Our Government’s Cybersecurity Plan: Too Little Too Late?
Why Our Current Cybersecurity Strategies Are Destined to Fail Us
This is Civic Way’s first commentary on the Colonial Pipeline shutdown and its implications for state and local government. The author, Bob Melville, is the founder of Civic Way, a nonprofit dedicated to good government, and a management consultant with over 45 years of experience improving governmental agencies across the US.
Highlights:
The Colonial Pipeline shutdown is merely the tip of the proverbial iceberg, a foreshadowing of a growing and potentially existential threat to American society
Our response thus far to cyber-crime can be characterized as too little too late, with our attention primarily focused on micro threats (against individual businesses and agencies)
Our most troubling vulnerability is to macro threats, cyberattacks that could paralyze or destroy critical infrastructure or other facilities or services upon which American lives depend
To protect government (and American society) against cybercrime, we need a holistic, organizational approach that encourages individual entities to work together across traditional jurisdictional barriers
Introduction
Earlier this month, the 5,500-mile Colonial Pipeline was closed for six days after a ransomware attack. According to the American Petroleum Institute, this pipeline supplies the eastern seaboard with 100 million gallons of oil per day and 45 percent of its gas and jet fuel. While this is the largest known cyberattack on America’s energy infrastructure, this pipeline is only one segment of our 190,000-mile petroleum pipeline network.
Initially, Colonial Pipeline refused to pay or negotiate with the hackers. As panic-buying set in and many gas stations ran dry (e.g., over 70 percent of Charlotte’s stations), Colonial Pipeline paid an estimated $5 million to DarkSide, an Eastern European-based cybergang. After receiving a decrypting tool from the hackers, Colonial Pipeline restored its disabled network. The shutdown lasted only a week, but it could have lasted much longer, with more devastating impacts on the Southeastern states.
What if the Colonial Pipeline shutdown is merely the tip of the proverbial iceberg? What if the $4.4 million ransom encourages more ransomware attacks and higher demands? Hackers have already demonstrated their expertise in email phishing, malware, ransomware and distributed denial of service (DDoS) attacks. What if they get even more sophisticated? Cybercrime is already deemed a national security threat by the FBI. What if it gets worse? What if it paralyzes larger elements of America’s critical infrastructure for more than a week?
The Third Cybercrime Wave Is Upon Us
We are in the third phase of the cyberattack era, with each phase shorter and exponentially more intense than the last. The first phase, from 1989 to 2015, entailed a slow, gradual increase in activity. It seems incredible now, but the first recorded ransomware attack—in 1989—involved tainted floppy disks and a $189 ransom. As late as 2013, the impact of ransomware attacks remained negligible.
The second phase started around 2015 when hackers accelerated their attacks on linked enterprise computer networks. In 2017, serious state-sponsored cyberattacks, like the WannaCry infection of thousands of computers with Microsoft Windows, became more prevalent. In 2018, Latin American banks lost over $800 million due to cybersecurity breaches. 2019 witnessed numerous attacks, including the Amavaldo malware attacks on Spanish and Brazilian financial institutions, the RobbinHood ransomware attacks on Atlanta and Baltimore public utility systems and firewall assaults on western power grid operators.
In 2020, the third—and most alarming—phase began (during the pandemic). Ransomware attacks escalated. Hackers launched more attacks from other nations, such as Russia, China and North Korea. Microsoft, Intel and many other large entities using SolarWinds and Microsoft software were hit hard. Public sector cyberattacks increased by 50 percent. Nearly 2,400 state and local governments suffered ransomware attacks.
In recent months, the cybercrime wave has swamped even more victims. States. Cities. Counties. Law enforcement agencies. Schools. Colleges. Water treatment plants. Hospitals. National health systems. Regional medical centers. Voting systems. Public and private entities alike. In contrast to traditional crimes, the cybercriminal doesn’t need a weapon, physical presence or getaway car.
Cybersecurity attacks have become increasingly prevalent, costly and hard to prevent. Despite valid fears that paying a ransom only encourages more crime (and does not guarantee the full restoration of hijacked data), ransoms are rising. While estimates vary widely, the average ransom is at least $200,000. During 2020, total ransoms easily exceeded $1 billion. Worse, the average ransomware attack recovery takes over nine months and costs at least $2 million. Accenture has predicted that, in the aggregate, cybercrime could cost over $5 trillion worldwide by 2024. Whatever the cost, it will affect every facet of our lives.
Cybercrime comes in many forms. Invading the digital ecosystem. Stealing identity, intellectual capital and other assets. Seizing or disabling vital processes. Flooding a network to overwhelm systems and cause permanent physical and reputational damage. Reducing our confidence or trust in public institutions. Triggering machine-on-machine wars. Cyberthreats are no longer mere inconveniences.
And cybercrime is not likely to subside any time soon. Instead, it will likely worsen. As our lives become more tethered to the Internet and Cloud, our thirst for immediate access will grow. As our networks become more connected and the lines blur between home and office, hackers will have more targets. As more data is shared among public platforms, devices, Internet of Things and stakeholders, our exposure spreads. There is little doubt that our insatiable need for connectivity has far outpaced our cybersecurity.
And the criminals are getting smarter and more elusive. Mysterious criminal gangs like Babuk, DarkSide, Evil Corp, Emotet and Wizard Spider (UNC1878). New competitors like cartels. More sophisticated tools like TrickBot, Ryuk and Botnets. Evasive measures like foreign safe havens, weak extradition procedures, dark web negotiations and cryptocurrency. As ransomware attacks continue to evolve and proliferate, they will mutate from economic nuisances into full-fledged national security threats.
Our Reeling National Energy Infrastructure
Cybercrime poses a grave threat to all elements of American life, such as work, commerce, food, travel and entertainment. Arguably, the most vulnerable—and consequential—element is our critical infrastructure. Without a functioning infrastructure, no other aspect of American life can survive. Since infrastructure means different things to different people, it should be clearly defined, especially in the context of cybersecurity.
The Department of Homeland Security has defined critical infrastructure as economy sectors “so vital … that their incapacity or destruction would have a debilitating impact on our … security or public health or safety.” Such sectors include defense, finance, agriculture, health care, transportation, energy and communications. From a state and local government perspective, critical infrastructure includes any assets vital to the delivery of essential public services—that is, those protecting our security, health or safety. Such assets include bridges, tunnels, dams, water systems, wastewater facilities and energy.
Every infrastructure element matters, but a civilized society cannot be sustained without energy. As the Colonial Pipeline shutdown reminded the Southeast, our energy infrastructure is highly vulnerable to cybercrime. And it also demonstrated that, when any part of it is paralyzed, even for a few days, panic is not long to follow. After more than a few days, economic activity is seriously disrupted.
Understanding why our energy infrastructure is so vulnerable to cyberattacks could help us find effective long-term strategies for combatting cybercrime as a nation. Here are some causal factors worth considering:
Obsolescence – As outlined in our last commentary, America’s energy infrastructure is old and aging rapidly. Much of it was built before the advent of computer networks and we have invested far too little to ensure that it is resilient enough to withstand a major cyberattack and quickly restore operations
System Fragmentation – Our energy system is anything but well-organized (see our last commentary). It is a virtual jumble of public and private systems, including power grids, generator plants, refineries, crude oil pipelines and natural gas pipelines. Most of our energy infrastructure is owned by hundreds of private firms, large and small, usually operating under weaker public disclosure requirements than governments. Public ownership is severely fragmented across thousands of governmental entities.
Regulatory Incoherence – Federal and state energy regulations are inconsistent and too often ineffectual. And privately-owned infrastructure is only subject to voluntary guidelines (e.g., National Institute of Standards and Technology and Interstate Natural Gas Association of America). Despite the past crises and looming threats, many private interests remain adamantly opposed to government regulation.
Myopia – Many private energy firms are more focused on short-term profits than long-term security. Oil and gas firms, for instance, have been cutting costs, replacing local refineries with pipelines and overlaying new technologies on inadequate energy management systems. Most state energy policies favor short-term competitiveness over resilience and many political leaders heap praise on utility companies for keeping rates low even as they neglect long-range investment needs. Unplanned power blackouts, such as those experienced in California and Texas, are the natural byproducts of such policies.
The prognosis? America’s vast energy infrastructure, the precious fuel of its economic engine, is facing more disruptions, even bigger than the Colonial Pipeline shutdown—and just as predictable. After all, the Colonial Pipeline shutdown was certainly no surprise. A recent external audit of Colonial Pipeline found a “patchwork of poorly connected and secured systems” that an “eighth-grader could have hacked ...” In 2019, intelligence officers warned that cyberattacks could disrupt a natural gas pipeline for weeks.
Our Micro Cybersecurity Response
The private sector grasps the seriousness of the cybercrime threat. According to Gartner, global spending on information security and risk management systems will climb to at least $174 billion by 2022. Hundreds of private firms are leaping into the cybersecurity market, including law firms, forensic accounting firms, new boutique cybersecurity consultants like Absolute, Centrify, Deep Instinct, MobileIron and Vectra and specialized ransomware negotiators like Arete, Coveware and Kivu.
The insurance industry is responding to the threat as well. The National Association of Insurance Commissioners estimates that the booming cyber-insurance market, including new firms like Coalition and Resilience, generates annual revenues of about $3.1 billion. However, traditional insurers are getting nervous about rising ransomware payments. Premium costs have jumped an estimated 50 percent since the end of 2020. And some insurers, like France’s largest general insurer, are becoming more circumspect about who they insure.
In recent years, private cybersecurity experts have developed a relatively standard menu of best practices for improving an organization’s cybersecurity. Such practices include the following:
Improve awareness – continually inform employees, vendors and customers of actual and potential cyberthreats, regularly update cybersecurity policies and procedures (including effective precautions) and quickly notify all parties of actual cyberattacks;
Strengthen access controls – institute effective passwords, employ zero-trust user authentication, secure work connections, fully screen suppliers and solutions, and protect entry points and endpoints like desktops, laptops and mobile devices from cybersecurity threats
Control data – collect, retain and protect vital business data, regularly identify and purge superfluous data, enhance data sharing protocols, encrypt all data at every stage including storage, promptly identify and patch any vulnerabilities and continuously segment data networks
Improve backup capabilities – maintain duplicate infrastructure assets (e.g., servers, routers, firewalls, sensors), diversify energy feeds, continuously store redundant data at multiple sites and ensure adequate data backups (e.g., offline and in cloud)
Monitor performance – continually monitor networks and detect and isolate threats, frequently test the vulnerability of access points, perimeters and connections and regularly test backup capabilities
Accelerate responses – test and update response plans, quickly isolate hacker midpoint servers, acknowledge attacks, notify all impacted parties of potential impacts in real time, and promptly initiate damage mitigation and operational recovery efforts
Compliance is spotty. Larger firms, those with adequate budgets, are spending more on cybersecurity. In contrast, less than 15 percent of small businesses are adequately prepared. To date, small businesses have been victims of over 40 percent of cyberattacks.
Worse, such measures focus more on the micro (e.g., one enterprise) than the macro (e.g., a sector or society in general). They help individual entities improve internal cybersecurity, but they require extensive collaboration and coordination to succeed across entities. In other words, virtually all cybersecurity measures are designed to help individual enterprises protect themselves, not the public at large.
The Cybersecurity Organizational Imperative
To protect government (and American society), especially state and local governments, from cybercrime, we need a more holistic approach.
We need a new organizational approach to cybersecurity that encourages individual entities, especially states and localities, to work together across traditional jurisdictional barriers. As stated by the Combatting Ransomware report, the threat of cybercrime “demands a whole-of-government strategic response” and “structures” for coordinating “activities across authorities and capabilities.” Strengthening capabilities will require a far more serious public investment in the development and training of human resources.
In our next commentary, we will focus on specific organizational strategies for the federal government as well as state and local government. These strategies will address what most leaders and cybersecurity experts have thus far neglected: the need for a new organizational model, a pragmatic alternative to the siloed, state-centric approach that is undermining our nation’s cybersecurity efforts.