Running Out Of Cyber Gas

The Colonial Pipeline cyber “hostage” fiasco is the latest in an ever-escalating set of cyberspace problems for the new Biden Administration. 

With a still forming team trying to navigate the complex Federal cyber bureaucracy - and a business sector not able to fulfill its claim of taking care of itself - this kind of event only increases the urgency of what is now becoming the definition of a managerial “wicked problem” - the people causing the problem are trying to solve the problem.

The players and vulnerabilities are all too familiar – even pointed out in the U.S.’s recent Annual Intelligence Threat Assessment.  First, the attacks appear to be coming from Eastern Europe and/or Russia.  So far, publicly, it seems like a very well organized, nearly corporate group of hackers who claim to be Robin Hoods hit Colonial – robbing from the rich and giving to the poor, they say. Nice public relations effort, but hardly comforting to the companies who are victims.

Not Trusting Coincidence

Still, I am reminded of an aphorism from my spy days - I believe in coincidences.  I do not trust coincidences.  This has Russian intelligence service finger prints all over it.  And their support of such Eastern European groups is a well-known fact.  

Second, the USG seem to be inadvertently helping these kinds of hackers by publicly sharing vulnerabilities.  Now, I know the idea was to get the information out to everyone so they could patch and counter accordingly.  However, as some of us feared, it also limned out an attack mode for the bad guys. And the bad guys are not stupid – they are students of our vulnerabilities, they are increasingly sophisticated to a front-line nation state degree, and by our sharing we are educating them.

Third, and here’s a really sticky point, in America we hold the separation of business and government nearly as sacred as church and state.  So, the U.S. Government has simply minced around the edge of directed private sector cyber security for years - due in part also to business saying they can do a better job of protecting themselves.   So, the USG engages in a “public-private partnership.”  It gives private business advisories of potential attack.  It shares threat information with them - even though business holds back a lot for fear of showing “vulnerability” to competitors, stockholders, and the government. 

And the result, so far, has shown that American businesses are not doing anywhere near an adequate cyber security job - it is not information and partnership alone that will save them.  They are simply not prepared to deal with advanced nation state cyber tactics from a Russia or a China or an Iran. And the USG is not giving them the tools or protecting them adequately.

Tell Them What to Do

The sad part about all of this is we knew such an attack could happen and we’ve talked forever about the vulnerabilities.  Iran and others have been poking and prodding at utilities for years.  We have, in reaction, spent an enormous amount of time building information systems and proclaiming the safety of our systems.  And, we are still getting beaten like a drum.  

Eighty percent of American cyber space is owned by the private sector. Our COVID weakened supply chains are sputtering in a spotty restart of the economy.  Our enemies know that and are taking advantage.

American businesses need a standard they can follow to protect themselves. And they need direct orders from the U.S. government on what it takes to keep systems safe and be required to do so.  

The new Biden Cyber team are smart people – mostly government background, but with some business experience.  They are trying to put together a cyber safety program in the middle of the battle.  Tough work, no doubt.  

But, whatever bureaucratic boundaries and information sharing rules get laid out within D.C., the time has come for the USG to require businesses to maintain certain standards, demand they achieve those standards, and report immediately when they get in trouble.  The American public - whose economic well-being depends on it - deserve at least that.  And that is what a government is paid to do.

Ronald Marks is Term Visiting Professor, George Mason University, Schar School of Policy and Government. He is President of ZPN Cyber & National Security Strategies     

Image: Unsplash

You Might Also Read: 

Standing On The Cryptocurrency Frontier:
 
 
« Cyber Security Mergers & Acquisitions - April 2021
Thousands Of Stolen Identities Added To Dark Web Markets »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Snow Software

Snow Software

Snow Software is changing the way organizations think about their technology investments, empowering IT and business leaders to drive transformation with precision and agility.

Avatao

Avatao

Avatao is an online training platform for building secure software, offering a rich library of hands-on IT security exercises for software engineers to teach secure programming.

Center for Research on Scientific & Technical Information (CERIST)

Center for Research on Scientific & Technical Information (CERIST)

CERIST is a scientific and technical research centre with activities focused in the area of networks, information systems and IT security.

Clym

Clym

Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.

Tecnalia Research & Innovation

Tecnalia Research & Innovation

Tecnalia is the largest center of applied research and technological development in Spain, a benchmark in Europe and a member of the Basque Research and Technology Alliance.

National Cybersecurity Competence Centre (NC3)

National Cybersecurity Competence Centre (NC3)

NC3 has been established in response to growing demands for practically applicable products and solutions for ensuring cybersecurity of critical and non-critical information infrastructures.

In-Q-Tel (IQT)

In-Q-Tel (IQT)

IQT is the non-profit strategic investor that accelerates the development and delivery of cutting-edge technologies to U.S. government agencies that keep our nation safe.

Scholarly Networks Security Initiative (SNSI)

Scholarly Networks Security Initiative (SNSI)

SNSI brings together publishers and institutions to solve cyber-challenges threatening the integrity of the scientific record, scholarly systems and the safety of personal data.

Profian

Profian

Profian’s hardware-based solutions maintain your data's confidentiality and integrity in use, providing true confidential computing to meet regulatory and audit requirements.

HLB Mann Judd (Fiji)

HLB Mann Judd (Fiji)

HLB Mann Judd (Fiji) (formerly known as HLB Crosbie & Associates) is a well-established firm of accountants and business advisers in Fiji.

Rezonate

Rezonate

Rezonate discovers, profiles, and protects Identities and their entire access journey to cloud infrastructure and critical SaaS applications. Preventing and stopping cyberattacks.

Cyber News Live (CNL)

Cyber News Live (CNL)

Cyber News Live provide vital information and raise awareness about all things 'cyber' to ensure you stay protected in the digital world.

Multipoint Group

Multipoint Group

Multipoint is an information security and protection solutions company operating in the South EMEA region through value-added distribution channels.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.

Dispel

Dispel

Dispel makes the fastest secure remote access for industrial networks. Built by operators for operators: a zero trust engine for your entire OT, IoT, and xIoT stack.

Advania UK

Advania UK

Advania are one of Microsoft’s leading partners in the UK, specialising in Azure, Security, Dynamics 365 and Microsoft 365.