Hackers infiltrated the Colonial Pipeline’s systems, held its data hostage for a $5 million ransom, and in the process, triggered local gas shortages across the eastern U.S. In response, politicians began talking about needed reform to protect critical infrastructure. Cybersecurity experts say talk is common around such initiatives, but because of the recent attack’s impact on the everyday lives of Americans, legislators may finally be ready to make real changes.
“What we’ve had at the federal level, I mean really dating back since the Clinton administration, so spanning both Republican and Democratic administrations at the presidential level, has been a Congress and a Senate that talked a lot about cybersecurity and drafted various national legislation, but very rarely passed any. So we have not had any real meaningful federal legislation around privacy or cybersecurity,” said John Pescatore, a director at the SANS Institute, which provides training and research for cybersecurity.
Experts told The Virginia Star that real change is rare in part because of concerns that regulations on businesses are too restrictive and can harm businesses’ competitive ability.
SANS instructor Tim Conway said that government has instituted some standards and guidelines internally.
“Extending those approaches and concepts outside of government agencies and organizations and putting mandatory regulations in place for investor-owned and -operated utilities or private businesses is much more complex,” Conway said.
Secure Anchor founder Eric Cole said, “The United States has been no stranger to cyberattacks. It seems that every year or two, a major attack happens, whether we go back many years to the Marriott breach, or more recently last year with SolarWinds. It seems whenever this happens, Congress spins up, the White House starts talking about cybersecurity, but the general attitude has been more of a blame game of pointing fingers as opposed to taking any real action.”
In the 2020 SolarWinds attack, government agencies that used SolarWinds software had data allegedly stolen by Russian intelligence, according to The New York Times. Agencies affected included the Treasury Department, the State Department, the Department of Homeland Defense, and the Pentagon.
Cole said, “The response from the White House, from SolarWinds, was going in and putting sanctions against Russia, blaming Russia, and once again, with little proof.”
He said that even though he doesn’t agree with the sanctions, he thinks it’s a good sign that President Joe Biden has already taken steps against cyberattacks.
“With all the other previous presidents, cybersecurity was a lower priority, it was number three or four. Maybe it was talked about periodically, but there wasn’t any real action,” Cole said. “Even though I don’t agree that sanctions were the right solution, I am optimistic that within 100 days of being in office, President Biden did pass executive orders involving cybersecurity. That is a good sign that this is going to be a priority.”
Biden’s Cybersecurity Executive Order
On Wednesday, Biden signed a new cybersecurity executive order.
Pescatore said the executive order is more of a response to the SolarWinds attack than to the Colonial Pipeline attack. The order has all the weaknesses of executive orders — there’s not a clear path to funding and they can be reversed by the next administration. However, Pescatore said new administrations aren’t usually eager to reverse cybersecurity executive orders from previous administrations.
Pescatore said the executive order had some “fluff” language like “removing barriers to sharing threat information.”
“All it really means is, ‘Hey private industry, please tell the government more stuff,’” he said. “It’s not very meaningful.”
He also said there’s not enough focus on identifying vulnerable pieces of critical infrastructure like the Colonial Pipeline. Pescatore said, “There’s others like this. Just like we saw with the pandemic, where the hell did all the toilet paper go, why did that happen? There’s other cascading events like that. They need to do better analysis and use this executive order to force those higher levels of analysis.”
But Pescatore likes other parts of the order, including an emphasis on making sure vendors to the government follow improved security guidelines, which can influence the rest of the market.
“Make security in the government better so that the government will require the software it buys to be safer,” he said.
One key part is the requirement to use multi-factor authentication — a process that uses extra steps beyond passwords to verify a user.
Pescatore said, “That’s really, really important. So many of these attacks, including this one, the Colonial Pipeline, start with these phishing attacks where they trick people into giving up their password. So the multi-factor authentication is really, really critical and the government’s been slow to push it in this country.”
“The second thing they mention is more encryption. Encrypting data, so that if the bad guys did get the data, it wouldn’t matter, because it would be encrypted and they couldn’t even see it,” Pescatore said.
“We saw a lot of hesitancy in the government to push encryption because quite often intelligence agencies will say, ‘Wait a minute. If the bad guys are encrypting, we can’t see their stuff.’ The FBI will say, ‘Wait a minute, if we arrest these criminals, or we get their iPads or iPhones and it’s encrypted, we can’t see it.’ So the U.S. has been very slow to require encryption,” he said.
Pescatore said he and other experts have been pushing for a system like the Cybersecurity Safety Review Board for years.
“Every time you have a plane crash, a National Transportation Safety Board team is out evaluating the causes of the crash,” he said. “This team of experts that goes out and determines, was it a mechanical error, or pilot error, and so on.”
“There should be a team, and it would be both government and private sector that would staff these various teams that would go out, and they would analyze what happens, and make concrete recommendations for change or for improving cybersecurity,” Pescatore said.
“There’s always going to be airplane crashes,” Pescatore said. “But we also know that every time a plane crashes, changes are made to try to make that same thing not happen again. Well, with these breaches, we’re constantly seeing the same mistakes made that enable these big breaches, because things are not forced to change.”
The Cybersecurity ‘Enron Moment’
Cole said that the Colonial Pipeline attack was “the Enron moment for cybersecurity.”
“Before Enron happened, there were no regulations or oversight of publicly traded companies. It was believed that companies could act on their own in a good, moral, ethical manner. Well, Enron proved that all wrong,” Cole said.
He said that after Enron, Congress decided they needed to regulate companies because companies weren’t doing it on their own.
Cole said, “To me, that’s what the Colonial Pipeline hack is going to do. In my opinion, Washington D.C., Congress, the President, are now going to pass not only executive orders but regulation now, regulating cybersecurity, and I believe they’re going to start with critical infrastructure: oil, gas, water, electricity.”
“If you look at SolarWinds, honestly, most people didn’t even know it happened. They don’t know what it is, it didn’t impact their lives,” he said. “However, Colonial Pipeline — kids can’t come home from college because the gas stations are out of gas. There’s long lines at gas stations.”
Cole said, “This, to me, finally got to a point where it directly impacted Americans. So I believe now, this is strong enough, there’s enough pushback, that there will actually be regulation on cybersecurity. And while I typically believe that people should be able to do the right thing and organizations should follow good policies, I think it’s ready, because this attack and SolarWinds were preventable.”