Adding Urgency to Cyber
Terry H. Schwadron
May 10, 2021
Whether the cyber-attacks that shut down 5,500 miles of oil pipeline this weekend are coming from private crooks or a state-sanctioned effort is almost beside the point. Somehow our response to this attack, as the big one apparently triggered by what looked like Russian-sponsored hackers on government agencies and companies last month, ought to be generating a lot more urgency.
The idea that a small group of bad guys in a faraway darkened room can control our electric grid, our fuel supplies, our business functions, our very defenses virtually at will should be as frightening as the prospect of powerful bombs in the likes of Iran or North Korea. In 10 minutes, these same people will be in position to send electric cars and trucks awry, or kill appliances of industrial scale built with Internet or network connections.
Instead, what we’re hearing is much concern about whether oil and gas costs are going to go up in the next weeks as the result of immediate shortages in delivering 2.5 million barrels of oil a day, or almost half of production across the East Coast. Actually, if they restore operations within a week, even that result is unlikely.
What we’re not hearing our Democratic and Republican leaders on the barricades over cyber at anywhere near the volume we hear harangues about nonexistent election fraud already six months old or whether “socialism” is going to end the American Dream as we know it or about a dozen “cancel culture” disasters that some perceive. Instead, our Congressional leaders seem content holding occasional check-in hearings and leaving the actual work to the Cyber Command agencies to resolve.
One might even call such defenses critical to, um, “infrastructure” in a realistic look at current technology.
It might be nice to see an approach to international policing approach the fervor of our continuing community policing debate.
In the next week, the administration is expected to issue an executive order intended to bolster security of federal and private systems after two major attacks from Russia and China in recent months caught American companies and intelligence agencies by surprise.
Meanwhile, Colonial Pipeline, a private company, is being tight-lipped over whether it plans to pay a ransom demanded by the suspected criminal hacker group, or has already paid, or when normal operations will resume from shutdowns ordered to prevent further problems from the hackers. The FBI, the Energy Department and Cyber Command at Fort Meade, Md., all have dived into the detective work, along with FireEye, a private security company hired by Colonial.
This time, officials said they believed the attack was the act of a criminal group, rather than a nation seeking to disrupt critical infrastructure in the United States. But at times, such groups have had loose affiliations with foreign intelligence agencies and have operated on their behalf. But that doesn’t make it better.
Ransomware is the uncharted attempt by evildoers to threaten damage to networked computers, often encrypting the business’ own data that control increasingly vast operations in return for payment of millions of dollars and the decryption code. It’s kidnapping without the emotion. When backed by state powers, it veers into somewhere beyond espionage and into actual act of war.
This Spring’ disclosure of a massive breach of government agencies and corporations for which the U.S. sanctioned Russia last month; if there is more retaliation planned, we won’t know about it until Moscow’s red lights turn green or the like. We still don’t even know how deep and wide the break was.
In either case, this is where I’d like to see all that Law & Order haranguing wasted on suppressing votes and threatening jail time for peaceful protests going instead. Where’s the Blue in these cases? Where’s the send-troops-to-Afghanistan-for-20-years demand?
Colonial Pipeline, based in Georgia, said the ransomware attack Friday affected information technology systems and that the company moved “proactively” to take certain systems offline, halting pipeline operations, to forestall further damage.
I’ve worked in news companies that dealt with hackers who entered networks that were private and not connected to the Internet, and experienced both in the fear that our newsroom operations could be touched — they weren’t — and in the difficult creation of defensive shields and practices. Hackers often can find doors opened through getting an employee to unintendingly allow a malicious piece of software enter through an otherwise innocent-looking email, or they can criminally seek to obtain employee identification information allowing more direct access.
It can be hard to protect against in a working environment or a society that prizes individualism over security, which is exactly where America now finds itself. We’re relying more and more on machinery, and the networks that increasingly operate them, often without human intervention. That creates opportunity for bad guys.
The Associated Press notes that while there have long been fears about U.S. adversaries disrupting American energy suppliers, ransomware attacks by criminal syndicates are much more common and have been soaring lately. The Justice Department has a new task force dedicated to countering ransomware attacks across types and size of businesses or agencies.
So far, the advice in the security industry and government alike is akin to coronavirus — take heed of the problem and take common sense steps towards hardening network defenses. There are no vaccines that outlast the latest and greatest hacker attempts.
Attacks by criminal syndicates operating out of Russia and other countries reached epidemic proportions last year, costing hospitals, medical researchers private businesses, state and local governments and schools tens of billions of dollars, the AP reports. Average ransoms paid in the United States tripled to more than $310,000 last year, as compared with the cost of an average outage of business for 21 days for each incident, according to security firm Coveware.
American cyber folks say that some of these criminals have worked with Russia’s security services and that the Kremlin benefits by damaging adversaries’ economies and cover for intelligence-gathering.
Anne Neuberger, the Biden administration’s deputy national security adviser for cybersecurity and emerging technology, told the AP that that the government has an effort underway to help electric utilities, water districts and other industries defend themselves. The goal seems to be to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block attacks. The White House has announced a 100-day initiative aimed at protecting the country’s electricity system by encouraging owners and operators of power plants and electric utilities to improve capabilities for identifying cyber threats to their networks.
U.S. Cyber Command and the Department of Homeland Security last month released details on eight code files attributed to the Russian Foreign Intelligence Service that were used in the so-called Solar Winds attacks discovered earlier this year. The disclosure was described as part of “Hunt Forward” operations to generate insights to understand the source of attacks.
It’s not exactly 100 million shots of vaccine in the arm in 100 days, but it is a start. I’d prefer that we wipe out the bad guys rather than issuing sanctions and warnings to protect ourselves.