A logo sign outside of a Colonial Pipeline Company facility in Baltimore, Maryland.
Tripplaar Kristoffer | SIPA | AP
The Colonial Pipeline ransomware attack which hit critical national energy infrastructure may represent a new level of ransomware, but there is one aspect to the vulnerability exposed in U.S. defenses that is a reminder of what experts already knew: the federal government and private enterprise have struggled for decades to build a deeper relationship on cybersecurity to stay ahead of accelerating, and more advanced threats.
The scale, novelty and aggressiveness of last year’s SolarWinds attack involving reported nation-state actors from Russia, which made its way through both business and government systems, combined with the new hit on critical oil and gas infrastructure using ransomware, heightens attention on a long sought goal of greater government-industry cooperation on cybersecurity.
President Biden came into office post-SolarWinds with plans to increase the level of information sharing between companies and the government on hacking incidents and system weaknesses. The Biden administration has proposed a plan to work with critical infrastructure industries to pilot a new early warning system, a plan that industry groups have supported as a way to test new information sharing and hacking readiness protocols.
Congress is constantly looking at legislative fixes as well.
“We’ve been discussing the need for more disclosure for many, many years,” Democratic New York Congresswoman Yvette Clarke, Chair of the Homeland Cybersecurity, Infrastructure Protection and Innovation Subcommittee of the House Committee on Homeland Security, said at a CNBC Technology Executive Council event earlier this year. She said incentivizing industry to share more information earlier, and more often, is key. “We cannot keep our critical infrastructure vulnerable,” she said.
Starting to build a new, improved working relationship at the level of the critical infrastructure makes the most sense to many experts since government has a century of history with these sectors. And it will only become more important as new infrastructure spending advances and the U.S. government and industry invest more in technology like the 5G broadband rollout nationally.
“Virtual adoption in the U.S. has been so rapid out of necessity that more vulnerabilities will get baked into the infrastructure,” Clarke told tech executives at the CNBC TEC event which was held in response to the SolarWinds hack.
The Colonial Pipeline hack raises a different set of issues, including government and industry debate over whether to pay the ransom demanded by hackers, but it is similar to SolarWinds in putting the U.S. on the defensive in the cyber realm at the level of national security.
The pipeline is a critical part of U.S. petroleum infrastructure, spanning more than 5,500 miles and carrying roughly half of the East Coast’s fuel supply, as well as fuel for airports in Atlanta and Baltimore. The pipeline’s owner plans to restore full service by the end of this week, and a partial restart already is underway.
Phil Quade, a former NSA official who is now chief information security officer at Fortinet and head of its federal and critical infrastructure business, said ransomware exploits have recently taken a more disturbing turn, increasingly being used to disrupt essential government services, such as emergency response and health care. The use of ransomware as a means to assert strategic influence and threaten the reliability of critical infrastructures elevates ransomware to a matter of national importance.
Critical infrastructure and cybersecurity
The Biden administration’s focus on strengthening the Cybersecurity and Infrastructure Security Agency (CISA) and identifying critical infrastructure has encouraged cyber executives, especially as the types of critical infrastructure increase in form. “It’s not just power grids,” said Dan Schiappa, chief product officer at cybersecurity firm Sophos. Recent Covid vaccine hacks are another example.
“We need early warning in the critical infrastructure base before others,” Schiappa said. But he said there will never be perfect software. “Making mistakes is a 100% certainty … Disclosure is just a slippery slope.”
There is a fine line between the carrot-and-stick involved in government responses to hacking and cooperation with industry. Companies fear releasing too much information too soon, and liability they may be left exposed to without adequate legal protections. Angry hearings on Capitol Hill have not helped to inspire confidence in the balance being more on the carrot than stick side of the relationship.
The biggest disincentive for companies is reputational risk. We need in some way to assure people it won’t be leaked, won’t be given for a criminal investigation and won’t end up in front of a congressional committee.
Jim Lewis, Center for Strategic and International Studies
“Capitol Hill can be the stage for lots of posturing and if you disclose an incident, ideally you get liability protection,” Quade said. “If you were reckless you shouldn’t get it, but if you had reasonable eyes and understanding, that should not lead to public shaming, and that happens on Capitol Hill.”
Concerns about damage to personal and company reputation can lead business leaders to err on the side of keeping close control on information.
“The biggest disincentive for companies is reputational risk,” said Jim Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “We need in some way to assure people it won’t be leaked, won’t be given for a criminal investigation and won’t end up in front of a congressional committee.” And he added, “It doesn’t seem like it should be so hard to do.”
In fact, there are elements of a deeper working relationship on cyber framed by existing government-industry cooperation. The federal government and private enterprise have rules covering confidentiality for banking information and health information, and safe harbor for critical industries, indicating it is possible to design a system with tight controls that could satisfy both.
There are other factors at play beyond being raked over the coals by Congress, according to experts.
It remains unclear how the government would step up to offer much in return to a company or industry being more proactive and transparent in this area. There also is risk of a loss of control in making decisions once incidents or vulnerabilities are disclosed, which is a key consideration for a corporation with customers, stakeholders and shareholders.
“The government could tie yours hands about a response. There is a fear of losing autonomy,” said Ariel Levite, nonresident cyber policy fellow at the Carnegie Endowment for International Peace.
Government and industry have been engaged in a dialogue for well over a decade on increased information sharing in cyber security and that leaves Quade concerned about too much talk and not enough action. “We don’t want to say the same old things. We need more public-private sharing and to expect a different result,” he told CNBC in a recent interview that took place before the Colonial Pipeline attack.
Starting with heavily regulated sectors already subject to more stringent government oversight is the preferred approach among many experts to gain experience that can be applied to the broader economy. “We have pieces laying around, but we haven’t cracked it,” Lewis said. “If we don’t, we have a big problem.”
U.S. government cyber dominance challenged
A world of increasing capabilities among hackers funded by nation-state rivals, and massive spending in the U.S. on the internet of things and 5G, means that advanced sentinels, such data sensors, will be everywhere. “That could be wonderful opportunity or a massively invasive scourge on the economy,” Quade said.
The latest hack occurred as the Biden administration works to pass a $2.3 trillion infrastructure plan which includes funds to address critical infrastructure vulnerabilities.
Quade worked on information sharing and automated detection systems while at the NSA, and he said sharing information once a hack occurs is important, but detecting and mitigating cyber incursions in a relevant time frame are where we need to head in terms of two-way cooperation. “What are some of things we can do to prevent it from happening in the first place, or deal with it in a cyber-relevant time. That’s my frustration. I don’t want to just dust off some new argument for information sharing,” Quade said.
The relationship needs to change because the world has changed in important ways: the U.S. government, while formidable in its cyber capabilities, no longer has a clear advantage over nation-state and criminal adversaries. “The U.S. was always on top,” Levite said. “If it didn’t have a monopoly, it had a clear dominance, and in the balance between being more vulnerable or advantageous to reap benefits of intruding into systems, the U.S. was well ahead.”
That is no longer the case, with Russia and China aggressive in cyber attacks and Iran and North Korea more than pulling their weight. And at the same time, private companies are in many cases now as innovative as the NSA in their cyber capabilities, and the first to know when a system, including government, has been breached, which changes the balance in the relationship.
On Monday, President Biden said in a White House briefing, “So far there is no evidence from our intelligence people that Russia is involved although there is evidence that the actor’s ransomware is in Russia, they have some responsibility to deal with this.”
“Unfortunately, these sorts of attacks are becoming more frequent. They’re here to stay. And we have to work in partnership with businesses to secure networks to defend ourselves,” Commerce Secretary Gina Marie Raimondo told the CBS Sunday program “Face the Nation.”
Elena Kvochko, chief trust officer at SAP, and part of a group of technology officials which recently created a plan for government cooperation and operational readiness in cyber, said government and industry need to get better at vulnerability management, and in particular what is seen in real time and prevented, rather than six months after an attack.
“This is not a new debate,” Kvochko said. “But it is back on top of the agenda at a government and corporate level and we all need to understand the priority of it. We recognize there is a lot of work to do. We all put so much effort and focus into securing our ecosystems, but we can only do it together.”