Monday Brief for 17 May 2021
Update: Colonial Pipeline Attack
What’s New: Oil is flowing again. There’s a new Executive Order (EO). And DarkSide is going dark.
Why This Matters: This attack is going to have lasting ramifications. Many of them good. Some of them potentially very, very bad.
Key Points:
On Wednesday, Colonial restarted oil distribution along its East Coast pipeline after the company was able to restore its operational technology (OT) — the hardware, software, tools, and technologies used for pipeline operations.
Soon thereafter, it was reported that the company paid the DarkSide ransomware group a $5M ransom, using the Bitcoin cryptocurrency.
A confidential assessment by DHS and the Energy Department predicted significant cascading effects if the pipeline shutdown went longer than another three to five days, reports The New York Times. This would include mass transit stoppages and the shutting down of chemical and refinery operations.
“This attack has exposed just how poor our resilience is,” said Kiersten E. Todt, the managing director of the nonprofit Cyber Readiness Institute. “We are overthinking the threat, when we’re still not doing the bare basics to secure our critical infrastructure.”
Late on Thursday, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity, that I will discuss in detail in the next story.
Finally, on Friday and over the weekend, developments on the “dark web” indicate the following:
DarkSide’s hacking infrastructure — including the group’s servers, blog, and payments capabilities — have been taken offline.
DarkSide is reportedly telling its affiliates to decrypt other ransomware victims, even if they haven’t paid a ransom, and is promising to compensate the attackers for lost profits by 23 May, according to the cyber intelligence firm Intel471.
Many, if not all, of the hacking syndicate’s cryptocurrency wallets have reportedly been emptied and the BitMix cryptocurrency laundering site is also reportedly offline.
Finally, a number of popular dark web hacking forums are banning ads offering ransomware-as-a-service.
What I’m Thinking:
You should never pay the ransom. But I get it. There’s a reason why the general policy of the United States is to not pay ransoms — because doing so validates the utility of hostage-taking and invites more of these attacks. But we should also acknowledge that Colonial was under immense pressure to get East Coast oil operations back up and running and the $5M ransom was a pittance compared to the operational and revenue losses it was absorbing. Having said that, undoubtedly other cyber “black hats” are already plotting how they’ll use ransomware to make their millions.
The DarkSide takedown could be heads on pikes, or a head fake. The White House promised it would take retributive action against ransomware attackers and there’s certainly good reason to suspect that DarkSide’s series of unfortunate events is the handy work of American cyber ninjas. But, some are speculating that this could be an elaborate deception strategy — where DarkSide feigns being taken down so that it can quietly re-brand, reconstitute, and resume its activities under less scrutiny. While possible, this strikes me as too clever by half. The bad things happening to these jerks is very likely the handiwork of the good guys and I hope they’re not done yet.
Finally, the White House says this wasn’t the Russian Government. During a press conference last week, the president said, “We do not believe — I emphasize, we do not believe the Russian government was involved in this attack. But we do have strong reason to believe that criminals who did the attack are living in Russia … We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks.” Even so, this could not have happened without tacit allowance by Moscow and it is simply unacceptable to be this vulnerable.
The New Executive Order
What’s New: The Biden Administration’s new cybersecurity Executive Order (EO) is out and is getting high-praise in the INFOSEC (information security) community.
Why This Matters: While this EO has been under development for several months, its importance and urgency have been heightened in the wake of several high-profile cyber events — including the SolarWinds, Microsoft Exchange, and Colonial pipeline attacks.
Key Points: The EO is extensive and I’m still noodling on all of its provisions. Here are some of the order’s most significant muscle movements:
Removes contractual barriers to information sharing between the government and IT providers and contractors are now required to immediately share breach information. (It has been reported that Colonial did not initially report its ransomware attack to the Cybersecurity and Infrastructure Security Agency).
Pushes the federal government’s move to secure cloud services and emphasizes the adoption of a “zero-trust” architecture, including the use of strong encryption and multi factor authentication on all government systems.
Calls for greater transparency into software supply chains and requires NIST to develop minimum security standards for software sold to the government.
Requires the development of a standardized “playbook” and definitions for all federal departments and agencies when responding to cyber incidents.
Calls for improved government-wide endpoint detection and better capabilities for the detection of malicious cyber actions on federal networks.
Mandates cybersecurity event logs to help with cybersecurity remediation and investigations.
Calls for the creation of a Cybersecurity Safety Review Board that will investigate government cybersecurity events and make recommendations for improving the federal government’s information security posture.
If you want a really deep dive on the EO, I recommend this one from my friend Bobby Chesney.
What I’m Thinking:
This won’t fix what just happened. This EO is not a specific response to the Colonial attack. It’s a bureaucratic response aimed at cleaning up the government’s digital house and, hopefully, incrementally influencing the private sector to adopt better practices too.
But it is a serious effort to make things better. This EO has been in the works for months and it consolidates a lot of the obvious, and the not-so-obvious, actions the government needs to take to get better. A lot of work went into this and it is rightly being praised by the INFOSEC community.
It always comes down execution. Having good ideas on what to do isn’t enough — you have to be able to execute and this is where the government often fails. Departments and agencies always have 1,000,001 excuses as to why they can’t follow through on executive guidance and this will continue to be the case. In fact, a 2019 GAO report found the following:
“During fiscal year 2018, many federal agencies were often not adequately or effectively implementing their information security policies and practices. For example, most of the 16 agencies GAO selected for review had deficiencies related to implementing the eight elements of an agency-wide information security program required by the Federal Information Security Modernization Act of 2014 (FISMA). Further, inspectors general (IGs) reported that 18 of the 24 Chief Financial Officers (CFO) Act of 1990 agencies did not have effective agency-wide information security programs. GAO and IGs have previously made numerous recommendations to agencies to address such deficiencies, but many of these recommendations remain unimplemented.”
But, there’s reason for hope. While there have been other government efforts like this, the EO is a pretty big demand signal and the security and political realities surrounding it are aligning. Even more, I’ve spoken with several friends in the INFOSEC world who say they’re working hard to align their services with the EO’s requirements and to help government agencies understand what resources are being made available for them to come into compliance. Put simply: there’s real money to be made here and the private sector is going to work hard to push through bureaucratic hurdles and to get the government squared away.
Cyber Letters of Marque & Reprisal
What’s New: I recently joined my colleague Jonah Goldberg on The Remnant Podcast (listen here), where we talked about a lot of things — including the idea of issuing cyber Letters of Marque and Reprisal. I had a good time and it’s worth a listen.
Why This Matters: This idea comes up from time to time and, in the wake of all the recent cyber nuttiness, it is worth another look.
Key Points:
Article I, § 8, clause 11 of the US Constitution gives Congress the exclusive power to “grant Letters of Marque and Reprisal.”
These letters allow a private citizen to be employed by the government as a “privateer” or “corsair” and to attack or capture enemies of the state.
In 1801, Congress authorized President Thomas Jefferson to issue letters of marque and reprisal, enlisting privateers to fight Barbary pirates who were disrupting American naval trade.
Privateering was common place until the end of the Crimean War, when seven European nations signed the Paris Declaration of 1856, with 45 other nations eventually joining later. The United States, however, is not a signatory.
What I’m Thinking:
I’m not kidding, I think this is a good idea. First, I’m all about fighting back against non-state hacking groups, malicious individuals, and other dangerous cyber threats. Second, there’s real capability in the private sector and many of these organizations are willing to help. Finally, third, there’s enough work to go around and the federal government cannot unilaterally keep up with the scale and speed of the challenge — and the status quo is simply unsustainable.
I’m not talking about “hacking back.” There are occasional calls for US law to be changed so that private companies can “defensively” attack hackers by destroying their attack infrastructure and stealing back stolen data. One of these calls appeared in the Wall Street Journal last week. I do not support these so-called “hacking-back” provisions because I believe generally-applicable laws like this would lead to all kinds of unintended consequences and damage. The stakes are too high and the sophistication of most industry actors is too low for us to pursue this course of action.
But there are some, within discreet contexts, I would be happy to unleash on our foes. The United States could build a cadre of trusted private sector actors — companies and individuals — who could be tasked with identifying, disrupting, and destroying cyber threat actors. This cadre of partners would be necessarily small, and could be specially trained, provided appropriate authorities, oversight and support, and a level of deniability when appropriate. Certainly this comes with a level of attendant complications and risks, but there is no future scenario without complications and risk and I’d rather be leaning forward than constantly on my heels.
This is about more than revenge; it’s about the long game. While smacking around the internet’s bullies brings its own satisfaction, there’s more to my thinking on this. Specifically, I think cyber letters of marque and reprisal are a good way of building an essential capability. The reality is that future wars — especially those that include states squaring off on one another — are going to have a significant cyber component and will include public and private sector targets and belligerents. These wars will be crowded, complex, and dangerous. It behooves the United States government, then, to begin building the relationships and frameworks that will be necessary to fight and win such conflicts. And this must include private sector cyber actors who can effectively partner with the government. As the Chinese proverb says, “The more you sweat in peace, the less you bleed in war.”
Quick Clicks
That’s it for this Monday Brief. Thanks for reading, and if you think someone else would like this newsletter, please share it with your friends and followers. Have a great week!
