The Problem of Cyber-Defense

I wanted to call a post at The Moderate Voice to your attention. The post, written by Terry Thompson, a prof at Johns Hopkins, explains some of the complexities in national cyber-security defense. That’s a topic much in the news due to the Colonial Pipeline ransomware attack following hard on the heels of the SolarWinds hack. Here’s its opening:

The ransomware attack on Colonial Pipeline on May 7, 2021, exemplifies the huge challenges the U.S. faces in shoring up its cyber defenses. The private company, which controls a significant component of the U.S. energy infrastructure and supplies nearly half of the East Coast’s liquid fuels, was vulnerable to an all-too-common type of cyber attack. The FBI has attributed the attack to a Russian cybercrime gang. It would be difficult for the government to mandate better security at private companies, and the government is unable to provide that security for the private sector.

Similarly, the SolarWinds hack, one of the most devastating cyber attacks in history, which came to light in December 2020, exposed vulnerabilities in global software supply chains that affect government and private sector computer systems. It was a major breach of national security that revealed gaps in U.S. cyber defenses.

These gaps include inadequate security by a major software producer, fragmented authority for government support to the private sector, blurred lines between organized crime and international espionage, and a national shortfall in software and cybersecurity skills. None of these gaps is easily bridged, but the scope and impact of the SolarWinds attack show how critical controlling these gaps is to U.S. national security.

He goes on to claim that national cyberdefense is a “wicked problem”:

National cyber defense is an example of a “wicked problem,” a policy problem that has no clear solution or measure of success. The Cyberspace Solarium Commission identified many inadequacies of U.S. national cyber defenses. In its 2020 report, the commission noted that “There is still not a clear unity of effort or theory of victory driving the federal government’s approach to protecting and securing cyberspace.”

which is where we part company. I don’t think that national cyberdefense is a wicked problem. I think it’s a complex one, one that we haven’t set up the structures to address, and will be expensive to counter, but it does not fit the definition of a wicked problem. A classic example of a wicked problem in geopolitics is the Israeli-Palestinian conflict. That’s a wicked problem because the Israelis reject, correctly, its resolution.

As I see it ransomware attacks like the one on the Colonial Pipeline are asymmetric warfare, prosecuted by non-state actors. IMO the DoD is not positioned particularly well to address it. That doesn’t make it a wicked problem. It makes it a problem that is best addressed by the private sector, including by issuing letters of marque. IMO it’s a bureaucratic problem as much as anything else.

5 comments
  • PD Shaw

    “In February, a state audit indicated that the Illinois Attorney General’s Office lacked proper cybersecurity protections. Three weeks ago, the office suffered a ransomware attack.” Link

    Illinois Governor: “Nobody should be afraid that state government systems are under attack today.” Presumably because the Attorney General’s Office is an independent Constitutional office from the state government, though it represents state government. Shorter version: Not my fault.

  • Illinois Attorney General’s Office

    That shouldn’t have come as a surprise. I told Lisa Madigan that personally 3, 4 years ago.

    Presumably because the Attorney General’s Office is an independent Constitutional office from the state government

    I doubt it actually makes a difference. I think its IT is still operated by CMS which does (at least in theory) report to the governor. In practice it’s probably more like the other way around.

  • Drew

    “As I see it ransomware attacks like the one on the Colonial Pipeline are asymmetric warfare, prosecuted by non-state actors.”

    DarkSide is supposedly housed in Russia. It is hard to fathom that it operates independently from Putin, or acted without the nod from him. We are talking about knocking out a major US energy transport mechanism. Yes, it’s warfare, but it’s a stretch to say non-state actors.

    Just as currently in Iran, it’s a test of the new administration. Joe might want to consider fewer afternoon nippy naps.

  • CuriousOnlooker

    This is building to a crackdown on cryptocurrency.

    The hackers demanded and got a ransom of cryptocurrency. A countermeasure is to remove the incentive to do ransomware by making it impossible to get anonymous ransoms.

    I wonder if Musk is reading the same tea leaves.

  • I think that would be a good thing but it’s hard for me to see how it could be made to stick.

    It is hard to fathom that it operates independently from Putin, or acted without the nod from him.

    Today’s Russia is not the Soviet Union.
