Despite all of this damage and chaos, the U.S. was lucky that the cyber attackers who took down the critical infrastructure of Colonial were only extortionists, Virginia CISO Mike Watson told Government Technology.
“Even though this is bad overall, it’s kind of the best possible outcome you can ask for,” Watson said, noting the criminal group took the ransom and delivered the encryption tool without dealing deeper damage to the system. “If this was somebody that didn’t have a financial motive, they could have just shut down that pipeline for a month or more … That’s really scary.”
Public officials cannot expect the same relative fortune from the next major cyber attack, however.
When public agencies are hit by cyber attacks, governments can respond with steps like developing new response strategies and procuring upgraded defense software. But officials are working from a different playbook when the critical infrastructure is run by private corporations, and may need to reassess the tools they have — and the tools they need — to stave off or contain the next big incident.
MORE ATTACKS TO COME
“We had a private group of individuals operating within normally achievable means cause pretty significant economic and critical operations impact to a significant portion of the country,” Watson said.
In the aftermath of the Colonial attack, DarkSide posted a message apologizing for the “social consequences” caused by the choice of victim. But the criminals still extracted funds, and North Carolina Chief Risk Officer Maria Thompson told GT that Colonial’s decision to pay only confirms to cyber criminals that these are lucrative targets.
“If hackers know that when they hit certain elements of our infrastructure we’re going to pay, we’re setting ourselves up for future failure,” Thompson said.
DRIVING VOLUNTARY CHANGE
Government officials are often focused on ensuring private firms do two core things: adopt strong cyber defenses and inform officials when something goes wrong. Both actions are so law enforcement and intelligence agencies can work to apprehend the perpetrators.
Many breaches stem from organizations failing to follow established cybersecurity best practices, Thompson said. Watson separately underscored that it’s essential for entities to ensure they can maintain critical functions even if hackers manage to penetrate their systems. But states lack the authority to require private companies to adopt recommended measures and must rely on encouraging rather than demanding improvement, said Thompson.
Financial motivators can be an important tool, and Watson said that when his state contracts with third parties, it stipulates they must follow certain cybersecurity frameworks and standards.
“It’s up to each of us as state and government entities to stand fast and enforce those [cybersecurity] requirements on the parties that we contract with,” Watson said. “Where the contracts and where the money is spent is always the best place to enforce anything, because it drives the right behavior.”
To Watson’s point, President Biden’s recent executive order includes a similar approach, calling for contracts between the federal government and IT vendors to hold the latter to certain cybersecurity reporting requirements.
Helping a business resist the temptation to give in to hackers can also entail providing funding to support recovery, should the business maintain good cybersecurity and avoid paying a ransom, Thompson said. North Carolina is providing a similar resource to public agencies, but federal efforts may be necessary to extend such a model to the private sector. Funding should be prioritized for entities that impact a wider swath of society, she added.
REGULATING INFRASTRUCTURE DEFENSE?
True cybersecurity can’t rely just on optional adoption, and Watson said there is need for stricter regulation regarding how critical infrastructure providers prevent and respond to emergencies in the digital space, similar to how regulations already guide the safety procedures that nuclear power providers use to prevent and contain physical disasters.
On a federal level, the Transportation Security Administration reviews the cybersecurity and physical security of pipelines transporting oil, hazardous materials and natural gas, but adherence to its security recommendations is voluntary.
The Federal Energy Regulatory Commission (FERC) does, however, mandate cybersecurity rules for the bulk electric grid. FERC chair Richard Glick said in a statement that the Colonial attack underlines the need to make pipeline cybersecurity obligatory.
“Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors,” Glick said.
States have been playing a role, too. State utility commissions, often charged with regulating electric distribution systems and policymakers, are increasingly eyeing regulation. The National Conference of State Legislatures reports that 2019’s legislative session saw a 30 percent year-over-year increase in the number of considered policies related to critical infrastructure cybersecurity.
RETHINKING REPORTING
Companies are often neither required to nor interested in informing the government when they fall to ransomware attacks, but intelligence community officials need this information to pursue perpetrators, learn about emerging threats and warn other potential future victims. Even in the case of Colonial — where the company said it promptly alerted the FBI — there was still a further five-day wait for the Cybersecurity and Infrastructure Security Agency (CISA) to receive technical details about the event, according to CISA Acting Director Brandon Wales.
State laws require companies to inform law enforcement about breaches that expose personal information — which would not cover the Colonial hack, said Daniel Garrie, founder and managing director of cybersecurity, forensic and e-discovery consulting group Law and Forensics.
“People are focused on the privacy aspects and not the security aspects as the trigger for disclosing to the government,” he told GT. To improve reporting, “you’d have to create a sort of new conceptual framework.”
States have tried to encourage reporting, and North Carolina law treats details disclosed to governments about data breaches as sensitive information that shouldn’t be included in public records, but that does not go far enough to reassure all companies, Thompson said.
Business concerns over issues like reputational damage and risk of lawsuits often overshadow any desires to engage the government, Garrie said. He added that requirements are the only way to drive more reporting.
Federal policymakers may do just that and are reportedly working on legislation that would require certain sectors — like critical infrastructure providers — to disclose hacks.
