Cybersecurity Needs Beefing Up Says Biden


The East Coast is breathing a sigh of relief, as the Colonial Pipeline is restarting its operations. However, the company said it could take days for deliveries to return to normal. Bloomberg has reported that Colonial paid nearly $5 million in ransom to DarkSide, the Eastern European hackers who breached its cybersecurity.

Meanwhile, gas fever continued from Texas to New Jersey as drivers queued up in long lines to obtain precious fuel.

In Washington, DC, members of the Biden administration took the wakeup call, among them Transportation Secretary Pete Buttigieg, who wants to secure our infrastructure.

“We need to make sure our infrastructure is resilient to climate security issues caused by the increased frequency and severity of weather events. But we also need to be sure that we are resilient in the face of cyberthreats.”

Notice how Buttigieg first addresses weather issues, then threats from bad foreign actors. I’ve never heard of a hurricane shutting down a grid and demanding ransom, but you know the administration’s obsession with climate change.

Plus, on Wednesday President Biden signed an executive order to place new cybersecurity standards on software purchased by the federal government. Software developers who violate these new standards would be removed from federal procurement lists. This could also harm their chances of marketing on the commercial market.

It’s about time. Over the past year there have been about 2400 cyberattacks on corporate, local, and federal offices. And, as in the Colonial Pipeline event, hackers have demanded ransom.

Just as shocking is the fact that 85% of critical infrastructure is owned by private companies. There’s nothing wrong with private companies, of course. But there aren’t many regulations to guide them on how to protect their networks. On top of that, most ransomware attacks come from hostile overseas nations, like Russia, which also protect the criminals. And when an attack occurs, bureaucratic inefficiencies hamper defensive action.


First, the National Security Agency tries to collect intelligence, and then the FBI investigates. The Department of Homeland Security then tries to protect government computers. It’s rather like closing the barn door long after the horse runs away.

In fact, after the Colonial Pipeline attack, Sen. Rob Portman (R-OH) expressed his shock at these complications.

“Right now we are waiting for additional technical information on exactly what happened at Colonial so that we can use that information to potentially protect other potential victims down the road.”

He added:

“At our last hearing, I asked the witnesses which agency is in charge of federal cybersecurity. The witnesses were unable to give an answer, which is troubling.”

Former NSA general counsel Glenn Gerstell says this:

“No one would ever think the private sector is responsible for defending itself against North Korean missiles. And yet the private sector is expected to defend itself against foreign cyber maliciousness.”

What’s even more troubling is the substandard way in which companies maintain their security.

In February I had the privilege of hearing Professor Jonathan Lanning, a cybersecurity expert, speak at a seminar. Lanning, a former Air Force officer who served as Lead Defensive Cyberspace Operations planner, now teaches cybersecurity at Friends University in Wichita, KS.

Lanning told our group that too many companies do not use top notch employees to manage their security systems. Rather than employing professionals specifically trained in cybersecurity, they rely on people from their IT departments, many of whom are “lazy coders,” as he put it. The cost of such laxness? Lanning said that 60% of companies that get attacked with ransomware go under within six months.

No wonder there have been 2400 cyberattacks over the past year.

The Friends University cybersecurity program uses a virtual training lab that replicates the internet in real time, giving students hands-on experience. This training goes well beyond the pejorative “learn to code.” However, the bad news is that there are only two other universities in the US which provide this kind of experience.

President Biden seems to understand the need for training future cybersecurity experts.

Well, maybe that’s what he says now. But don’t count on the sentiment continuing. Instead of focusing on training the best and brightest, Biden’s Department of Education is currently looking to infuse Critical Race Theory into the Elementary and Secondary Education Act. And while school boards control local schools, the feds will be there to hand out cash to school districts as an incentive to adopt this pernicious teaching. Money walks, cash talks, as the saying goes.

The time has come to abandon toxic CRT and its cousin forced diversity. As Glenn Gerstell said, “For well over two centuries, America has responded to foreign threats where they resided — overseas.” The threats, however, are now at our shores, coming from predator hackers who sniff out weakness in their prey. They see in Joe Biden a frail and inept president. They see the United States as fractured over politics and race. The Colonial Pipeline incident should serve as a wakeup call to harden our cybersecurity. First, we need a streamlined system of defense. Then, we need to employ the brightest and best-trained Americans to provide a cyber protection every bit as imposing as our military. After all, cybersecurity is now just as imperative to the safety of the nation.

 


Written by

Kim is a pint-sized patriot who packs some big contradictions. She is a Baby Boomer who never became a hippie, an active Republican who first registered as a Democrat (okay, it was to help a sorority sister's father in his run for sheriff), and a devout Lutheran who practices yoga. Growing up in small-town Indiana, now living in the Kansas City metro, Kim is a conservative Midwestern gal whose heart is also in the Seattle area, where her eldest daughter, son-in-law, and grandson live. Kim is a working speech pathologist who left school system employment behind to subcontract to an agency, and has never looked back. She describes her conservatism as falling in the mold of Russell Kirk's Ten Conservative Principles. Don't know what they are? Google them!

5 Comments

  • GWB says:

    I’ve never heard of a hurricane shutting down a grid and demanding ransom
    While not demanding ransom, severe weather events have most certainly disrupted distribution networks for gasoline and natural gas in the past, as well as electrical grids. Our grids need to be resilient across a RANGE of threats. (But, “increased”? Pfft.)

    But there aren’t many regulations to guide them on how to protect their networks.
    Gotta throw a flag on that one. If you’re talking “guiding” there are a LOT of resources our gov’t provides to help companies (and individuals) secure their information systems! The problem is that most people simply treat their information systems as if they’re secure out of the box and don’t need the identified controls placed on them. Or they just enjoy the convenience so much and don’t want to be bothered turning off conveniences that are insecure.
    Here’s a big one that anybody should wade through and implement on their own personal computers:
    https://public.cyber.mil/stigs/
    (Second link in another comment to not trigger the moderation queue.)

    “At our last hearing, I asked the witnesses which agency is in charge of federal cybersecurity. The witnesses were unable to give an answer, which is troubling.”
    Well, then, they’re morons. Homeland Security has had that mission for some time now. And, DoD has a big part in it.

    And yet the private sector is expected to defend itself against foreign cyber maliciousness.
    I call false equivalence baloney on this one. The difference is that regular criminals don’t have nuclear missiles. But regular criminals, script kiddies AND governmental actors all use approximately the same tools. No business should be relying on the gov’t to protect them. (Retaliate, yes!) If you do, the community should stop doing business with you. Period.
    AND, the gov’t should hold private companies accountable when they let their networks and systems go unpatched and become vulnerable.

    the need for training future cybersecurity experts
    Not so much. It’s not the training that’s necessary in many cases. It’s getting the penny-pinching top dogs at the company to actually listen to the cybersecurity guy when he says “Sir, I need to take down the network tonight to apply patches, which you’ve been pushing off for 3 months.” Or when his engineers say “Sir, we really need to real-time backup our data to an offsite location, and we need to build in the ability to near-instantly restore it if a hacker gets in.” Or any of a dozen other things where the CEO balks when told the price tag for doing cyber business in today’s world. AND we need to get people to stop being lazy with their own computer systems (including video doorbells, thermostats, and cellphones).

    Money walks, cash talks, as the saying goes.
    Huh?

    • Kim Hirsch says:

      It’s not the training that’s necessary in many cases. It’s getting the penny-pinching top dogs at the company to actually listen to the cybersecurity guy . . .

      Yeah, but they have to hire the cybersecurity experts to begin with. As Jonathan Lanning told us, and as I wrote in the post, companies would rather use the guys from IT, whose knowledge pales in comparison to an expert like Lanning.

      Huh?

      You never heard that phrase? In its complete iteration it goes Money walks, cash talks, nobody balks. IOW, states and school districts don’t mind getting federal moolah in exchange for teaching CRT and the like.

      • GWB says:

        Money and cash are the same thing…………
        I’ve heard it as something like “money walks, something else talks” – as in money actually does something, the other thing just talks. I do learn new stuff around here. 😉

        And I don’t think you need an “expert” so much as someone who will do the hard work of finding and keeping up with the vulnerabilities and applying the fixes. Also, a person who will implement the STIGs and controls required.

        (BTW, while I do have my Security+ cert, I am not a “cybersecurity professional.” I am simply an IT guy (software test, mostly). But I care about my own security and have implemented STIGs and controls on my own computers. If they would do those simple things then they might get to the point where they would need an “expert” to finish out all the really high-tech stuff.)
