
Google, Microsoft plan to spend billions on cybersecurity after meeting with Biden

Business leaders in sectors ranging from technology to insurance pledged billions of dollars to step up cybersecurity efforts at a White House meeting with President Joe Biden on Wednesday.

The meeting comes in the wake of several high-profile cyberattacks, including those on software company SolarWinds and on Colonial Pipeline, which have made such security issues even more pressing.

Commitments range from working on new industry standards, to providing stronger security tools for other companies, to training workers to fill the roughly 500,000 vacant U.S. cybersecurity jobs. Biden recently signed an executive order requiring US authorities to use two-factor authentication for logins, which can help prevent cyberattacks.

The White House said Apple will create a program dedicated to improving security in its technology supply chains, including working with suppliers to introduce multi-factor authentication and security training.

Google said it will invest more than $10 billion over five years to strengthen cybersecurity and promised to train 100,000 Americans in technical areas like IT support and data analysis as part of its career certificate program. Google’s financial commitment will be used to strengthen the software supply chain and open source security, among other things.

Microsoft has allocated $20 billion over five years to provide more advanced security tools, CEO Satya Nadella tweeted after the meeting. He added that Microsoft will invest $150 million to help government agencies update their security systems and develop cybersecurity training partnerships. Microsoft has spent $1 billion annually on cybersecurity since 2015.

IBM said it will train more than 150,000 people in cybersecurity skills over three years, while working with historically Black colleges and universities to help diversify its workforce. The company also announced a new data storage solution for critical infrastructure businesses and said it was working to develop encryption methods that remain secure against quantum computing.

IBM CEO Arvind Krishna told CNBC ahead of the meeting, in front of the White House on Wednesday, that cybersecurity was “the topic of the decade”. He said he hoped better coordination between the public and private sectors would emerge from the meeting and said IBM would do its part to support professionals in the field.

Amazon Web Services, Amazon’s cloud computing division, plans to provide account holders with free multifactor authentication devices to better protect their data. It also plans to offer “security awareness training” to organizations and individuals.

A spokesman for financial services firm TIAA pointed to several ongoing initiatives to train more cybersecurity workers. These include a partnership with New York University that enables TIAA employees to complete a fully reimbursed master’s degree in cybersecurity.

Leaving the White House, JPMorgan Chase CEO Jamie Dimon called the meeting “a very productive, collaborative discussion.”

“Hopefully we will follow up and do a good job of protecting our country from a really complex problem,” he said.

Microsoft CEO Satya Nadella said the event “brought the right people together to have a good discussion.”

Two water company executives who left the meeting told CNBC that the discussion emphasized collaboration between sectors. American Water CEO Walter Lynch said there was an “understanding that we must work together to tackle the country’s cyber threats.”

– CNBC’s Mary Catherine Wellons and Samantha Subin contributed to this report.


Colonial Pipeline Hack Reveals Weaknesses in US Cybersecurity

For years, government officials and industry executives have been running in-depth simulations of a targeted cyberattack on the US power grid or gas pipeline and imagining how the country would react.

But when the real moment came, and it wasn’t an exercise, it didn’t look like the war games.

The attacker was not a terrorist group or a hostile state such as Russia, China or Iran, as the simulations had assumed. It was a criminal extortion ring. The aim was not to disrupt the economy by taking a pipeline offline, but rather to hold company data for ransom.

The most visible impact – long lines of nervous drivers at gas stations – resulted not from a government response but from a decision by the victim, Colonial Pipeline, which controls nearly half of the gasoline, jet fuel and diesel flowing on the east coast, to turn off the spigot. This was done out of concern that the malware that had infected its back-office functions could make it difficult to bill for the fuel delivered down the pipeline, or could even spread to the pipeline’s operational systems.

What happened next was a vivid example of the difference between tabletop simulations and the cascade of consequences that can follow even a relatively straightforward attack. The episode’s aftermath is still playing out, but some of the lessons are already clear, showing how far the government and the private sector must go to prevent and manage cyberattacks and to put fast backup systems in place in case critical infrastructure fails.

In this case, the long-held belief that the pipeline’s operations were completely isolated from the data systems locked down by DarkSide, a ransomware gang believed to be operating out of Russia, proved false. And the company’s decision to shut down the pipeline toppled a series of dominoes, including panic buying at the pumps and quiet fear within the government that the damage could spread quickly.

A confidential assessment by the Departments of Energy and Homeland Security found that the country could afford only three to five days of a Colonial Pipeline shutdown before buses and other local transport would have to cut operations for lack of diesel fuel. Chemical plants and refineries would also have to shut down, as there would be no way to sell what they produced, the report said.

And while President Biden’s advisers announced efforts to find alternative ways to get gasoline and jet fuel to the east coast, none were immediately available. There was a shortage of truck drivers and of rail tank cars.

“Every fragility has been exposed,” said Dmitri Alperovitch, co-founder of CrowdStrike, a cybersecurity company, and now chairman of the Silverado Policy Accelerator think tank. “We learned a lot about what could go wrong. Unfortunately, our opponents too.”

The list of lessons is long. Colonial, a private company, may have thought it had an impenetrable protective wall, but it was easy to break through. Even after paying the extortionists nearly $5 million in digital currency to recover its data, the company found that the process of decrypting its data and turning the pipeline back on was excruciatingly slow, which means it will still be days before the east coast returns to normal.

“It’s not like flicking a light switch,” Biden said Thursday, noting that the 5,500-mile pipeline had never been shut down before.

For the administration, the event was a dangerous week of crisis management. Mr Biden told aides he remembered that nothing could cause political damage faster than television images of gas lines and soaring prices, with the inevitable comparison to Jimmy Carter’s worst moments as president.

Mr Biden feared the situation would raise concerns that the economic recovery is still fragile and that inflation would rise unless the pipeline was restarted, the panic subsided and the price spike was nipped in the bud.

In addition to numerous measures to move oil by truck, train and ship, Mr Biden issued a long-awaited executive order that aims to mandate changes in cybersecurity for the first time.

And he suggested that he was ready to take steps the Obama administration had hesitated to take during the 2016 election campaign: direct measures to repel the attackers.

“We will also be pursuing a measure to compromise its operability,” said Biden, a line suggesting that United States Cyber Command, the military’s cyberwarfare force, had authority to take DarkSide out of circulation, as it had done to another ransomware group in the fall before the presidential election.

Hours later, the group’s website went dark. Early Friday, DarkSide and several other ransomware groups, including Babuk, which hacked the Washington DC Police Department, announced they were getting out of the game.

DarkSide alluded to disruptive actions by an unspecified law enforcement agency, although it was not clear whether this was the result of US action or of pressure from Russia ahead of Mr Biden’s expected summit with President Vladimir V. Putin. Or the silence could simply reflect a decision by the ransomware gang to forestall retaliation by suspending its operations.

The Pentagon’s Cyber Command referred questions to the National Security Council, which declined to comment.

The episode highlighted the emergence of a new “blended threat” that may emanate from cybercriminals but is often tolerated, and sometimes encouraged, by a nation that views the attacks as serving its interests. That is why Mr Biden singled out Russia – not as the culprit, but as a nation that is home to more ransomware groups than any other country.

“We do not believe that the Russian government was involved in this attack, but we have strong reasons to believe that the criminals who carried out this attack live in Russia,” said Biden. “We spoke in direct communication with Moscow about the need for responsible countries to take action against these ransomware networks.”

With DarkSide’s systems down, it’s unclear how Mr Biden’s government would take further action beyond possible indictments and sanctions, which have not deterred Russian cybercriminals in the past. Fighting back with a cyberattack also carries the risk of escalation.

The government must also reckon with the fact that much of America’s critical infrastructure is owned and operated by the private sector and remains ripe for attack.

“This attack showed how bad our resilience is,” said Kiersten E. Todt, executive director of the nonprofit Cyber Readiness Institute. “We are rethinking the threat if we still don’t lay the foundations to secure our critical infrastructure.”

The good news, some officials said, was that Americans received a wake-up call. Congress faced the reality that the federal government lacks the power to require a minimum level of cybersecurity from the companies that control more than 80 percent of the country’s critical infrastructure.

The bad news is that America’s adversaries – not just superpowers, but also terrorists and cybercriminals – are learning how little it takes to wreak havoc in a large part of the country, even without breaking into the core of the electricity grid or the operational control systems that move gasoline, water and propane across the country.

Something as basic as a well-designed ransomware attack can easily do the trick while providing plausible deniability to states like Russia, China and Iran, which often turn to outsiders for sensitive cyber operations.

It remains a mystery how DarkSide first broke into Colonial’s business network. The privately owned company has said practically nothing, at least in public, about how the attack unfolded. It waited four days before having substantive conversations with the administration, an eternity during a cyberattack.

Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline if it had had more confidence in the separation between its business network and its pipeline operations.

“There should definitely be a separation between data management and the actual operating technology,” said Ms. Todt. “For a company that ships 45 percent of its gas to the east coast, frankly, it is inexcusable not to do the basics.”

Other pipeline operators in the US employ advanced firewalls between their data systems and their operations that allow data to flow out of the pipeline in only one direction, preventing a ransomware attack from spreading inward.

Colonial Pipeline did not indicate whether it had this level of protection on its pipeline. Industry analysts say many critical infrastructure operators find that installing such one-way gateways along a 5,500-mile pipeline can be complicated or prohibitively expensive. Others say the cost of providing these protections is still lower than the losses from potential downtime.

Deterring ransomware criminals, whose number and audacity have increased in recent years, will certainly be more difficult than deterring nations. But this week made the urgency clear.

“It’s all fun and games when we steal each other’s money,” said Sue Gordon, former principal deputy director of national intelligence and a longtime CIA analyst specializing in cyber issues, at a conference hosted by The Cipher Brief, an online intelligence newsletter. “If we play around with the functioning of a society, we cannot tolerate it.”

Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity

WASHINGTON – As the east coast suffered the effects of a ransomware attack on a major oil pipeline, President Biden signed an executive order on Wednesday that sets tough new standards for the cybersecurity of software sold to the federal government.

The move is part of a broader effort to strengthen the defenses of the United States by pushing private companies to practice better cybersecurity or risk being barred from federal contracts. However, the bigger effect may come from what, over time, might look like a government safety rating for software products, similar to how cars get a safety rating or restaurants in New York get a health grade.

The order comes amid a wave of new cyberattacks that are more sophisticated and far-reaching than ever before. Last year, around 2,400 ransomware attacks hit corporate, local and federal agencies in extortion schemes that lock up or publish victims’ data unless they pay a ransom.

The most pressing fear is an attack on critical infrastructure, a point that became clear this week to Americans panic-buying gasoline. A ransomware attack on Colonial Pipeline’s information systems forced the company to shut down for several days a critical pipeline that supplies 45 percent of the east coast’s gasoline, diesel and jet fuel.

While every president since George W. Bush has issued new guidelines to strengthen the country’s digital defenses, Biden’s order is designed to reach deep into the private sector. And it is far more detailed than any previous effort.

For the first time, the US will require all software purchased by the federal government to meet a set of new cybersecurity standards within six months. Although companies would self-certify compliance, violators would be removed from federal procurement lists, which could affect their chances of selling their products in the commercial market.

The order also sets up an incident review board, much like the teams that investigate aircraft accidents, to learn lessons from major hacking episodes. The White House has directed that the first incident investigated will be the SolarWinds hack, in which Russia’s leading intelligence agency altered the code of an American company’s network management software. It gave Russia broad access to 18,000 agencies, organizations and companies, mostly in the United States.

The new order also stipulates that all federal agencies must encrypt data, whether it is stored or transmitted – two very different challenges. When China stole 21.5 million files on federal employees and contractors who held security clearances, none of the files were encrypted, so they could be read easily. (Chinese hackers, investigators later concluded, encrypted the files themselves – so as not to be discovered when they sent the sensitive records back to Beijing.)

Previous efforts to set minimum standards for software failed in Congress, particularly in a major showdown nine years ago. Small businesses said the changes were not affordable, and larger businesses resisted a more intrusive federal role in their systems.

But Mr Biden decided it was more important to act quickly than to fight for broader mandates on Capitol Hill. His staff said it was a first step, and industry officials said it was bolder than expected.

Updated May 12, 2021, 7:36 p.m. ET

Amit Yoran, the chief executive of Tenable and a former cybersecurity official in the Department of Homeland Security, said the question everyone was asking was whether Mr. Biden’s order would stop the next Colonial or SolarWinds attack.

“No politics, government initiative or technology can do that,” said Yoran. “But that’s a good start.”

Government officials have complained that Colonial had poor defenses, and that although it built a hard shell around its computer networks, it had no way of monitoring an adversary who got inside. The Biden administration hopes that the standards set out in the executive order, which require multifactor authentication and other protective measures, will become widespread and improve security worldwide.

Senator Mark Warner, Democrat of Virginia and chairman of the Senate Intelligence Committee, praised the order but said it should be followed by Congressional action.

Mr Warner said the recent attacks “have shown what has become increasingly apparent in recent years: that the United States is simply unwilling to fend off government sponsored or even criminal hackers who intend to compromise our systems for profit or espionage.”

The new order is the first major public part of a multi-faceted review of defensive, offensive and legal strategies against adversaries around the world. However, this order focuses solely on deepening defenses, in the hope of deterring attackers because they fear they will fail – or face a greater risk of being detected.

The Justice Department is setting up a new task force to address ransomware, now that it has become clear in recent months that such attacks are more than mere extortion: they can topple entire economic sectors.

Mr Biden announced sanctions against Russia for the SolarWinds hack, and his national security adviser, Jake Sullivan, said there would be “unseen” consequences as well. So far, the United States has not taken similar action against the Chinese government, even though it is believed to have been behind another attack, one that exploited holes in a Microsoft system used by large corporations around the world.

The executive order was first drafted in February in response to the SolarWinds intrusion. That attack was particularly sophisticated because hackers working for the Russian government managed to modify the company’s code under development, so that the company unknowingly distributed the malware in an update to its software packages. It was discovered during Mr Biden’s transition and led him to state that he could not trust the integrity of the federal computer systems.

Established under the executive order, the review board is jointly chaired by the Secretary of Homeland Security and a private-sector official, chosen according to the specific episode under investigation, in order to attract industry executives who fear the investigation could become fodder for lawsuits.

Since it was created by executive order rather than an act of Congress, the new board will not have the same broad powers as a safety board. However, officials remain confident that it will be helpful in identifying vulnerabilities, improving security practices and pushing companies to invest more in improving their networks.

Much of the executive order focuses on information sharing and transparency. The aim is to reduce the time it takes for organizations that have been hacked, or that discover vulnerabilities, to share this information with the Cybersecurity and Infrastructure Security Agency.