Nearly two years ago, the ransomware attack on Florida’s Department of Health exposed something cybersecurity professionals have long worried about: our state’s digital infrastructure is far more fragile than most people realize. One attack was enough to disrupt vital records, delay services and raise serious questions about how well we protect some of the most sensitive data the state holds.
As someone who works at the intersection of AI, computing and cybersecurity, both at USF and as a co-founder of Actualization.AI, I tend to look at incidents like the Department of Health attack as symptoms of a deeper problem: we have been too willing to trust complex systems built by others without demanding enough accountability for how secure they really are.
One example is Microsoft, a company whose products and services have long held a dominant position in government technology. Unfortunately, Microsoft systems have repeatedly been at the center of high‑impact breaches affecting federal and state officials. The company has relied on engineers based in China to help maintain cloud systems used by the Department of War and other sensitive government customers. From a security perspective, that meant foreign-based personnel were brought closer to the infrastructure that underpins America’s military and intelligence operations. Investigative reporting and congressional commentary have warned that this pattern of outsourcing, combined with a history of overlooked or downplayed weaknesses in products like Exchange and SharePoint, has repeatedly given Chinese and Russian actors opportunities to penetrate U.S. systems.
The SolarWinds hack from 2020 is another example: hackers allegedly supported by the Russian government breached more than 200 government agencies and organizations worldwide. The hackers exploited SolarWinds, Microsoft and VMware software and credentialing systems in use by NATO, the U.S. Treasury Department, the U.S. Department of Commerce and others. There is evidence to suggest that SolarWinds was being targeted by hackers as early as 2017 and had various security concerns that were not addressed before the 2020 attack, while former CEO Kevin Thompson bragged, on an earnings call two months before, that the company had a dominant position and managed “everyone’s network gear.” That dominance, according to Reuters, was used against the company to gain access to thousands of SolarWinds customers.
When a vendor manages a sizable portion of the public sector’s technology stack, its security decisions become part of the government’s cyber risk profile. Incidents like the Microsoft and SolarWinds breaches have shown that, when forced to choose between tighter security and lower costs, many companies are willing to treat national defense and government systems as variables in a financial equation to underwrite their bottom line. Their decision to lay bare the government’s defense and intelligence cloud infrastructure to our greatest geopolitical rival could be seen as a deliberate business choice that increased cyber vulnerability to save money.
We cannot afford to ignore this pattern, especially given the landscape changes that agentic AI and similar technologies will introduce.
Going forward, cybersecurity performance and independent verification of a vendor’s practices need to be at least on par with cost and convenience in every major procurement decision.
Our state is home to serious expertise in AI, cybersecurity and defense technology; we have the talent to ask hard questions and the capability to build more resilient systems. But the long list of corporate security lapses shows how much damage a single vendor’s weaknesses can do at scale.
Taken together, they send a clear message: our state’s digital future depends on making security and vendor accountability non‑negotiable, and we must embrace more modern approaches to enable our procurement processes to do better.
___
John Licato is an Associate Professor at the Bellini College of Artificial Intelligence, Cybersecurity and Computing of the University of South Florida and owner of Actualization.AI.