Although the massive cyberattack on Colonial Pipeline is depriving the East Coast of energy and driving gas prices up, it ironically is adding fuel to the notion that it is time to rethink our nation’s approach to cybersecurity – because what we are currently doing isn’t working.
In the pivotal scene in the classic movie Pulp Fiction, John Travolta is arguing with Samuel L. Jackson about whether their survival was an act of God or pure luck. Jackson finally ends the argument by thundering to Travolta: “You are thinking about this all wrong. It’s not about if God can change Coke to Pepsi or help me find my car keys—there are bigger issues involved.”
The same wisdom can aptly be applied to our cybersecurity policy – we have been thinking about it all wrong, and there are bigger issues involved.
When policymakers think of cybersecurity as an operational issue which can be resolved with technical enhancements, they are thinking about it all wrong.
When cyber funding is channeled overwhelmingly toward military capabilities without placing an adequate emphasis on fighting cybercrime, we are thinking about the issue all wrong.
When we fund enhancements to federal information systems without addressing the economics of private information system security, we are thinking about things all wrong.
When we assume that the private sector should assess cyber threats the same way as the public sector, we are thinking about things all wrong.
For the past six months, in this space, we have been insisting that it is time to rethink our approach to cybersecurity. SolarWinds, which was a systemic cyber-attack rather than the traditional attack on specific entities that has received virtually all the attention, validated this notion. So, too, does the recent attack on the pipeline: it is simultaneously an attack on critical infrastructure by a criminal entity, with implications for national security, resulting from technical vulnerabilities that have a basis in industry economics approved by government. It also seems to prove the point that a rethinking, including a broader conception of the problem, is in order.
In their excellent review of US cybersecurity policy, The Fifth Domain, Richard Clarke and Rob Knake perceptively observe that we have not changed our thinking about cyber policy since the Clinton Administration. Bill Clinton was elected president roughly 30 years ago. Maybe it’s time to rethink our strategy.
Let’s start with a quick review of the precepts mentioned at the top of this post.
First, consider the prevailing notion that cybersecurity is an operational issue and that the answer is technology. This has been the overwhelming focus of federal cyber policy for 30 years. Obviously, the technology is important, but tech is simply the method of the attack. To solve the problem, we must address not just how attacks occur but why they occur. The why is almost always economic. The economic calculation is the reason for the dramatic rise in ransomware attacks.
It’s not just about the vulnerabilities. After all, virtually all critical infrastructure is vulnerable. Our ground transport system is vulnerable. Our agricultural system is vulnerable, and yet we never hear about these systems getting attacked. In fact, our gas pipelines have been quite vulnerable for some time. The difference is that the evolution of ransomware, combined with crypto-currency, has now made this type of attack economically profitable – very profitable. No less an authority than the former Director of the DHS Cybersecurity and Infrastructure Security Agency, Chris Krebs, pointed this out at last week’s House Cyber Subcommittee hearing on ransomware: “To put it simply we are on the cusp of a global digital pandemic driven by greed,” said Krebs, before adding that we need to “rethink” our approach to cybersecurity.
Another assumption that is the basis of traditional cybersecurity policy, and needs to be rethought, is the concept of national defense as a unique function of the military. The digital era is teaching us that this is an outdated understanding, and we need to adapt. As with the focus on technical operations, certainly no one would argue that we ought not to pay attention to military spending, especially in the face of nation-state attacks. We have campaigned heavily in this space for matching the spending of our adversaries such as China. However, even in China, funding for the digital strategy ($1.4 trillion over the next 4 years) is growing faster than military funding.
We have seen in instances such as SolarWinds that our divided military/civilian structures are hampering us by creating gaps in our defense that adversaries are exploiting. In addition, our civilian/military budget balance is way out of whack. Cybersecurity spending going to the DoD is around $15 billion, whereas the FBI cyber budget to fight cybercrime is about half a billion dollars (that is, half of a single billion). And we are successfully prosecuting perhaps 1 percent of cyber criminals. The Colonial Pipeline attack further illustrates the merger of crime and national security, as this appears not to be a nation-state attack but a “simple” criminal technique not really distinct from the old-style mafia “protection racket” gone digital.
As previous blogs in this space have articulated, there remains a substantial lack of clarity as to what and how the military and civilian arms of government should (or possibly even can) coordinate. One approach we have discussed is a reorganization and streamlining of these efforts, similar to how our financial institutions have streamlined their cybercrime structures.
Another idea worth considering was recently floated by the Assistant Director of the FBI’s cyber division, Tonya Ugoretz, who suggested that federal agencies should develop their cybersecurity budget requests collaboratively so that lawmakers don’t end up giving too much to agencies that don’t need it while others starve. It is also noteworthy that when Ms. Ugoretz floated the idea at the recent Billington Cybersecurity conference, fellow panelist Greg Touhill, a former Federal CISO and a former Brigadier General, noted that we are “definitely out of kilter across the government on how we are allocating spending and resources.”
Another outdated construct is the sharp delineation between government and private systems. As the Microsoft server and SolarWinds events have taught us, private entities are clearly on the front lines of cyber-attacks, including many from nation-state actors. This, by the way, is not news. We have known this for years. Yet, when massive cybersecurity funding was folded into the COVID bill (which we loudly supported in this space), it was confined to upgrading government systems. Even when funding for broadband deployment was included in President Biden’s Infrastructure proposal, it lacked any funding for cybersecurity.
While it may be argued that large enterprises need to spend more on cyber at shareholder expense (a debatable proposition we will address in later posts), it is obvious that small companies – the soft underbelly of our interconnected cyber systems – can never practically fund adequate security. Simply ignoring these needs is shortsighted and based on an antiquated understanding of digital technology and national defense.
If the cyber-attack on the Colonial Pipeline delivers anything of value it ought to be that we need to substantially rethink our approach to cybersecurity.