Just weeks after the Colonial Pipeline, which supplies 45% of the East Coast’s diesel, gasoline, and jet fuel, was taken offline by a ransomware attack, New York City’s Metropolitan Transit Authority announced that it had also been targeted in a cyber attack. The news came as JBS Foods, the world’s largest meat producer, was also hit by a Russia-based hacker group.
The White House urged private companies to take “immediate action” to boost their ransomware defenses.
“Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany and France, to pipelines in the United States and banks in the U.K.,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, wrote in a memo to corporate executives and business leaders earlier in the week.
“The threats are serious, and they are increasing. We urge you to take these critical steps to protect your organizations and the American public,” she added. “The private sector has a distinct and key responsibility.”
Cyber Defenses Needed Everywhere
The deputy national security advisor called upon the private sector to adopt the best practices President Joe Biden had laid out in an executive order he signed last month that was aimed at addressing the country’s vulnerability to cyberattacks.
Those practices included the use of multi-factor authentication and encryption. Neuberger also urged companies to back up data regularly and keep the backups offline so that they cannot be reached by ransomware; to update and patch systems regularly; to build and test an incident response plan so that businesses can sustain operations in the event of an attack; and to segment networks so that corporate business functions are separated from manufacturing and production operations.
“These are all excellent recommendations. However, there is a missing element of proactive defense here,” said Saryu Nayyar, CEO of unified security and risk analytics firm Gurucul.
“Organizations need to implement cyber defenses that can reduce the attack surface and detect ransomware attacks in real-time, not just prepare for quickly resuming operations after a ransomware attack,” Nayyar told ClearanceJobs via an email. “Modern security operations should include data science powered technology paired with traditional cyber defenses to thwart ransomware attacks.”
She suggested that privileged access management, continuous authentication, MFA, risky-account discovery and cleanup, intrusion detection, behavioral analytics, data loss prevention, firewalls, and Endpoint Detection and Response (EDR) or, even better, Extended Detection and Response (XDR) are all modern security measures needed to keep attackers from successfully penetrating corporate networks and interrupting operations.
“The technology is available,” added Nayyar. “It’s just a matter of putting it in place and working diligently to identify and derail cybercriminals and malicious insiders before they derail you.”
Staying Ahead of the Cybersecurity Curve
It isn’t just the White House that is attempting to stay ahead of the curve when it comes to the next cyber attack. This month, U.S. Army Gen. Paul M. Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, warned that a great threat to the nation has evolved in cyberspace.
“Our adversaries are operating with a scope, scale and sophistication unlike anything we’ve seen before,” said Nakasone during a virtual speech to the Armed Forces Communications and Electronics Association.
“Their tactics have evolved far beyond spear phishing and exploitation of weak passwords,” added Nakasone. “Today, our adversaries are targeting and infiltrating our systems by exploiting supply chain and zero-day vulnerabilities, and our adversaries are demonstrating a new risk calculus that has changed the traditional threat landscape.”
The Cyber Command chief also suggested that by operating in cyberspace, U.S. adversaries can cause damage while staying below the threshold of armed conflict. Already these operators, including state actors, are targeting the U.S. economy, critical infrastructure and electoral processes. Nakasone warned that these adversaries have conducted persistent malicious cyber campaigns to erode U.S. military advantages, including the use of social media to carry out influence operations.
The main threats are Russia and China, but other states such as Iran and North Korea shouldn’t be discounted, as each continues to be an unpredictable and destabilizing presence in its region. Still, it is China that could present the greatest danger to the United States today.
“China is becoming more assertive economically, diplomatically, militarily and technologically,” Nakasone warned. “It seeks to undermine a stable and open international order to establish its credibility and dominance in the global system.”
More to Be Done than White House and DOD Efforts
Even as the White House and DoD announce that efforts will be made to stop such attacks, experts told ClearanceJobs that there is much more to be done. Arguably, efforts to date have come up well short.
“I don’t think we are doing enough,” explained Fred H. Cate, senior fellow of the Center for Applied Cybersecurity Research. “I think we collectively are doing better, but we have so much vulnerable infrastructure to defend and the attackers are getting better organized and more sophisticated in their attacks, so our net position may actually be getting weaker. Or the threat may be shifting away from ordinary fraud and to more harmful infrastructure attacks.”
Cate suggested that the government’s response has been far weaker than industry’s response to date.
“Just think about the fact that (a) the TSA has authority over pipeline security in the first place, and (b) had done nothing about it until last week,” Cate told ClearanceJobs. “We have seen dozens of highly publicized attacks, the recent ransomware attacks being only the most recent examples, but it is sobering to recall that there are dozens of other disclosed attacks that don’t make the news and hundreds or thousands more that are never disclosed.”
One difficulty in assessing the situation is that for every successful attack that makes the news, there are attempts by cyber criminals that failed and were never counted.
“Plenty of attempts are foiled, but there’s probably no reasonable way to measure them,” noted Jim Purtilo, associate professor of computer science at the University of Maryland. “Your brick and mortar shop out on Main Street might be closed for the day, and a door lock blocked entrance to pedestrians who happened to rattle the handle. How many of those were foiled exploits? It is the same on the net. All manner of agents casually rattle the digital front door of systems every day. I can call up a system log and watch it scroll by as the activity is recorded in real time. It’s the ones which do more than just rattle the door knob that get our attention.”
Purtilo told ClearanceJobs that the military has come a long way on cybersecurity, and those in charge of operations generally have an awareness of the issues facing them.
“I think though there are parts of industry that have a ways to go. It is chiefly a mindset concern,” he added. “We don’t harden systems in some magic way and then brand them ‘secure.’ What could that even mean? Instead, we create a threat model and then work back from there to find reasonable measures which address those attack vectors.”
A Good Defense Isn’t Good Enough
When it comes to cybersecurity, defense has to be one step ahead of an attack, but that is rarely the case. Anti-virus software reacts to threats that already exist, and many efforts are still as much about “recovery” as about prevention.
“In fairness, the job of defense is always harder than offense, but we have taken a largely head-in-the-sand approach as we migrate more and more essential activities to digital tools – like industrial control systems, airplane autopilots and automobile driver assist technologies, insulin pumps, implanted pacemakers, automated alarms and door locks, wireless payment systems, military drones – that we know and repeatedly acknowledge we cannot adequately secure, but we plow ahead nevertheless,” noted Cate.
“In a sense, what we say is we are secure with respect to a list of potential threats,” said Purtilo. “Executives who build systems then, almost as an afterthought, think they can slap on a bit of security have a mindset that opens them to disaster. Glad it occurred to them eventually, but probably by that point their system suffers some fundamental flaws. We don’t first manufacture a product and only later set about to build the quality; quality is something we must prioritize from the start. It’s the same for security. Security, like quality, demands we pay attention from the start.”
That doesn’t mean that a good defense isn’t possible; in fact, it should receive as much emphasis as stopping a terrorist attack.
“One way to put this in perspective is to look at our response to COVID: we employed war powers, marshaled both public- and private-sector resources, issued sweeping executive orders, and invested hundreds of billions of dollars,” added Cate. “Compare that with our approach to cybersecurity, which pales in comparison, despite the fact that the threat is potentially as great or greater.”
“I regret that I am not upbeat or optimistic,” Cate admitted. “We have just been lucky so far that the most serious attacks to date haven’t been by parties like terrorists who really want to destroy or destabilize us, as opposed to make money or claim bragging rights. Depending upon the good intentions of the enemy seems like a poor strategy.”