With nation-state adversaries like China and Russia growing bolder and more experienced at cyber operations, U.S. cybersecurity tactics need to evolve beyond the defensive, according to participants in a webinar on Tuesday.
“We’re all playing goalie, in both the public and private sector, trying to keep the ball from going in the goal, and the [adversary’s] getting unlimited penalty shots,” said Kevin Mandia, CEO of cybersecurity firm FireEye, in the Securing Cyberspace webinar hosted by The Washington Post.
The recent ransomware attacks on Colonial Pipeline and JBS USA were a major focus of discussion. Both have been connected to Russia by law enforcement. In Colonial’s case, ransomware deployed by the DarkSide criminal gang in May led the company to shut down the pipeline network that delivers nearly 45% of the U.S. East Coast’s supply of fuel products. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.)
As for JBS USA — the U.S. division of the world’s largest meat company JBS, based in Brazil — the FBI confirmed the company was attacked earlier in June by a group using the REvil ransomware. While the Bureau’s original statement did not mention a nation-state affiliation for the hackers, the White House has since acknowledged that the malware “came from Russia.”
King Repeats Calls for Cyber Deterrent
The ransomware attacks have spurred calls for a re-examination of U.S. critical infrastructure and its vulnerabilities to cyber intrusions. After the Colonial hack, experts suggested to ERO Insider that non-state actors should be considered a threat to national security on par with foreign militaries, and that this stance should be communicated to nation-states that seem to tolerate their presence, if not actively encourage their activities. (See Experts Call for Cyber Shift in Response to Colonial Hack.)
President Biden seems to have a similar viewpoint. After his meeting with Russian President Vladimir Putin earlier this month, the White House reported that Biden had “laid down some clear markers” with his counterpart on “the capacities that we have should they choose not to take action against criminals who are attacking our critical infrastructure from Russian soil.”
In Tuesday’s webinar, Sen. Angus King (I-Maine) called Biden’s stance “a very important step” for a country that has provided “no real serious response” to years of attacks. Going further, he repeated his previous calls for the U.S. to establish a more active cybersecurity strategy, including a strong deterrent capability that can give pause to potential state and non-state threats before their next attacks.
“They’ve got to feel that they’re at risk. I want somebody in the Kremlin … to say, ‘Gee, boss, I’m not sure we ought to do this because we’re liable to get whacked in some way by those Americans if we follow through,’” King said. “The best cyberattack is the one that doesn’t happen.”
Pressed on whether this means a like-for-like response — paying back a cyberattack with a cyberattack, for instance, or crippling a rival’s infrastructure in retaliation for a similar attack on the U.S. — King clarified that he’s “not prepared to say it should be cyber for cyber.” The goal, he said, should be to make clear that the private companies that stand to be harmed the most by attacks on critical infrastructure will no longer stand alone, as they have in the past, but will have the full support of the government, extending to retaliation if necessary.
“We’re really dealing with a new kind of conflict here,” King said. “Traditionally, conflict has been army against army, battleship against battleship. Now we’re really talking about a case where 75-85% of the target space is in the private sector. So we have to figure out a new relationship.”
Pros and Cons of Ransom Payments
The speakers were more ambivalent on the controversial issue of whether ransomware targets should pay attackers in order to unlock their systems and prevent the potential release of confidential information. Both Colonial and JBS admitted they did pay the ransom demanded of them: cryptocurrency valued at $4.4 million and $11 million, respectively.
Colonial CEO Joseph Blount faced tough questions about his decision to pay during a Senate hearing earlier this month where he called the payment “one of the toughest decisions I have had to make in my life.” (See Colonial CEO Welcomes Federal Cyber Assistance.) JBS expressed similar sentiments in a press release regarding its own ransom payment.
King and Mandia avoided blanket condemnation of the companies’ decisions. King called it “a tough call” for companies to make, and Mandia said that banning all ransomware payments “is not fair, nor will it have the desired outcomes.” But both stressed that paying ransoms simply reinforces the idea among bad actors that ransomware works, and will lead to further proliferation of such attacks in the future.
“From my vantage point, there’s so [many] ransomware actors; they’re acting with impunity; they’re acting without risks or repercussions,” Mandia said. “And I just believe wherever money goes, crime follows. So if you can hack and make a lot of money off of it, especially anonymously in safe harbors that are 10,000 miles away from where the crimes are being committed, it’s not going to stop.”
King said that rather than banning the payment of ransoms, the government should focus on “being tough” with companies “about preventing it from happening in the first place.” He was critical of the Transportation Security Administration, which oversees the pipeline system, for failing to enforce strong cyber protections and pointed to FERC’s oversight of electric utilities as a superior regulatory model.
“FERC has a very robust, strong relationship with the utilities; utilities are far ahead of the pipeline companies, [and] pipeline companies are trying to act like they’re not involved in this,” King said. “They are; they’re critical infrastructure. In New England, 60% of our electricity comes from natural gas, and all of it comes through pipelines. If the pipelines go down, the grid goes off. So I think we need to step up dramatically the regulation of these utilities, and I consider the pipelines in that category.”