[Posted on Behalf of Steve King, Director, Cybersecurity Advisory Services Information Security Media Group (ISMG) ]
So, yes. It is now very clear that the outbreak of the COVID-19 virus and the concomitant investor panic leading to a rapid collapse of the global financial system along with predictable social behavior has created what the Chinese like to call “interesting times”.
The Pandemic is already in the process of delivering a more significant social and financial global impact than we’ve seen in hundreds of years. And this is only the tip of the iceberg. It will likely get worse in the ensuing 30, 60, 90 days as the media continues to fan the flames of chaos both in financial markets and the politics of hatred, and as people react in all the expected ways.
But imagine if you can, our world as we see it today, attempting to respond to and cope with the aftermath of a cyber-attack on our critical infrastructure in addition to dealing with the pandemic.
We have all tried to find water, toilet paper and hand sanitizers at our local super-markets. Those of us who are non-preppers, procrastinators, poor planners or just generally late to the panic switch have discovered that we may have to become more innovative and resourceful in the coming months. We may be running low on toilet paper, but least we have tap water, gas, electricity, communications and an Internet connection.
For now.
The European Network of Transmission System Operators for Electricity (ENTSO-E) announced this past Monday that a data breach had occurred, and while they claim it was confined to its office network, and that no critical power systems had been affected, the event should serve as a wake-up call to all critical infrastructure operators and those charged with governance over these life-giving arteries in every country around the world.
Forensics and threat intelligence focused on the ENTSO attack reveal that the attackers were generating repeated, high-volume communication between the targeted server and their malware for more than a month.
ENTSO-E’s 42 members represent some of the largest utilities in Europe, coordinating the reliable delivery of electricity for European Union citizens and the targeting of a mail server at a high-value critical infrastructure organization provides the bad guys with access to sensitive information on energy allocation and resourcing in Europe, also known as the planning details required for a coordinated attack.
Last year, our CISA released a list of 55 National Critical Functions “so vital to the United States that disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, or national public health or safety.” And that was before the world had ever hear the term Coronavirus or phrases like “social distancing.”
We know that improved Industrial Control System security is vital to the protection of critical infrastructure systems and that CISA has developed a strategy to defend against complex attacks on critical systems. But there is a lot lost between strategy and implementation. As competent a leader as Chris Krebs, the CISA Director is, he can’t make infrastructure operators do what is necessary to prevent a cyber-attack.
The path to get this done must wind through Congress and on that front, we are looking eerily similar to the CDC’s decision to create our own protocols for coronavirus testing, instead of adopting the WHO’s versions and their arguably laconic response to the first indicators of the Covid-19 threat.
We have lots of early indicators of a cybersecurity threat to our national cardiovascular system now, so what is Congress doing to address it so we can get out in front and head it off?
In a characteristic display of politically infused perception of combined attentiveness with action, Congress has created a group to completely revamp our national cyber policy.
This group includes members of both parties; representatives of defense and intelligence agencies; and top private-sector experts and their charter is to develop programs designed to gather threat data, oversee global rules and standards in cyberspace, impose new cybersecurity certification requirements for companies so that boards of directors and insurance firms have better yardsticks to measure preparedness and recommend the tools and technologies necessary to close the gaps and prevent an enemy from carrying out successful cyber or physical attacks on our infrastructure.
Unfortunately, developing programs does not result in actual laws being enacted and nowhere in the charter can we find specific actionable tactics either. Instead, we now have nearly 80 committees and subcommittees with oversight of various aspects of cyber policy. And the commission additionally proposed creating new cybersecurity committees in each chamber that would have primary jurisdiction over legislation.
More committees with oversight of other committees doesn’t sound like a recipe for action.
In all, the new group has made more than 75 recommendations, with many supposedly on their way to be pre-packaged as draft legislation. A “continuity of the economy” initiative would establish rules for ways in which banking, food supply, power and other essentials would operate and survive under a digital assault. To aid private firms, and state and local governments, the group will establish a “Cyber State of Distress” and a “Cyber Response and Recovery Fund.”
Would the Cyber State of Defense resemble the post 9/11 color-coded terrorist alert system that never did serve any security purpose? Will we make different risk decisions when the distress level is orange that we will when it is yellow? Will the Cyber Response and Recovery Fund be funded by wealthy individuals, labor unions, banks and insurance companies or will it be funded by the federal printing press that we are currently using to jam $1.5 trillion in new capital into our banking system to escape a fiscal meltdown amid the coronavirus crisis?
None of this hoopla and reshuffling of deck chairs makes us any more prepared for a cyber-attack on our critical infrastructure than we were for an attack on our physical health and well-being a few months ago. Doing things the same way we have always done them almost always leads to exactly the same outcomes as before.
And relying on assumptions that we have the tools to combat a cyber-attack on our critical infrastructure may be as flawed as assuming that the Federal Reserve today has the proper tools to reverse the current financial market collapse, regardless of how many times it steps up the plate.
Ebrahim Rahbari, director of global economics at Citi Research has already gone on record as saying that, “While we continue to emphasize that this Fed will act aggressively and in particular that central banks are focused on safeguarding market functioning at this point, and will continue to provide liquidity in scale, we think these measures will still not be sufficient to durably stabilize market sentiment in light of credit concerns and escalating health concerns.”
Translation: No amount of money can stop these markets from tanking.
One of our wisest investors once said that he could end the Federal deficit in 5 minutes. All that is needed is a law that says anytime there is a deficit of more than 3% of GDP, all sitting members of congress are ineligible for re-election.
Maybe a new law that applies the same reasoning to cyber-attacks would move the needle. If not, it will likely remain stuck on its peg until the lights go out, and then it won’t matter.
Comments