Running Out Of Cyber Gas

Uploaded on 2021-05-11 in INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW, BUSINESS-Production-Energy, NEWS-Cybersecurity News

The Colonial Pipeline cyber “hostage” fiasco is the latest in an ever-escalating set of cyberspace problems for the new Biden Administration. 

With a still forming team trying to navigate the complex Federal cyber bureaucracy - and a business sector not able to fulfill its claim of taking care of itself - this kind of event only increases the urgency of what is now becoming the definition of a managerial “wicked problem” - the people causing the problem are trying to solve the problem.

The players and vulnerabilities are all too familiar – even pointed out in the U.S.’s recent Annual Intelligence Threat Assessment.  First, the attacks appear to be coming from Eastern Europe and/or Russia.  So far, publicly, it seems like a very well organized, nearly corporate group of hackers who claim to be Robin Hoods hit Colonial – robbing from the rich and giving to the poor, they say. Nice public relations effort, but hardly comforting to the companies who are victims.

Not Trusting Coincidence

Still, I am reminded of an aphorism from my spy days - I believe in coincidences.  I do not trust coincidences.  This has Russian intelligence service finger prints all over it.  And their support of such Eastern European groups is a well-known fact.  

Second, the USG seem to be inadvertently helping these kinds of hackers by publicly sharing vulnerabilities.  Now, I know the idea was to get the information out to everyone so they could patch and counter accordingly.  However, as some of us feared, it also limned out an attack mode for the bad guys. And the bad guys are not stupid – they are students of our vulnerabilities, they are increasingly sophisticated to a front-line nation state degree, and by our sharing we are educating them.

Third, and here’s a really sticky point, in America we hold the separation of business and government nearly as sacred as church and state.  So, the U.S. Government has simply minced around the edge of directed private sector cyber security for years - due in part also to business saying they can do a better job of protecting themselves.   So, the USG engages in a “public-private partnership.”  It gives private business advisories of potential attack.  It shares threat information with them - even though business holds back a lot for fear of showing “vulnerability” to competitors, stockholders, and the government. 

And the result, so far, has shown that American businesses are not doing anywhere near an adequate cyber security job - it is not information and partnership alone that will save them.  They are simply not prepared to deal with advanced nation state cyber tactics from a Russia or a China or an Iran. And the USG is not giving them the tools or protecting them adequately.

Tell Them What to Do

The sad part about all of this is we knew such an attack could happen and we’ve talked forever about the vulnerabilities.  Iran and others have been poking and prodding at utilities for years.  We have, in reaction, spent an enormous amount of time building information systems and proclaiming the safety of our systems.  And, we are still getting beaten like a drum.  

Eighty percent of American cyber space is owned by the private sector. Our COVID weakened supply chains are sputtering in a spotty restart of the economy.  Our enemies know that and are taking advantage.

American businesses need a standard they can follow to protect themselves. And they need direct orders from the U.S. government on what it takes to keep systems safe and be required to do so.  

The new Biden Cyber team are smart people – mostly government background, but with some business experience.  They are trying to put together a cyber safety program in the middle of the battle.  Tough work, no doubt.  

But, whatever bureaucratic boundaries and information sharing rules get laid out within D.C., the time has come for the USG to require businesses to maintain certain standards, demand they achieve those standards, and report immediately when they get in trouble.  The American public - whose economic well-being depends on it - deserve at least that.  And that is what a government is paid to do.

Ronald Marks is Term Visiting Professor, George Mason University, Schar School of Policy and Government. He is President of ZPN Cyber & National Security Strategies     

Image: Unsplash

You Might Also Read: 

Standing On The Cryptocurrency Frontier:
 
 
« Cyber Security Mergers & Acquisitions - April 2021
Thousands Of Stolen Identities Added To Dark Web Markets »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CIO

CIO

CIO provides technology and business leaders with insight and analysis on information technology trends

Allegro Software

Allegro Software

Allegro provide secure software for the Internet of Things.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC)

GIAC provides certification in the knowledge and skills necessary for a practitioner in key areas of computer, information and software security.

Canadian Institute for Cybersecurity (CIC)

Canadian Institute for Cybersecurity (CIC)

The Canadian Institute for Cybersecurity (CIC) is a comprehensive multidisciplinary training, research and development, and entrepreneurial unit.

Garner Products

Garner Products

Garner design, manufacture, and sell equipment that delivers complete, permanent, and verifiable data elimination.

Threat Status

Threat Status

Threat Status are a Threat Intelligence company. We are the developers of Trillion. A cloud based Security As A Service (SaaS) platform.

Quantinuum

Quantinuum

Quantinuum is the combination of Cambridge Quantum with Honeywell Quantum Solutions, structured to drive the future of quantum computing.

ISTC Foundation

ISTC Foundation

ISTC Foundation is one of the leading innovation centers in Armenia, founded by joint initiative of IBM, USAID, Armenian Government and Enterprise Incubator Foundation.

Action1

Action1

Action1 is a Cloud-based lightweight endpoint security platform that discovers all of your endpoints in seconds and allows you to retrieve live security information from the entire network.

LocateRisk

LocateRisk

LocateRisk provides more efficiency, transparency and comparability in IT security with automated, KPI-based IT risk analyses.

Red Access

Red Access

Red Access provides the first SaaS-based platform to protect web browsing from cyber threats on any browser and any in-app while ensuring frictionless user experience.

ATSG

ATSG

ATSG is a global leader in transformational technology solutions for today’s digital enterprise. Cybersecurity ranging from Advisory & Assessment to Fully Managed Detection and Response Services.

FutureRange

FutureRange

Specialising in IT Managed Services, Cybersecurity and Digital Transformation, FutureRange experts provide professional IT services for clients throughout Ireland and beyond.

CYBRI

CYBRI

CYBRI is a cybersecurity company helping businesses detect and remediate mission-critical vulnerabilities before they get exploited by hackers.

Securin

Securin

Securin offers a comprehensive portfolio of solutions including Attack Surface Management, Vulnerability Intelligence, Penetration Testing, and Vulnerability Management.

Reaktr.ai

Reaktr.ai

Reaktr.ai is founded on the vision of using AI as a catalyst to propel industries into a future where we redefine what's possible. Fortify your cybersecurity defense with our AI-powered platform.