The past year made it clear how many cyber challenges we face and how the threat landscape has evolved since the physical attacks on our country on 9/11. A raft of ransomware attacks has led to ransom demands as a condition for the decryption of data and to prevent its public release. Threat actors have successfully compromised digital and technology supply chains to launch large-scale attacks on governments and enterprises, impacting small businesses, local government, and hospitals. Attacks on critical infrastructure have also increased significantly over the past several years, leading to the compromise of water treatment plants, food processing facilities, and oil and gas infrastructure, which have dramatically increased the real-world impacts of cyber-attacks.
While the U.S. government has worked to respond to these emerging challenges, most notably through a Presidential Executive Order and the Cybersecurity and Infrastructure Security Agency (CISA) release of advisories and mitigation guidance, there is more work to be done. The Executive Order and the executive actions it has already spurred will have some impact, but the government needs to further enhance its response to the threat actors behind many of the recent attacks, with a focus on nation-states. The Biden administration should also consider pushing for expanded international action and the embrace of shared cyber norms that help protect critical infrastructure and limit the impact on everyday users.
Undoubtedly, the most high-profile story in cyber over the past year has been ransomware. The past year has seen an observed rise in ransomware attacks, impacting a broader cross-section of industry, including industrial production facilities and critical infrastructure. Even in instances where companies can recover from the encryption itself, by restoring from backups for example, they still face the threat of data exfiltration and “double extortion,” where a demand for a ransom to prevent the release or sale of stolen data is coupled with the initial decryption payment demand.
Attacks on critical infrastructure have had major downstream impacts, such as the impacts on gasoline availability on the East Coast following the Colonial Pipeline attack. In some instances, these attacks have compounded physical supply chain issues. The attack on JBS, a major meat processing company, led to temporary shortages intensified by COVID-19 related supply chain impacts. Similarly, attacks on major logistics firms, like CMA CGM, can have follow-on effects, impacting the supply of a wide variety of goods across an interconnected global supply chain.
We are also seeing the increasing use of digital and technology supply chains to effect compromise at scale. Widely deployed technology tools are a target for attackers looking to compromise targets at scale: find the right vulnerability in an IT systems management tool and you have access to thousands, if not tens of thousands, of organizations.
The SolarWinds and Codecov attacks are both examples of how the successful compromise of such tools can give an attacker access to a plethora of targets without taking the time to compromise each target individually. This type of attack essentially hands the attacker a skeleton key, allowing them to reach any organization using the compromised tool. In some instances, attackers take advantage of an existing flaw within the tool, but in other instances they compromise the development or build environment for the tool, letting them insert their own flaw or backdoor into the software that customers then install and trust.
In addition to the increased use of supply chain attacks, we have seen a significant increase in the number of cyber-attacks on critical infrastructure in the United States. Perhaps most notable has been the increase in the number of attacks on water treatment facilities, which are particularly worrisome given the potential impact of poisoning the water supply of an entire city or town. Attacks in Oldsmar, Fla., the San Francisco Bay Area, and Kansas have demonstrated such attacks are no longer theoretical. While the United States has cybersecurity requirements for water treatment plants, those requirements are much looser for smaller plants. Cyber maturity in these environments also tends to be lower — remote access software may be used, usernames and passwords may be reused or remain static, and little to no security may exist in key locations or systems.
The Colonial Pipeline attack demonstrated the vulnerability of the oil and gas sectors, while the attack on JBS, and similar attacks on major food and beverage companies including Australia’s Lion Brewing, Molson Coors, and E&J Gallo, revealed the vulnerability of our food supply chains. Even when attacks are, in theory, only on Information Technology (IT) infrastructure, Operational Technology (OT) infrastructure is often also taken offline either as a precaution or because its use is dependent on IT systems used for health and safety monitoring, payroll, or management functions.
These trends have been met with a meaningful government response, but we can do more.
New standards. The Biden administration’s Executive Order is pushing CISA, the National Institute of Standards and Technology (NIST), and other relevant government actors to develop new standards and regulatory requirements designed to bolster defense in key sectors and make it easier for the government to understand what is in the software it buys. One such effort, the so-called “Software Bill of Materials,” or SBOM, is meant to ensure that the government, and other software buyers, understand what libraries and other software components are included in the software used in their operating environments, making it easier to detect potential vulnerabilities and address them in a timely manner.
Diplomatic action. Law enforcement has had some success in addressing the increase in cyber-attacks, shutting down botnets used by attackers and, in some cases, recovering ransoms paid in cryptocurrency, like the one paid in the Colonial Pipeline attack. That said, the United States can, and should, do more to pressure the countries supporting the criminal actors behind many of these attacks, most notably Russia and, increasingly, China. It will require moving beyond sanctions and making use of at least some subset of the United States’ cyber capabilities to inflict pain on the criminal organizations undertaking these attacks and the state actors who back them. These actions must, of course, be balanced and proportional and limit the risk of escalation: Is it appropriate to knock a Russian water treatment plant offline in response to a Russian criminal actor’s attack on a water plant in the United States? Notably, the Russian cyber criminal group behind many of this year’s ransomware attacks, REvil, is no longer online, but it is unclear whether this is a result of American political pressure on Russia, a cyber retaliation from U.S. forces, or the organization simply keeping its head down after a series of high-profile attacks.
Cyber norms. There is also a role for international cyber norms, which have been a key cyber policy initiative for the United Nations, the Carnegie Endowment for International Peace, and the Global Commission on the Stability of Cyberspace, on which I served. At their core, cyber norms are meant to create internationally accepted “rules of the road” for actors in cyberspace that leave certain targets off-limits, for example hospitals or elections. These norms would in some ways reflect the norms we see in the physical world, where nation-states refrain from targeting hospitals with bombs and criminals generally do not take public water supplies hostage. The United States can do more to promote such norms and get most, if not all, countries on the same page as to what are acceptable and unacceptable cyber activities to undertake against other countries and civilian infrastructure.
Risk assessment. Private companies can also do more to protect themselves from an increasingly dangerous cybersecurity environment. First, companies can look at threat pathways to inform their defenses, calibrating them to the threats they are most likely to face. Assessments like The Chertoff Group’s Cyber Risk Assessment can help organizations ensure that their investments have the greatest chance of preventing an incident based on the specific threats they face.
Supply chain security. For supply chain-related attacks, companies need to look at the problem through two lenses: Am I a buyer, or am I a supplier? Buyers need to understand the full array of technology tools deployed in their environment, where exactly they are deployed, and, to the extent possible, what software components, and by extension what vulnerabilities, those tools include. Efforts like the Software Bill of Materials (SBOM) should help with this. Suppliers need to do a better job of understanding what software components go into their technology offering, keeping those components up to date, and ensuring that only the required functionality of those components is enabled. They also need to ensure that their development and update environments are properly secured, limiting the ability of an attacker to use their platform to launch an attack against their customers.
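To make the buyer-side use of an SBOM concrete, here is an added worked example (not code from the original article or from any SBOM project): it reads a small CycloneDX-style SBOM and reports which listed components fall inside the affected version range of an advisory. The SBOM, the package names, and the advisory identifiers (EXAMPLE-2021-000x) are all constructed for illustration and do not describe real software or real vulnerabilities; in practice the advisory data would come from a feed such as OSV or a vendor’s security bulletins, and the version comparison would use each ecosystem’s own rules.

```python
"""Match components in a CycloneDX SBOM against a list of advisories.

Added example for this article. All package names, versions and advisory
IDs below are constructed placeholders, not real software or real CVEs.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX 1.4-style SBOM for a hypothetical management agent.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-mgmt-agent", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-logger", "version": "1.4.2",
         "purl": "pkg:npm/example-logger@1.4.2"},
        {"type": "library", "name": "example-http", "version": "2.0.0",
         "purl": "pkg:npm/example-http@2.0.0"},
        {"type": "library", "name": "example-zip", "version": "0.9.11",
         "purl": "pkg:pypi/example-zip@0.9.11"},
    ],
})

# Constructed advisory list (hypothetical IDs). Each entry names a package by its
# purl prefix and an affected half-open version range [introduced, fixed).
SAMPLE_ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-2021-0001", "purl_prefix": "pkg:npm/example-logger",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2021-0002", "purl_prefix": "pkg:npm/example-http",
     "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-2021-0003", "purl_prefix": "pkg:pypi/example-zip",
     "introduced": "0.9.0", "fixed": "0.9.12"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version ("1.4.2") into a comparable tuple.

    Deliberately strict: pre-release tags, epochs and letter suffixes are
    rejected rather than silently mis-ordered. Real tooling needs
    ecosystem-specific comparison (semver, PEP 440, Debian, ...).
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            raise ValueError(f"unsupported version component {piece!r} in {version!r}")
        parts.append(int(piece))
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/namespace/name@version[?qualifiers][#subpath]' into
    (package prefix, version). Qualifiers and subpath are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    package, sep, version = base.rpartition("@")
    if not sep or not version:
        raise ValueError(f"purl has no version: {purl!r}")
    return package, version


def components(sbom_json: str) -> Iterator[Dict]:
    """Yield the component records of a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    yield from bom.get("components", [])


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed under numeric dotted ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component purl, advisory id, fixed version) for every affected component."""
    findings = []
    for comp in components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            # Without a purl the component cannot be matched reliably; a real
            # scanner should surface these as "unidentified" rather than skip them.
            continue
        package, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_prefix"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for purl, adv_id, fixed in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{purl}: affected by {adv_id}, upgrade to >= {fixed}")
```

In the constructed data, example-http@2.0.0 is not reported because 2.0.0 is the fixed version and the range is half-open; the other two components fall inside their ranges. The check only answers "is a known-affected version present"; it says nothing about whether the vulnerable code path is reachable, which is why SBOM-based findings still need triage before they drive emergency patching.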
Resiliency measures. Companies should also focus on “resiliency” controls for both their own systems (e.g., ransomware-resistant backups, safety systems for critical infrastructure, administrative countermeasures for fraud) and those of their downstream customers (e.g., business continuity and supply chain redundancy). No organization can eliminate the risk of a successful attack, and thus every organization needs to be ready to respond to and recover from one. Similarly, if your company offers a mission-critical product to its customers, what can you do to minimize the impact on those customers if an attack occurs on your own enterprise?
Testing, training and oversight. Organizations also need to make sure they address other fundamental elements of their security programs. Is the right testing regime in place to verify that required controls work correctly? Is adequate training being provided to ensure that staff can respond to an incident and recognize attempts to compromise your environment? Organizations also need to ask the right questions regarding their governance and risk management: Do we have the right cyber defense architecture? Do we have enterprise alignment to effectively implement and maintain it? Do we have the programmatic resources needed to translate risk into a business case and into project execution? These are all complicated questions, but it is important that enterprises have the right plans, policies, and capabilities in place prior to a compromise to ensure that the impact of an incident is as limited as possible.
The increasing sophistication of cyber-attacks, particularly the utilization of technology supply chains to effect compromise, poses a significant challenge to the U.S. government and private industry. It is more important than ever that organizations map their investments to their greatest risks, ensuring that they can achieve the greatest security gains for their dollar. The U.S. government needs to find ways to successfully pressure Russia, and increasingly China, to rein in criminal and pseudo-state actors within their countries and, by extension, limit the amount of damage inflicted on U.S. and allied critical infrastructure. Even if this is successful, these are dangerous times, and both government and industry must take the proper precautions to protect themselves, their customers, and our citizens from the increasingly real-world impacts of today’s cyber-attacks.