We learned this week that the meat processing industry in the United States – a vital link in the nation’s food supply chain – is vulnerable to crippling cyber attacks. This worrying revelation follows closely on the heels of a report last month showing that our nation’s pipeline infrastructure – which delivers fuel from refineries to gas pumps – contains serious cyber security vulnerabilities that could be exploited by rival nations or criminal groups. Also: cyber defenses at our nation’s research universities, hospitals and public safety agencies are substandard and need urgent attention and investment. We now know this.
Red Teaming a $22 Trillion Economy
Who informed the American public about these lingering risks, any one of which might conceivably plunge our nation into a crisis? It wasn’t the Department of Homeland Security – whose mandate is to secure the nation from internal threats. Nor was it CISA – the Cybersecurity and Infrastructure Security Agency – our nation’s leading cyber security agency.
No. It was a bunch of criminal gangs – most working out of Russia or former Soviet bloc countries in Eastern Europe. They have names like REvil (believed responsible for JBS); Darkside (Colonial Pipeline); Ryuk (hundreds of hospitals); and Babuk (DC Police Department). There are (many) more.
I’d call these groups “ragtag,” because that’s how we like to imagine criminal gangs, except that they’re anything but. Ransomware operations are well funded, specialized, well trained and operate with a kind of clinical efficiency. In fact: they’re all business.
What is their business? So-called “double extortion,” which refers to the groups’ one-two punch of stealing victims’ data, planting ransomware and then using both to negotiate the biggest payout possible. Looked at another way, though, part of the business of ransomware gangs is to find, investigate and exploit security vulnerabilities in the networks and online operations of organizations. In the legal market for IT services, this is called “red teaming,” and it’s a fast-growing industry.
Of course, the ransomware groups don’t charge for this red teaming service directly. Still: it is part and parcel of what they do. And, while the service is neither sought by victims nor beneficial to them in any way, it has had benefits to us, collectively, in the world’s largest economy. If nothing else: successful ransomware attacks smoke out security laggards across industries. They send those companies and, often, their near competitors scrambling for better protection against cyber criminals.
Gimme (Cyber) Shelter
As I see it, this ransomware “epidemic” we’re bemoaning is better seen as a decentralized, cross-sector red teaming exercise that we have simply outsourced to the mob. Was that a smart idea? Not really. It is the IT sector’s equivalent of the Rolling Stones’ hiring The Hells Angels to “handle” security at their infamous free concert at the Altamont Speedway in 1970.
Just like the ‘Stones, we could easily have hired actual security professionals to do the job. DHS, CISA, the Department of Transportation or other oversight agencies could have carried out their own, independent audits of the type that Darkside and Ryuk and REvil are doing on a weekly basis. Our government could have used its authority to mandate, rather than gently suggest, that companies submit to reviews of their cyber security or take part in sector “table top” exercises that walk through likely scenarios, including ransomware attacks. That’s especially true of critical infrastructure where a small number of firms control huge swaths of the networks that keep our economy humming.
Had those public agencies done so, in the public’s interest, they might have discovered many of the same weaknesses in public and private sector infrastructure that the ransomware groups eventually discovered and exploited – like the outdated and insecure VPN server that provided the Darkside group with access to Colonial’s network. In testimony this week, Colonial’s CEO Joseph Blount admitted that his company’s IT team had lost track of the server. “We did not see it and it did not turn up in any pen testing,” he said. “That’s unfortunate.”
Finding such flaws in the context of a government-mandated audit would have been a much better outcome. It would have given Colonial an important warning that its protections were inadequate, and allowed them to address those weaknesses in an orderly fashion, limiting disruption to the larger society.
But that’s not what happened. Why?
Government regulators, lawmakers and industry groups have – for decades – demurred at calls to exercise more regulatory oversight of cybersecurity. Instead, they have tucked in behind the 40-year-old, Reagan-era doctrine that “government is the problem.” Regulatory capture, also, has taken its toll: putting the private sector and infrastructure owners in the position of making and enforcing their own rules.
That’s literally true in the electricity industry, where NERC, the North American Electric Reliability Corporation – a non-governmental, “self-regulatory organization” created by the utility industry – is charged with developing and enforcing compliance with reliability standards for the electric industry in the United States. Today, those include cybersecurity standards.
Time and again, our elected leaders and agencies with oversight authority have taken at face value the word and promises of private sector firms, which have consistently downplayed the threat while overstating their capabilities as defenders. Testifying before the U.S. Senate, Colonial’s CEO Blount was pressed on whether his company participated in cybersecurity tabletop exercises conducted for pipeline operators by the Department of Transportation. He didn’t give a straight answer. Asked later whether his firm was part of an ISAC (an “information sharing and analysis center”) for his industry, he said he didn’t know. Asked if Colonial had a cyber security response plan in place prior to getting compromised that included a plan for ransomware, he admitted it did not.
Instead, Blount talked up his company’s decision to hire firms like Mandiant and Dragos after it got hit to clean up the mess as if such decisions were evidence of forward thinking and contingency planning. Note to Mr. Blount: calling the fire department to put out the fire that’s engulfing your house can’t properly be counted as “fire prevention.”
From Russia With Love
So here we are. Our “friends” in Russia and Ukraine are providing us with a valuable public service. Absent any concerted government effort to do so, they are putting publicly traded companies, private firms, state and local governments and critical infrastructure (CI) owners on the infosec treadmill for a “stress test.” Sure, they’re enriching themselves in the process and sowing chaos in our society. For all we know, they are also relaying some of what they find to governments that seek to weaken and destabilize our own.
The silver lining? There are now lots of flares lighting up the sky. Public and private sector organizations that were content to keep their woeful cyber security practices on the down low no longer have that luxury and are scrambling to fix their stuff.
To extend the “stress test” metaphor: lots of companies are keeling over and falling off the treadmill in fairly dramatic fashion. Still more are huffing and puffing and failing more gracefully (and quietly). Certainly some are passing the test(s) with flying colors.
As a society: is it better that we know which companies have crap security and which don’t? Yes. Is leaving it to ransomware groups to uncover the truth the best and most sensible way for us to learn this important information? No. Ransomware, after all, is a pretty dull instrument for revealing that, but it is revealing it all the same. Hopefully, as a society, we’ll find a way to do this right.