The Washington Post

The Cybersecurity 202: An attack on a critical pipeline highlights the need for stronger ransomware policies

Analysis by
Technology and cybersecurity policy researcher
May 11, 2021 at 7:25 a.m. EDT

with Aaron Schaffer

Government officials say they have been working around-the-clock to help mitigate the ramifications of a cyber attack on a major U.S. pipeline, which has sparked concerns about a potential fuel shortage. 

“Right now there is not a supply shortage. We are providing for multiple contingencies because that’s our job,” Homeland Security Adviser Liz Sherwood-Randall said Monday. She noted the White House has offered support to Colonial Pipeline, the target of the attack, and is communicating with members of the energy industry about the attack.

The FBI confirmed Monday that a cybercriminal group known as DarkSide was responsible for deploying the malicious software that disrupted Colonial Pipeline's systems.

The incident marks one of the highest-profile cases of a growing hacking trend in which cybercriminals lock up computer systems in exchange for a ransom, a technique known as ransomware. 

The number of ransomware attacks against critical services including hospitals and schools has skyrocketed over the past two years, causing alarm in both industry and government circles. In recent months the Justice Department, Department of Homeland Security and White House have all launched initiatives to help combat the rise in attacks using the malicious software.

While Colonial voluntarily shut down its systems to prevent additional damage, critical businesses are often thrust into an impossible choice by ransomware attacks. The Colonial Pipeline attack highlights the need for a more cohesive government policy instructing victims on how to deal with such attacks, experts say.

“There should be some guidelines, not necessarily regulations, especially for critical infrastructure organizations,” said Tobias Whitney, vice president of Fortress Information Security, which works with grid operators and vendors. “Those decisions have downstream implications to them.”

In recent years, the FBI has maintained that ransomware victims should not pay cybercriminals. But as attacks become more ubiquitous and sophisticated, government officials and experts acknowledge the choices for victims aren't so straightforward.

“We recognize that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” said Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger yesterday when asked about the White House position on whether Colonial should refuse to pay the hackers.

Both the White House and Colonial Pipeline have declined to say if the company chose to pay hackers.

“Typically, that is a private-sector decision, and the administration has not offered further advice at this time,” Neuberger said.

Colonial has said it expects to have its systems up and running by the end of the week. 

Experts agree that simply advising companies not to pay isn't a silver bullet for stopping the crisis.

“I think it's indicative of how complicated these situations really are and that there really is no one size fits all solution that's readily available,” says Philip Reiner, CEO of the nonprofit Institute for Security and Technology.

Reiner says that while the endgame is to stop cybercriminals, advising organizations not to pay isn't necessarily the best or only way to achieve that goal.

Reiner co-chaired a Ransomware Task Force led by the organization that recently issued a report with suggestions on how the government should tackle ransomware. The report encourages policymakers to take steps to cripple infrastructure used by cybercriminals and to ensure that critical industries take the necessary steps to improve their cybersecurity.

Neuberger also pointed to the need to help industry fortify systems against such attacks and to hold criminal actors responsible.

“Given the rise in ransomware and given, frankly, the troubling trend we see of often targeting companies who have insurance and maybe richer targets — that we need to look thoughtfully at this area, including with our international partners, to determine what we do in addition to actively disrupting infrastructure and holding perpetrators accountable to ensure that we’re not encouraging the rise of ransomware,” said Neuberger.

That includes working with allies to take out ransomware infrastructure and hold countries harboring ransomware actors accountable, Neuberger noted. 

The group behind the cyberattack, however, is believed to be based in Russia, which is known for harboring cybercriminal operations with impunity. Intelligence officials are investigating any connections between the Russian government and the group, Neuberger told reporters.

“So far there is no evidence from our intelligence people that Russia is involved,” President Biden said Monday. “Although there is some evidence that the actors’ ransomware is in Russia. They have some responsibility to deal with this.”

Fortifying the energy industry is a significant challenge for the government.

Like Colonial Pipeline, a vast amount of the nation's utilities infrastructure is years or sometimes decades old and was not designed with modern security in mind. Government watchdogs have criticized gas and oil pipeline security, which is overseen by the Transportation Security Administration, as especially lacking.

Mounting security concerns about the industry have sparked concern from lawmakers and experts who say the government needs to do more to support the industry.

Rep. Jim Langevin (D-R.I.) says the White House and Congress should consistently share threat information to blunt the effectiveness of ransomware attacks. Langevin says the Cyberspace Solarium Commission will continue to push for industry and government to share information in real time.

Last month the administration launched a 100-day plan to improve cybersecurity of the nation's electricity infrastructure. It intends to apply the same process to other critical industries, including oil and gas pipelines. The new initiatives focus on the sharing of threat insights between the federal government and private sector.

Fortress's Whitney says we should all be concerned that a ransomware gang could disrupt an entire U.S. industry.

“The issue is, is that they were technically able to do this,” says Whitney. “You know, just because they were technically able doesn't mean that someone else couldn't do the same thing to a similar organization and the same in a similar type of a context. So I think we need to be mindful of the fact that it could have been much more significant.”

So far there are no other reported U.S. victims of DarkSide, but officials are urging utility providers to evaluate their cybersecurity protections.

“I will say that every company out there, especially in critical infrastructure, should be anticipating ransomware attacks and figuring out how to respond,” says Langevin.

Chat room

Darkside’s quasi-apology drew tons of attention on social media.

The keys

Apple repairers say documents leaked by hackers will be useful for helping customers.

Hacked schematics showing the internal workings of Apple MacBooks were leaked by REvil after the ransomware group compromised Apple part manufacturer Quanta Computer, Motherboard’s Damon Beres reports. The documents have already spread among those who repair Apple hardware. They say the documents will be helpful for complex fixes to internal components in Apple computers.

“Our business relies on stuff like this leaking,” said Louis Rossmann, who owns the Rossmann Repair Group. “This is going to help me recover someone's data. Someone is going to get their data back today because of this.” Apple did not respond to a request for comment. Its computer designs are copyrighted.

Insurance officials hope the industry will follow a French insurer’s decision not to cover ransomware payments.

AXA’s decision, which appears to be an industry first, could spur other insurers to take action, CyberScoop’s Tim Starks reports.

“I’m surprised it hasn’t happened sooner,” said Jon DiMaggio, the chief security strategist at Analyst1. “These insurance companies don’t like to spend money and we’re going the opposite direction that they want to go, so I think we’re going to see more companies getting out of it.”

AXA’s move does not apply outside France and the company still covers cleanup costs from the incidents, according to Christine Weirsky, a spokeswoman for AXA’s U.S. subsidiary, AXA XL.

The Department of Homeland Security is monitoring social media sites for domestic terrorism threats.

The goal of the strategy is to find the kinds of posts that led up to the Jan. 6 riot at the Capitol, NBC News’s Ken Dilanian reports. It could, however, draw scrutiny from civil liberties groups who say the U.S. government’s technically legal monitoring of public social media posts runs the risk of stifling speech online.

Internal government reviews have repeatedly raised concerns about the usefulness of wide-ranging collection of social media information, but agencies keep barreling forward, wrongly assuming that its benefits must outweigh its costs, said Hugh Handeyside, a senior staff attorney at the ACLU. “People say inflammatory stuff on social media, but as an empirical matter, that speech isn't a valid or reliable predictor of violent conduct.”

“We're not looking at who are the individual posters,” a senior official said. “We are looking at what narratives are resonating and spreading across platforms. From there you may be able to determine what are the potential targets you need to protect.”

Mentions

  • Brett Goldstein, who leads the Pentagon’s Defense Digital Service, will step down at the end of June, Politico Pro’s Martin Matishak reports.

Daybook

  • Erin M. Joe, the director of the Cyber Threat Intelligence Integration Center, speaks at the CyberSatDigital conference at 9:20 a.m. today.
  • Acting CISA director Brandon Wales testifies at a Senate Homeland Security and Governmental Affairs Committee hearing on improving federal cybersecurity in the wake of the cyberattack on SolarWinds and other software today at 10 a.m.
  • Reps. Jim Langevin (D-R.I.) and Don Bacon (R-Neb.) speak at a Hudson Institute event on the U.S. military and the electromagnetic spectrum today at noon.
  • Morgan Adamski, who leads the National Security Agency’s Cybersecurity Collaboration Center, speaks at the GovConWire Defense Cybersecurity Forum on Wednesday at 2 p.m.
  • Lt. Gen. Vincent Stewart, the former director of the Defense Intelligence Agency and former deputy commander of U.S. Cyber Command, speaks at an event hosted by the Intelligence and National Security Alliance on Wednesday at 4:30 p.m.
  • Sen. Thom Tillis (R-N.C.), former Google CEO Eric Schmidt and Gilman Louie, who ran the CIA’s In-Q-Tel venture capital fund, discuss artificial intelligence at a Center for Strategic and International Studies event on Thursday at 3 p.m.
  • Gen. Paul Nakasone, the commander of U.S. Cyber Command and director of the National Security Agency, testifies before a House Armed Services Committee panel along with deputy assistant secretary of defense for cyber policy Mieke Eoyang on Friday at 11 a.m.
  • Steve Luczynski, who leads CISA’s coronavirus task force, speaks at 4:15 p.m. on May 17, the first day of the RSA Conference.
  • Deputy national security adviser for cyber and emerging technologies Anne Neuberger speaks at the RSA Conference at 11:45 a.m. on May 18.

Secure log off

We're watching this on repeat.