At a glance.
- Further reflections on the Colonial Pipeline incident.
- US Executive Order rescinds bans on TikTok and WeChat.
- US supply chain security policy.
Further reflections on the Colonial Pipeline incident.
Noting Emsisoft analyst Brett Callow’s comments that “we still have a very, very long way to go before the ransomware problem will be solved,” Techxplore reviews several possible approaches. Some industry experts say the Government is likely engaged in covert action against ransomware threat actors. Others advocate for bringing greater transparency to cryptocurrencies, or establishing competitive bank-backed digital currencies. Auburn University McCrary Institute for Cyber and Critical Infrastructure Security Director Frank Cilluffo thinks the full toolkit from diplomacy to military might is necessary, and "cyber has to be items one, two and three" on the agenda in next week’s Moscow summit. Lax standards and user blunders present another major area for improvement.
Nextgov considers the impact of mandatory security requirements for critical infrastructure (CI), pipelines in particular. Colonial CEO Joseph Blount admitted yesterday in a Senate hearing that DarkSide infiltrated the company’s network through a “legacy” VPN unsecured by multi-factor authentication. Nextgov notes CISA’s recommendation to disengage legacy access points. Senator Maggie Hassan (Democrat of New Hampshire) reminded Blount of his “obligation to U.S. communities…and to our national security.” Blount acknowledged the inadequacy of existing, voluntary Transportation Security Administration guidelines, saying improved standards would particularly benefit “less sophisticated” firms. Industry players have historically resisted one-size-fits-all regulations.
Blount also threw cold water on the theory that Colonial paid DarkSide at the FBI’s behest, according to Virginia Mercury. Describing the choice to fork over $4.4 million as “one of the toughest decisions” of his life, the CEO noted the FBI’s stance against paying ransom. The Federal Government could support CI, he said, by designating a single point of contact for cyber emergencies. CI could support themselves, Hassan countered, by planning in advance for ransomware attacks. Colonial undertook cyber drills, but lacked a ransomware-specific strategy.
The Washington Post documents Capitol Hill’s growing impatience with private sector cyber insecurity and “don’t blame the victim” rhetoric. At a House hearing this afternoon, Representative John Katko (Republican, New York 24th) plans to ask Colonial, “If your pipeline provides fuel to forty-five percent of the east coast, why are you only hardening systems after an attack?” Representative Bennie Thompson (Democrat, Mississippi 2nd) will add that “Government officials and cybersecurity experts have been warning about the growing threat of ransomware for years.” Former National Security Council cybersecurity director Rob Knake wrote in 2017, “No one in corporate America should be surprised any longer that connecting their systems to the internet puts the data they hold at risk.”
Congress is meanwhile navigating a log in its own eye, the Hill reports, in the form of a ransomware attack on House vendor iConstituent, which sixty offices across the political spectrum use to manage voter communications. For weeks, the offices have been unable to access “constituent information.” iConstituent apparently also serves several US cities and states.
A US Executive Order rescinds the previous Administration's bans on TikTok, WeChat.
President Biden this morning revoked his predecessor’s Executive Order banning WeChat and TikTok. Where President Trump had pushed an outright ban, President Biden has instead directed a consumer-centric study of the apps’ security, the Wall Street Journal explains. The Executive Order, "Protecting Americans’ Sensitive Data from Foreign Adversaries," revokes President Trump's Executive Orders 13942, 13943, and 13971. While acknowledging an ongoing emergency, the new Executive Order directs engagement, security reviews, and data protection instead of outright bans.
US policy on supply chain security announced, with a progress report.
The US Administration has issued a fact sheet on its plans to improve supply chain security. It’s a follow-up to the February Executive Order that directed a comprehensive review of critical supply chains. The scope includes cyber considerations, but it's far from confined to them. The fact sheet says, in part:
“The Administration’s COVID-19 Response Team has drastically expanded the manufacture of vaccines and other essential supplies, enabling more than 137 million Americans to get fully vaccinated.
“The Administration has also worked with companies that manufacture and use semiconductor chips to identify improvements in supply chain management practices that can strengthen the semiconductor supply chain over time.
“The Department of Defense (DOD) has announced an investment in the expansion of the largest rare earth element mining and processing company outside of China to provide the raw materials necessary to help combat the climate crisis.
“And the Biden-Harris Administration is working to address critical cyber vulnerabilities to U.S. supply chains and critical infrastructure, including issuing E.O. 14028 on ‘Improving the Nation’s Cyber Security’ just last month.”
The progress report claims progress in several areas:
- “Support domestic production of critical medicines,” which involves the Department of Health and Human Services organizing public-private partnerships under the Defense Production Act.
- “Secure an end-to-end domestic supply chain for advanced batteries,” an initiative for which the Department of Energy has the lead. A National Blueprint for Lithium Batteries is expected to be issued soon, and the DoE will also put in place programs for vehicular batteries and other energy storage projects.
- “Invest in sustainable domestic and international production and processing of critical minerals.” Rare earths are expected to figure prominently in these plans.
- “Partner with industry, allies, and partners to address semiconductor shortages.” The Department of Commerce has the lead here. Not mentioned but clearly relevant is recently expressed Congressional support for increased investment in domestic semiconductor production.
- And, finally, “Building Fair and Sustainable Industrial Bases,” a sweeping proposal involving general good intentions with respect to labor, business, and fair trade.
Demi Ben-Ari, CTO and co-founder of Panorays, thinks businesses should treat the issue seriously, too:
"Clearly, if the federal government is focusing on supply chain risk, then enterprises that operate in a complex supply chain ecosystem must take this matter seriously as well. They too must implement processes to take control of their supply chain, and an essential piece of that involves managing cybersecurity risk efficiently and effectively. This can be accomplished by thoroughly assessing and continuously monitoring all third parties while considering business context. Moreover, since enterprises often work with hundreds or even thousands of suppliers, it’s imperative for these processes to be automated."