I wonder if Sue Halpern has thought the argument she’s making in her New Yorker piece all the way through? In the piece she characterizes the ransomware attack on Colonial Pipeline Company as highlighting “the perils of privately owned infrastructure”:
Eighty per cent of the energy sector, which includes pipelines, power generation, and the electricity grid, is privately held. D.H.S.’s “energy-specific plan,” also from 2015, noted that “because of the shared responsibility to secure North America’s energy delivery systems against cyber threats, a common vision and framework is needed to guide the public-private partnerships.” But that vision and framework doesn’t exist.
For years, businesses have resisted efforts from the federal government to hold them to robust cybersecurity standards, or to report cyberattacks. They typically argue that such requirements would be prohibitively expensive and damaging to brand identity, because the brands would lose consumers’ trust. Companies have also been stymied by a dearth of cybersecurity talent in this country. Colonial, for instance, had been advertising an open cybersecurity position for at least a month before the ransomware attack. (A company spokesperson told the Atlanta Journal-Constitution that filling the position would not have made a difference in this case.)
Let’s interrupt her there. We’re not alone. Every country has “a dearth of cybersecurity talent”. Cybersecurity is a highly sought-after skill, but you can’t just whip up a new batch of cybersecurity experts overnight. Like all information technology, it’s something that’s largely undertaken by amateurs with knowledge gained on the job. In practice, cybersecurity didn’t become a topic until the advent of computer networking, and it didn’t become a hot topic until Internet use started to become widespread in the 1990s. Yes, there are training courses and even college majors. DePaul and ISU both offer undergraduate cybersecurity majors. But that won’t make you a cybersecurity expert with five years of experience, and getting that experience can be tough.
She concludes:
On May 12th, Biden issued another executive order. It had been months in the making, but the announcement was terrifically well timed, because the East Coast pipeline had come back to life less than an hour earlier. (It was several days, though, before sufficient fuel deliveries could be made to bring things back to normal.) “Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments,” a White House fact sheet stated, acknowledging that Biden was no less hamstrung by the private ownership of critical infrastructure than previous Presidents had been. Nonetheless, the order, which is largely directed to federal agencies and their contractors, requiring them to abide by a host of stringent new cybersecurity regulations and reporting requirements, is a clever and significant workaround of the problem. Many of the cloud services and software packages used by government agencies are also used in the private sector. By demanding that “all Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order,” the President is creating the conditions for those standards and requirements to be more broadly adopted. It’s like auto-emissions standards: when California raised its standards, twelve other states decided to adopt those requirements, and five automakers agreed to design all their new cars to meet them. Something similar is likely to occur here, too. “The Federal government must lead by example,” Biden stated.
His executive order is likely to do more than that: it also creates a Cyber Safety Review Board, to investigate cyberattacks in the same way that the National Transportation Safety Board studies air disasters. It will be tasked not only with forensics but with making “concrete recommendations for improving cybersecurity.” The order also requires I.T. service providers, and companies overseeing the software that operates industrial-control systems, to inform the government about cybersecurity breaches that could affect American networks.
Will any of this stop the next pipeline, hospital, or water-treatment-plant attack? Maybe. Will it stop the one after that? Maybe not. A President can only do so much. As Senator Mark Warner, of Virginia, who is the chair of the Senate Intelligence Committee, wrote in response to Biden’s executive order, “Congress is going to have to step up.” Until the private companies that own much of our critical infrastructure—including our election systems—are required, by law, to meet rigorous cybersecurity standards, we all remain vulnerable.
I want to make three points. First, software monoculture is inherently insecure. It drastically lowers hackers’ opportunity costs. One vulnerability in one piece of software that’s used everywhere exposes tens of thousands of companies to attack.
Second, there is an implication in her piece—not stated explicitly but strongly implied—that the public sector takes cybersecurity more seriously than the private sector. Suffice it to say that has not been my experience and I’ve been involved in security reviews of public sector departments. Take every problem you can imagine in the private sector and add dependence on old hardware and software and far too many “experts” who gained their expertise 25 years ago and haven’t learned anything since.
Third, there are actually laws already in place—Sarbanes-Oxley just to name one. SarbOx doesn’t happen to apply to Colonial Pipeline because it’s a privately held company. Crafting a law that would apply to such a company could be quite tricky.
But back to the point of my title. What’s the alternative, and where do you draw the line? In addition to the things we conventionally think of as infrastructure, the Obama Administration declared the chemical sector, the financial services sector, agriculture, and healthcare “vital infrastructure”. For the last several months, the Biden Administration has been adding things to that list, including child care, elder care, and education. What does she think should be done? Nationalize all of them?
As I’ve said before, my solution to making businesses take cybersecurity more seriously is to increase their liability for breaches. How would you do that in the public sector, with the shield laws that are in place?