Running Out Of Cyber Gas

The Colonial Pipeline cyber “hostage” fiasco is the latest in an ever-escalating set of cyberspace problems for the new Biden Administration. 

With a still forming team trying to navigate the complex Federal cyber bureaucracy - and a business sector not able to fulfill its claim of taking care of itself - this kind of event only increases the urgency of what is now becoming the definition of a managerial “wicked problem” - the people causing the problem are trying to solve the problem.

The players and vulnerabilities are all too familiar – even pointed out in the U.S.’s recent Annual Intelligence Threat Assessment.  First, the attacks appear to be coming from Eastern Europe and/or Russia.  So far, publicly, it seems like a very well organized, nearly corporate group of hackers who claim to be Robin Hoods hit Colonial – robbing from the rich and giving to the poor, they say. Nice public relations effort, but hardly comforting to the companies who are victims.

Not Trusting Coincidence

Still, I am reminded of an aphorism from my spy days - I believe in coincidences.  I do not trust coincidences.  This has Russian intelligence service finger prints all over it.  And their support of such Eastern European groups is a well-known fact.  

Second, the USG seem to be inadvertently helping these kinds of hackers by publicly sharing vulnerabilities.  Now, I know the idea was to get the information out to everyone so they could patch and counter accordingly.  However, as some of us feared, it also limned out an attack mode for the bad guys. And the bad guys are not stupid – they are students of our vulnerabilities, they are increasingly sophisticated to a front-line nation state degree, and by our sharing we are educating them.

Third, and here’s a really sticky point, in America we hold the separation of business and government nearly as sacred as church and state.  So, the U.S. Government has simply minced around the edge of directed private sector cyber security for years - due in part also to business saying they can do a better job of protecting themselves.   So, the USG engages in a “public-private partnership.”  It gives private business advisories of potential attack.  It shares threat information with them - even though business holds back a lot for fear of showing “vulnerability” to competitors, stockholders, and the government. 

And the result, so far, has shown that American businesses are not doing anywhere near an adequate cyber security job - it is not information and partnership alone that will save them.  They are simply not prepared to deal with advanced nation state cyber tactics from a Russia or a China or an Iran. And the USG is not giving them the tools or protecting them adequately.

Tell Them What to Do

The sad part about all of this is we knew such an attack could happen and we’ve talked forever about the vulnerabilities.  Iran and others have been poking and prodding at utilities for years.  We have, in reaction, spent an enormous amount of time building information systems and proclaiming the safety of our systems.  And, we are still getting beaten like a drum.  

Eighty percent of American cyber space is owned by the private sector. Our COVID weakened supply chains are sputtering in a spotty restart of the economy.  Our enemies know that and are taking advantage.

American businesses need a standard they can follow to protect themselves. And they need direct orders from the U.S. government on what it takes to keep systems safe and be required to do so.  

The new Biden Cyber team are smart people – mostly government background, but with some business experience.  They are trying to put together a cyber safety program in the middle of the battle.  Tough work, no doubt.  

But, whatever bureaucratic boundaries and information sharing rules get laid out within D.C., the time has come for the USG to require businesses to maintain certain standards, demand they achieve those standards, and report immediately when they get in trouble.  The American public - whose economic well-being depends on it - deserve at least that.  And that is what a government is paid to do.

Ronald Marks is Term Visiting Professor, George Mason University, Schar School of Policy and Government. He is President of ZPN Cyber & National Security Strategies     

Image: Unsplash

You Might Also Read: 

Standing On The Cryptocurrency Frontier:
 
 
« Cyber Security Mergers & Acquisitions - April 2021
Thousands Of Stolen Identities Added To Dark Web Markets »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Berkman Klein Center for Internet & Society

Berkman Klein Center for Internet & Society

The Berkman Klein Center for Internet & Society is a research center at Harvard University that focuses on the study of cyberspace.

Clifford Chance

Clifford Chance

Clifford Chance are one of the world's pre-eminent law firms with resources across five continents. Practice areas include Cyber Security & Information Protection

Nixu

Nixu

Nixu is the largest Nordic specialist company in information security consulting.

Detack

Detack

Detack is an independent supplier of IT security auditing and consulting services.

Bit4id

Bit4id

Bit4id provides software and systems for security and identification based on PKI technology.

National Authority for Electronic Certification and Cyber Security (AKCESK) - Albania

National Authority for Electronic Certification and Cyber Security (AKCESK) - Albania

AKCESK ensures security for trusted services, in particular reliability and security in electronic transactions between citizens, businesses and public authorities.

VietSunshine

VietSunshine

VietSunshine is a leading provider of network security infrastructure and solutions in Vietnam.

Cybertron

Cybertron

Cybertron services include real-time monitoring and incident response and a cyber range for competency development.

CloudOak

CloudOak

CloudOak is a cloud channel provider for hybrid cloud Backup as a Service (BaaS), Disaster Recovery as a Service (DRaaS) and Archiving to Small to Medium Business (SMB).

CyberKnight Technologies

CyberKnight Technologies

CyberKnight Technologies is a cybersecurity focused value-added-distributor (VAD) headquartered in Dubai and covering the Middle East.

BLUECYFORCE

BLUECYFORCE

BLUECYFORCE is the leading professional training and cyber defense training organization in France.

Key Cyber Solutions

Key Cyber Solutions

Key Cyber is an IT consulting firm that specializes in agile software development services, program management and infrastructure services, cyber security and cloud and managed services.

AdronH

AdronH

AdronH is a company of Cyber Security consultants. We support companies and public institutions with their digital transformation to new and secure business platforms.

BlueCat Networks

BlueCat Networks

BlueCat is the Adaptive DNS company. Our mission is to help the world’s largest organizations thrive on network complexity, from the edge to the core.

IDCARE

IDCARE

IDCARE is Australia and New Zealand’s national identity & cyber support service. Our service is the only one of its type in the world.

Datos Insights

Datos Insights

Datos Insights is a leading global provider of insights, data, and advisory services to the financial services, insurance, and retail technology industries.