At a glance.
- UK’s Digital Markets Unit given additional authority.
- White House issues memorandum on risks associated with quantum computing.
- Colonial Pipeline: lessons and response, one year in.
- Leadership update: US Cyber Command and National Security Agency.
- Comment on NIST Special Publication 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
UK’s Digital Markets Unit given additional authority.
Computing discusses the UK’s plans to increase the regulatory powers of the Digital Markets Unit (DMU), part of the Competition and Markets Authority (CMA), in an effort to level the playing field for smaller tech companies. Tech giants found in violation of consumer protection rules like the recently signed Digital Markets Act and Digital Services Act could be served penalties of up to 10% of their global annual turnover, and the DMU will also be authorized to fine these companies up to 5% of their daily turnover for every day an offense continues. Individuals such as senior executives could also face civil penalties for not appropriately responding to requests for information. The DMU will also have the authority to pursue actions that give users more control over their personal data, and to resolve disputes between tech companies and news sources. Andrea Coscelli, CEO of the CMA, stated, "The CMA welcomes these proposals and we're pleased that the Government has taken forward a number of our recommendations that will allow the DMU to oversee an effective and robust digital markets regime in the UK."
White House issues memorandum on risks associated with quantum computing.
As we noted yesterday, US President Biden issued an executive order focused on advancing quantum technology in the US while also boosting the nation’s cybersecurity defenses against quantum supercomputers. Along with the EO, a National Security Memorandum has been released warning about the risks quantum computing could pose to civilian and military communications and online financial transactions, as the new technology is capable of cracking the public key cryptography currently used on most digital systems. "Research shows that at some point in the not-too-distant future, when quantum computers reach a sufficient size and level of sophistication, they will be capable of breaking much of the cryptography that currently secures our digital communications on the Internet,” the memo reads. The document also outlines a plan for employing multi-agency coordination to migrate vulnerable computer systems to quantum-resistant cryptography. The National Security Agency and National Institute of Standards and Technology will develop and publish new quantum-resistant cryptographic standards, expected to be released by 2024, with the goal of reducing quantum risk as much as possible by 2035. Security Week adds that open-source tools are now being fitted with features to prevent "capture now, decrypt later" attacks, in which encrypted traffic is collected today in anticipation of future advances in quantum computing.
Leadership update: US Cyber Command and National Security Agency.
General Paul Nakasone, US Cyber Command and National Security Agency (NSA) chief, has been asked to extend his four-year term for another year, and while the renewal has not yet been made official, it signifies a vote of confidence in Nakasone’s abilities from the White House and the Pentagon. The Record by Recorded Future recounts the highlights of the general’s tenure so far, noting that Nakasone’s “persistent engagement” approach has turned Cyber Command into a leading combatant command. As well, under his leadership the NSA left its “white hat” reputation behind, now regularly joining forces with other agencies to issue security alerts informing the general public about cybersecurity threats.
The Record adds that CyberCom and NSA have selected the newest leaders of the Nakasone-created Election Security Group (ESG). Established in 2018 to secure the midterm elections against Russian interference, the ESG has since expanded its mission to mitigate threats from China, North Korea, and Iran, as well as non-state actors. The group will be headed by NSA Senior Executive Anna Horrigan and Brig. Gen. Victor Macias, deputy chief of the Cyber National Mission Force (CNMF). At Vanderbilt University’s Summit on Modern Conflict and Emerging Threats this week, Nakasone stated, “We’re less than 200 days before our nation goes to vote for our midterm elections. And I assure you that we are ready, we will be ready, going forward.”
Regulatory lessons learned from the Colonial Pipeline ransomware incident.
Tomorrow marks the first anniversary of the Colonial Pipeline cyberattack that shut down operations of the critical fuel supplier for days, and in honor of the milestone, the Washington Post asked experts to reflect on the lessons learned from the incident. Emsisoft threat analyst Brett Callow says the attack proved that criminal hackers could be just as disruptive as nation-state threat groups. “The fact that low-level criminal extortionists - not actors backed by a hostile state - were able to cause such chaos highlighted not only the fragility of our critical infrastructure, but also the need to do more to directly combat the ransomware problem,” Callow tweeted.
The attack led government officials to put more steam behind the fight against ransomware, and as Inside Cybersecurity reports, the Department of Homeland Security put forward a “flexible and effective approach” to bolstering pipeline sector cybersecurity by implementing new Transportation Security Administration (TSA) security directives and increasing the administration’s cybersecurity personnel.
Reuters reports as well that the US Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) yesterday proposed a nearly $1 million penalty to Colonial Pipeline for the management failures that exacerbated the impact of the incident. "Colonial Pipeline's ad-hoc approach toward consideration of a 'manual restart' created the potential for increased risks to the pipeline's integrity as well as additional delays in restart, exacerbating the supply issues and societal impacts," a notice from the PHMSA reads. A Colonial spokesperson responded by saying the company is dedicated to working with PHMSA to resolve the issues raised, but also pointed to the remediations the company implemented at the time of the incident: "Our coordination with government stakeholders was timely, efficient and effective as evidenced by our ability to quickly restart the pipeline in a safe manner five days after we were attacked, which followed localized manual operations conducted before the official restart."
Padraic O'Reilly, pipeline cyber risk advisor for DoD and Co-Founder of cyber risk management firm CyberSaint, sent us comments on how the incident has driven industrial control system safeguards:
"The key drivers of change are the directives, the continued threat of attacks, the geopolitical situation, and the increased attention from regulators. More generally, there has also been increased attention on ICS, as credible intelligence has indicated that cyber to physical attacks are more likely. CISA has also been very focused on providing guidance to ICS. Key drivers in programs are the existing gaps that the directives seek to address. There are some unique challenges, as well, in Pipeline industrial control systems, which have to coordinate information over large geographic distances. The main issues are still the longstanding ones. What are the key business-critical systems? How segmented are networks? Are basic protections being missed like two-factor authentication? And is there a robust set of procedures in place for patching ICS, which is not as straightforward as patching IT networks? That has been a major bone of contention during the rollout of these new requirements."
O'Reilly sees some signs of improvement, but a great deal of work remains to be done. "I would say, yes, critical infrastructure is safer, but only marginally so. More attention is being paid to the overall challenge, and the directives are being taken seriously by governance and operational concerns. But the directives are still subject to haggling, and TSA is not terribly well equipped to handle a process like this at scale."
He sees on balance that regulation prompted by the incident has been a plus.
"This has put some teeth behind what was formerly voluntary guidance like that provided by the American Petroleum Institute. The Pipeline industry is currently undergoing the same sort of changes that NERC CIP put bulk power systems through when they came into effect in 2008. In essence, the requirements establish a baseline of expected safeguards and the accountability for having them in place. They are still not publicly available, so it is difficult to say the cadence at which the improvements are being made, but in my discussions with professionals, I can say that they are evaluating their current compliance and are in discussion with TSA. Certain companies are turning to consultants to expedite adoption and reporting. However, the main parts of directive 2 are expensive—architectural review, contingency planning, and mitigation measures. Directive 1 has costs associated with it, as well. The fines are potentially substantial, but a change like this generally takes more than a year, so any security gains thus far are likely to be marginal."
There's a business case to be made for improved security, and spending has followed the perceived importance of compliance. "I would say that the spending is coming as practitioners make the business case around compliance with the directives," O'Reilly says. "While Biden and the TSA have floated fines, it doesn’t look like any penalties have been issued to date. The dust hasn’t really settled on this issue yet, and TSA will need to adjust on the fly and potentially tailor the directives to be more focused on the unique challenges in Industrial control system cyber."
Mike Hamilton, former vice chair for the DHS State, Local, Tribal, and Territorial Government Coordinating Council, and currently CISO of Critical Insight, says that the Transportation Security Administration (TSA) is working on the challenges of pipeline security. "The TSA, which is the sector-specific agency for the transportation sector, is now firmly engaged in communicating cybersecurity requirements to pipeline operators. Late to the game, but still progress," Hamilton wrote. "We also now understand the importance of pipeline security, despite not having picked that up when Russia disabled a pipeline that carries energy to the country of Georgia some years ago. We’ve also seen that we can expect surgical attacks against certain sectors that appear to be ransomware, but have an outsized impact on the American economy and social fabric. This has created more of an incentive for DHS/CISA to share information outwardly WITH the private sector, rather than expecting all information to be shared FROM the private sector. This is having a positive impact."
Jonathan Reiber, who previously served as the Chief Strategy Officer for Cyber Policy in the Office of the U.S. Secretary of Defense during the Obama administration, and who is currently Vice President for Cybersecurity Strategy and Policy at AttackIQ, wrote that the Colonial Pipeline incident was a watershed event:
“The Colonial Pipeline cyberattack was one of the most impactful events in cybersecurity history in the United States, second only to the Russian government’s hack-leak disinformation operations around the 2016 U.S. presidential election. The attack terrified the country and woke up the American people. Why? In a word, panic. When the pipeline went offline, the American people panicked in fear that they wouldn’t be able to get gas, and that panic contributed to a spike in gas prices.
"The second-order effects of the Colonial Pipeline attack are far more positive. After years of escalating ransomware attacks across the United States, particularly against the healthcare sector, the Colonial Pipeline attack thrust ransomware front and center into the public’s consciousness and jerked the massive machinery of the U.S. federal government into action. For the first time, we saw the emergency energy organizations of the United States involved in a strategic response to a cyberattack. The Department of Justice quickly developed tools to reclaim the ransom, going after cryptocurrency. In the year since then, accelerated by Vladimir Putin’s war in Ukraine, federal agencies and Congress passed rules and legislation to strengthen the United States’ cyberdefense posture, to include the Cyber Incident Reporting for Critical Infrastructure Act. And what is the one constant, dangerous accelerator in the 2016 election attack, the Colonial Pipeline attack, and the war in Ukraine? Vladimir Putin and his government.”
We also hear from Kudelski Security CEO Andrew Howard, who says that the incident spurred a dramatic increase in industry awareness:
"The Colonial Pipeline attack was a wakeup call for lots of companies. It was the kind of situation security professionals had worried about for some time – a large-scale incident that leadership discussed as a hypothetical, but that Colonial made real.
"This kind of incident is often characterized by media and security leaders as an attack on an operational technology (OT) system. Now that we understand the full details of the attack a year later, we know that while an OT-oriented company was targeted, compromised billing systems on the IT network are what created the vulnerability. The systems that actually moved and controlled oil on the pipeline were not compromised. While companies should absolutely be concerned about the security of their operational technology systems, it’s crucial not to lose sight of the IT functions in and around such systems.
"Across our client base, we have seen a material uptick in proactive OT-related security concerns following the Colonial Pipeline hack. While this specific attack received a lot of attention, it was not the first attack of an operational technology network and certainly won’t be the last – it represents the new normal of cybersecurity attacks we’re going to see in the future."
Comment on NIST Special Publication 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
The National Institute of Standards and Technology (NIST) has issued Special Publication 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. The Institute describes the document's purpose as follows:
"Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services.
"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services."
Jason Kent, Hacker in Residence for Cequence Security, approves of NIST's product:
"As more and more supply chain attacks cause havoc for enterprises, NIST has come forth with its latest offering to help give guidance on how to mitigate supply chain risks, as well as help organizations comply with the latest White House directives on cyberthreats. The guidance in the Cybersecurity Supply Chain Risk Management or C-SCRM document is some very good, very easy to achieve, first steps in understanding where risk might be. As organizations prepare to comply with this, tabletop exercises and discussions of disruptions in the supply chain should be encouraged. In addition to this, understanding that anything that impacts IT Infrastructure from a security standpoint also applies to every supplier in the chain. With our own LoNg4j announcement just yesterday we showed how a supply chain vendor can impact the overall security of an organization by having a simple flaw in a shared system."