OPINION

Prioritizing a Proper Response to the Colonial Pipeline Hack.

Biden’s laundry list of spending projects is distracting us from an effective cyber security solution.

The best way to get the American public’s attention is to hit them in their wallets, especially if it happens at the gas pump. Still, inviting the ire of the entire East Coast and commanding headlines of major news publications for a week was certainly not what the DarkSide ransomware group had in mind when they targeted Colonial Pipeline’s IT infrastructure. On May 7th, DarkSide launched a ransomware attack against Colonial Pipeline, resulting in a shutdown of their entire operation and an eventual ransom payment of $5 million.

While most Americans were wrapped up in the more sensational parts of the story—plastic bags filled with gas or the mysterious perpetrator and any possible ties they may have to the Russian government—there is a more serious underlying issue that is garnering less attention. It seems that the most powerful nation in the history of the world has a major issue with cyber threats, and despite some promising solutions that are being implemented as a result of this recent hack, there is still a prioritization issue and an ongoing ignorance about the proper path forward.

Ironically, not many people know what good cyber security hygiene looks like despite spending most of their days within the cyber world. Part of that can be explained away by the novelty of this new way of living where we are permanently connected, but the amount of time left to use that excuse is running out. Americans are soon going to wake up to find that all their personal data is littered throughout the world’s computer infrastructure, just waiting for a crafty hacker to steal.

Thankfully, the blinders are starting to lift, ever so slightly, as drivers are confronted with the price to fill up—if they can find gas at all.

Out of service gas pump.

CALCULATE THE RISK, THEN ASSUME BREACH

Businesses are not ignorant of the dangers they face, especially after the high-profile cyber attacks targeting SolarWinds’ software and Microsoft Exchange servers. The realization that no company, big or small, is safe has produced a positive trend: American businesses are starting to increase their cyber security budgets. Still, even though 55% of security executives plan to increase their budgets in 2021, a different type of ignorance remains. These same executives “lack confidence that cyber spending is aligned to the most significant risks,” that significance being measured in dollars lost from threat events. Without implementing proper risk management solutions—such as the increasingly popular risk quantification framework known as FAIR, or Factor Analysis of Information Risk, which “help[s] organizations measure, manage and report on information risk from the business perspective”—businesses will continue to throw money in vain at technologies and personnel in the hope of reducing their exposure to cyber threats.

This lack of preparedness is not unique to the business world. Domestically, the areas most susceptible to cyber attacks are the countless federal government agencies and unsuspecting local municipalities that have jurisdiction over the nation’s critical infrastructure. It is almost unthinkable, given the size of the military and intelligence agencies, that a foreign actor could take down vital chunks of the United States’ energy or financial sectors with a material assault (such as a ground invasion or long-range missiles), but when it comes to cyber attacks, this is a matter of when, not if.

The counterintuitive truth is that organizations and government entities should operate from the premise that adversaries have already penetrated their defenses. This core tenet of the “zero trust” framework, an idea I previously brought up when discussing the issue of software supply chain attacks, is essential to adopt if proper mitigations are to be put in place. “In this system, no person, device, or service is trusted to be non-malicious, leading to stringent conditions and controls being placed on actions and access requests made within a system.”

Unfortunately, the systems and protocols that laid the foundation for the current internet landscape were insecurely built and continue to result in unintentional exposures and breaches of sensitive data—which further emphasizes the necessity of assuming breach.

Line of cars waiting to get gas.

THE GOOD, THE BAD, AND THE UGLY OF BIDEN’S CYBER SECURITY PLAN

The good news is that soon, “zero trust” assumptions are going to be implemented within our government systems and networks. The Biden administration recently issued Executive Order 14028, on “Improving the Nation’s Cyber Security,” to address the “malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” In the section about modernizing the federal government’s cyber security posture, the “advance toward Zero Trust Architecture” step assures cyber-aware Americans that the proliferation of cyber intrusions into our federal government is being taken seriously.

Another promising statement reads, “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector” because “cyber security requires more than government action.” A critical step on the never-ending journey to secure the United States’ cyber domain is developing a trusted partnership between government and private industry that promotes sharing of data and providing support. While not an explicit part of this executive order, there are organizations such as InfraGard, an FBI outreach program founded in 1996, that have been created to foster these kinds of relationships and build trust. By voluntarily joining this partnership, critical infrastructure members can, as the InfraGard site puts it, collaborate with the FBI “to provide education, information sharing, networking, and workshops on emerging technologies and threats.”

Another key element of an effective cyber security plan, as indicated by the executive order, comes from removing certain barriers to threat information sharing, like the contract terms and restrictions between the federal government and service providers. The order notes that “Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government.”

All this is moving us in the right direction. However, our leaders seem to be fumbling when it comes to communication and prioritization. For instance, you would hope that the recent focus on infrastructure spending would elevate these workable solutions, but unfortunately, the miasma of politics and rhetoric is too thick to escape.

While President Biden’s executive order was going out the door, his deputy national security advisor for cyber and emerging technologies, Anne Neuberger, claimed at a May 10th press conference on the White House’s response to the hack that it is a “private sector decision” whether Colonial Pipeline should send a ransom payment to their hackers in order to regain access to their systems. Neuberger’s statements amounted to an abdication of the duty to oversee a complete federal response to an attack on the nation’s critical infrastructure. This “private sector decision” involved a foreign group of cyber criminals, potentially linked to the Kremlin, that was holding hostage over 5,500 miles of pipeline, which supplies 45% of the East Coast’s fuel.

Neuberger even acknowledged that “the FBI has provided advice in the past that paying a ransom would encourage further ransomware activity.” In this case, the argument that the private sector has the ability to make business decisions without the government’s intervention is a conveniently fungible rhetorical weapon to wield when it suits political interests. The hands-off approach to providing ransom payment advice to Colonial Pipeline can be juxtaposed with the administration’s recent shutdown of the Keystone XL pipeline. That decision is similarly perplexing when contrasted with Department of Energy Secretary Jennifer Granholm’s claims at a May 11th White House media briefing that utilizing pipelines is the best way to transport fuel.

Even more hair-raising is Granholm’s answer to a question about the “macro view” of the Colonial Pipeline situation. At that same event, a reporter inquired about the impact that the situation has on the U.S. moving in the renewables direction; Granholm smiled and laughed as she said electric car owners are not experiencing these fuel shortage issues. She quickly corrected course by praising Colonial Pipeline for shutting down their systems to stop the propagation of the malware, but she could not help herself from continuing to talk about “broader issues” such as Biden’s job plan or a transmission grid that is apparently going to magically get rid of these “cyber issues.” Granholm finished with a succinct summary of the administration’s wishes: “We hope that we’ll be able to see that investment in infrastructure that will facilitate clean and renewable energy.”

If this attack had been directed at a more politically sensitive industry or group, would there have been a “private sector decision” excuse or a focus on promoting unrelated spending bills?

Another confusing bit of messaging came straight from President Joe Biden when, at a May 12th press briefing, he said, “we have to make a greater investment in education” while highlighting the need for more proficient cyber security professionals. The talent gap in the cyber security industry, an issue where the United States has half of the qualified candidates required to fill positions, has been widely acknowledged by private industry for some time now. What is worrisome about the President homing in on this issue is that his highlighted solution, once again, fits his spending (and ideological) agenda.

By directing attention to their desired budget items and ideological priorities, the Biden administration is letting the most pressing issues fall by the wayside in the wake of the most significant cyber attack on critical infrastructure in our nation’s history. Hopefully, these political antics will not get in the way of businesses, citizens, and the federal government reevaluating their risk posture as they deal with the fallout from this ransomware attack.

Colonial Pipeline company.

THE NECESSITY OF UTILIZING LAW ENFORCEMENT

A more fruitful—not to mention cheaper—solution to the recent rise in ransomware attacks is to aggressively target those responsible: the groups, their infrastructure, and the nations harboring them. Earlier this year, an international group of law enforcement agencies successfully brought down the infrastructure of Emotet, a strain of malware used to launch secondary ransomware attacks after infecting devices through emails or texts. The collective effort resulted in the dismantling of hundreds of command-and-control servers and the botnet they controlled, which consisted of millions of infected machines. Emotet was a high-priority target for this team, as a botnet of this size and scope could launch an average of 100,000 emails per day, leading to subsequent and equally virulent malware deployments from other high-profile cyber criminal organizations. Its ability to ferociously spread is why Europol called it the “world’s most dangerous malware.”

This tactic of applying pressure on cyber criminal groups may actually have been used on DarkSide, as the group has officially disbanded. According to a May 13th announcement posted by the group on a Russian-language cybercrime forum, they had lost access to their infrastructure due to “disruption from a law-enforcement agency and pressure from the U.S.” (The facts of this supposed story have not been verified; the DarkSide group was getting immense attention because of their actions, and they may have shut down simply because of the heat.)

The Biden administration seems to be aware of how effective law enforcement action can be in situations like these. In a May 13th press conference during which the President remarked on the Colonial Pipeline incident, Biden outlined his plan to address the hack with Russia directly: “We do not believe—I emphasize, we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia. That’s where it came from—were from Russia,” the President said. “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks.” The President also announced a new “task force” that will be “prosecuting ransomware hackers to the full extent of the law.”

After laying out these viable and effective solutions for stemming the tide of this ransomware scourge, however, the President yet again muddled America’s priorities, making sure to take some time to plug his American Jobs Plan: “My American Jobs Plan includes transformative investments in modernizing and in securing our critical infrastructure.”

Removing politics from these important decisions is essential if we are going to secure the nation’s cyber infrastructure. If the United States wants to stop cyber attacks from criminal organizations and malicious nation states while honestly selling the solutions to the public, our leaders must stop including their bureaucratic bias and laundry list of spending projects.

The Biden administration is not responsible for the Colonial Pipeline shutdown, but it is responsible for providing a proper response. If the citizens of the United States are to understand this grave threat, they must be told the facts and presented with solutions that will deal with it effectively. Capitalizing on the ransom of America’s fuel supply to generate support for a gigantic infrastructure bill is not going to cut it.

Written By:

Caleb Larson is an information security engineer in the financial services industry and a member of InfraGard, a partnership between the FBI and private U.S. critical infrastructure organizations.