I’ll explain the lesson of the Colonial Pipeline case

What there is to learn from the Colonial Pipeline case. The article by Umberto Rapetto, director of Infosec.news

The attack on the Colonial Pipeline will be remembered in the history books like the attack in Sarajevo of June 28, 1914. If the killing of Archduke Franz Ferdinand, heir to the throne of Austria-Hungary, and his wife Sophie marked the start of the First World War, the digital attack on the gigantic oil pipeline that runs from Texas to New Jersey is destined to mark the fateful transition from a state of war to a condition of actual war.

The Executive Order on Improving the Nation's Cybersecurity just signed by Joe Biden is no different from the sirens that once alerted the population to an impending bombing and directed people to air raid shelters.

After sensational cybersecurity incidents such as SolarWinds, Microsoft Exchange and now Colonial Pipeline, the President of the United States issues a provision that rings out as the first declaration of war against an invisible enemy.

The technological threat (driven by widespread mercenary activity and by the "cyber armed forces" of the countries most active on this battlefield) can no longer be neglected, and Biden stresses that certain episodes reveal the insufficiency of federal action and the need for real and effective cooperation with the private sector, which owns and operates much of the critical infrastructure inside the United States.

The situation in which companies decide independently on their cybersecurity investments must be overcome with the launch of a coordinated action program that increases and aligns organizational, technical and financial efforts with the aim of minimizing the risk of future disasters.

"TO BATTLE STATIONS"

First, obstacles to the sharing of threat intelligence between government and the private sector need to be removed. According to the Executive Order, ICT service providers must be able to share information with the Government, ensuring constant updates on detected threats and on system breaches that have occurred.

It is essential to eliminate the reluctance of IT service providers to admit embarrassing situations; the "voluntary" sharing of all available information on possible compromises of data processing systems and communication networks has become urgent.

Biden is clear. Certain silences due to contractual obligations or other agreements between private parties must disappear, and the conviction must take hold that an immediate and transparent dialogue with government institutions allows the more timely adoption of security measures capable of safeguarding the nation as a whole.

The Executive Order emphasizes the role of the Federal Government in the protection of "cloud" services and the "zero-trust" architecture, and requires the implementation of multi-factor authentication and encryption: the text expresses the awareness that obsolete security models and unencrypted data have led to the profound compromise of the "most sensitive" information systems in the public and private sectors.

One of the cornerstones of the provision is the strengthening of the protection of the software supply chain. Security standards should be established and consolidated for the development of programs and applications intended for use by government entities. Developers will be required to give maximum visibility into the instructions and code inserted into the software, with particular regard to what constitutes its security structure.

A public-private process must be triggered to develop new and innovative approaches, along with a pilot program to create an "Energy Star" type of label so that the government, and the public at large, can quickly determine whether the software has been developed securely.

"There is too much software, including critical software, that comes with significant vulnerabilities exploited by our adversaries," the White House press release reads verbatim.

THE NEED FOR A COMMITTEE AND A "FIRST AID KIT"

The executive order establishes a cybersecurity review committee, co-chaired by government and private sector leaders, which can meet following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.

We are aware that too often organizations repeat the mistakes of the past: they do not learn the dramatic lessons from bad experiences, they do not ask themselves the uncomfortable questions that demand even more painful answers, and they struggle to make changes and improvements.

The idea is inspired by the model of the National Transportation Safety Board, the body that enters the field after plane crashes and other disasters, and is based on the creation of a "standard playbook" (or on the preparation of pre-packaged, customizable modular remedies) able to enable rapid replication, with a sufficient level of problem coverage, of uniform and proven initiatives aimed at identifying and countering emerging dangers.

Particular attention is required for "detection" activities, i.e. those aimed at detecting crisis situations, limiting incidents, and anticipating harmful operations that can compromise public and private networks and all the information resources of the American digital connective tissue.

Slowness, overlap, lack of coordination: these are the factors that expose a country to the risk of cyber aggression, and only a harmonious and shared design at the most diverse levels can brighten the future.

WHAT ABOUT US?

It is hoped that here in Italy, too, someone will find the time to read the Executive Order and perhaps take a cue from it.

The changes at the top of national intelligence can be an opportunity to reconsider the scenario and to finally take note of the urgencies, the priorities and, above all, the time lost so far in gossip, conferences, memoranda of understanding and other "useless" activities of various kinds.

Article published on infosec.news

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/colonial-pipeline/ on Sun, 16 May 2021 06:19:40 +0000.