Running Out Of Cyber Gas

The Colonial Pipeline cyber “hostage” fiasco is the latest in an ever-escalating set of cyberspace problems for the new Biden Administration. 

With a still forming team trying to navigate the complex Federal cyber bureaucracy - and a business sector not able to fulfill its claim of taking care of itself - this kind of event only increases the urgency of what is now becoming the definition of a managerial “wicked problem” - the people causing the problem are trying to solve the problem.

The players and vulnerabilities are all too familiar – even pointed out in the U.S.’s recent Annual Intelligence Threat Assessment.  First, the attacks appear to be coming from Eastern Europe and/or Russia.  So far, publicly, it seems like a very well organized, nearly corporate group of hackers who claim to be Robin Hoods hit Colonial – robbing from the rich and giving to the poor, they say. Nice public relations effort, but hardly comforting to the companies who are victims.

Not Trusting Coincidence

Still, I am reminded of an aphorism from my spy days - I believe in coincidences.  I do not trust coincidences.  This has Russian intelligence service finger prints all over it.  And their support of such Eastern European groups is a well-known fact.  

Second, the USG seem to be inadvertently helping these kinds of hackers by publicly sharing vulnerabilities.  Now, I know the idea was to get the information out to everyone so they could patch and counter accordingly.  However, as some of us feared, it also limned out an attack mode for the bad guys. And the bad guys are not stupid – they are students of our vulnerabilities, they are increasingly sophisticated to a front-line nation state degree, and by our sharing we are educating them.

Third, and here’s a really sticky point, in America we hold the separation of business and government nearly as sacred as church and state.  So, the U.S. Government has simply minced around the edge of directed private sector cyber security for years - due in part also to business saying they can do a better job of protecting themselves.   So, the USG engages in a “public-private partnership.”  It gives private business advisories of potential attack.  It shares threat information with them - even though business holds back a lot for fear of showing “vulnerability” to competitors, stockholders, and the government. 

And the result, so far, has shown that American businesses are not doing anywhere near an adequate cyber security job - it is not information and partnership alone that will save them.  They are simply not prepared to deal with advanced nation state cyber tactics from a Russia or a China or an Iran. And the USG is not giving them the tools or protecting them adequately.

Tell Them What to Do

The sad part about all of this is we knew such an attack could happen and we’ve talked forever about the vulnerabilities.  Iran and others have been poking and prodding at utilities for years.  We have, in reaction, spent an enormous amount of time building information systems and proclaiming the safety of our systems.  And, we are still getting beaten like a drum.  

Eighty percent of American cyber space is owned by the private sector. Our COVID weakened supply chains are sputtering in a spotty restart of the economy.  Our enemies know that and are taking advantage.

American businesses need a standard they can follow to protect themselves. And they need direct orders from the U.S. government on what it takes to keep systems safe and be required to do so.  

The new Biden Cyber team are smart people – mostly government background, but with some business experience.  They are trying to put together a cyber safety program in the middle of the battle.  Tough work, no doubt.  

But, whatever bureaucratic boundaries and information sharing rules get laid out within D.C., the time has come for the USG to require businesses to maintain certain standards, demand they achieve those standards, and report immediately when they get in trouble.  The American public - whose economic well-being depends on it - deserve at least that.  And that is what a government is paid to do.

Ronald Marks is Term Visiting Professor, George Mason University, Schar School of Policy and Government. He is President of ZPN Cyber & National Security Strategies     

Image: Unsplash

You Might Also Read: 

Standing On The Cryptocurrency Frontier:
 
 
« Cyber Security Mergers & Acquisitions - April 2021
Thousands Of Stolen Identities Added To Dark Web Markets »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

BakerHostetler

BakerHostetler

BakerHostetler is one of the largest law firms in the USA We have five core practice groups including a specialty practice team in Privacy and Data Protection.

Lynxspring

Lynxspring

Lynxspring provides edge-to-enterprise solutions and IoT technology for intelligent buildings, energy management, equipment control and specialty machine-to-machine applications.

RevenueStream

RevenueStream

RevenueStream uses an innovative algorithmic approach to intercept and prevent payment fraud before it even happens.

HexaTrust

HexaTrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

LMG Security

LMG Security

LMG Security is a cybersecurity consulting, research and training firm.

Devel

Devel

Devel is a LATAM cybersecurity company specialized in providing red, blue and purple team services for the financial sector.

Salt Security

Salt Security

Salt Security protects the APIs that are the core of every SaaS, web, mobile, microservices and IoT application.

Firedome

Firedome

Firedome's tailormade solution for IoT companies is designed to proactively prevent, detect, and respond to inevitable vulnerabilities in connected devices.

Enigmatos

Enigmatos

Enigmatos is an Israeli based Automotive Cyber Security company. We provide solutions to the ever growing threat of vehicle hacking.

Kratikal

Kratikal

Kratikal provides a complete suite of manual and automated security testing services.

Electric Power Research Institute (EPRI)

Electric Power Research Institute (EPRI)

The Electric Power Research Institute’s Cyber Security Research Laboratory (CSRL) addresses the security issues of critical functions of electric utilities.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

Meditology

Meditology

Meditology Services is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services exclusively for healthcare organizations.

Stack Identity

Stack Identity

Stack Identity protects access to cloud data by prioritizing identity and access vulnerabilities via a live data attack map.

Singularico

Singularico

Singularico help secure your software using the power of AI.

Haiku

Haiku

Haiku stands at the forefront of cybersecurity upskilling, leveraging video games to immerse you in a flow state for accelerated, enduring learning.