualified to offer customers the Lifeline program benefit.

The Subscriber Revenue Gap Created by the End of ACP

Of course, the end of the ACP also creates some significant financial challenges for ISPs. ACP gave ISPs an incentive to build infrastructure in low-income communities, because the program increased their estimated take rate and subscriber revenues.  One study estimated that the loss of the ACP will translate into a decline in subscribers that will raise the cost of bringing broadband to unserved rural communities by 25%!

It is also unclear how ACP’s termination affects the sixty ISPs that were awarded grants as part of Missouri’s  $261 million Broadband Infrastructure Grant Program. These grant came from Missouri’s share of the American Recovery and Reinvestment Act — Coronavirus State and Local Fiscal Recovery Fund (SLFRF). Federal Regulations for the SLFRF program require that grant recipients offer low-income households affordable subscription options, commensurate with ACP’s benefits in areas served by grant-funded broadband infrastructure. While this requirement may soften the blow from the loss of the ACP in these isolated communities, the question remains, how will ISPs afford to implement a “commensurate” ACP benefit on their own?

Taken together, the loss of the ACP seems destined not only to make it harder for lower income households to subscribe for internet service, it also may make it significantly harder for Missouri to achieve the overall goals of the BEAD program – to extend broadband service to all unserved and to as many underserved areas of the state as possible.

How can Public Organizations Help?

In 2022, Governor Parson proposed using state funds to supplement broadband subscription costs for low income households.  However, that legislation ultimately was not enacted, and other than the Lifeline program previously discussed, there is no comprehensive federal or state program that directly subsidizes the monthly cost of broadband for lower income families. However, that does not mean that Public Organizations – particularly local government – are unable to indirectly help ISPs provide affordable broadband service to households that need financial assistance.

The key here is to recognize that ISPs can provide an ACP-type benefit to their customers so long as that cost is subsidized and that subsidy can take the form of either a direct payment to help the customer pay for service or, indirectly, by further reducing the ISP’s cost of building the broadband infrastructure. A BEAD grant can do that in part, but likely not if the ISP’s subsidy needs to be increased by 25%, because the ACP is not available! Yet it makes no sense to increase the government subsidy to the ISP for construction unless the ISP is willing to use the amount saved to provide an affordable broadband connection to its customers, through a program similar to the ACP.

For example, assume that an ISP was able to build and successfully operate a broadband network with a BEAD grant of $2 million, so long as it could rely on ACP-funded subscriber revenues to help pay for the infrastructure and cost of network operations. Based on the Commonsense study, one would conclude that the ISP would need 25% more ($2.5 million) because of the loss of the ACP. In that case Public Organizations might agree to provide the ISP the additional money needed to close the funding gap ($500,000), but only on the condition that the ISP agrees to self-fund an ACP-type benefit for the community in the future.

Unspent Local ARPA Funds

One possible source of the additional money needed, that some local governments may have available is the local government component of ARPA SLFRF money. In addition to money paid directly to the state, Missouri’s 114 Missouri counties and 15 cities received a separate SLFRF award. These local governments have the flexibility to use these funds for many purposes, one of which is “high-speed broadband infrastructure.” All local SLFRF money must be obligated by December 31, 2024 and spent by December 31, 2026. As of September 2023, Missouri’s local governments reported that they had obligated only $1,450,997,654 of the $2,419,661,436 in SLFRF Funds. This means that as of last Fall, just over 40 percent of the money awarded remained available.

Other possible local programs to access local money.

Many communities may already have appropriated their entire ARRA SLFRF award for other permitted purposes. In these cases, there are other options that can be used to provide financial support to ISPs that agree to provide affordable broadband service to lower income households. Again, the overall strategy is the same: use locally generated funds to reduce the ISP’s cost installing broadband infrastructure in unserved and underserved locations, in exchange for the ISP’s commitment to provide a targeted low-cost subsidy to qualified low income subscribers.

These options include special financing districts and government sponsored tax-exempt financing.

Special District Financing

Three  types of special financing districts are available to Public Organizations seeking to raise money to support an ISPs broadband infrastructure project. In each case, these special financing districts must support and fund a “public private partnership” (P3) that will provide broadband service within a specific geographic area or “District.” Each type of District may impose various new local taxes or special assessments for that purpose. The three types of districts are (1) a Community Improvement District (CID), (2) a Neighborhood Improvement District (NID) and a Broadband Infrastructure Improvement District (BIID).

The statutes set out the procedure and powers for each of these districts and while they are not identical, they do share some common elements:

  • The area served by the District can be specifically tailored to include all or a portion of a city or county, or in the case of CIDs and BIIDs multiple jurisdictions.
  • The District may fund a public private partnership that will bring broadband service to one or more unserved or underserved areas (as certified OBD). The statute defines unserved and underserved using similar criteria to that used for BEAD grant funding.
  • The District can impose a variety taxes (sales tax, property taxes, or a special property assessment to fund its contribution the P3). However in most cases, voter approval of the affected district residents is required to impose the tax.
  • In each case, the P3 agreement must provide that the ISP will own and operate the broadband network infrastructure (not the District).

A significant advantage of Missouri’s special financing district laws is that they are flexible and can be adapted to a variety of situations. Since Districts can impose local taxes and/or assessments that only apply in the District, it is possible to tailored them to include only those areas that need broadband. In this way they could be an ideal source of locally sourced funds to help ISPs close a funding gap and make it economically feasible to provide broadband service to residents of all income levels. This is important both because of the gap created by the loss of the ACP funding and, more generally because all BEAD – funded projects must have at least 25% of the project costs funded from some source other than the BEAD grant.

 

Example of a Special District Financing to Support Broadband Affordability

A community might decide to create a CID to assist in funding broadband infrastructure for 20 unserved farms and homes along a county road. Property owners along that road could petition the County to form and authorize funding for the CID. The District’s objective would be to lower the cost of installing broadband so that the ISP was financially able to provide free or low-cost service to low income families with school age children.

To fund the CID, property owners in the area would agree to impose an annual special assessment (collected along with real property taxes each year) from each property owner in the District. As part of the P3 agreement, the CID would agree that amounts collected each year would reimburse it for part of its cost of funding the broadband project that was not paid for out of the BEAD grant, and that the collected amounts would be applied to fund a monthly broadband service subscription subsidy for lower income families.

Tax-exempt Private Activity Bond Financing

Tax-exempt private activity bond financing may provide another option for Public Organizations that want to reduce an ISPs infrastructure cost, so that a low cost broadband subscription option can be offered to lower income residents. Tax-exempt private activity bonds are a special type of local government debt. Unlike traditional bonds where the local government is the named borrower and responsible for repaying the debt, private activity bonds are usually repaid only from money provided by a private entity (in this case an ISP).

These tax-exempt bonds can only be used in a specific geographic area where 50% or more of the structures are “unserved” (broadband service less than 25 Mbps download and 3 Mbps upload). When completed, the constructed project must provide at least 90% of the previously unserved locations with connection speeds of at least 100 Mbps download and 20 Mbps upload. If these and other requirements are met, interest paid to investors (bond purchasers) is exempt from most federal and all Missouri income tax. Because investors do not pay income tax on the bonds they own, they are willing to accept a lower interest rate than a similar taxable bond or loan. In this way, the ISP benefits because it pays substantially less interest each year on the debt used to finance the project.

 

Example of Tax Exempt Private Activity Bond to Support Broadband Affordability

 

Assume an ISP wished to bring broadband service to all structures in a county, and that the cost of constructing the network was $50 million. The ISP receives a BEAD grant for $35 million, but is responsible for raising the additional $15 million. The County’s residents want the service, but know that a significant number of residents simply cannot afford to pay the monthly subscription cost for broadband service. For a variety of reasons, the county cannot provide financial assistance to the ISP through a new tax or assessment.

Instead, the County might issue $15 million of private activity bonds that the ISP would use to fund the project. The ISP (not the County or any Public Organization) will be solely responsible for repaying the bonds.  The bonds have an interest rate that is 1.5% lower than a taxable borrowing. This means the ISP “saves” $225,000 of interest cost each year the bonds remain outstanding.

As a condition for issuing the bonds, the County requires the ISP to offer lower income subscribers a special low cost broadband plan, which it is able to fund because of the interest expense saved each year. 

Where There’s a Will….

In a perfect world, funding for broadband affordability would not have run out just as funding for broadband access and adoption was becoming available. Of course no one would say that the ACP was a perfect solution. Many would argue that the ACP and Lifeline programs need to be combined and a permanent funding model needs to be put in its place, and there is considerable merit to that position. But allowing ACP to expire without reworking the Lifeline program or providing some other workable alternative is difficult to justify. The unfortunate result for many communities is that they must work creatively with their ISPs to make sure that the broadband infrastructure built is affordable to all members of the community. The alternatives listed here all seem to be feasible, and there are many others (described in a recent “White Paper”) that communities can consider. However, all require a community effort, and some creative thinking. The question for many communities – is whether they are willing to make this effort, or will they instead risk “throwing away their shot” at digital connectivity.

6 Mar 2024

Setting Up a Home Network

by | | 0

A home network connects multiple devices in your home to each other and the Internet. These devices can include computers, smartphones, tablets, TVs, printers, thermostats, security cameras, and other smart home devices.

A home network provides many benefits, such as:

  • Sharing files and folders among devices
  • Streaming media content from one device to another
  • Printing documents from any device
  • Controlling smart home devices remotely
  • Accessing online services and applications

To set up a home network, you will need the following:

  • An internet service provider (ISP) that provides you with an internet connection
  • A modem or other device, such as an optical network terminal (ONT), that connects to the ISP’s network and converts the signal to a format that your devices can understand.
  • A router that connects to the modem or ONT and creates a local network for your devices
  • Ethernet cables for wired connections or Wi-Fi adapters for wireless connections
  • The devices that you want to connect to the network

The following steps will guide you through the process of setting up a home network:

Step 1: Choose an ISP and a modem

The first step is to choose an ISP that offers a package with the internet speed and bandwidth that suits your needs and budget. You can estimate your required internet speed by using the broadbandnow.com bandwidth calculator  as well as compare different ISPs and plans in your area.

Once you have chosen an ISP, you will need a modem that is compatible with their network. Some ISPs may provide you with a modem as part of their service, or you can buy your own modem from an electronics store or online. Make sure that the modem supports the type of internet connection that you have, such as cable, DSL, fiber, or satellite.

Step 2: Connect the modem to the internet source

The next step is to connect the modem to the internet source using a coaxial cable, a phone line, or a fiber optic cable, depending on the type of connection that you have. You may need to contact your ISP for activation or configuration instructions.

Step 3: Choose a router and connect it to the modem

The router is the device that creates a local network for your devices and allows them to communicate with each other and with the internet. There are many types of routers available, with different features and specifications. Some of the factors that you should consider when choosing a router are:

  • The number of devices that you want to connect
  • The size and layout of your home
  • The Wi-Fi standards and frequencies that your devices support
  • The security and parental control options that you need
  • The advanced features and settings that you want to use

Some modems may have a built-in router function, which means that you don’t need a separate router. However, if you want more control and flexibility over your network, it is recommended to use a standalone router.

To connect the router to the modem, you will need an Ethernet cable. Plug one end of the cable into the WAN port of the router and the other end into the LAN port of the modem.

Step 4: Configure the router settings

After connecting the router to the modem, you will need to configure some basic settings for your network, such as:

  • The network name (SSID) and password (key) for your Wi-Fi network
  • The security mode and encryption type for your Wi-Fi network.  This is known as the Wi-Fi Protected Access (WPA).  The latest version is WPA3.  Check your Wi-Fi connected devices to see which versions they are compatible with
  • The administrator username and password for accessing the router’s web interface
  • The firmware update for your router

To configure these settings, you will need to access the router’s web interface using a web browser on a computer or smartphone that is connected to the router. You can find the default IP address, username, and password for your router in its user manual or on its label. Alternatively, you can use an app provided by your router’s manufacturer to set up and manage your network.

Step 5: Connect your devices to the network

The final step is to connect your devices to the network using either wired or wireless connections. For wired connections, you will need Ethernet cables and Ethernet ports on your devices. Plug one end of each cable into an available LAN port on the router and the other end into an Ethernet port on your device.

For wireless connections, you will need to use Wi-Fi adapters in your devices or purchase external Wi-Fi adapters that plug into the device generally through a USB port. Turn on the Wi-Fi function on your device and scan for available networks. Select your network name (SSID) and enter your password (key) to join the network.

You can also use other methods to connect your devices wirelessly, such as WPS (Wi-Fi Protected Setup), NFC (Near Field Communication), or QR codes. These methods allow you to connect without entering a password by pressing a button on the router or tapping your device on another device.

For smart devices such as TV’s and gaming stations, appliances, and printers, make sure you have the manuals available on how to connect these devices to the network.

Once you have completed connecting all your device to your home network, you can enjoy browsing the web, streaming media, sharing files, printing documents, controlling smart home devices, and more from any device in your home.

10 Jul 2023

Critical Thinking and the Internet: Developing Skills to Counter Online Disinformation & Confirmation Bias Algorithms

by | posted in: | 0

It’s impossible to overstate how much the internet has changed our lives over the past three decades. Internet-based technologies and products have unleashed exponential economic growth and efficiencies. It is no accident that the five largest companies in the S&P 500 are Apple, Microsoft, Amazon, NVDIA and Alphabet (Google). Certainly the internet has been, and will continue to be, a driver of economic growth and internet-based innovations that promise to continue to improve the health, education and economic opportunities for all of us. However, as has been true with all new technological innovations, there is a dark side to the internet; challenges that if ignored, will substantially reduce the benefits expected to be realized from universal access to broadband and its applications. These challenges need to be understood and addressed, particularly as we work to connect the remainder of homes and businesses in the United States to broadband by 2030.

One of these challenges was described earlier this year in a three-part blog on cybersecurity. More recently, I explored some of the potential questions and challenges associated with generative artificial intelligence. This blog discusses yet another challenge:  How do we spot internet disinformation and counter internet-based algorithms that tend to confirm our preexisting biases, and blind us to opposing viewpoints?

For representative democracies like the United States, particularly now when most of us rely on the internet to get our news and form our opinions, the ability to analyze and test the accuracy of sources of  information on the web (to engage in critical thinking) has and will continue to be a vital skill to effectively use the internet. While there is no “magic bullet” solution, ignoring this issue risks more than just continued economic progress, it could threaten the very institutions that sparked the creation of the internet itself.    

Of course the goal of this blog (and the others that preceded it) is not to discourage the development of internet infrastructure and internet-based applications. But the degree to which our goals of better health, education and economic opportunity will be realized, depends in large part on how well we adapt to use these new internet-based applications and technologies effectively. Developing these skills is an important part of the University’s Broadband Initiative, and programs such as the pilot Digital Ambassadors project are expected to be an important part of that effort.

Defining the Challenge

At the outset, it’s worthwhile to spend time defining the challenge. The term “disinformation” is closely related to its companion – misinformation. Misinformation is simply inaccurate or false information. Disinformation on the other hand is misinformation put to a purpose. It’s the use of misinformation in a way specifically designed to deceive or hide the facts.

The motives that lead a person (or more recently an artificial intelligence algorithm) to place disinformation on the web, most often are not perceived to be morally wrong by the person responsible for posting. In fact, in many cases the opposite is true; disinformation is used to serve what is perceived as a higher purpose or objective. In other words, the means (an intentionally false or misleading story or headline) are justified by the belief that it supports a view or position that is in the best interest of society.

Unlike disinformation, “confirmation bias,” requires no intentional act. Instead it describes our unconscious tendency to seek out and treat information as true if it supports our biases and predispositions. We all use confirmation bias to make decisions in our daily lives, and it is not necessarily a bad thing. For example, most of us have a “confirmation bias” that would make us hesitant to climb into an enclosure to get a better view of a grizzly bear at the zoo. It might well be that the particular bear was trained and well-behaved, but we know from books or film that these animals often can be dangerous, and we run the risk of being “lunch” if we get too close. Research indicates that internet-based algorithms make extensive use of our tendency for confirmation bias in ways that we may not fully understand or appreciate, usually with the goal of keeping us engaged and online.

Disinformation – How Does the Internet Differ from Earlier Forms of Mass Communication?

History contains many examples of individuals that used mass media to disseminate disinformation. In addition to charlatans, disinformation has been used by some that we hold in high regard. In fact, none other than Benjamin Franklin apparently is guilty. In order to stir up revolutionary fever, he apparently made up a story accusing King George III of promoting attacks on colonists — offering a cash bounty for each colonist scalp that was collected! Disinformation in mass media also has always been difficult to stop. This is particularly true in societies like ours that value freedom of expression. Early attempts by our government to rein in false or “fake” news, even if motivated by a noble purpose have been unpopular and ineffective

So it’s fair to point out that  disinformation in public media (whether it’s a printed pamphlet, a newspaper, television or radio) is nothing new. However, there are several unique aspects that make disinformation on the internet more challenging to identify and counter. The same characteristics that make the internet such an effective tool for learning and disseminating information, also have made it much more effective in spreading disinformation. One reason the internet spreads disinformation so effectively is that multimedia (videos and audio) can be used along with text  to get ideas across. It is not surprising then, that researchers have found that most disinformation on websites today consists of images and videos.   A second reason is that the internet permits information and disinformation to be shared far more easily and quickly than earlier technologies. In the past few could afford a printing press, and more recently television and radio stations could make use of audio and visual images, only after obtaining a license from the Federal Communications Commission.  Today, anyone with an online connection can create and share text and full resolution video content with millions in just a few hours, and do so anonymously.  

The risks posed by disinformation on the web seem destined to grow. For example, software has been developed that permits most anyone to create near perfect video imitations of public figures that can say anything the programmer desires. The age-old adage “seeing is believing” seems destined to become a quaint anachronism.

Internet Algorithms & Confirmation Bias – “There’s No Such Thing as a Free Lunch”

Most of us don’t reflect on why there is so much information available to us on the web “free of charge.” Of course, in some cases government, nonprofits and public-spirited individuals have provided content as a public service, and there are many subscription fee-based websites, but that does not explain the millions of commercial websites that provide news, entertainment, and personal connections free of charge.

These websites have a profit motive, and most exist to sell advertising.  Many of these ads are structured as a “cost per click” arrangement – meaning that advertisers pay the website owner a set amount each time someone clicks on a hyperlink that directs the web browser to the advertiser’s content. Again, intellectually, many of us realize this is happening, but we may not fully appreciate just how significant this revenue has become. In 2022, ads of this type were estimated to generate $95.2 billion. To put this in perspective, that’s over $275 of cost per click revenue for every man, woman, and child in the United States.    

With this much money at stake, it is not surprising that a primary goal of many commercial websites – particularly social media websites, is to keep us online and engaged with the website’s content for as long as possible.  Like print media advertisers that came before, today’s web designers know they can do this most effectively by keeping us emotionally engaged. Again, the ultimate goal of these efforts most often is to increase ad revenue. After all, the longer you are online and looking at website content, the more ads you will see, and potentially the greater the chance that you will click on at least one, and earn revenue for the website’s owners. There’s a name for these targeted efforts to keep us on a website, it’s call “clickbait,” and anyone who suddenly realized they are late for a meeting because they have spent the past 30 minutes looking at “50 cute kitten” videos knows clickbait can be very effective.

Applying Critical Thinking Skills to the Internet

We tend to lose sight of how quickly the internet has become a part of our lives. Thirty years ago blogs like this one did not exist. Google was founded in 1998. The first Facebook page was created by Mark Zuckerberg less than 20 years ago, and Jack Dorsey posted the first “tweet” on Twitter in 2006. Given the speed of these developments, it’s not all that surprising that critical thinking skills training may not adequately address web-based disinformation or the impact of web-based search algorithms on our confirmation bias.

Certainly there is nothing new in the idea that critical thinking skills are essential to the sound functioning of democratic institutions. Skilled critical thinkers are able to:

  • Raise vital questions and problems, formulating them clearly and precisely.
  • Gather and assess relevant information, using abstract ideas to interpret it effectively.
  • Come to well-reasoned conclusions and solutions, testing them against relevant criteria and standards.
  • Think open-mindedly within alternative systems of thought, recognizing and assessing, as needs be, their assumptions, implications, and practical consequences.
  • Communicate effectively with others in figuring out solutions to complex problems.

Even if critical thinking is not taught as a stand-alone subject in elementary and secondary schools, most children do receive instruction in basic critical thinking skills as part of their education, although the amount of training varies and surprisingly, may decline once the student enters middle school and high school. Most colleges and universities, including several of the University of Missouri System campus libraries and schools, provide critical thinking skills training designed to help students when they do internet research.

Yet a comprehensive 2019 study found that students are not well equipped in ferreting out disinformation on the internet. This also is not all that surprising. There may be other reasons for this, but one suggested by the study and other related research is that critical thinking skills taught to identify disinformation on the web may not be particularly effective today.  Those methods included assigning credibility to information contained on “.org” websites and discounting those that had a “.com” designation; relying on the website’s statement located on its “about” webpage to understand its mission; assigning more value to content on websites that have professional looking “error free” layouts; and giving credence to web-based materials that includes footnotes or hyperlinks referencing journals that are not generally well-known, but that have professional-sounding names. While all of these may seem reasonable or have direct corollaries to fact checking traditional printed text material, the study discounted their value in discovering disinformation on the web.

For example the fact that a website has a “.org” label, does not mean that it is sponsored by a nonbiased nonprofit organization; instead, it simply is an alternate catch-all designation available for any website  that does not wish to be classified as having a commercial (.com), government (.gov), or educational institution (.edu) sponsor. Nor is the website’s “about” page or its professional design particularly helpful in ferreting out disinformation. After all, the text of the “about” page was written by the same folks who wrote the content that is being checked, and modern website design programs enable most anyone to prepare a very professional looking website.

Distinguishing disinformation simply based on how the content appears likely will be even more difficult in the future because of the development and widespread availability of new programs using sophisticated graphic design and artificial intelligence. This was illustrated just this past month, when several attorneys were sanctioned and fined $5,000 for filing a legal brief, authored by an generative artificial intelligence program. The problem wasn’t that the attorneys used an AI program to write the brief; instead they were sanctioned because the AI program had “made up” the names and legal citations for several cases to support the brief’s legal position! The attorneys made the mistake of assuming that the information was accurate, because the legal citations appeared to be in the proper format. In other words, they relied on the superficial appearance of the information, rather than taking the time to check that it came from a legitimate source.

A Sandford University study recommends applying a different mindset to web-based publications, one that takes into account how easy it now is for anyone to impersonate legitimate resources and to post false information. The recommended approach is not to look at the website or its materials to validate the information, but instead to access external unrelated sources to evaluate the website’s sponsoring organization and materials contained on that website. To do this effectively and efficiently, web-based search engines (such as Google) and multiple fact checking websites can be used. While this approach may not be foolproof, it does capitalize on the ease of finding independent third-party resources to evaluate both the efficacy of the website sponsor and the accuracy of information it contains.

Social & News Media Sites: Applying Critical Thinking Skills to Overcome Conformation Bias Algorithms.

No amount of fact and source checking can fully counter the internet’s ability, through search engine algorithms, to feed us a nearly unending supply of whatever information we ask for. These algorithms have been very beneficial. Most of us use them every day to do a variety of tasks, such as evaluating a product we are considering purchasing, repairing or obtaining instructions on how to use an appliance, selecting a hotel or vacation resort, or even finding source material for a blog. However, these algorithms are most useful if we do not lose sight of the fact that most often they are optimized to raise revenue for the sponsor. We also need to consider that the same algorithm that feeds us an endless supply of cute kitten videos may also be used to keep us engaged on websites featuring news and social issues.

Again, no conspiratorial motive seems to be at work here; it’s just application of a time-honored principle of advertising to this new form of mass-media: if you want to get someone’s interest, use flashy emotion-based content, and if you want to keep them interested, show them more and more of it, making each subsequent “click” just a little flashier and more emotional. Today this happens with little or know human input at all; it’s a product of algorithms that could care less whether the topic you are viewing is cute kittens or gun control.

A 2022 study published by researchers at the University of California-Davis illustrates how this technology operates when the topic involved is a political or social issue. The goal of the study was to see how YouTube’s recommended content would change over time, when viewers initially selected a political topic.  The study, described in an August 2022 article, assessed the effect of following YouTube’s “recommended” videos. The idea behind the study was to determine what happened if users viewing a political video, followed the YouTube recommendation for the next video, and the video after that one.

Researchers in the study created fictitious YouTube accounts (sock puppets) that were programmed to access and “view” a video initially tagged by the researchers as having either a slightly conservative or as slightly liberal/progressive viewpoint. After viewing the video, each sock puppet automatically accessed the next recommended video, and viewed it. The sock puppets repeated this process over a number of days, accessing many videos.    

One result that is not all that surprising, was that sock puppets that initially viewed a conservative or a liberal/progressive bias tended to only be recommended videos that matched their original view. That makes sense; that is how confirmation bias operates. If one initially prefers and connects to content that had liberal/progressive bias, they are more likely to like and view more videos that support or “confirm” that bias, as opposed to videos that promote an alternative “conservative” viewpoint.  Of course, the same principle holds true for those that prefer content with a more conservative bias. Muhammad Haroon, the leader of the study noted: “Unless you willingly choose to break out of that loop, all the recommendations on that system will be zeroing on that one particular niche interest that they’ve identified.”

What was more disturbing, was that the YouTube algorithm tended not only to limit views to conservative or liberal/progressive content (depending on which bias was initially selected); the content selected tended to become increasingly more radical the longer the program ran. Again, this doesn’t imply any nefarious intent on the part of the YouTube algorithm programmers; it just seems to be a logical extension of a program designed to give the viewer more and more of content that supports their original bias. Again, the purpose might be solely to maximize the time spent on the website and the revenues generated from advertising, but obviously for the viewer, the algorithm shuts out competing voices and apparently over time tends to emphasize more extreme positions.

Another university study published in 2023, found that the risk of being caught up in group think and misleading or false information on the web tends to be directly related to the viewer’s analytic reflection skills. The study compared the web browsing activities of individuals that scored higher in analytic reflection on a standardized Cognitive Reflection Test (CRT), to a second group that tended to rely primarily on “intuitive reasoning” to reach conclusions. The study found that individuals with higher analytic reflection skills as measured by the CRT, appeared to be better able to counteract the tendency to view only those websites that confirmed their initial bias.

The CRT used in the study was designed to measure analytic reflections skills by asking participants to answer a number of questions that included an option that, while they at first seemed intuitively correct, on reflection were obviously wrong. For example:

“If you’re running a race and you pass the person in second place, what place are you in?”

The “intuitive” answer – the one that initially seems most appealing – is “first place.” However, after a little reflection one recognizes this answer is clearly wrong. After all, if the person you were trailing in the race was in second place, passing them only means you are now in second place, and you still need to catch the person who is in the lead.

When comparing the web browsing activities of the two groups, the study found that individuals who scored higher in analytic reflection skills also tended to rely on more traditional and reliable sources of news and information. The study concluded that these participants tended “to be more discerning in their social media use: they followed fewer [Twitter] accounts, shared higher quality content from more reliable sources, and tweeted about weightier subjects (in particular, politics).”

Critical Thinking is a Skill, Not a Measure of Intelligence

One misconception about critical thinking is that it is somehow directly related to the level of education and innate intelligence. In other words individuals with higher levels of formal education will be good “critical thinkers.” Academic research does not support this view. While critical thinking can be a complex process that includes clearly defining the issue, identifying and analyzing the sources of the information, testing and seeking confirmation from alternative sources and checking for alternative viewpoints; it is a skill. Equally important, hundreds of separate studies over many decades have shown that critical thinking can be learned, regardless of an individual’s age or education level.  Learning that skill is not limited to those with a college degree, and having a college degree is certainly no guarantee that the individual is a good a critical thinker.

Applying Critical Thinking Skills to the Internet – A Path Forward

The challenges posed by internet disinformation and confirmation bias algorithms can seem insurmountable.  We live in a free and open society. Any form of censorship or controls over web content run against our core belief in freedom of speech and expression. Of course, as a practical matter the internet itself is structured in ways that make regulation of its content, either by the government or industry difficult to implement even in authoritarian societies.

Responsible internet content providers may be able to provide tools that are useful in identifying disinformation on the internet. However, internet experts polled in a 2017 Pew Research Center study were evenly split on whether misinformation on the internet can be reduced in the future, and there is little reason to believe the results would be different today. Likely real improvement will depend in part on us, the individuals that use the internet on a daily basis. If we develop and use the skills necessary to avoid falling prey to disinformation, the rationale for posting it in the first place will be reduced. However, this will happen only if critical thinking skills training are a core part of improving adoption of the internet and internet-based applications.

The internet is a relatively new medium of mass communication, and new products and innovations that enhance its capabilities to provide information come to market almost daily. It is a much more powerful means of conveying information – and disinformation – than anything that has come before. There are few legal or practical restrictions on what content can be added to the internet, or on who is able to add it. But most of us would not want it any other way. As was true in the past, critical thinking skills can be learned by anyone, at any age, and there is evidence that they can be highly effective in identifying disinformation, particularly if the skills learned are adapted to account for ways in which the web differs from other forms of mass media technology that came before.

Yet it also is evident that developing the skills necessary to separate facts from false or misleading content on the web may not be enough to reduce society’s polarization and help us find common ground to peacefully resolve our most difficult policy issues. As a society, we have always had issues of disagreement that require compromise, but we never have had to reach compromises when large segments of the population have isolated themselves in “opinion silos” created by web-based algorithms.

More of us now rely on the internet as our primary – and in some cases our sole – source for news and opinion.  Limiting consumption of news and opinions on the web to one or two social media websites seems to create the very real possibility that, like the “sock puppets” in the YouTube video research experiment, we will be fed only a steady diet of confirmation-biased information that resonates with our world view and suppresses all others.

In the past, our parents and grandparents could counter this risk by subscribing to multiple newspapers, or at least they could read and consider opposing viewpoints on the op-ed page of their newspaper. Our generation can find alternative viewpoints as well. In fact, an important advantage of the internet is that it contains many points of view and information sources. However, accessing those views today likely requires that we take affirmative steps to break out of the “comfort zone” of algorithm-generated content, so that we at least understand the views of those with whom we disagree.  

Over the next several years, government and private business will invest more than $100 billion to bring affordable reliable internet infrastructure to every home and business in the United States. Funding through the Affordable Connectivity Program is available to help make the internet affordable for everyone regardless of income. However, to take full advantage of this resource, to use it safely and effectively, we also must develop and implement programs to make skills-based critical thinking training generally available.

14 Apr 2023

Part three Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance

by | posted in: | 0

A Short Guide for Owners and Leaders

Part 1 of this blog described the risks posed to micro businesses and similar-sized nonprofits from a cyberattack, Part 2 outlined a three-prong plan to develop a cybersecurity plan for your organization – starting with identifying the organization’s mission-critical assets and protected third-party data, and assessing your organization’s risk level. This part concludes, by describing the core elements of  an effective cybersecurity plan.

Step Three – Implement a Cybersecurity Plan

The final step of a cybersecurity strategy for your organization is to implement a cybersecurity plan. The specifics of the plan will vary, depending on the outcome of the first two steps discussed in Part 2. However, all organizations will find that their cybersecurity plan must be applied consistently over the long term to afford them maximum protection, and every plan should focus both on mitigating the consequences of a successful cyberattack in addition to preventing one. Finally, the most effective cybersecurity plans recognize that aggressive use of available software technology must be balanced and supplemented with ongoing training.

Password Protection & Data Management

Multifactor Authentication

One of the most obvious risks to your organization is unauthorized use of a password to gain access to your LAN, website, email or internet connected devices. As discussed Part 1, most cybercriminals need access to your network to steal or corrupt your organization’s data or software applications. While this may be is changing, network access is often achieved by providing the correct password, and of course, if the password is stolen, compromised, easily guessed, or left in an unsecure location, your organization is vulnerable.

You can address some of these risks by changing passwords regularly, using complex generated passwords, not using the same password for multiple websites, using a password vault or other policies designed to make it harder for a password to be compromised. However, a more effective solution is to require multifactor authentication for all devices that access your organization’s website or local area network (LAN).

Multifactor authentication requires both a password and a correct response to a challenge sent to another internet-connected device – usually a smart phone — that previously has been registered with the person who is seeking access. Taken together, this should mean that even if the password is hacked, as long as the cybercrook doesn’t have access to the secondary device receiving the challenge, the organization’s LAN or website cannot be accessed even if the cybercrook has discovered the password. Multifactor authentication is available for major email and network services, and it has already become a standard feature for most business and government network security.  Of course, these security efforts are more easily defeated if you or others use easily guessed passwords (e.g., “password”, “password 123”, “12345” etc.) or if they fail to keep their secondary authentication device (smart phone or laptop) secure.  

                Multiple levels of security within the organization and data encryption

A second method to strengthen cybersecurity is to require additional levels of password protection within the organization’s LAN for sensitive PII or mission-critical data. This is likely to become more important as the organization expands and adds employees, volunteers or contractors. Examples of data that might require an additional level of security include employee social security numbers, customer bank or financial account information, and health records. Requiring a second level of password protection to this information is the “digital equivalent” of locking a filing cabinet or desk drawer to discourage intentional or inadvertent access to information that should be limited to a specific group within your organization.

An additional approach that should be taken, particularly if your organization has protected PII financial information is to encrypt sensitive data that is maintained on the organization’s local devices or in the Cloud. Common email services and many operating systems and Cloud based storage products offer the option of encrypting files, folders or even an entire hard drive or network.  Of course, data encryption will protect against unauthorized use or disclosure of the encrypted data only if you have properly protected the password or “encryption key” that is used to de-crypt the data.

                Screen locks and time outs

Laptops, desktops and smart phones and other devices all contain options to “lock” access to the device if it is left unattended for a few minutes. Particularly for mobile devices or for any device used by individuals working in an open office environment, enabling this feature is a simple and highly effective way to guard against unauthorize access to the device.

Minimize and reduce access points to sensitive data.

This might seem obvious, but all things being equal, the more places you store sensitive personal data the greater the likelihood that data will be accessed and compromised in a cyberattack. Having at least one off-site backup of the organization’s critical data and software should be part of an effective overall cybersecurity plan. Yet because of the popularity of automatic Cloud backups of email and computer drives such as Google Drive, Apple’s iCloud drive, Microsoft One Drive, and many others it is not at all uncommon to find that at least some of the organization’s data has been stored in multiple locations and at some point multiple storage sites can greatly complicate the organization’s cybersecurity plan and add unnecessary burdens of maintaining all of the  locations where sensitive PII is stored. As part of your development of a cybersecurity plan, you should consider whether the added benefit of storage of the data — particularly sensitive PII, in multiple locations is worth the risk. While Cloud-based storage is relatively secure, most can be compromised and accessed with a password – or best case – a password and some form of multifactor authentication.

A related point that should be considered is whether your organization is only keeping the sensitive PII that it actually needs. Storing multiple backups that are not regularly monitored, particularly on multiple local devices such as desktop and laptop hard drives can greatly complicate efforts to properly handle sensitive data. For this reason, when you are assessing the need for multiple backup storage for the sensitive PII your organization keeps, you should also develop strategies and procedures for periodically reviewing that data to determine if it can be deleted when no longer needed. 

Promptly Update Software and Applications

No application or software is “hack proof.” Over time, cybercriminals learn new ways to access and plant malware in even the most carefully constructed software. It literally is a “cat and mouse” game played between the software developers and cybercriminals. In recognition of this reality, reputable software companies work hard to identify vulnerabilities in their software and create updates (security patches) to eliminate them. Of course, these security patches work only if they are promptly downloaded and installed on all digitally connected devices that access your network. Therefore a critical part of all good cybersecurity plans is to download and promptly install security patches as they become available. Most software and applications that run on computers and smart phones contain an option either to automatically update the program or at least to provide you notice that a new update is available for installation. Generally, these options should be enabled.     

Web-traffic Encryption – Virtual Private Networks

Information (data) is transmitted over the internet using wires (such as an ethernet or fiberoptic cable) and wirelessly over the air (through your wireless modem or smartphone hotspot). While most data transmission is secured (meaning that the information is encrypted before it is transmitted over the internet), public networks or websites that do not encrypt data allow cybercrooks to easily intercept and “listen in” on the communication. The federal government’s cybersecurity watchdog – CISA – has downplayed the risk of this type of attack.  However, one study conducted in late 2016 found that 28% of the public Wi-Fi “hotspots” (at airports, coffee shops, etc.) were unsecured.

So, how do you tell if you are communicating over an encrypted network? When you navigate to a website, look at the address bar on your website browser.  If it begins with the initials “https” you can be at least somewhat confident that your data is being encrypted as it is transmitted over the internet. However, if it says “http” – the data is not encrypted – and can be intercepted and easily read by anyone unless you take additional steps. Many website browsers will warn you when you are communicating over an unsecure network. As a matter of good cybersecurity practice, these sites should be avoided, particularly if you have not implemented a second level of encryption that is discussed next.

Only accessing sites with the  “https” designation will greatly reduce the risk of a cyberattack using wireless networks. However, it is not foolproof. Unfortunately, even an “encrypted” Wi-Fi connection can be defeated through a process known as SSL Stripping. This involves tricking your computer into removing the encryption protocol, in effect downgrading your communication from “https” to “http,” without your knowledge.

For this reason, if your organization relies on wireless networks or if you and others often work remotely using public Wi-Fi, you may want to consider using virtual private network (VPN) software. VPN software can run on a single local computer, a LAN, or on a digitally connected device such as a tablet or smartphone. Once installed and activated, most VPN software offers two additional levels of protection for internet access.

First, it masks the originating address of the communication, making it difficult for a cybercriminal to determine what network is being accessed by the user. This is done by causing the transmitted data to go from the computer to the VPN provider’s server before it continues on through the internet to the user’s ISP and the destination website. For many, this feature of VPN is most important because it may offer a higher degree of privacy, making it more difficult for websites or government entities to track web browsing activity. 

However, there is a second advantage to a VPN. VPN communications between you and the VPN provider are encrypted. In other words, even if a cybercrook is able to “strip” the “https” encryption, they will only be able to see data that has been encrypted using the VPN program. No technology is completely secure from cybercriminal hacking or “eavesdropping,” but a VPN connection provided by a reputable provider is very secure, and it’s a relatively inexpensive way to guard against this type of cyberattack.

If you decide a VPN is a worthwhile investment, VPN software is offered by a number of private companies, and it is important to pick one that best meets your needs. You will need to do some investigation and find articles that evaluate VPN providers and offer advice on how to pick a provider best suited for your organization’s needs, but keep in mind that some of these articles focus more on privacy (the first advantage of a VPN) rather than your organization’s objective — defeating a cybercrook’s attempt to intercept and read the data being transmitted. For your organization, the primary concern may be the number of servers the VPN provider has and the speed and capacity of those servers. This is important because once the VPN is activated, all of your communication over the internet must pass through your VPN provider’s server. If the provider does not have sufficient network capacity, the speed and reliability of your internet connection will be significantly reduced.

Addressing “Human” Vulnerabilities

It would be nice if you could protect your organization from cybercrooks just by buying additional software. Unfortunately, relying on software at best is just half the solution. The other half is dealing with the “human” side of cybersecurity. The reason is simple: even the most robust software technology can be defeated or rendered useless by bad actors inside the organization, by failing to properly use the cybersecurity software tools that are available, or simply a failure to recognize a cybersecurity attack. This section focuses on ideas for reducing your organization’s human vulnerabilities to a cyberattack.

Background checks for those who access the network.

Obviously, you want your organization to grow and become more successful, but as that happens it becomes more important to know who has access to your connected devices and data. A good cybersecurity plan should include a set procedure that includes conducting background checks on all prospective employees. This should include criminal record checks, credit checks, as well as verification of employment and education. Even if you are the only “employee” in the organization, the same considerations apply to others such as vendors, customers or volunteers who have access to your organization’s network.  Of course your background check may not be as extensive as what you would use if you were evaluating a person for employment, but depending on the nature of the contact, the role the individual or entity will play, and the level of access to your organization’s data, you will want to know enough about the individual’s background to feel reasonably certain they will not put the organization’s data or its connected devices at risk of a cyberattack.

Implement  cybersecurity policies and procedures.

Even if you are a sole proprietor or the “staff of one” in a local nonprofit, it is important to consider and implement common sense policies and procedures to minimize the risk that your organization  will fall victim to a cyberattack. Items to consider include:

  • Setting a schedule to regularly check all critical software for security patches and immediately installing critical security patches when notified by a software provider.
  • Developing a policy to create robust passwords and to regularly change passwords.
  • Avoid loading any personal software or email on a computer or other device connected to the organization’s network.
  • Avoiding use of the organization’s email address for personal communications.
  • Install screen password locks on all of the organization’s desktops, laptops and tablets.

Admittedly not all of these policies will be popular, and like many things in life, you may decide that the level of risk your organization faces does not justify implementing some of them. That of course is up to you as leader of the organization. However, before making any final decision, consider whether some or all of these steps may be mandated by clients, customers or suppliers with whom you are dealing.

Educate yourself and everyone who has access to the organization’s digital resources.

Hopefully one of the things you have learned from this blog is that the cyberattacks on businesses, organizations and government have continued to evolve to counter efforts to make software and networks less prone to attack. This will certainly continue. For that reason it is important that you commit to remain up to date on evolving cyber security risks. Fortunately there are a number of resources available to assist in that task. Two are listed below:

You also should consider ongoing training and reminders for employees or others who regularly access your network. Here you might want to use resources developed specifically for that purpose:

Develop a Cyberattack Recovery Plan

You may find this part to be discouraging. After all, if you have taken all of the previous steps to protect your organization from a cyberattack, it’s sobering to think that your  still aren’t protected. Of course, that’s not true. By implementing the previous steps you will have made it much more difficult for a cybercrook to access, disable your network, or steal data. However, just as the best physical security and alarm systems don’t provide 100% protection against the risk of theft or loss, even the best cybersecurity strategies can – and are – defeated each day. Just as you take steps to deal with that reality for your physical assets, it’s important to consider how to deal with a successful cybersecurity attack as well. Here are three ideas you should consider.

Offsite Secure Backups

Earlier, in developing your cybersecurity plan you identified the “critical” data and applications that were needed to operate your organization. As part of your Plan, you need to arrange for these critical items to be regularly backed up, and securely stored in a safe location. How often you decide to back up the data will vary, but obviously data that is added after the backup likely will not recoverable, so it may make sense to back up daily or at least weekly.

Nearly all major software providers offer the ability to backup data to remote “Cloud-based” servers. Some providers offer the ability to automatically back-up data on an hourly, daily or weekly basis, together with the option of accessing earlier backup versions. This last feature can be useful if you are concerned that an “infected” file may have been downloaded onto your network or computer prior to your last backup. Of course, there is always a possibility that your automatic backup system may not initiate for some reason, and as part of your  Plan, you will want to periodically check to make sure the backups are occurring  as expected, and that they can be accessed.

Develop a strategy to notify third parties of a cyberattack.     

This step is most relevant for organizations that maintain sensitive PII (described earlier in Part 2), that have an ethical obligation (such as an attorney) to maintain confidentiality of client data, or that have entered into a contract to maintain the confidentiality of third-party data. Organizations in these situations need to consider and include in their plan, a procedure to document and update where third-party data is stored, and a method to easily identify businesses or individuals that need to receive notice of a cyberattack.

Consider cybersecurity insurance.

It’s probably apparent at this point that a successful cyberattack might be an expensive proposition for your organization, not only from lost revenue but from third party claims for collateral damages as well. You likely insure against the risk of loss of your organization’s physical assets, so it may occur to you that insurance against losses from a cyberattack might be a good idea as well.

Many companies offer insurance policies for some losses incurred in a cyberattack, and for some organizations insurance can be part of a comprehensive cybersecurity plan, however cybersecurity insurance may not be appropriate for all organizations, and as part of preparing the plan for your organization, you need to carefully consider the pros and cons before purchasing a cybersecurity insurance policy.

Cybersecurity insurance generally will insure your organization against some losses arising from interruptions to normal operations, the cost of notifying third parties of cybersecurity attacks, and the cost of defending lawsuits from third parties for damages arising from the event. However, these policies typically will not insure against losses arising from damage occurring from criminal activities by your employees or for the loss of physical or intellectual property resulting from a cyberattack. 

You can begin determining whether cybersecurity insurance is right for your organization by talking with your insurance agent. Generally organizations that store significant amounts of third-party personal information and those most at risk from business or operational interruption in the event their network is compromised, will find cybersecurity insurance to be most useful.  However, cybersecurity insurance is NOT a substitute for a good cybersecurity plan. Be aware that if you decide to purchase a policy, you can expect the insurance provider to demand that you institute the policies and procedures outlined in this blog as a condition for providing coverage. In other words, cybersecurity insurance provides an additional level of financial protection, but only after you have implemented a good cybersecurity plan.

Cybersecurity – Is It Worth the Effort?

These three blogs have outlined the risks to your organization of a cyberattack and outlined the steps you should take to implement a cybersecurity plan to defend against an attack. Operating a business or nonprofit on a shoestring budget is extremely challenging and requires leaders to constantly set priorities and trade-offs. Success often depends on not letting “perfect be the enemy of good enough,” and the amount of time and effort organizations need to put into their cybersecurity plan will vary. However, it is not an exaggeration to say that every organization needs to do something. You can confirm that by simply imagining how your organization could operate if your network, records, computers and even your phone all stopped working. Unfortunately even for very small organizations the risk of an attack is significant, and the consequences of being unprepared likely will be  catastrophic. While it is not possible to completely secure your digital assets, the steps outlined, can significantly reduce that risk, and mitigate the damage in the event of a successful attack. For that reason, even for the smallest business or nonprofit, it’s worth the effort to implement an appropriate cybersecurity plan. 

12 Apr 2023

Part Two Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance –

by | posted in: | 0

A Short Guide for Owners and Leaders

Part One of this Blog explained the risks your organization faces from a cyberattack, describing the most common objectives and the primary ways cybercrooks attack microbusinesses and similarly sized nonprofits. You learned that successful cyberattacks often involve tactics that are designed to deceive, along with sophisticated malicious software, and that potentially any device that connects to the internet, or to your local area network (LAN) could be an entry point for a cyberattack.

While the risks posed to your organization by cybercrooks are real, and no solution will be 100% effective, there are several things you can do to greatly limit the risk posed by cyberattacks. The objective of this blog and the next one is to describe a strategy you can use to secure your organization against a cyberattack, and help you mitigate the damage done even if an attack is successful.

There are many good educational resources available online that provide specific guidance to assist in understanding how to spot a cyberattack and more are being developed all the time. Examples include the resources offered by the  U.S. Small Business Administration, the Federal Communications Commission and the Missouri Cyber Security Office as well as commercial software providers, such as Microsoft .   In addition, resources published by PCI Securities Standards Council, the organization that works to secure the processing of credit and debit card payments, can help you identify ways to reduce this significant area of risk for many microbusinesses and nonprofits.

These tools and resources will be essential in implementing a comprehensive strategy for cybersecurity. However, implementing and using them effectively requires that you develop a comprehensive strategy that is tailored to address your organization’s unique vulnerabilities. The next two parts will describe one process you can follow to develop an effective strategy.  Doing this will help you use the available tools and resources more effectively and make the most of these resources. By taking this approach, you’ll be able to better use the available tools and resources to address your organization’s cyber security needs and risks.

Part 2 –Developing  a Cybersecurity Plan for Your Organization – Beginning the Process

Given the number of cybercrooks out there, and the many strategies used to carry out an attack, the task of securing your organization may seem daunting, and it is easy to become overwhelmed. One way to keep yourself on track, is to break down the plan for securing your organization into three steps: Identify Critical Data; Assess Your Risk Level; and finally, Implement an Ongoing Cybersecurity Strategy.

Part 2 of this Blog addresses how to identify your organization’s critical data and assess your primary risks and vulnerability to a cyberattack. In Part 3, will discuss how to use this information to  implement an effective cybersecurity plan that is tailored to your organization.

Step one – Identify Critical Data

This step may seem unnecessary, but overlooking it could sabotage your efforts to create an effective plan or cause you to spend far more time than is warranted working on issues that really do not constitute a substantial threat to the organization. The reason is simple; in order to mount an effective defense against a cyberattack, you must first know what data and applications need to be secured. For this reason, your first step in developing an effective cybersecurity plan is to evaluate your situation with by asking two questions: First, what data and software are “mission critical” to the organization? and second, what “third-party data” do we store and retain that must be protected? Taking this this step is critical because leaders of microbusinesses and similarly sized nonprofits simply do not have the luxury of unlimited staff and resources. They must focus their cybersecurity efforts on what is most important based on their unique situation.

Identify “Mission Critical” Information and Software Applications

Identifying what is “mission critical” to your organization requires a little bit of imagination, as well as some investigation. A good way to start is to imagine what would happen if you discovered one morning that your entire organization had been subject to a successful ransomware attack. You have just grabbed a cup of coffee, turned on your desktop or laptop, and were faced with this screen: 

This Photo by Unknown Author is licensed under CC BY-NC-ND

You open your smartphone and tablet and find that they have the same message! This means you can’t access your documents, such as Word and Excel Templates, customer lists, records and forms. Access to everything saved to a computer or stored online has been blocked. You really panic when you attempt to access your company email account and discover that it has also been hacked and the password has been changed! 

Now, ask yourself, what information (data) is critical to the operation of your organization over the next day, the next week, and the next month? What “software” (apps, programs and applications) do you use daily to generate forms, invoices and correspondence in your organization. This likely would include things like customer lists, templated, custom business software, and a variety of transaction records. You’ll likely decide that some data and applications truly are “mission critical” (things you simply cannot operate at all without immediate access) while others you could work-around for at least some period of time.

One point to remember though, is that your list likely will be different than that which another organization would prepare. For example, an architect or engineer’s ability to access work it performed for a client five or ten years ago, may be the most important competitive advantage they have to gain repeat business for improvements or modifications to a project. On the other hand, that same data maybe simply taking up space on another business’ computer hard drive.

Identify protected third-party Information.

Once you have identified data and information critical to your organizations operation you then need to determine what data your organization maintains relates to third parties (customers, suppliers, employees and independent contractors). The previous blog described ways cybercrooks use personal information to compromise computer networks and rob innocent third parties. For that reason, you need to identify data you have retained that could be exploited in a cyberattack to injure these third parties.

This third-party data is often referred to as personally identifiable information (PII). The Department of Homeland Security defines PII as any information that permits the identity of an individual to be directly or indirectly inferred. Sensitive PII includes social security numbers, driver’s license numbers, alien registration numbers, financial account and medical records, biometric data, or an individual’s criminal record.

Of course, it is important to identify what sensitive PII your organization has to protect others against losses from a malicious cyberattack. However, It also is important for your organization to do this because most every state has enacted laws mandating disclosure to these third parties if your organization is the victim of a cyberattack that likely resulted in the disclosure of sensitive PII to a cybercrook. Missouri’s statute can be found here.

In addition, there are laws and regulations that impose requirements on specific industries, such as finance and health care, and these will vary, but the risk to your organization is much the same: a failure to safeguard this third party sensitive PII may lead to its disclosure, and in turn to a successful attack directed against the third party. To protect these individuals, your organization will need to notify them of the attack. Depending on the amount of information involved, this could be quite expensive and time-consuming. It almost certainly will damage your organization’s reputation.

While you may be able to quickly identify the type of sensitive PII your organization retains, determining where that information is located and stored can be a challenge. Most organizations have multiple devices (computers, tablets, servers, smartphones and others) that store the data locally. In addition, this information often also is stored remotely on devices maintained by third parties, in what has come to be known as “the Cloud.”  Since data backups to the Cloud can be initiated automatically, you may find that there are multiple copies of sensitive information stored in multiple locations. Depending on your organization’s size – and most importantly whether it likely receives, maintains and stores sensitive PII, you may want to look into using specialized software that is designed to search out various locations to identify where your organization has stored sensitive PII, both on local devices and in the Cloud.

Step Two – Assess Your Risk Level

Once you have identified “mission critical” information and applications and the sensitive PII your organization holds, you can move to the second step of your cybersecurity strategy, assessing how well this information and applications are protected from a cyberattack. Since a cyberattack is most likely to be launched by someone who is accessing the internet, a good way to begin is by examining how your organization interacts with the internet.

Inventory internet-connected devices

One place to start this effort is to catalogue the devices that can access the internet. Of course, this will include desktops, laptops and tablets and smartphones owns and maintains. However, that may only be the first step, and it may not include your most vulnerable access points for a cyberattack.  For example, you or your employees may access the organization’s LAN remotely from a home computer, smart phone or tablet. You may also have granted customers, patrons or suppliers’ special access your network resources. Each of these is a potential “point of access” to a cyberattack. As you develop an appropriate cybersecurity plan in Part 3 of this blog, you will need to take these devices and entry points into account as well as your LAN and the devices that are attached to it.

Addressing customer credit or debit card payment information

Most businesses and nonprofits must be able to seamlessly accept payments and/or donations with a credit or debit card. However, it is very important to understand what responsibilities your organization has assumed through its credit or debit card payment arrangements, and how that risk can vary depending on how the organization has structured its payment receipt system.

In 2004, the major payment card companies created the “Payment Card Industry — Data Security System”` – usually referred to as “PCI DSS.” The PCI DSS establishes industry standards for businesses and organizations that accept, transmit or store payment card information. This is not a federal or state law although as previously discussed, separate federal or state laws or regulations may require disclosure and create liability issues for your organization if  PII is compromised in a cyberattack. Data Security Standards for PCI compliance vary depending on the payment brand (Visa, Mastercard, American Express, etc.) and the number and size of credit or payment card transactions. An organization that is not PCI compliant may lose the right to accept credit or payment card payments and, more importantly, face very substantial fines and penalties.

That said, most PCI compliance obligations are triggered only if the organization handles, transmits or stores credit or debit card information its network. Fortunately, most small organizations can avoid many of the ongoing requirements to remain PCI compliant, and still offer customers or donors the convenience of using credit and debit cards by using a payment card processor company. In a payment transaction these companies act as an “intermediary.” Once the transaction is initiated, the exchange of protected information (PII) is conducted on the processor’s network rather than the organization. The processor takes the payment card information directly from the customer and credits the organization’s account with the appropriate payment. Since the processor’s network handles the mechanics of the payment processing and stores that information as needed, the organization does not handle, transmit or store any protected data relevant to the transaction.

Of course, if your organization collects or stores payment data by some other means, such as requesting it directly from the customer or donor, that short-circuits the protection afforded by using the payment processor. It then must handle  and secure the sensitive PII in accordance with the PCI DSS standards, and it potentially could be subject to significant economic fines and penalties if the sensitive PII it has stored is compromised through a cyberattack. For these reasons, organizations will want to be extremely cautious about collecting and storing any payment card information. 

Cybersecurity and your organization’s website

Your organization almost certainly has some sort of “online presence” whether it is through a commercial website provider or just a page on a social media site. As with other aspects of cyber security, your organization’s risk of a cyberattack will vary, and will depend in large part on the level of access offered to the public through the website. Additionally, in cases of a ransomware attack, the extent to which your organization relies on its website to maintain day-to-day operations will be important in assessing the extent to which the cybersecurity plan for the organization needs to focus on website cybersecurity. As a general rule, if your organization has a website, you’ll want to spend time understanding the cybersecurity risks associated with the site, even if you rely on a third party to prepare and maintain it for your organization.

The risk of a successful cyberattack through your website can depends in part on the software and cybersecurity tools used by the company that hosts that site for your organizations. Websites that regularly update security software are at less risk. However, if your website permits customers or users to upload any files or documents onto the site, you will need to be particularly diligent to ensure that those files are screened for malware, as this feature presents the potential for any cybercrook to launch a malicious attack on the website. Additionally, if your website provider provides options to accept payment cards you’ll need to assess whether it is PCI DSS compliant.

The Final Step

Now that you have learned what a cyberattack is, how it is implemented, determined what data and applications your organization needs to protect, and reviewed your organization’s unique risk profile, you are ready to focus on ways to protect your organization. This is the focus of Part 3 of this Blog.

29 Mar 2023

Part 1 Cybersecurity for Small (Micro Business and Nonprofit Organizations: Striking a Balance

by | posted in: | 0

A Short Guide for Owners and Leaders

Inflation, supply chain issues, COVID, staff shortages, rising wages – and you want me to spend time thinking about cybersecurity?

Well, yes – you should – at least just a little. That advice applies even if it’s just you “pulling the levers” to keep your small business or nonprofit operating, and it applies even if you have outsourced all of your website, email management, and credit card processing to a third-party provider.

This is the first of a three-part blog specifically targeted to cybersecurity for very small organizations.  Owner-operated businesses with no more than 5-10 employees — sometimes called “microbusinesses” as well as similarly-sized nonprofits. This part (part one) will describe what a cyberattack is, how it is carried out and ways it can cripple or destroy your organization. While almost everyone understands that large businesses and the government are at risk of cyberattacks, in recent years cybercrooks have focused on smaller organizations, in part because these crooks know that you may lack a dedicated IT staff to defend against the attack. Your organization is assumed to be “low hanging fruit” for cybercrooks, but if you understand the risk and take some reasonable steps to address it, you can greatly enhance your organization’s ability to avoid or recover from a cyberattack.

Just because your organization is small does not mean it is less vulnerable to a cyberattack.  Unless you are prepared, an attack can cripple your operations and do irreputable harm to your reputation. Microbusinesses already face challenges that lead 30% of them to fail within the first year of operation and similar failure rates apply to nonprofits as well. As the leader of a small organization with limited resources time spent working to secure your business against a cyberattack and to recover from a successful attack, could be critical to the organization’s survival.  

Creating a strategy to address this risk doesn’t require a substantial amount of time, and once it is in place, effective cybersecurity is much like protecting your organization’s physical assets. You have locks on the doors and windows, perhaps even a security monitoring device or service to discourage criminal activity and alert you in the event of a break-in, and worst case – you’ve insured as best you can against potential losses should those steps fail. Addressing cybersecurity is much the same, except that instead of physical assets (building and equipment) you are working to protect the information contained on your internet-connected devices and the software that keeps those devices operating

With that in mind, keep on reading to learn more about the risks your organization faces, and how to protect it.

Part One: What is at Stake — The Risks of a Cyberattack

The purpose of cybersecurity is to prevent or limit damage to your operations from a cyberattack.

Cyberattacks can cripple your operations and put your organization’s viability at risk. A January 2023 article states that 43% of small businesses surveyed had suffered a cyberattack, and that cyberattacks are expected to cost 6 trillion dollars. This risk is not limited just to your organization. Even if you can quickly recover from a cyberattack others can suffer significant harm. Confidential information relating to third parties that is stored on your network or computers can be stolen and exploited, or your “infected” network and devices can spread harmful programs to customers, donors and suppliers. In addition to badly damaging your organization’s reputation, it may face lawsuits, fines and penalties for failing to properly secure the information on the network and connected devices.

There are many types of cyberattacks, with confusing names and acronyms, and to make matters worse they are consistently changing and evolving as cybercrooks find new ways to achieve their goals. That said, to develop effective strategies to prevent or deal with a cyberattack it is useful to understand what a cyberattack is, what the attacker wants, and some of the common strategies used by cybercrooks that pose a particular risk to small businesses and nonprofits.

What is a cyberattack?   

In these blogs, the term “cyberattack” means an attempt to gain unauthorized access to a digital network and/or to the physical devices that are connected to that network in order to steal information or to disable your operations by locking, corrupting or destroying critical data and applications..

A “digital network” is the mechanism your organization uses to transmit “data” (e.g., email, files, credit and debit card information, video or audio) from one physical location to another. The “internet” is a digital network with more than 5 billion users and by some estimates 50 billion devices that connect to it. However, the switches, routers and modems your organization uses to connect computers and other devices to servers and the Internet is also a digital network. It is usually called a local area network or LAN. Unlike the internet, a LAN connects a limited number of devices with each other, and it most often acts as a gateway that some or all of these devices can use to access the internet. Typically, a cyberattack originate from a device located somewhere on the internet, and it succeeds by gaining access to your LAN or to one of its connected devices.

What physical devices need to be secured against a cyberattack?

An important point to understand here is that any device that is connected to your LAN (or to the internet directly) is at risk in a cyberattack. This of course includes desktop computers, laptops, network servers, switches and routers – but it also includes a smart phone or a tablet, smart appliances, surveillance cameras or sensors that are part of your alarm system or inventory control, perhaps even your wristwatch. All of these devices have the capacity of interacting and connecting to your LAN and the internet, and thus all of them are at risk of a cyberattack.  

What are the common objectives of a cyberattack?

Most cyberattacks are intended to achieve at least one of these goals.

Extortion –

According to a recent Forbes article the most common cyberattack threat facing small business in 2023 is ransomware. As the name implies, in a ransomware attack, the cybercrook attempts to load some type of malicious software onto your device or your LAN to encrypt the data or otherwise block access. In other words, the attack “locks you out” of your device – or all devices on the network. Once that is accomplished, the cybercrook demands a payment (ransom) with the threat the failure to pay will result in destruction of the data, or disclosure of the personal or financial information of the organization or third parties to other criminals. A derivative of this type of attack could involve theft of sensitive data or third-party information, again with the threat that the cybercrook will disclose it to criminals if the ransom payment is not made.

Theft –

Attacks of this type can take one of several forms; the first category is theft by deception.  Here the cybercrook’s goal is to convince you that they are someone else and deceive you into the sending them money or valuable information (e.g., credit card or bank account numbers – or passwords to protected networks). The “great-grandfather” of these types of attack is the infamous “Nigerian prince email”  (send a relatively small amount of money to aid a Nigerian prince to gain access to a far greater sum that will be shared with the victim). Surprisingly, even though this ruse has been around for decades, it still is used to steal hundreds of thousands of dollars each year. Maybe you like to use the term phishing somewhere because that was one of the most common attacks in 2022.

These types of attacks have greatly evolved over the years. More sophisticated versions used today involve using false credentials and other nefarious approaches to impersonate a known person or business. These are used to trick the unsuspecting into sending money to the cybercrook. The attack is successful because the request itself seems reasonable, such as an email request to move funds from a finance officer or for payment of an invoice from a trusted supplier. At times stolen emails are used, making it impossible to determine from the communication that it is illegitimate, unless the recipient decides to verify its authenticity by phone or some other communication. A second class of theft by deception cyberattacks seek is disclosure of valuable private information (e.g., credit card, bank account information, email passwords, etc.) in lieu of requests to transfer funds.

Sometimes the objective of a cyberattack may not be money or data, but instead use of your computer itself. Cryptojacking is the most common objective of these attacks. Here the cybercrook seeks access to your computer or networks so that it can use the hardware for “crypto mining” – solving extremely complex mathematical equations to create digital currency. While it may seem farfetched to you that your small organization might be subject to this type of attack, it should not be discounted. A 2021 report on cyber security threats prepared by Cisco found that nearly 70% of organizations studied had at least one computer that had been successfully “highjacked” for use in an illegal crypto mining operation.

This is not a victimless crime; unauthorized crypto mining can greatly reduce the efficiency and useful life of computers and related hardware and result in higher electricity bills. More troubling, since the cybercrook can only highjack your machine by placing software on it, these cyberattacks also usually involve other objectives, such as eventually triggering ransomware or steeling confidential data as well. 

Monitoring — Exploitation –

This last category of cyberattack (monitoring and exploitation) typically is undertaken in advance, or in conjunction with one of the others, such as extortion or theft. However, sometimes the cybercrook’s initial goal is simply to gain access in order to eavesdrop and monitor your organization’s online activity. The individual behind the attack might just be a maladjusted “cyber-voyeur” who enjoys the thrill of breaking into and looking at things that are none of their business. On the other hand, news reports regularly surface stories of state-sponsored cyberterrorist attacks that target government websites for purposes of espionage. However, the greatest risk to your organization posed by this form of attack is likely to be that it allows the cybercrook access to confidential information that can be used and exploited at a later date.  

How is a cyberattack carried out?

All digital devices use computer programs (drivers, apps, software, algorithms etc.) to operate. These programs are used let us communicate via video or audio, monitor business inventory, transfer funds and process credit card payments, create and transmit email and text, and perform many other tasks that keep our organizations running. To achieve the one or more of the purposes of the cyberattack, the attacker has to gain access and, in some cases, to add a program or modify an existing program on the LAN or on a computer or other device that is connected to the LAN. These programs or program modifications are referred to generally as “malware,” and they include “viruses, tojans, adware and ransomware.

You may think that this occurs only through highly sophisticated exploitation of a flaw in the device’s operating  system, undertaken without any action on your part. However, while there have been successful attacks of this type in the past, readily available network and computer defenses make this much less likely today, particularly if existing software is regularly updated.

While the computer algorithm  or “malware” used to implement a successful cyberattack may be complex, according to the 2021 Cisco report previously mentioned,  9 times out of 10 those algorithms were introduced to your computer or network by actions taken by you or someone in your organization! Further, while it is certainly possible for a cyberattack to be initiated by a disgruntled current or former employee with physical or remote access to your organization’s network, it is far more likely that access will be unwittingly granted simply by opening an attachment on an email, clicking on a link in a text or on a website, or simply replying to a seemingly legitimate request from a customer or colleague.

This method of attack is generally referred to as phishing (pronounced “fishing”) and there are many variations.  However, the objective of all these attacks is to trick the recipient into taking some action that enables the malicious program to be downloaded so that the attack can proceed. The objective of the attack itself might involve any one of the three objectives described above. There are many examples and derivatives of phishing  as well as sites that offer cues you can use to recognize and avoid them.

A second less common, but effective means of launching a cyberattack can occur when the attacker intercepts and accesses a wireless network connection. This wireless connection could be the wireless modem used to connect devices at your place of business, or it could be the public wireless network at the airport, coffee shop or Walmart parking lot. In each case the cybercrook uses various means to cause your device to communicate unencrypted information, so that it can be read and later exploited.

Is there any way to defend against a cyberattack?

This blog is by no means an exhaustive discussion of the types of cyberattacks. There are others. However, those discussed do comprise the most common small organizations face. The bad news is that these attacks continue, and are becoming more sophisticated. The good news is that with a little planning and thought you can greatly reduce your risk of becoming a victim.

Part 2 of this blog will describe a strategy your organization can use to develop a cybersecurity plan that will minimize your risks, and speed recovery even in the event of a successful cyberattack.

25 Aug 2022

Remember the FCC RDOF Auction? When is a “Funded Area” Actually “Funded”?

by | posted in: | 0

By Marc McCarty

Today I re-read my Blog from December 2020 about the winners of the FCC Rural Digital Opportunity Fund (RDOF) auction awards. It was an exciting time! Over $9.2 billion awarded — $346 million to Missouri providers that promised to connect nearly 200,000 Missouri locations to high-speed internet!

Twenty months later, while some Missourians now have the service available, many do not, and for some the connection promised by the funding will never come at all.

Why?

Part of the answer was described in the December 2020 Blog:

“Companies receiving awards are required to submit much more detailed information to the FCC throughout next year before their award is final.  That information includes engineering data, deployment plans and financial data, and failure to submit it by the deadlines can result in forfeiture of the award.” 

As this map shows, as we approach the second anniversary of the initial FCC award announcement, companies who won awards in the areas of the state shaded in yellow still have not been able to satisfy the FCC’s criteria to begin receiving funding. Those areas shaded in red represent locations where companies have “defaulted” and lost their chance for federal funding.  This map does not include the latest disqualifications of “winning companies” — $885 million to Star Link (disqualified because it could not show it could deliver service to all locations at the promised speeds) and $1.3 billion to LTD Broadband (disqualified because it failed to obtain necessary state issued licenses to offer internet service). LTD Broadband’s disqualification is particularly relevant for Missouri because it represents the majority of Missouri locations that had not been funded.

Of course, even in areas where the final applications for funding have been approved by the FCC, another reason many folks are waiting for broadband service is that the funding is spread over 10 years and the providers have 6 years to meet their obligation. 

On August 15, the Department of Economic Development began taking applications for up to $265 million of state grant funding for broadband infrastructure, and Missouri likely will receive hundreds of millions of dollars more funding over the next few years through the Infrastructure Investment and Jobs Act programs.

Government officials are very concerned that this new funding does not go to areas already covered by another federal grant funding award. For example, under the DED program:

“project areas where high-cost support from the federal Universal Service Fund has been received by rate of return carriers, funding from the National Telecommunications and Information Administration Broadband Infrastructure Program, or where any other federal funding has been awarded to provide broadband service at speeds of 100/20Mbps will not receive Program funding.”

This of course, seems very logical. Why should the federal or state government pay twice for the same promised broadband access?

However, this logic breaks down when the promised federal funding is delayed for months or even years and then ultimately denied, or where the funded project cannot deliver the promised levels of broadband access.

This is a problem that is unlikely to go away. The FCC, NTIA and USDA (Reconnect) all have had funding programs in place over the past several years, with slightly different criteria for eligibility, requirements for connectivity levels, and build-out timelines. In some cases, the funding program did not require, and the provider did not commit to build out the locations to the current 100/100 Mbps or 100/20 Mbps standard.

Some of these issues can be addressed through a focused grant application and challenge process of the type DED has implemented. After all, providers that do expect to move forward with federal funding should be able to make that intent known. Further, in situations where “preliminary” awards were granted only to ultimately be rejected during an extended evaluation process – such as Star Link and LTD Broadband — the DED Broadband office has already taken steps to encourage applicants to make the case for funding through a new addition to its broadband program grant FAQ:

Questions added August 22, 2022:

Q31:The Federal Communications Commission today announced that it is rejecting the long-form applications of LTD Broadband and Starlink to receive support through the Rural Digital Opportunity Fund program, what does that mean for my broadband application?  

A31:Due to the FCC rejecting the long-form applications of LTD Broadband and Starlink, areas within Missouri that may have been considered federally funded/awarded may no longer be considered federally funded. In the application, for Section IV Questions 13 & 13a, if your proposed service area was a previously funded area, but it is no longer, provide an explanation of how the area was previously awarded,  and why that proposed service area is eligible for this Program’s funding.

Certainly, it also would be helpful if all federal agencies had more consistency in their requirements and process for funding programs and more transparency to identify when an “awarded” area:  (1) actually is reasonably likely to qualify for funding and (2) is building infrastructure capable of meeting modern standards for broadband service (100/100 Mbps or 100/20 Mbps).

Finally, it might be appropriate to consider more objective criteria for determining if an area that is unserved or underserved actually should be excluded because of a competitor’s challenge.  For example, Ohio’s state grant program definitions exclude unserved and underserved communities from participation in its grant program only when a competitor’s network is actually under construction and expected to be deployed within 24 months. Likely there are other ways of addressing this issue, but for the sake of residents and businesses currently on the other side of the digital divide, solutions need to be found. For Missourians without access, it is little comfort to learn that they live in an area that cannot participate in new rounds of federal and state funding for broadband, because funding was promised but never provided in a prior award or was used to construct infrastructure that doesn’t meet current standards. In either case, these folks are unconnected, with no realistic prospect of becoming connected, unless their homes and businesses are eligible to participate in future federal and state grant programs.

7 Jun 2022

A Wrap-up – Broadband and the 2022 Missouri Legislative Session

by | posted in: | 0

The Missouri General Assembly closed out its regular session on May 13, 2022 (Friday the 13th). The General Assembly committed unprecedented amounts of new public investment in high-speed internet infrastructure. Yet, the amounts provided were substantially less than what the Governor proposed last fall and did not address some of the key objectives identified in his budget proposal. Aside from the appropriation, limited progress was made on other fronts as well, and these are discussed in more detail below.

The ARPA Broadband Appropriation

Much of the General Assembly’s work this session centered on the Governor’s American Rescue Plan Act (ARPA) spending proposals – a key component of which was spending for Broadband. Using federal money provided by ARPA, the Governor proposed a multipronged approach that included infrastructure funding (broadband access), adoption (digital skills training) and affordability. In this regard, the Governor’s proposal mirrored the approach of the Infrastructure Investment and Jobs Act (the IIJA) enacted by Congress last year and described in an earlier blog.

As shown in the following table, while the General Assembly provided funds for internet access, it did not approve funding for the Governor’s adoption or affordability proposals. Administration of the new grant funding program (as well as development of a 5-year plan to apply for and secure more federal funding from the IIJA programs) will be provided by Department of Economic Development’s Broadband Office (DED), which received $10 million of additional funding this session.

ProgramGovernor Parson’s Proposal (Missouri Department of Economic Development (DED)General Assembly Appropriation
Access (Infrastructure)$250 Million  — Competitive Grant Program for locations lacking fixed wired or wireline service of at least 100 Mbps/20Mbps250 Million
“Digital Literacy”  (Adoption/Digital Skills)$30 Million – Competitive Grants  to Nonprofit and Educational OrganizationsNot Funded
Affordability (Assistance for broadband subscription cost )$30 Million – Would funds an additional $10 per month benefit to households eligible for the $30 per month benefit provided as part of the IIJA’s Affordable Connectivity ProgramNot Funded
Pole Replacement (supports fiber on pole deployment)$0* *Pole replacement costs could be funded through broadband infrastructure grant program  $15 Million
New Cell Towers for Wireless Access$30 Million$20 Million

There are a couple of observations that seem relevant here:

  • First, while the amount of money appropriated for broadband infrastructure far exceeds previous funding, it will not be enough to provide broadband to every location in Missouri that needs one.

The Governor’s proposal was expected to be enough to connect approximately 75,000 households in the state.  However, in a webinar presentation last month DED noted that a recently completed gap analysis showed that nearly 500,000 locations in Missouri lack broadband service at speeds of 100/20 Mbps (the new standard for “underserved” locations). The cost to connect those locations was estimated at a little less than $2 billion, whether wireless or wired technologies are used to provide service.

That said, the goal of funding universal broadband access across Missouri seems to be well within reach. The $285 million appropriated by the General Assembly this session is money the federal government provided to the state through the ARPA last year. An additional $1.3 billion (the second installment of State and Local Fiscal Recovery Funds (SLFRF)) will be deposited with the state later this year. This money also can be used to fund broadband and other infrastructure needs. Thereafter, Missouri is eligible to receive a sizable portion of the $42.5 billion available to states to fund broadband infrastructure as part of the IIJA. Finally, of course, assuming a public-private partnership model is used to provide broadband access, no one thinks that the federal and state governments will need to finance the entire cost of building out broadband to all underserved locations, as the private sector can fund the investment as well.

In other words, over the next several years, there appears to be an opportunity to access enough federal money to construct the infrastructure needed to close Missouri’s digital divide. However, this will require continued support from the General Assembly to appropriate the federal money. ARPA money left unspent by the end of 2026 must be returned to the United States Treasury. IIJA funding will be allotted to states based on need and funded only after submission and approval of a five-year plan designed to provide access to all unserved locations in the state. Thankfully, in this session the General Assembly began this process by appropriating money to DED this session from ARPA funds to develop this five-year plan, so that Missouri can fully participate in the IIJA funding programs both for access and adoption over the next several years.    

  • Second, the General Assembly’s decision to “zero-out” the Governor’s proposed appropriation for internet adoption is somewhat puzzling. One could make the case that $30 million was not the right amount – that it was too much – or that the need for adoption programs could be deferred to a later date and paid for out of future IIJA grants, and did not need to be included in this year’s appropriations. 

It may be simply that the proposal suffered from “misbranding”– the decision to call it “Digital Literacy.”  One would think most folks don’t like being referred to as “illiterate” – even if it’s “digitally” illiterate, and that term doesn’t really do a very good job of describing what the money was intended to pay for – or why it was needed in the first place.

Likely what was lost in the debate was an appreciation that the public benefit of broadband access, what justifies the investment of hundreds of millions of public dollars for broadband infrastructure, comes only when all individuals throughout the state can actually use that resource in ways that make a positive impact on public health, education and economic opportunity. This would include visiting their doctor online (telehealth); starting an in-home, internet-based business; reversing population declines in rural communities and saving commuting time and expense through telecommuting; obtaining an advanced degree or skill online from a university or junior college; monitoring crops in the field, reducing fertilizer and production input costs through precision agriculture; accessing online federal, state and local government services; and otherwise using high-speed internet in ways that make business, government and other institutions more efficient and effective.

In short, to fully realize the public benefit of broadband that justifies the unprecedented public investment in broadband infrastructure, there is a need to move beyond smart phones and recreation-centered internet-based applications (things like texting, social media, YouTube videos, online gaming etc.) and to provide everyone – not just the “tech-savvy” with the training and skills needed to effectively use this new resource. While certainly most everyone believes these goals and programs are worthwhile and necessary, the private sector has limited motivation (and expertise) to provide them. This was the rationale of an internet adoption program that would use nonprofit, local government, and educational organizations to develop the skills-based resources designed to further these objectives. Hopefully, as the need for these resources becomes more evident, funding for adoption programs will be included in future appropriations so that communities receiving public funding for internet  access will have the means to fully realize the benefit of this new resource.

Senate Bill 820   

Aside from the appropriations bills, significant – but more incremental progress was made through passage of  Senate Bill 820. This legislation incorporated several of the proposals from the work of the House Special Interim Committee on Broadband Development chaired by Representative Louis Riggs.

Among the changes, was a proposal supported by the DED, that incorporated a badly needed update to the definition of areas that lack access to adequate broadband service (underserved areas). This definition is important because it is used to identify broadband infrastructure projects that can be financed by Community Development Districts, Neighborhood Improvement Districts, and Broadband Infrastructure Improvement Districts, as well as describing locations that can qualify for direct grant funding administered by DED.

Assuming SB 820 is signed by the Governor later this summer and becomes law, underserved areas will be defined to include areas lacking fixed wired or wireless service equal to  100 Mbps download and 20 Mbps – a substantial increase from the old standard (25/3 Mbps).  This new standard is the same as that contained in the Infrastructure Investment and Jobs Act (the IIJA). SB 820 also permanently ties the definition to future increases in the speeds necessary to qualify internet service as “broadband” as changed by Federal Communications Commission – the  FCC – from time to time. By raising the standard used today, many more projects will qualify for funding and can use existing financing district legislation today, and by tying the definition to future increases implemented by the FCC, the statute will continue to be a useful tool in the future as new technologies such as virtual reality and artificial intelligence require even faster internet connections.

SB 820 also includes a new Vertical Real Estate Act (new §8.475) to expressly authorize any political subdivision to erect wireless telecommunication towers and related ground-based equipment and to enter into public private partnerships for the same purpose.  Finally, the new law adds several provisions designed to enable DED to better enforce and administer state broadband infrastructure grants in the cases where the recipient has failed to construct the promised infrastructure.