Will the Colonial Pipeline attack be the wakeup call we need for Federal regulations around cyber security?
The May 6 ransomware attack perpetrated by DarkSide caught the attention of the entire nation when Colonial preemptively shut down its pipeline. The critical passageway carries 45% of the east coast’s supply of gasoline, diesel, and jet fuel. Worried consumers rushed to pumps, kicking off a shortage in fuel for automobiles. Airlines temporarily added refueling stops for cross country flights. And the Biden administration released a cybersecurity-focused Executive Order to signal their attention to the matter.
Colonial Pays Up, Doesn’t Share Data with Feds
Ultimately, Colonial paid the ransom, submitting 75 Bitcoin (roughly $5 million USD) to the hackers. This is a bounty for DarkSide, to be sure, but only represents 0.2% of Colonial’s yearly income. (Forbes lists Colonial Group’s annual revenue at $2.5 billion.)
As of Tuesday, May 11, Colonial had not reported details of the attack to CISA, the agency created to deal with these events. CISA cannot fulfill its mandate to assist with incident response if members of the private sector are unwilling to cooperate by sharing the details of such events. (Even if those details point to failings within the organization).
Executive Order Issued
Shortly after the Colonial attack, President Biden issued Executive Order 13800 on “Improving the Nation’s Cybersecurity.” The order had been in the works since February 2021, as a part of the administration’s reaction to the Solar Winds attack.
Analysts and White House watchers say that Biden chose an EO rather than pursuing legislation through Congress due the urgency of the situation. Part of the calculus likely included the death by Senate filibuster of Susan Collins’ and Joe Lieberman’s 2012 cybersecurity bill.
The bill aimed to create optional standards for the systems that oversee critical infrastructure. When the Senate voted 52 to 46 to call off debate on the measure, Collins said, “I cannot think of another area where the threat is greater and we are less prepared.”
Effects of the New Order
The EO reaches more deeply into the private sector than any other federal guidelines in the past. It will require all software purchased by the federal government to meet new cybersecurity standards. Violators of the new standards will be removed from approved procurements lists. Losing the fed’s stamp of approval would potentially kill a product’s viability in the private sector.
A government rating system for software is likely to emerge. Scores applied to software systems could become as commonplace as vehicle safety ratings and local health department’s restaurant scores. The main difference being that an EO is weaker than the legal mandates created for agencies like the NHTSA.
Much like an airplane crash test review board, the EO creates a cybersecurity incident review board. The review board will be cooperatively led by the Department of Homeland Security and a private sector official relevant to the type of attack under review.
The EO also forces federal agencies to encrypt data that they are storing or transmitting. Encryption has not been a consistent requirement in the past, a fact that Chinese hackers have exploited to their gain.
Reactions to the Order
The guidelines in the EO represent cybersecurity best practices that have been around for years. Unfortunately, this will still be a lot of work for some agencies. But the rules should not be news to those who have been involved with information security.
While the EO is a bold move on the part of the Biden administration, it is not the only step that needs to be taken. It may take Congressional action to motivate the private sector to target the types of attacks that threaten the non-government entities that operate our critical infrastructure.
Has the Colonial attack made you question your business’s security posture? Are you ready to invest in a risk assessment and take action on the results? Asylas can help. Call us at 615-622-4591 or email email@example.com. Or complete our contact form.