ROUNDTABLE: Experts react to President Biden’s exec order in the aftermath of Colonial Pipeline hack

By Byron V. Acohido

As wake up calls go, the Colonial Pipeline ransomware hack was piercing.

Related: DHS embarks on 60-day cybersecurity sprints

The attackers shut down the largest fuel pipeline in the U.S., compelling Colonial to pay them 75 bitcoins, worth a cool $5 million.

This very high-profile caper is part of an extended surge of ransomware attacks, which quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, and is expected to rise 20 percent to 40 percent this year, according to insurance giant Aon.

Ransomware is surging at a time when the global supply chain is being corrupted from the inside out, as so vividly illustrated by the SolarWinds supply chain debacle.

In response, President Biden last week issued an executive order requiring more rigorous cybersecurity practices for federal agencies and contractors that develop software for the federal government. Last Watchdog asked a roundtable of cybersecurity industry experts for their reaction. Here’s what they said, responses edited for clarity and length:

Chenxi Wang, founder & general partner, Rain Capital

The new executive order is a swift response from the administration. It’s refreshing to see a government executive order that understands technology trends such as “zero trust”, is able to delineate “Operational Technology (OT)” from “information technology (IT)”, and can talk intelligently about supply chain risks.

While some of the measures stipulated in the order are considered table stakes like multi-factor authentication, the fact that the order exists will help to raise the collective security posture of products and services. It will not be sufficient to defend against sophisticated adversaries, but it will help organizations on the lower end of the capability spectrum to improve their cyber posture and defense.

Keatron Evans, principal security researcher, Infosec Institute

President Biden’s order was drafted with heavy involvement from actual cybersecurity experts, and this is encouraging. Requiring federal agencies to produce an actionable plan to implement Zero Trust Architecture is a lot taller order than it sounds. Also, he speaks directly to defining specifically what types of incidents require reporting – this will be one that could get very interesting very quickly.

Another significant requirement deals with enhancing software supply chain security, and there’s some very direct language about isolation, multi-factor authentication and risk assessments, as well as defining what critical software actually means.

Bryson Bort, CEO, SCYTHE

They exfiltrated at least 100GB of data and Colonial was down for almost a week . . . from our analysis of what’s been made publicly available, basic detection engineering would have caught this campaign very quickly. The caveat is that I don’t know if that’s the same as what was actually done with Colonial Pipeline, which may have represented something more sophisticated.

The stricter compliance rules have only been around those doing business with the U.S. government. There is no specific proposed increase in compliance for Critical Infrastructure that I am aware of, nor is that necessarily the answer. As I said at the CISA Summit in 2019, the U.S. government should provide and curate a catalog of resources, such as configuration, tools, etc., that asset owners may choose to take advantage of – the carrot approach. More paper (regulation) is not going to solve this problem.

Baber Amin, COO, Veridium

President Biden’s executive order sets clear asks and timelines for an up-to-date, modern cyber security approach. It’s a framework that can evolve with the changing threat landscape. It also lays a firm foundation to build upon.

What is lacking is more transparency around breach investigations, clearing up overlapping and confusing rules (e.g. ransom payments may trigger sanctions on the victim), too many hurdles for upcoming technology vendors to be able to do business with government agencies, which, in effect, reduces agency access to novel and innovative technology.

Deepika Gajaria, vice president of product, Tala Security

What stands out in Biden’s proposal is the requirement for federal agencies to take a “zero-trust” approach in engaging with third party software vendors. This is rightly motivated by the SolarWinds hack that brought third-party supply chain risks to the forefront.

The proposal calls for increased transparency between the federal agencies and the vendors that they choose to do business with – full disclosure of known and exploitable vulnerabilities, detailed documentation of steps that have been followed by the vendor to demonstrate compliance, as well as disclosure of breaches that have happened in the past. This is a positive first step in solving the third-party risk problem that confronts every digital business today.

Elena Elkina, partner, Aleada

President Biden’s administration is on the right path, but there is much more that needs to be accomplished. Federal cybersecurity standards and the executive order are enough to create momentum in the current state of cyber affairs in government agencies.

The standardization will bring structure and a repeatable approach that can be iteratively improved. However, whether the execution will be handled properly is up to those whom the government contracts with. I can see how it can generate uncertainty across various sectors.

Sascha Fahrbach, cybersecurity evangelist, Fudo Security

This is not an easy magical fix; it’s a very significant document and carries with it the full weight of the President and federal agencies. However, the government and every citizen must know this truth: no single law or government policy or even technological development will completely prevent a similar incident like the Colonial Pipeline attack.

This order will seek to push better security practices onto companies at the risk of losing out on government contracts. It also aims to go deeper than ever before into private industry and the economy. What’s really fascinating is the depth and also the long-term aim of this executive action. Could this follow the same route as in motor vehicles? Will we see a government rating of security software, much as we have agencies to rate the safety of cars?

Garret Grajek, CEO, YouAttest

Better and more immediate sharing of intel on attacks – especially those impacting national security – has got to happen if the U.S. is going to get on top of Colonial-type ransomware attacks – and this is well covered in the executive order.

Of course, we live in a comparatively free part of the world. The US government does not own or control Internet traffic, as some nations such as China do. Given this lack of centralized control, communication sharing is essential. The Biden Executive Order’s mandate of The National Cybersecurity Safety Review Board, modeled after the National Transportation Safety Board, is a well-considered and smart move toward this goal.

Eric Cornelius, chief product officer, iBoss

This Executive Order is a good first step but it is likely not going to materially change the threat landscape. While the order sets the stage, it is mostly focused on federal networks. But the fact is that nearly all of America’s critical infrastructure is privately owned and operated. If America’s national security interests are to truly be protected, we will need regulatory requirements across all sectors of critical infrastructure.

Matias Katz, CEO, Byos

The fact is that the convergence of IT and OT systems for increasingly connected infrastructure will continue to see these vulnerabilities. This latest attack further underscores that strategies for detection, prevention, and mitigation are all greatly needed in order to be prepared in the future for the potential of incidents such as the Colonial Pipeline ransomware attack.

As these networks become more intertwined, understanding traffic and controlling access at the edge is absolutely essential. This can be accomplished with new and emerging technologies that offer proper micro-segmentation, ransomware kill switches, and threat intelligence.

Eddy Bobritsky, CEO, Minerva Labs

Colonial Pipeline is a really good case study for the whole critical infrastructure industry. A lot of resources have been invested in security, yet the security systems that are in use there couldn’t identify and couldn’t block. The conclusion is that critical infrastructures should have a multilayer coverage of security tools, and that prevention tools that deal with evasive malware should be the first in line – tools that don’t need to identify malware to prevent it.

Another common thing for many critical infrastructure organizations is that they work with SCADA OT infrastructure that relies on legacy systems, some of which are no longer widely supported by security tools. President Biden’s new compliance rules should address this issue, and make sure that proper security tools are used.

Anurag Gurtu, CPO, StrikeReady

President Biden’s cybersecurity order will respond to all types of cyberattacks in a better way. It spells out stricter requirements for organizations, especially those that do any type of business with the government. Moreover, the order also has some new parameters that will allow the agencies to perform better investigations.

It would also create a particular board to investigate cyberattacks and determine their aftermath. The tasks that the new investigatory board will need to perform include analyzing the data logs and code to identify the reasons behind any successful cyberattack. The new draft cybersecurity order is the most important step in Biden’s proposal that stands out. Not only will it educate and inform the cybersecurity experts regarding the cyberattacks, but it will also allow them to understand how to respond and remediate from them.

Tom Garrubba, CISO, Shared Assessments

Some are saying this is the largest cyberattack on energy infrastructure. As energy is a core component of the US and world economy, any fear and doubt in the inability to secure such vital components can certainly hurt the image of the energy sector in the public’s eye and invite a bunch of “copy-cat” attacks from other threat actors who may now perceive the sector’s overall cyber posture to be weak.

We can expect to see more of these types of attacks and attempted attacks, unfortunately. Ransomware is now a billion dollar business, and a successful attack increases the threat actor’s profile and stature in the dark world. This in turn invites other criminal enterprises – and even nation states – to hire them or to share intelligence for future attacks.

Ryan Yackel, vice president of product marketing, Keyfactor

Federal action alone is not enough, and executive orders only go so far. A cohesive strategy cannot be accomplished without equal partnership and participation by the government and private industry. This acknowledgment is a step in the right direction. However, this EO recognizes the reality that most of ‘our domestic critical infrastructure is owned and operated by the private sector.’ So, while the administration can encourage the private sector to follow the federal government’s direction, they need to find ways to encourage and incent participation from the private sector.

Etay Maor, senior director security strategy, Cato Networks

There are hints that the attack was initiated by gaining access to a remote administration system or an employee’s computer and credentials. This would not be the first time critical infrastructure is targeted this way; just earlier this year it was a water purification system in Florida.

I am very happy with the executive order Biden initiated. We need to switch gears when talking about cyber security on the federal level; infrastructure is not just roads – it’s the Internet and the systems connected to it. The federal government should be an example of what good cyber security practices are; it should serve as a role model for the private sector. I hear a lot of people saying “this is what the military uses for…” and “this is what NASA uses for…” I would really be happy to hear “This is what the government does for cybersecurity – and we should do it too!”

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)