Procurement to be leaders in US cyber security efforts
During a briefing on Friday, a senior administration official confirmed that The White House plans to issue an executive order in response to the SolarWinds attack where perpetrators leveraged cloud services to gain access into several federal agency networks.
The perpetrators gained initial access to nine federal agencies and roughly a hundred companies using a trojan-infected software update and other techniques, such as password spraying. Exploiting a weakness in Microsoft's Active Directory Federation Services, the attackers pivoted to organisations' cloud-hosted Office 365 accounts and then moved laterally to other areas of the environment.
The official spoke to the steps the government is taking in response to the attack in three parts.
Part one, finding and expelling the adversary
“First, finding and expelling the adversary. We’re in week three of a four-week remediation across the federal government. The compromised agencies all were tasked to do a particular set of activities and then were tasked to have an independent review of their work to ensure that we felt confident the adversary had been eradicated.
“Most of the agencies have completed that independent review. For those who have not yet, they will complete it by the end of March,” the official said.
Part two, “Building Back Better to Modernize Federal Defense.”
He then addressed the standardisation of methodologies being used for incident response. “As we talked about during a press event a number of weeks ago, we cannot defend a network if we can’t see a network. And in our review of what caused SolarWinds, we saw significant gaps in modernization and in technology of cybersecurity across the federal government.
“So we will be rolling out technology to address the specific gaps we identified, beginning with the nine compromised agencies. We want to make the federal government a leader, not a laggard, in cybersecurity. And we know we need to be able to defend against the adversaries who pursue the nation’s diplomatic, law enforcement, and health efforts.
“Those will be rolled out in the near term, beginning, as I said, with the nine compromised agencies and then more broadly across the federal government to ensure we have the visibility we need to have trust in our networks, that we can protect the important work the federal government does on behalf of the American people.”
The official then gave examples of rating systems and cybersecurity standards that may be developed for software and connected devices, including things such as baby monitors that are connected to the IoT. Both are expected to be covered in an executive order coming “in the next couple of weeks — or in the next few weeks.”
Part three, responding to perpetrators
“And then, finally, the third part of what we’re doing about it is responding to the perpetrators of the attack. You can expect further announcements on that in weeks, not months,” the official said. He then went on to explain what happened in the attack and highlighted its impact and significance, both in terms of the data sets involved and of ransomware.
“Back to the key question of what are we doing about the Microsoft Exchange work? We have been working incredibly hard across government and the private sector, across all elements of the U.S. government.
“First, we’re leaning forward to alert Americans and convey the seriousness. The National Security Advisor tweeted early and more than once, signaling how important this is. I think this is the first-ever National Security Advisor to tweet on a cybersecurity incident. And tweeting also that insecure software is a threat to national economic security.”
Although there were weaknesses in the creation of the software, lack of domestic visibility was noted as a key issue. “The U.S. government largely does not have visibility into U.S. infrastructure. And many of these actors operate out of U.S. infrastructure.”
“We believe the model for the U.S. government in addressing cybersecurity issues involves working closely with the private sector. We’re not looking at additional authorities for any government agencies to do additional monitoring within the U.S. at this time. We are focused on tightening the partnership between the U.S. government and the private sector. For the first time, we’ve invited private-sector companies to participate in the Unified Coordination Group because we still believe that public-private partnership is foundational in cybersecurity, and we want to ensure we’re taking every opportunity to include key private sector participants early and directly in our remediation efforts.”
And finally, the official spoke to leveraging procurement as a leader, “Beginning with the compromised agencies, as well as addressing, in the upcoming executive action, some of the foundational areas that we think will help the federal government use procurement to be a leader in this space, and, really, in meeting in this space, address both private-sector and government challenges in finding, buying, and using innovative, usable, and secure software and hardware — and systems, to your point.”
The Risks of Paying Ransoms, Darkside Group Gets $5Mil
On May 7th, a ransomware attack, now confirmed by the Federal Bureau of Investigation (FBI) to have been the acts of the criminal network group Darkside, forced Colonial Pipeline to proactively shut down operations. On Friday, Bloomberg reported that Colonial Pipeline paid the nearly US$5 million ransom in untraceable cryptocurrency within hours after the attack.
Colonial Pipeline provides nearly half the fuel supply for the U.S. East Coast. Stores of gasoline, oil, jet fuel, home heating fuel and military supplies were all so heavily impacted that, to help with the shortages, the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states. Widespread panic buying began to cause further shortages. In metro Atlanta, 30% of gas stations had run out of gasoline. In Raleigh, North Carolina, 31% of gas stations had no fuel on Tuesday. Meanwhile, unleaded gas prices hit an average of $2.99 a gallon, their highest level since November 2014, the American Automobile Association said.
Once the ransom payment was received, the criminal group provided Colonial Pipeline with a decryption tool to restore its disabled network. On Thursday, the largest fuel pipeline in the U.S., which carries 100 million gallons per day of gasoline, diesel and jet fuel, began moving some of the first millions of gallons of motor fuel. On Friday, Colonial Pipeline ramped up deliveries to fuel-starved markets on the East Coast. Although the attack was the most disruptive cyberattack on record and underscored the vulnerability of vital U.S. infrastructure to cyberattacks, paying the ransom set a dangerous precedent. It's generally accepted as bad practice to negotiate with terrorists.
The High Risks of Paying Ransoms
Adebayo Adeleke, a U.S. Army veteran, thought leader and speaker on geopolitics, risk management and security, took a moment to share his concerns with Procurement Magazine on the precedent being set. "Historically, we don't negotiate with terrorists. Paying the ransom for a cyberattack and engaging them in monetary negotiation is legitimizing their efforts, goals and means. Ransomware is all about the money, and it's profitable, and because of this, it has been used as a tool for years now. To make ransomware go away, we must make it unprofitable, and the only way to make it unprofitable is NOT to pay them.
"Yes, it's easier said than done. There are only two choices one has when confronted with a cyberattack by ransomware: pay the amount or negotiate with them, or do not pay them. I understand both sides. Shareholder pressure, national security issues at stake, severe economic impact, undue hardship, job loss, impact on the local communities, and the list goes on. On the other hand, rebuilding what must have been stolen might run the organization out of business and expose lapses in U.S. national security as far as critical infrastructure is concerned, and the list goes on. There is no easy way out, but the moment money is exchanged for stolen data, it sets the precedence of exploitation and legitimizes bad behaviour, and this will continue to make the behaviour profitable. Either way, the outcome is never going to restore Colonial back to norm in the needed time. It's not going to be easy to stop these acts. The inevitable has to be done.
"Terrorism, banditry, kidnapping, ransomware all follow the same tactics. Again, these tactics are not new, but it's interesting that they are digitizing tactics in a very worrisome way. There is absolutely nothing new under the sun. As it is in the old, so it is in the new… you pay them, you glorify them."