At a glance.
- Spies and crooks, and how to tell the difference.
- Regulatory sequelae to the Colonial Pipeline incident.
Telling the spooks from the goons; from deterrence to war.
Distinguishing APTs from cyber mercenaries, Aerotech News & Review says, is no straightforward task when states like Russia broker deals with gangs and permit their employees' side hustles. The battlefield haze complicates Washington’s ability to respond, since the FBI and Justice Department are tasked with managing hoods, and CyberCom takes the reins if a foreign power is in play. With an eye to the persistent threats of Moscow, Beijing, and Pyongyang, the National Interest argues for uniting and aligning the efforts of Justice, CyberCom, industry, and states, and for treating cyberattacks as acts of war.
France 24, in contrast, characterizes the steady state of cyber conflict that’s taken shape since the days of Stuxnet—when cyberattacks were devastating, rare, and tightly controlled—as an intelligence contest. Governments keep operations quiet to avoid escalation and preserve their competitive edge. The fact that Washington’s responses often go unseen, CyberCom Commander Nakasone recently told Congress, does not mean US elements aren’t out there “impos[ing] the largest cost possible.”
Non-voluntary cyber standards, coming soon to a pipeline near you.
As the dust settles from the Colonial Pipeline ransomware attack, the regulatory shoe is dropping. The US Transportation Security Administration (TSA) is preparing new cybersecurity standards for pipeline operators, SecurityWeek reports, that will come in two waves carrying incident reporting and vulnerability assessment requirements. Operators are predicted to protest the move; the American Petroleum Institute called for forthcoming rules to contain “reciprocal information sharing and liability protections.”
The Washington Post notes concerns that TSA’s pipeline security division, which had five staffers in 2019, lacks the know-how and manpower to oversee upwards of three thousand pipeline firms. New regulations could also conflict with existing Coast Guard and Energy Department rules for chemical plants and electric utilities, if not crafted with care. TSA’s swing from elective guidelines to mandatory standards may spell a sea change for critical infrastructure sectors, the majority of which lack compulsory cybersecurity codes, as the regulatory tide swells.
Another Washington Post piece observes that the Federal Government still needs to get its own cyber schooner shipshape. None of the twenty-three Federal agencies it reviewed, the Government Accountability Office reported to Congress yesterday, has “fully implemented” the Office’s recommended security measures.
We received several comments from industry experts on the scope and likely effect of the coming regulation. Nick Cappi, Cyber Vice President, Portfolio Strategy and Enablement at Hexagon, hopes that other sectors won't need to sustain a similar attack before they receive regulatory attention:
“I am glad to see government involvement in securing our critical infrastructure (even if it’s limited to a specific sector, in this case, pipelines). With that said, it feels like a knee-jerk reaction to an event. Hopefully, we don’t have to wait for events in each sector to receive the same type of attention from government agencies and new regulations to prevent future incidents.”
Edgard Capdevielle, CEO of Nozomi Networks, also finds the regulations encouraging, and takes particular notice of the mandatory breach reporting:
“We’re encouraged to see the DHS and TSA take action to ensure appropriate security measures for the oil and gas industry. Most critical infrastructure sectors don’t have mandatory cyber standards, and until now that included oil and gas.
“The requirement for mandatory breach reporting will help shine a light on the extent of the problem in this sector. Cybersecurity is a team sport. Pipeline operators, security vendors and the government alike need to work together as a community to share threat intelligence and breach data in real time. An open approach to information sharing will play a big part in building a more mature cyber defense.
“The distributed nature of the oil and gas sector makes this extra challenging. It requires many different forms of connectivity and can be more difficult to secure. These environments are distributed and physically remote. No two operators are alike in terms of the exact processes and systems they’re using, which makes it harder to establish one set of cybersecurity requirements that will work effectively for all. There will need to be some flexibility and collaboration to make it work.
“While there’s a place for regulated security requirements, we need to be careful not to put all the burden on the victim(s). Tax incentives and government-funded centers of excellence will help ensure critical infrastructure operators can build and maintain effective cybersecurity programs over time. And it’s time to take aggressive steps to hold sophisticated criminal rings and threat actors accountable for their crimes.
“We know from our work with leading oil and gas companies around the world that those suppliers who invest early in strong cybersecurity programs and resiliency are able to respond faster, and with less financial damage, to ransomware and other cyberattacks, compared to those who wait until an incident occurs to invest in their defense.”