Biden Plans an Order to Strengthen Cyberdefenses

A pipeline that provides the East Coast with nearly half its gasoline and jet fuel remained shuttered on Sunday after yet another ransomware attack, prompting emergency White House meetings and new questions about whether an executive order strengthening cybersecurity for federal agencies and contractors goes far enough even as President Biden prepares to issue it, according to The New York Times.

The order, drafts of which have been circulating to government officials and corporate executives for weeks and summaries of which were obtained by The New York Times, is a new road map for the nation’s cyberdefense.

It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government, such as multifactor authentication, a version of what happens when consumers get a second code from a bank or credit-card company to allow them to log in.

It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware and does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government.

Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.

“That is the stick,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Companies will be held liable if they’re not telling the truth.”

The order, which is expected to be issued in the coming days or weeks, would also establish a small “cybersecurity incident review board.” The board would be loosely based on the National Transportation Safety Board, which investigates major accidents at air or sea.

The measures are intended to address the fact that the software company SolarWinds made for such an easy target for Russia’s premier intelligence agency, which used its software update to burrow into nine federal agencies as well as technology firms and even some utility companies.

But federal officials, who caution that the draft of the order is not final, concede that the regulations would still almost certainly have failed to thwart the most skilled nation-state intrusions and disruptions that have rocked the government and corporate America in recent months, given their sophistication. That includes the more recent Chinese hacks of American businesses and military contractors that used a series of unknown holes in Microsoft email systems.

Theoretically, it could be more effective against the kind of criminal ransomware attack that took over Colonial Pipeline’s headquarters networks last week. That attack did not appear to involve the kind of highly sophisticated steps that Russia and China are known for: Rather than directly try to take over the pipelines, the attackers went after what officials say was poorly protected corporate data, stealing it on such a large scale that it forced the company to shutter the pipeline rather than risk a spreading attack.

But it was unclear whether Mr. Biden’s executive order would apply to Colonial Pipeline. It is a privately held firm that oversees the distribution of much of the East Coast fuel supplies — just as 85 percent of America’s critical infrastructure, from power grids to communications networks to water treatment plants, is controlled by private firms.

Federal officials expressed frustration at how ill-prepared the company was to fend off the attack or respond to it, and White House officials were holding emergency meetings, some focused on how to protect other operators who may have similar vulnerabilities.

“The success of this attack is pretty stunning given how important they are to our nation’s critical infrastructure,” said Kiersten Todt, the managing director at the nonprofit Cyber Readiness Institute and a former director of the President’s Commission on Enhancing National Cybersecurity.

Government officials have been repeating similar statements since the George W. Bush administration. While some industries — particularly the nation’s biggest financial institutions and utilities — have invested billions of dollars, many have not.

And efforts to regulate minimum cybersecurity standards for companies that oversee critical systems have repeatedly failed, most notably in 2012, when lobbyists killed such an effort in Congress, arguing that the standards would be too expensive and too onerous for businesses.

Last month, top executives from Amazon, Microsoft, Cisco, FireEye and dozens of other firms joined the Justice Department in delivering an 81-page report calling for an international coalition to combat ransomware. Leading the effort inside the Justice Department are Lisa Monaco, the deputy attorney general, and John Carlin, who led the agency’s national security division during the Obama administration.

Last month the two ordered a four-month review of what Ms. Monaco called the “blended threat of nation-states and criminal enterprises, sometimes working together, to exploit our own infrastructure against us.” Until now the Justice Department has largely pursued a strategy of indicting hackers — including Russians, Chinese, Iranians and North Koreans — few of whom ever stand trial in the United States.

Among the recommendations in the report by the coalition of companies is to press ransomware safe havens, like Russia, into prosecuting cybercriminals using sanctions or travel visa restrictions. It also recommends that international law enforcement team up to hold cryptocurrency exchanges liable under money-laundering and “know thy customer” laws.

The executive order also seeks to fill in blind spots in the nation’s cyberdefenses that were exposed in the recent Russian and Chinese cyberattacks, which were staged from domestic servers inside the United States, where the National Security Agency is legally barred from operating.

The order will set up a real-time information sharing vessel that would allow the N.S.A. to share intelligence about threats with private companies, and allow private companies to do the same. The concept has been discussed for decades and even made its way into previous “feel-good legislation” — as Senator Ron Wyden, Democrat of Oregon, described a 2015 bill that pushed voluntary threat sharing — but it has never been implemented at the speed or scale needed.

The idea is to create a vessel to allow government agencies to share classified cyberthreat data with companies, and push companies to share more data about incidents with the government.

Companies have no legal obligation to disclose a breach unless hackers made off with personal information, like Social Security numbers. The order would not change that, though legislators have recently called for a stand-alone breach disclosure law.

Thomas Fanning, the chairman and chief executive of Southern Company, one of the nation’s largest energy firms, said in an interview last week that the existing structure was slow and broken: The country now needs real-time command centers, like it built during the Cold War to see incoming missile attacks.

“A real-time view of that battlefield that allows Cyber Command to see my critical systems at the same moment and the same time I see them,” he said. “Sharing isn’t fast enough. It’s not comprehensive, and you can’t rely on it on matters of national security.”
